From owner-freebsd-current@freebsd.org Mon Mar 30 05:18:10 2020
From: "Simon J. Gerraty"
To: Warner Losh
CC: Rebecca Cran, Nathan Whitehorn, Kyle Evans, Tomoaki AOKI, FreeBSD Current, Chris H
Subject: Re: When will the FreeBSD (u)EFI work?
Date: Sun, 29 Mar 2020 20:44:29 -0700
Message-ID: <89419.1585539869@kaos.jnpr.net>
List-Id: Discussions about the use of FreeBSD-current

Warner Losh wrote:
> True, but as we move from boot1.efi to loader.efi, the need will
> grow... Even if we keep boot1.efi, loader.efi will be needed for
> interesting secure systems, so we can't cop-out like we have in the
> past.

Sigh, that would force me to have to add verification to boot1.efi ;-)

Personally I'm quite happy with installing loader.efi as bootx64.efi
to avoid that. I treat it as a separately published component,
independent of the loaders used on non-uefi platforms.
So the fact that I have to build it from head, matters little.

The loader should be largely independent of the rest of the system, and
was until lua came along. Eg we can successfully verify and load a
stable/6 based system using loader built from stable/11.

For at least some platforms we cannot use lua, as it takes up headroom
we need for verifying modules.