GRUB has a terrible security story, a key point in the posted presentation. GRUB is huge and has design traps which contribute to regular developer mistakes.
Any huge solution here will suffer the same problem, the larger it is the more likely the problem is.
You don't really need much to do work here, a UEFI program can walk through the directories in the ESP and make choices, and perform assertions, so keep your A/B/R kernel and ramfs objects in there (as UKIs, as separate files, whatever). It can make a choice and boot the thing.
If you want user choice you could put menus into that program too, but you don't need them for most users, so leave them out, that's a ton of deps gone.
A basic program to do this isn't more than 1000 lines, it'll be low on maintenance and exceptionally low on critical flaws.
It's not hard writing even fairly complex things for EFI, here's Fuchsia's UEFI stage which is designed for development and has far more features (fastboot, mdns discovery, etc) than most of these things need. It's still tiny compared to the grub stuff: https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/s...
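The choice-and-assertion step the comment describes, as an added example in portable C; it is not from the comment or from Fuchsia's code. The `slot` fields, the function names and the convention that the last array entry is the recovery slot are hypothetical, the images are assumed to be already read from the ESP into memory, and the PE/COFF sanity check only stands in for a loader's assertions (it is not a signature check).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical per-slot state; field names are assumptions, not from the post. */
struct slot {
    const uint8_t *image;      /* kernel or UKI file contents, already in memory */
    size_t         len;
    uint8_t        priority;   /* 0 = slot disabled, higher value wins */
    uint8_t        tries_left; /* boots remaining before the slot is given up */
    uint8_t        successful; /* set by the OS after a clean boot */
};

/* Assertion: EFI images are PE/COFF, so require "MZ", an in-bounds e_lfanew
 * (little-endian at 0x3c) and the "PE\0\0" signature it points to. */
static int looks_like_pe(const uint8_t *img, size_t len)
{
    uint32_t off;
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    off = (uint32_t)img[0x3c] | (uint32_t)img[0x3d] << 8 |
          (uint32_t)img[0x3e] << 16 | (uint32_t)img[0x3f] << 24;
    if (off > len - 4)         /* len >= 0x40 here, so no underflow */
        return 0;
    return memcmp(img + off, "PE\0\0", 4) == 0;
}

/* A slot may boot if enabled, confirmed or still on trial, and well-formed. */
static int bootable(const struct slot *s)
{
    return s->priority > 0 && (s->successful || s->tries_left > 0) &&
           looks_like_pe(s->image, s->len);
}

/* Returns the index to boot, or -1 if nothing passes. slots[n-1] is the
 * recovery (R) slot and is used only when no A/B slot qualifies. */
int choose_slot(struct slot *slots, size_t n)
{
    int best = -1;
    for (size_t i = 0; i + 1 < n; i++)
        if (bootable(&slots[i]) &&
            (best < 0 || slots[i].priority > slots[best].priority))
            best = (int)i;
    if (best < 0)
        return (n > 0 && looks_like_pe(slots[n - 1].image, slots[n - 1].len))
                   ? (int)n - 1 : -1;
    if (!slots[best].successful)
        slots[best].tries_left--;  /* caller must persist this before booting */
    return best;
}
```
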