From: Patrick Wildt <mail@patrick-wildt.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 12/16] cmd: env: use appropriate guid for authenticated UEFI variable
Date: Mon, 18 Nov 2019 07:56:17 +0100 [thread overview]
Message-ID: <20191118065617.GA13053@nox.fritz.box> (raw)
In-Reply-To: <20191118063445.GQ22427@linaro.org>
On Mon, Nov 18, 2019 at 03:34:46PM +0900, AKASHI Takahiro wrote:
> Heinrich,
>
> On Sat, Nov 16, 2019 at 09:10:35PM +0100, Heinrich Schuchardt wrote:
> > On 11/13/19 1:53 AM, AKASHI Takahiro wrote:
> > >A signature database variable is associated with a specific guid.
> > >For convenience, if user doesn't supply any guid info, "env set|print -e"
> > >should complement it.
> >
> > If secure boot is enforced, users should not be able to change any
> > security relevant variables.
>
> I disagree. In fact, UEFI specification allows users to modify
> security database variables if their signatures are verified.
> For example, "db" must be signed by one of certificates in PK or KEK,
> and updating its value will should be authenticated in SetVariable API.
> That is what my patch#7 exactly does.
>
> Thanks,
> -Takahiro Akashi
I agree. It must be possible for any user of the EFI subsystem to be
able to update db/KEK/PK *if* he provides a valid signatures. The thing
is that keys are replaced and rerolled, not only because keys were com-
promised, but also because some policies say it's useful to replace the
keys regularly so that attempts to crack the key have less time to be
successfull. There are more use-cases then that, but what is important
is that it's possible to change them, if properly signed.
Thanks,
Patrick
next prev parent reply other threads:[~2019-11-18 6:56 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-13 0:52 [U-Boot] [PATCH 00/16] efi_loader: add secure boot support AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 01/16] include: pe.h: add signature-related definitions AKASHI Takahiro
2019-11-16 17:42 ` Heinrich Schuchardt
2019-11-18 5:44 ` AKASHI Takahiro
2019-11-18 6:26 ` Heinrich Schuchardt
2019-11-18 6:53 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 02/16] include: image.h: export hash algorithm helper functions AKASHI Takahiro
2019-11-16 17:59 ` Heinrich Schuchardt
2019-11-18 6:22 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 03/16] secure boot: rename CONFIG_SECURE_BOOT config option AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 04/16] efi_loader: add CONFIG_EFI_SECURE_BOOT " AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 05/16] efi_loader: add signature verification functions AKASHI Takahiro
2019-11-16 20:00 ` Heinrich Schuchardt
2019-11-18 7:57 ` AKASHI Takahiro
2019-11-18 8:31 ` AKASHI Takahiro
2019-11-19 5:22 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 06/16] efi_loader: add signature database parser AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 07/16] efi_loader: variable: support variable authentication AKASHI Takahiro
2019-11-16 20:02 ` Heinrich Schuchardt
2019-11-18 7:08 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 08/16] efi_loader: variable: add secure boot state transition AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 09/16] efi_loader: variable: add VendorKeys variable AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 10/16] efi_loader: image_loader: support image authentication AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 11/16] efi_loader: set up secure boot AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 12/16] cmd: env: use appropriate guid for authenticated UEFI variable AKASHI Takahiro
2019-11-16 20:10 ` Heinrich Schuchardt
2019-11-18 6:34 ` AKASHI Takahiro
2019-11-18 6:56 ` Patrick Wildt [this message]
2019-11-13 0:53 ` [U-Boot] [PATCH 13/16] cmd: env: add "-at" option to "env set -e" command AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 14/16] efi_loader, pytest: set up secure boot environment AKASHI Takahiro
2019-11-16 20:19 ` Heinrich Schuchardt
2019-11-18 5:52 ` AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 15/16] efi_loader, pytest: add UEFI secure boot tests (authenticated variables) AKASHI Takahiro
2019-11-16 20:28 ` Heinrich Schuchardt
2019-11-18 5:58 ` AKASHI Takahiro
2019-11-20 2:17 ` AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 16/16] efi_loader, pytest: add UEFI secure boot tests (image) AKASHI Takahiro
2019-11-16 20:31 ` Heinrich Schuchardt
2019-11-18 6:00 ` AKASHI Takahiro
2019-11-15 2:19 ` [U-Boot] [PATCH 00/16] efi_loader: add secure boot support AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191118065617.GA13053@nox.fritz.box \
--to=mail@patrick-wildt.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox