mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-07-27 08:57:14 +00:00
39 lines
1.5 KiB
Plaintext
39 lines
1.5 KiB
Plaintext
Hardening startimage:
|
|
- Don't allow non-participating bootloaders/kernels to call
|
|
ExitBootServices(), but trap in StartImage() so we can let them do
|
|
that.
|
|
Versioned protocol:
|
|
- Make shim and the bootloaders using it express how enlightened they
|
|
are to one another, so we can stop earlier without tricks like
|
|
the one above
|
|
MokListRT containing shim key:
|
|
- MokListRT has to contain the shim key...
|
|
MokListRT signing:
|
|
- For kexec and hybernate to work right, MokListRT probably needs to
|
|
be an authenticated variable. It's probable this needs to be done
|
|
in the kernel boot stub instead, just because it'll need an
|
|
ephemeral key to be generated, and that means we need some entropy
|
|
to build up.
|
|
Better ui:
|
|
- Gary Lin at SuSE is working on better UI for MokManager. It
|
|
desperately needs it.
|
|
James's modification:
|
|
- We're merging James Bottomley's hack to make shim use unpublished
|
|
system crypto services, as a compile time option.
|
|
New security protocol:
|
|
- TBD
|
|
kexec MoK Management:
|
|
Modsign enforcement mgmt MoK:
|
|
- This is part of the plan for SecureBoot patches. Basically these
|
|
features need to be disableable/enableable in MokManager.
|
|
Variable for debug:
|
|
- basically we need to be able to set a UEFI variable and get debug
|
|
output.
|
|
Db key mokutil config:
|
|
- Asked for by Mimi Zohar: An (on/off) option that would prevent the shim
|
|
and the kernel from trusting keys listed in 'db' and only use those coming
|
|
from the MOK List.
|
|
Hashing of option roms:
|
|
- hash option roms and add them to MokListRT
|
|
- probably belongs in MokManager
|