public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Michael Brown" <mcb30@ipxe.org>
To: "Marvin Häuser" <mhaeuser@posteo.de>,
	devel@edk2.groups.io, "Laszlo Ersek" <lersek@redhat.com>,
	"Andrew Fish" <afish@apple.com>,
	"Michael Kinney" <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [GSoC proposal] Secure Image Loader
Date: Thu, 8 Apr 2021 10:55:31 +0100	[thread overview]
Message-ID: <f43f8599-1c9b-d96d-4d0f-324e76c9b163@ipxe.org> (raw)
In-Reply-To: <c4eeea74-4c9e-d5fb-9743-f038438e388e@posteo.de>

On 08/04/2021 10:41, Marvin Häuser wrote:
> No, 
> backwards-compatibility will not be broken in the sense that the old API 
> is absent or malfunctioning.

Perfect. :)

> As I *have* said, I imagine there to be an 
> option (default true) to expose both variants.

Very much less perfect.  The mere existence of such an option 
immediately reimposes the burden on external code to support both, 
because it opens up the possibility of running on systems where the 
option is set to false.

> With default settings, I 
> want the loader to be at the very least mostly plug-'n'-play with 
> existing platform drivers and OS loaders from the real world. "Mostly" 
> can be clarified further once we have a detailed plan on the changes 
> (and responses to e.g. malformed binary issues with iPXE and GNU-EFI).

Yes; thank you for https://github.com/ipxe/ipxe/pull/313.  It will take 
some time to review.

As a practical consideration: unless there is a security reason to do 
otherwise, you should almost certainly relax the constraints on images 
that your loader will accept, to avoid causing unnecessary end-user 
disruption.  What is the *security* reason behind your alignment 
requirements (which clearly are not required by any other toolchain, 
including those used for signing Secure Boot binaries)?

Thanks,

Michael

  parent reply	other threads:[~2021-04-08  9:55 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-04 23:01 [GSoC proposal] Secure Image Loader Marvin Häuser
2021-04-06  9:41 ` [edk2-devel] " Nate DeSimone
2021-04-06 10:06   ` Marvin Häuser
2021-04-06 16:16     ` [EXTERNAL] " Bret Barkelew
2021-04-08 11:16     ` Laszlo Ersek
2021-04-08 14:13       ` Andrew Fish
2021-04-08 16:06         ` Marvin Häuser
2021-04-08 16:44           ` Andrew Fish
2021-04-08 17:02             ` Marvin Häuser
2021-04-08 17:39               ` Andrew Fish
2021-04-08 21:07                 ` Marvin Häuser
2021-04-08 21:48                   ` Andrew Fish
2021-04-08 22:42                   ` Michael Brown
2021-04-12 17:22   ` Marvin Häuser
2021-04-12 18:30     ` [EXTERNAL] " Bret Barkelew
2021-04-13  0:19     ` Michael D Kinney
2021-04-13  0:56       ` Nate DeSimone
2021-04-13  7:31         ` Marvin Häuser
2021-04-13 15:05           ` Andrew Fish
2021-04-13 18:04           ` Nate DeSimone
2021-04-13 18:08             ` Michael D Kinney
2021-04-13 18:14             ` Andrew Fish
2021-04-16  7:36               ` Marvin Häuser
2021-04-07 21:05 ` Michael Brown
2021-04-07 21:31   ` Marvin Häuser
2021-04-07 21:50     ` Michael Brown
2021-04-07 22:02       ` Andrew Fish
     [not found]       ` <1673B28429E5B4FE.4742@groups.io>
2021-04-07 22:10         ` Andrew Fish
2021-04-08  9:04           ` Marvin Häuser
2021-04-08  9:40             ` Michael Brown
2021-04-08  8:53       ` Marvin Häuser
2021-04-08  9:26         ` Michael Brown
2021-04-08  9:41           ` Marvin Häuser
2021-04-08  9:50             ` Marvin Häuser
2021-04-08  9:55             ` Michael Brown [this message]
2021-04-08 10:13               ` Marvin Häuser
2021-04-08 10:31                 ` Michael Brown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f43f8599-1c9b-d96d-4d0f-324e76c9b163@ipxe.org \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox