mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-06-04 11:55:32 +00:00
4185c7d67e
There needs to be some way to communicate to the kernel that it's a trusted key, and since this mechanism already exists, it's by far the easiest.
27 lines
1.1 KiB
Plaintext
27 lines
1.1 KiB
Plaintext
Versioned protocol:
|
|
- Make shim and the bootloaders using it express how enlightened they
|
|
are to one another, so we can stop earlier without tricks like
|
|
the one above
|
|
MokListRT signing:
|
|
- For kexec and hybernate to work right, MokListRT probably needs to
|
|
be an authenticated variable. It's probable this needs to be done
|
|
in the kernel boot stub instead, just because it'll need an
|
|
ephemeral key to be generated, and that means we need some entropy
|
|
to build up.
|
|
New security protocol:
|
|
- TBD
|
|
kexec MoK Management:
|
|
Modsign enforcement mgmt MoK:
|
|
- This is part of the plan for SecureBoot patches. Basically these
|
|
features need to be disableable/enableable in MokManager.
|
|
Variable for debug:
|
|
- basically we need to be able to set a UEFI variable and get debug
|
|
output.
|
|
Db key mokutil config:
|
|
- Asked for by Mimi Zohar: An (on/off) option that would prevent the shim
|
|
and the kernel from trusting keys listed in 'db' and only use those coming
|
|
from the MOK List.
|
|
Hashing of option roms:
|
|
- hash option roms and add them to MokListRT
|
|
- probably belongs in MokManager
|