On Fri, Aug 03, 2018 at 03:39:53PM +0200, Daniel Kiper wrote:

> Some verifiers, e.g. shim lock, may not be able to verify all file types, e.g.
> GRUB2 modules, on your own and would want to delegate verification to other
> verifiers, e.g. PGP. Currently this is not possible. So, I think that we should

If every verifier is called in turn, isn't this handled by having the 
shim interface return valid for all file types it doesn't verify?

> extend the interface with relevant functionality. However, this will not solve
> all problems. E.g. it is dangerous to load iorw or memrw modules, even if they
> are signed e.g. with PGP, if UEFI secure boot is enabled. So, I think that we
> should disable module loading if such verifiers are in use or provide
> a functionality which gives us a chance to black list some modules.

One option would be a secure boot verifier that just denies verification 
of all modules (or has some more complicated policy)?

> If TPM verifier is introduced then module loading order changes will change
> measurements. So, in this case maybe we should encourage users to use
> standalone GRUB2. Or enforce module loading order somehow. However, this
> can be difficult and not reliable.

Yeah, I think standalone images are going to be the right solution for 
most users here.

-- 
Matthew Garrett | mj...@srcf.ucam.org

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
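
The load-order concern in the last quoted paragraph, as an added example that is not part of the original message and is not GRUB code: it models the TPM extend operation (new PCR = SHA-256(old PCR || SHA-256(data))) over a few modules. The module names and contents are constructed, the PCR is assumed to start at zero, and the standalone image is modelled as a fixed-order concatenation measured once.

```python
import hashlib
from itertools import permutations

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure(blobs) -> bytes:
    """Extend a zeroed PCR with each blob in the order given."""
    pcr = bytes(PCR_SIZE)
    for blob in blobs:
        pcr = extend(pcr, blob)
    return pcr


# Constructed stand-ins for module files; real modules are ELF objects.
MODULES = {
    "normal.mod": b"constructed-normal-module",
    "ext2.mod": b"constructed-ext2-module",
    "linux.mod": b"constructed-linux-module",
}


def distinct_pcrs(modules) -> int:
    """Count the final PCR values reachable by reordering module loads."""
    return len({
        measure([modules[name] for name in order])
        for order in permutations(modules)
    })


def standalone_pcr(modules) -> bytes:
    """Assumed model of a standalone image: the same modules linked in a
    fixed build-time order and measured as one blob."""
    image = b"".join(modules[name] for name in sorted(modules))
    return measure([image])


if __name__ == "__main__":
    print("PCR values across load orders:", distinct_pcrs(MODULES))
    print("standalone image PCR:", standalone_pcr(MODULES).hex())
```

A policy sealed against one of the six values fails to unseal under any other load order, while the single-measurement image yields one value regardless of how the configuration later references its modules.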
