Hi Tom,

On Fri, May 31, 2019 at 11:05:20AM -0400, Tom Rini wrote:
> On Fri, May 31, 2019 at 02:40:32PM +0100, Steve McIntyre wrote:
> > On Tue, May 28, 2019 at 02:04:23PM +0300, Ilias Apalodimas wrote:
> > >> >
> > >> > The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the
> > >> > EFI payloads
> > >>
> > >> I think that you'd better explain why you stick to *UEFI* secure boot.
> > >
> > >The main reason is distro support. Since distros use a number of different ways
> > >of booting up on arm boards, using UEFI is the obvious way to unify that (and
> > >already supported on some) regardless of the bootloader. UEFI secure boot
> > >provides a common approach to security instead of 'per bootloader' solutions
> >
> > Yup, absolutely (says the Debian EFI team lead) ...
>
> The other thing we need to keep in mind is that (based on my own
> experience implementing UEFI secure boot on an x86_64 platform), we are
> not looking at a case of "make an existing solution function on other
> architectures" but rather "there's some good concepts here and an
> implementation waiting to be figured out".

We agree here. From Grant's proposals #1 and #2, I'd prefer seeing something
similar to #2 implemented. I'd prefer having the option to authenticate
DTB/initramfs from the 'main bootloader', than delegating that to some EFI
payload, mostly for fragmentation reasons.

Thanks
/Ilias