於 五,2013-08-09 於 08:10 +0100,Matthew Garrett 提到:
On Fri, Aug 09, 2013 at 02:49:44PM +0800, joeyli wrote:
於 五,2013-08-09 於 06:12 +0100,Matthew Garrett 提到:
The only potential problem is the generation of a new key pair on every reboot. Some hardware vendors have expressed concerns about writing variables on every boot, so if we can avoid that somehow then life would probably be better.
Do they concern the life of flash memory? or concern to brick the machine because garbage collection don't trigger?
Yeah, I think the concern is wear cycles.
Kernel load the S4 sign key (private key) before kernel call ExitBootServices(), load it from boot-time variable.
That sounds like a good plan.
But, above approach means S4 signature check function limit on EFI stub kernel. User can not enable this function without using EFI stub.
Personally, I don't have a problem with that - I think using the EFI entry point is the right thing to do, especially since you need to build the kernel with EFI stub support in order to sign it. But in that case, I should really work on getting the grub support for that upstream.
Thanks for your suggestion, then I will try the approach to load private key in EFI stub. Joey Lee -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org