Re: [RFC] UEFI Secure Boot on Xen Hosts

[Bobby Eshleman <bobbyeshleman@xxxxxxxxx>]

On Wed, Apr 29, 2020 at 05:51:08PM -0500, Bobby Eshleman wrote:
> 
> # Option #1: PE/COFF and Shim
> 

... snip ...

> 
> # Option #3: Lean on Grub2's LoadFile2() Verification
> 

... snip ...

It's safe to say that the options boiled down to #1 and #3.  Seeing as how we
may not be able to start playing with the new Grub functionality for some time,
and also seeing as how the security properties of each approach are very
similar, I think that option #1 is probably the best path for what we are
looking to achieve in supporting UEFI SB.  With out any strong objections
against this, that'll be the path we start heading down (starting with Daniel's
patch set) and will be hoping to get upstream.

If possible, the implementation would support both SHIM_LOCK and LoadFile2(),
potentially by one falling back to other upon reporting a security violation,
or detecting the functionality provided by Grub in some manner...  but this
will be easier to evaluate after seeing how the LoadFile2() mechanism will
work.

If LoadFile2() proves itself a better approach, we would not be opposed to
moving in that direction when it is available.

I started joining community calls shortly after the intent of 'docs/design'
was discussed there.  Is this a change that merits a 'docs/design' RFC?

Best regards,
Bobby