From mboxrd@z Thu Jan 1 00:00:00 1970 From: Heinrich Schuchardt Date: Fri, 4 Dec 2020 03:23:07 +0100 Subject: [PATCH] efi_loader: allow disabling EFI secure boot in User Mode In-Reply-To: <87wny2r9g0.fsf@cjr.nz> References: <20201130145839.31620-1-pc@cjr.nz> <87wny2r9g0.fsf@cjr.nz> Message-ID: <386e4f64-6664-58d7-8a8b-a9d9aed3ae52@gmx.de> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On 11/30/20 7:22 PM, Paulo Alcantara wrote: > Hi Heinrich, > > Heinrich Schuchardt writes: > >> On 11/30/20 3:58 PM, Paulo Alcantara wrote: >>> Introduce a new config option CONFIG_EFI_SECURE_BOOT_VAR_DISABLE to >>> allow disabling EFI secure boot when the platform is operating in User >>> Mode and there is an NV+BS EFI variable called "SecureBootDisable". >>> Otherwise, keep it enabled by default. >> >> could you, please, explain why this is needed. > > I was just looking for an easier way to disable it without having to > mess with the secure boot variables and possibly breaking secure boot > altogether. Of course, we could do the same by creating such > SecureBootDisable variable and forgetting about it. Since we're gonna > provide u-boot package with the secure boot keys (PK, KEK, db, dbx) > enrolled in (ESP)/ubootefi.var (generated by efivar.py script), and > those certificates are only provided at build time, that would be tricky > to get it enabled or disabled by removing and inserting the PK, finding > the appropriate certificate depending on whether it is openSUSE or SLES. > > For instance, OVMF does have something like that [1]. > > [1] > https://github.com/tianocore/edk2/blob/master/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c#L682 > > Thanks. > Hello Paulo, how would you stop an attacker from disabling secure boot on your device and tempering with it if this configuration were enabled? Best regard Heinrich