Date: Thu, 19 Oct 2017 10:02:47 -0700 From: "Simon J. Gerraty" <sjg@juniper.net> To: Warner Losh <imp@bsdimp.com> Cc: "freebsd-arch@freebsd.org" <arch@freebsd.org>, <sjg@juniper.net> Subject: Re: boot1.efi future Message-ID: <44307.1508432567@kaos.jnpr.net> In-Reply-To: <CANCZdfqWSqjdRGetoiscEKJ_dNf3JgOQ2S9mzA0v1mP9PGAy=g@mail.gmail.com> References: <CANCZdfqWSqjdRGetoiscEKJ_dNf3JgOQ2S9mzA0v1mP9PGAy=g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Warner Losh <imp@bsdimp.com> wrote: > There's lots of details to get right before we can make the final switch, > but I think it's in the interest of the project to do so. Just one comment that may or may not be relevant depending on the overal plan. I've implemented verification in the freebsd loader, along the lines previously mentioned, for us this pretty much closes the secure-boot gap - loader verifies kernel and its initial rootfs so init and etc/rc. Which then gets us to mac_veriexec. >From that pov the initial boot bits can change as you like without affecting the above. Is that the plan? It only matters I guess in terms of the effort to upstream - assuming there is interest from other embedded vendors. Thanks --sjg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44307.1508432567>