You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In an ideal world, a third-party bootloader such as systemd boot, but also 'hobbyist' bootloaders like rEFInd or OpenCore, would be able to integrate with shim, in order to take advantage of features it provides, and Linux users expect, without having to re-write them all.
[EDIT: systemd boot was a bad example above, as it is already a 'participating bootloader' which is shim lock protocol-aware (and of course therefore must implement its own image loader).]
In order of decreasing importance, these are:
SBAT support
MOK support
Abilty to package vendor DB and DBX of supported distros into shim, and for subsequent bootloader to verify using these:
of course shim already supports specifying vendor DB and DBX on build
grub itself already verifies using these, but relies on having its own PE loader, plus use of the shim lock protocol
a much simpler alternative for an abitrary non-grub bootloader is if gBS LoadImage, after shim, already enforces any additional permissions (i.e. DB from shim) and restrictions (i.e. DBX, SBAT from shim)
The idea here is for a third-party Linux loader (e.g. a BLSpeccompliantone) to be able to potentially boot more than one distro, with secure boot enabled (and very much more ideally than not: without needing its own PE loader, plus awareness of shim lock protocol).
Note that support for all of this is alreadypossible with existing shim code, using the apparently largelyforgotten code enabled with OVERRIDE_SECURITY_POLICY=1 (which currently requires the trivial fix discussed here in order to build).
This issue is raised to ask if this can be treated as a supported/valid use-case, with (something like) the existing support for OVERRIDE_SECURITY_POLICY made available. This includes requesting that it (continues to) be supported for third party boot loaders to be able to verify/deny with certificates from shim (potentially multi-vendor DB and DBX, plus MOK, plus shim SBAT enforcement), ideally just by using gBS->LoadImage.
The text was updated successfully, but these errors were encountered:
Based on the progress of discussion in #596 it seems like maybe such boot loaders are better off fending for themselves and adding their own SBAT support if they wish to have it (since, unfortunately, I believe that that or chaining from shim is the only way to get this). Not chaining via shim rules out MOK integration, unfortunately - unless such loaders implement that as well!
In an ideal world, a third-party bootloader such as
systemd boot, but also'hobbyist' bootloaders like rEFInd or OpenCore, would be able to integrate with shim, in order to take advantage of features it provides, and Linux users expect, without having to re-write them all.[EDIT: systemd boot was a bad example above, as it is already a 'participating bootloader' which is shim lock protocol-aware (and of course therefore must implement its own image loader).]
In order of decreasing importance, these are:
The idea here is for a third-party Linux loader (e.g. a BLSpec compliant one) to be able to potentially boot more than one distro, with secure boot enabled (and very much more ideally than not: without needing its own PE loader, plus awareness of shim lock protocol).
Note that support for all of this is already possible with existing shim code, using the apparently largely forgotten code enabled with OVERRIDE_SECURITY_POLICY=1 (which currently requires the trivial fix discussed here in order to build).
This issue is raised to ask if this can be treated as a supported/valid use-case, with (something like) the existing support for OVERRIDE_SECURITY_POLICY made available. This includes requesting that it (continues to) be supported for third party boot loaders to be able to verify/deny with certificates from shim (potentially multi-vendor DB and DBX, plus MOK, plus shim SBAT enforcement), ideally just by using gBS->LoadImage.
The text was updated successfully, but these errors were encountered: