Hi Grant, > I see two ways to handle this that fits with the Secure Boot > authentication path: > > Option 1: Leave it to the OS loader > We could simply say that if the OS wants to replace the DTB, then it > should take care of authentication itself within the OS loader (possibly > the in-kernel UEFI stub) and install a replacement DTB in the > configuration table before calling exit boot services. In this scenario, > U-Boot doesn't authenticate the DTB at all. > > In fact, Option 1 is pretty close to what is required for the initrd. > > I wonder if it is possible to wrap the DTB with a PE/COFF so that the os > loader can use load_image to authenticate and retrieve the data without > actually executing the image. That would allow for the DTB & initrd to > be authenticated in the same way as the kernel. I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform", so i doubt this will be allowed.
Thanks /Ilias _______________________________________________ boot-architecture mailing list [email protected] https://lists.linaro.org/mailman/listinfo/boot-architecture
