From: Joel Stanley <joel@jms.id.au>
To: Richard Hughes <hughsient@gmail.com>, Arnd Bergmann <arnd@arndb.de>
Cc: openBMC Maillist <openbmc@lists.ozlabs.org>
Subject: Re: validating secure boot settings
Date: Fri, 25 Feb 2022 04:40:20 +0000
Message-ID: <CACPK8XfJ60B5aJchrzSDV5xDZuqYqLU0wRJ_+iq3um17Zeztow@mail.gmail.com>
In-Reply-To: <CAD2FfiHBHrc2WSSgsQUWqobYwTv+8wrEaQ39Nyr0F6Ed59TiMg@mail.gmail.com>

Hi Richard,

Long time listener, first time caller. I appreciate all the work you
do with fwupd.

On Mon, 21 Feb 2022 at 19:49, Richard Hughes <hughsient@gmail.com> wrote:
>
> On Mon, 21 Feb 2022 at 18:23, Andrew Geissler <geissonator@gmail.com> wrote:
> > So, anyone else interested in something like this? If so, any votes on where
> > a good place for this logic to reside would be?
>
> This seems like the kind of thing that we'd be interested in for the
> HSI specification[1], although I appreciate that's only tangentially
> OpenBMC related.

You might be interested in this patch set which Andrew's mentioned:

 https://lore.kernel.org/all/20220204072234.304543-1-joel@jms.id.au/

The idea is to have a set of sysfs files that say "this machine has
secure boot enabled", and other interesting bits about firmware boot
state.

You might already have that on EFI systems, but this would be
consistent regardless of the firmware used. Reading through your HSI
spec, we could also hook up the "read only SPI descriptor" file. I
called that opt_write_protect in an earlier version of my patches.

I have been chatting with Arnd about how to get it merged, and have
some ideas that I'll send out in a v4.

One thing we want to get right before merging is coming up with names
that are meaningful outside of a single firmware (e.g. EFI) or SoC
vendor (like the ASPEED names I started with). I welcome your input.

Cheers,

Joel
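As an added illustration of the "consistent regardless of the firmware" idea (my own code, not part of Joel's patch set, fwupd or the HSI spec): a read-only check that takes secure-boot state from the EFI SecureBoot variable where efivarfs exists and from a firmware-agnostic attribute file otherwise, and flags the two sources disagreeing instead of silently picking one. The attribute file names `secure_boot` and `opt_write_protect` (the latter from the mail above) and the directory layout are assumptions; the fixture is constructed in a temporary directory so it runs anywhere.

```python
import tempfile
from pathlib import Path

# efivarfs file: 4-byte attributes word, then the variable data (1 byte here).
EFI_SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_efi_secure_boot(efivars: Path):
    """True/False from the EFI SecureBoot variable, None if absent or short."""
    var = efivars / EFI_SECUREBOOT_VAR
    if not var.is_file():
        return None
    data = var.read_bytes()
    return (data[4] == 1) if len(data) >= 5 else None

def read_attr_bool(attr_dir: Path, name: str):
    """Read a '0'/'1' attribute file (hypothetical firmware-agnostic sysfs)."""
    f = attr_dir / name
    if not f.is_file():
        return None
    return {"0": False, "1": True}.get(f.read_text().strip())

def secure_boot_state(efivars: Path, attr_dir: Path) -> dict:
    """Merge both views: any source saying 'disabled' wins, and disagreement
    between sources is flagged rather than averaged away."""
    views = [v for v in (read_efi_secure_boot(efivars),
                         read_attr_bool(attr_dir, "secure_boot")) if v is not None]
    return {"secure_boot": all(views) if views else None,
            "spi_write_protect": read_attr_bool(attr_dir, "opt_write_protect"),
            "conflict": len(set(views)) > 1}

def build_sample(root: Path, efi, generic, wp):
    """Constructed fixture: fake efivars and attribute directories under root."""
    efivars, attrs = root / "efivars", root / "firmware-attributes"
    for p in (efivars, attrs):
        p.mkdir()
    if efi is not None:
        (efivars / EFI_SECUREBOOT_VAR).write_bytes(efi)
    for name, val in (("secure_boot", generic), ("opt_write_protect", wp)):
        if val is not None:
            (attrs / name).write_text(val + "\n")
    return efivars, attrs

def evaluate_sample(efi, generic, wp) -> dict:
    """Run the check over a throwaway fixture; used by the demo below."""
    with tempfile.TemporaryDirectory() as d:
        return secure_boot_state(*build_sample(Path(d), efi, generic, wp))

if __name__ == "__main__":
    # EFI reports enabled (attrs 0x07, value 1) while the generic file says 0.
    print(evaluate_sample(b"\x07\x00\x00\x00\x01", "0", "1"))
```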
