On Thu, Jul 28, 2022 at 06:31:55AM -0700, Neal Gompa wrote:
> On Wed, Jul 27, 2022 at 2:05 PM Lennart Poettering
> <mzerqung(a)0pointer.de> wrote:
> >
> > On Wed, 27.07.22 16:50, Chris Murphy (lists(a)colorremedies.com) wrote:
> >
> > > > I prefer no shim in my computers. I'm using systemd-boot signed by my
> > > > own CA.
> > > >
> > > That is not a generic solution we can ship in Fedora. Since each
> > > distro ships their own shim, they'd each have to ship their own
> > > signed fsfs in order to read the shared non-FAT $BOOT. It's too
> > > high a barrier to adoption.
> >
> > Something we could add relatively easily to sd-boot is that it could
> > look for drivers to load in one of its own PE sections (let's say a
> > new section ".drivers").
> >
> > Then Fedora could do something like this:
> >
> > 1. build ext4 efifs as UEFI PE binary (→ ext2_x64.efi)
> > 2. build systemd-boot as UEFI PE binary (→ systemd-bootx64.efi)
> > 3. use "objcopy --add-section .drivers=ext2_x64.efi
> > systemd-bootx64.efi systemd-bootx64.withext4.efi" to embed the ext4
> > driver inside systemd-boot
> > 4. sign the resulting systemd-bootx64.withext4.efi via shim/…
> > 5. profit! now you have an sd-boot binary that can do ext4. yay.
> > 6. ask relevant other distros to do the same. They are probably in a
> > very similar situation as Fedora is, given they typically all use
> > Grub right now.
> >
> This sounds pretty awesome, actually. I'd like to see that get implemented...
Unfortunately, (complex) file system drivers are not written with safety
in mind. They rather prefer performance over security. If somebody signed a
UEFI driver for ext4, there would be a storm of CVEs "Secure boot bypass with
a contrived file system".
-- Petr