Re: UEFI Secure Boot

[James Bottomley <jbottomley@parallels.com>]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 1317 bytes --]

[added mailing list cc's since this is probably going to be a common question]

On Wed, 2012-07-04 at 12:52 -0400, Finnbarr P. Murphy wrote:
> Hi James,
> 
> Nice work on your UEFI Secure Boot demo code!
> 
> Have you experimented with either of the following scenarios?
> 
>     - Removing current PK via a utility
>     - Replacing current PK with a new PK via a utility
> 
> assuming you know existing PK keys.

Not yet ... I'm still working on writing the code that constructs the
time based authentication bundle for the variables.  When I have it, it
will appear in my git repository (and I'll probably send a note to the
linux-efi list):

http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary

>  From Chapter 27 of the UEFI Specification, this should be possible but 
> I cannot get either scenarios to work (due to error 26 - Security 
> Violation)   Perhaps it is the OVMF implementation (latest from trunk) 
> but I suspect it is just my old age!

Constructing time based authentication bundles is complex ... are you
sure you have the code right?  error 26 means the platform doesn't think
the authentication is correct.

James

ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥