> I don't mind adding runtime checks if they help in debugging not completely > unlikely issues.
Since it happened to me and I was using bg_gen_unified_kernel, I'd say it's not completely unlikely :) Given that this tool is rather new, I wouldn't be surprised if there are more bugs waiting be discovered in the future (it's just the nature of software). > But I'm even more interested in finding and avoiding issues between the > artifact production, UKI generation and > finally signing possibly corrupted things. I agree, the actual problem is that bg_gen_unified_kernel generated an invalid UKI; it did produce a valid image though once I enabled CONFIG_EFI in the kernel (which was missing for the corrupted image). I will try to reproduce this issue after fixing another issue with U-Boot. In any case, signing wouldn't have made a difference in my case: I would have just signed the EFI file with my developer keys since I wanted to see if it actually boots (turns out, it didn't) :). This patch is not meant to protect from malicious attackers, it's just supposed to make the life of developers more pleasant. Kind Regards, Michael -- Michael Adler Siemens AG T CED SES-DE Otto-Hahn-Ring 6 81739 München, Deutschland Siemens Aktiengesellschaft: Vorsitzender des Aufsichtsrats: Jim Hagemann Snabe; Vorstand: Roland Busch, Vorsitzender; Klaus Helmrich, Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Sitz der Gesellschaft: Berlin und München, Deutschland; Registergericht: Berlin-Charlottenburg, HRB 12300, München, HRB 6684; WEEE-Reg.-Nr. DE 23691322 -- You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/efibootguard-dev/20221208140226.uwxf272ogkjzjbtr%40backstein.
