• Ard Biesheuvel's avatar
    efi/libstub: implement generic EFI zboot · a0509109
    Ard Biesheuvel authored
    Implement a minimal EFI app that decompresses the real kernel image and
    launches it using the firmware's LoadImage and StartImage boot services.
    This removes the need for any arch-specific hacks.
    
    Note that on systems that have UEFI secure boot policies enabled,
    LoadImage/StartImage require images to be signed, or their hashes known
    a priori, in order to be permitted to boot.
    
    There are various possible strategies to work around this requirement,
    but they all rely either on overriding internal PI/DXE protocols (which
    are not part of the EFI spec) or omitting the firmware provided
    LoadImage() and StartImage() boot services, which is also undesirable,
    given that they encapsulate platform specific policies related to secure
    boot and measured boot, but also related to memory permissions (whether
    or not and which types of heap allocations have both write and execute
    permissions.)
    
    The only generic and truly portable way around this is to simply sign
    both the inner and the outer image with the same key/cert pair, so this
    is what is implemented here.
    Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
    a0509109
Makefile.zboot 2.53 KB