On Do, 28.07.22 16:54, Petr Pisar (ppisar(a)redhat.com) wrote:
> > This sounds pretty awesome, actually. I'd like to see that
> > get implemented...
>
> Unfortunately (complex) file system drivers are not written with safety
> in mind. They rather prefer performance over security. If somebody signed a
> UEFI driver for ext4, there would be a storm of CVEs "Secure boot bypass with
> a contrived file system".

efifs just added uefi glue on top of grub's fs drivers.
Thus, if grub is fine to sign, then efifs is much much less risk,
given it's a fraction of the grub codebase, but actually mostly code
from the grub codebase.

But anyway, I am actually advocating for sticking to VFAT
everywhere. ext4 drivers in the boot loader only are necessary for the
upgrade path.

Lennart

--
Lennart Poettering, Berlin