boot1.efi future
Eric McCorkle
eric at metricspace.net
Fri Oct 20 02:03:29 UTC 2017
On 10/19/2017 13:18, Warner Losh wrote:
> On Oct 19, 2017 10:03 AM, "Simon J. Gerraty" <sjg at juniper.net> wrote:
>
> Warner Losh <imp at bsdimp.com> wrote:
>> There's lots of details to get right before we can make the final switch,
>> but I think it's in the interest of the project to do so.
>
> Just one comment that may or may not be relevant depending on the overall
> plan.
>
> I've implemented verification in the freebsd loader, along the lines
> previously mentioned, for us this pretty much closes the secure-boot
> gap - loader verifies kernel and its initial rootfs so init and etc/rc.
> Which then gets us to mac_veriexec.
>
> From that pov the initial boot bits can change as you like without
> affecting the above. Is that the plan?
>
> It only matters I guess in terms of the effort to upstream - assuming
> there is interest from other embedded vendors.

Do I assume correctly that this is based on the NetBSD mac-based
verification stuff? I.e., not the public-key crypto stuff I've talked about?