Buildroot Archive on lore.kernel.org
From: bugzilla@busybox.net
To: buildroot@uclibc.org
Subject: [Buildroot] [Bug 15531] shim doesn't provide hooks for signing
Date: Tue, 11 Apr 2023 19:43:30 +0000	[thread overview]
Message-ID: <bug-15531-163-vlrVtQpakz@https.bugs.busybox.net/> (raw)
In-Reply-To: <bug-15531-163@https.bugs.busybox.net/>

https://bugs.busybox.net/show_bug.cgi?id=15531

Yann E. MORIN <yann.morin.1998@free.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yann.morin.1998@free.fr

--- Comment #1 from Yann E. MORIN <yann.morin.1998@free.fr> ---
Jonathan, All,

> Shim is supposed to provide a signed UEFI bootloader for secureboot.
> However, it is intended to be supplied with a key at build time (make
> VENDOR_CERT_FILE=<path.to.cer>).  Perhaps a menu option could be added
> to Config.in allowing the user to specify a certificate location.

As far as I understand it, this is two-fold:

1. shim can check the signature of the files it loads; this is what
    VENDOR_CERT_FILE is for, and

2. shim can be signed, so that the EFI bootrom can verify shim against
    known keys; this is what ENABLE_SHIM_CERT, if set, is for.

However, it is very possible to build a shim that is signed but does
not verify the signatures of what it loads, or the other way around.

So, we'd need two options:

1. BR2_TARGET_SHIM_CERT_FILE, the path to a .cer file, to set in
    VENDOR_CERT_FILE; if BR2_TARGET_SHIM_CERT_FILE, the generated shim
    will not check signatures of what it loads

2. BR2_TARGET_SHIM_SIGNED, a boolean to drive whether shim is signed,
    in which case the *.efi.signed should be installed, along with
    shim.key (so it can be enrolled into the UEFI bootloader?)

It looks like they are independent of each other, and so can be
done in any order, and it is OK if you only send a patch for the one
you need (you'll send a patch, won't you? ;-) )

For 2, I am not sure if one can provide their own shim.key and shim.crt,
but looking at the Makefile, it looks like it should be possible (one
does not want to enroll a new key for each build!).

Regards,
Yann E. MORIN.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
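The two options Yann sketches above map onto two independent knobs of shim's own Makefile: VENDOR_CERT_FILE (the certificate shim uses to verify what it loads) and ENABLE_SHIM_CERT (which makes the build emit the *.efi.signed binaries plus a shim.key/shim.crt pair). The fragment below is an added illustration of how a Buildroot boot/shim package could wire those up; it is not code from the bug, from the later patches in this thread, or from Buildroot itself. The option names BR2_TARGET_SHIM_CERT_FILE and BR2_TARGET_SHIM_SIGNED come from the comment; the install path under $(BINARIES_DIR)/efi-part and the SHIM_* variable layout are assumptions in the style of Buildroot's generic-package infrastructure. One deliberate choice: only the public shim.crt is copied out for enrolment, never shim.key, since whoever holds that private key can sign bootloaders the firmware will trust.

```makefile
# --- boot/shim/Config.in (Kconfig fragment, illustrative) ---
#
# config BR2_TARGET_SHIM_CERT_FILE
#         string "vendor certificate file (DER .cer)"
#         help
#           Path to the certificate that shim embeds and uses to verify
#           the signature of the bootloader it loads. Leave empty to build
#           a shim that does not verify what it loads.
#
# config BR2_TARGET_SHIM_SIGNED
#         bool "sign shim with a build-time key (ENABLE_SHIM_CERT)"
#         help
#           Produce the *.efi.signed binaries and a shim.key/shim.crt pair.
#           shim.crt is exported so it can be enrolled into the firmware;
#           shim.key stays in the build directory.

# --- boot/shim/shim.mk (make fragment, illustrative) ---

# Option 1: certificate shim uses to verify the payload it loads.
# qstrip removes the quotes Kconfig puts around string values.
SHIM_VENDOR_CERT = $(call qstrip,$(BR2_TARGET_SHIM_CERT_FILE))
ifneq ($(SHIM_VENDOR_CERT),)
SHIM_MAKE_OPTS += VENDOR_CERT_FILE=$(SHIM_VENDOR_CERT)
endif

# Option 2: whether shim itself is signed; independent of option 1.
ifeq ($(BR2_TARGET_SHIM_SIGNED),y)
SHIM_MAKE_OPTS += ENABLE_SHIM_CERT=1
# Install the signed binary; the firmware verifies it against an enrolled key.
SHIM_EFI_BIN = shimx64.efi.signed
else
# Unsigned shim: only usable with Secure Boot disabled or setup mode.
SHIM_EFI_BIN = shimx64.efi
endif

define SHIM_BUILD_CMDS
	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(SHIM_MAKE_OPTS)
endef

define SHIM_INSTALL_IMAGES_CMDS
	$(INSTALL) -D -m 0644 $(@D)/$(SHIM_EFI_BIN) \
		$(BINARIES_DIR)/efi-part/EFI/BOOT/bootx64.efi
	# Export only the public certificate for enrolment (db/MOK).
	# The private key (shim.key) is intentionally not installed anywhere.
	$(if $(BR2_TARGET_SHIM_SIGNED), \
		$(INSTALL) -D -m 0644 $(@D)/shim.crt $(BINARIES_DIR)/shim.crt)
endef

$(eval $(generic-package))
```

With both options unset the build yields a plain shimx64.efi that neither is signed nor checks its payload, which is exactly the combination the comment warns is possible; setting only one of them gives the other two cases. For a reproducible trust anchor across builds (the "one does not want to enroll a new key for each build" point), the key pair would have to be supplied to shim's Makefile rather than generated by it, which this sketch does not attempt.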
