From: Patrick Wildt <mail@patrick-wildt.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 12/16] cmd: env: use appropriate guid for authenticated UEFI variable
Date: Mon, 18 Nov 2019 07:56:17 +0100 [thread overview]
Message-ID: <20191118065617.GA13053@nox.fritz.box> (raw)
In-Reply-To: <20191118063445.GQ22427@linaro.org>
On Mon, Nov 18, 2019 at 03:34:46PM +0900, AKASHI Takahiro wrote:
> Heinrich,
>
> On Sat, Nov 16, 2019 at 09:10:35PM +0100, Heinrich Schuchardt wrote:
> > On 11/13/19 1:53 AM, AKASHI Takahiro wrote:
> > >A signature database variable is associated with a specific guid.
> > >For convenience, if user doesn't supply any guid info, "env set|print -e"
> > >should complement it.
> >
> > If secure boot is enforced, users should not be able to change any
> > security relevant variables.
>
> I disagree. In fact, UEFI specification allows users to modify
> security database variables if their signatures are verified.
> For example, "db" must be signed by one of certificates in PK or KEK,
> and updating its value will should be authenticated in SetVariable API.
> That is what my patch#7 exactly does.
>
> Thanks,
> -Takahiro Akashi
I agree. It must be possible for any user of the EFI subsystem to be
able to update db/KEK/PK *if* he provides a valid signatures. The thing
is that keys are replaced and rerolled, not only because keys were com-
promised, but also because some policies say it's useful to replace the
keys regularly so that attempts to crack the key have less time to be
successfull. There are more use-cases then that, but what is important
is that it's possible to change them, if properly signed.
Thanks,
Patrick
next prev parent reply other threads:[~2019-11-18 6:56 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-13 0:52 [U-Boot] [PATCH 00/16] efi_loader: add secure boot support AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 01/16] include: pe.h: add signature-related definitions AKASHI Takahiro
2019-11-16 17:42 ` Heinrich Schuchardt
2019-11-18 5:44 ` AKASHI Takahiro
2019-11-18 6:26 ` Heinrich Schuchardt
2019-11-18 6:53 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 02/16] include: image.h: export hash algorithm helper functions AKASHI Takahiro
2019-11-16 17:59 ` Heinrich Schuchardt
2019-11-18 6:22 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 03/16] secure boot: rename CONFIG_SECURE_BOOT config option AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 04/16] efi_loader: add CONFIG_EFI_SECURE_BOOT " AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 05/16] efi_loader: add signature verification functions AKASHI Takahiro
2019-11-16 20:00 ` Heinrich Schuchardt
2019-11-18 7:57 ` AKASHI Takahiro
2019-11-18 8:31 ` AKASHI Takahiro
2019-11-19 5:22 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 06/16] efi_loader: add signature database parser AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 07/16] efi_loader: variable: support variable authentication AKASHI Takahiro
2019-11-16 20:02 ` Heinrich Schuchardt
2019-11-18 7:08 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 08/16] efi_loader: variable: add secure boot state transition AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 09/16] efi_loader: variable: add VendorKeys variable AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 10/16] efi_loader: image_loader: support image authentication AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 11/16] efi_loader: set up secure boot AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 12/16] cmd: env: use appropriate guid for authenticated UEFI variable AKASHI Takahiro
2019-11-16 20:10 ` Heinrich Schuchardt
2019-11-18 6:34 ` AKASHI Takahiro
2019-11-18 6:56 ` Patrick Wildt [this message]
2019-11-13 0:53 ` [U-Boot] [PATCH 13/16] cmd: env: add "-at" option to "env set -e" command AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 14/16] efi_loader, pytest: set up secure boot environment AKASHI Takahiro
2019-11-16 20:19 ` Heinrich Schuchardt
2019-11-18 5:52 ` AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 15/16] efi_loader, pytest: add UEFI secure boot tests (authenticated variables) AKASHI Takahiro
2019-11-16 20:28 ` Heinrich Schuchardt
2019-11-18 5:58 ` AKASHI Takahiro
2019-11-20 2:17 ` AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 16/16] efi_loader, pytest: add UEFI secure boot tests (image) AKASHI Takahiro
2019-11-16 20:31 ` Heinrich Schuchardt
2019-11-18 6:00 ` AKASHI Takahiro
2019-11-15 2:19 ` [U-Boot] [PATCH 00/16] efi_loader: add secure boot support AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191118065617.GA13053@nox.fritz.box \
--to=mail@patrick-wildt.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.