On 5/31/19 7:16 PM, Ilias Apalodimas wrote:
Hi Grant,
I see two ways to handle this that fit with the Secure Boot
authentication path:
Option 1: Leave it to the OS loader
We could simply say that if the OS wants to replace the DTB, then it
should take care of authentication itself within the OS loader (possibly
the in-kernel UEFI stub) and install a replacement DTB in the
configuration table before calling exit boot services. In this scenario,
U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the OS
loader can use load_image to authenticate and retrieve the data without
actually executing the image. That would allow for the DTB & initrd to
be authenticated in the same way as the kernel.
I asked around on this prior to the email, but I think it boils down to
"UEFI is intended to authenticate bootable images for the platform", so I doubt
this will be allowed.
What makes you think so? Also drivers are authenticated according to the
UEFI spec.
Best regards
Heinrich