From: Paulo Alcantara <pc@cjr.nz>
To: u-boot@lists.denx.de
Subject: [PATCH] efi_loader: allow disabling EFI secure boot in User Mode
Date: Mon, 30 Nov 2020 15:22:39 -0300 [thread overview]
Message-ID: <87wny2r9g0.fsf@cjr.nz> (raw)
In-Reply-To: <a4b7882a-5f17-7cd9-aa0d-d41885672d58@gmx.de>
Hi Heinrich,
Heinrich Schuchardt <xypron.glpk@gmx.de> writes:
> On 11/30/20 3:58 PM, Paulo Alcantara wrote:
>> Introduce a new config option CONFIG_EFI_SECURE_BOOT_VAR_DISABLE to
>> allow disabling EFI secure boot when the platform is operating in User
>> Mode and there is an NV+BS EFI variable called "SecureBootDisable".
>> Otherwise, keep it enabled by default.
>
> could you, please, explain why this is needed.
I was just looking for an easier way to disable it without having to
mess with the secure boot variables and possibly breaking secure boot
altogether. Of course, we could do the same by creating such
SecureBootDisable variable and forgetting about it. Since we're gonna
provide u-boot package with the secure boot keys (PK, KEK, db, dbx)
enrolled in (ESP)/ubootefi.var (generated by efivar.py script), and
those certificates are only provided at build time, that would be tricky
to get it enabled or disabled by removing and inserting the PK, finding
the appropriate certificate depending on whether it is openSUSE or SLES.
For instance, OVMF does have something like that [1].
[1]
https://github.com/tianocore/edk2/blob/master/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c#L682
Thanks.
next prev parent reply other threads:[~2020-11-30 18:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-30 14:58 [PATCH] efi_loader: allow disabling EFI secure boot in User Mode Paulo Alcantara
2020-11-30 16:36 ` Heinrich Schuchardt
2020-11-30 18:22 ` Paulo Alcantara [this message]
2020-12-04 2:23 ` Heinrich Schuchardt
2020-12-04 18:00 ` Paulo Alcantara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wny2r9g0.fsf@cjr.nz \
--to=pc@cjr.nz \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.