Re: [edk2-devel] Enabling Secure boot

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, sent888@gmail.com
Subject: Re: [edk2-devel] Enabling Secure boot
Date: Tue, 6 Apr 2021 16:18:59 +0200	[thread overview]
Message-ID: <0e8c1390-ec49-6690-0a74-0c930d8cfdf1@redhat.com> (raw)
In-Reply-To: <9Sx0.1617267793542590857.aBnu@groups.io>

On 04/01/21 11:03, sent888@gmail.com wrote:
> Hi,
>  I have enable the secure boot for CorebootPayloadPkg in EDK 2017 and
> got the secure boot configuration in the boot menu. But the problem is
> Attempt secure boot is disabled. Also when I changed from standard mode
> to custom mode to add vmware key in the db, after reset its not getting
> saved. This may due to NVRAM support is not there.
> 
> How to make "Attempt secure boot" to be enabled?
> If NVRAM is not there, how i will add vmware keys in db database?
> Can i hardcode the keys in the edk2 source and secure boot? If so where
> to modify it?

Secure boot is based on authenticated non-volatile UEFI variables that
are described by the UEFI spec. If you don't have functional,
tamper-proof storage on your platform (virtual or otherwise) for said
non-volatile UEFI variables, secure boot will either not work, or will
not be secure in fact. (By "tamper-proof", I mean that e.g. the
operating system must be prevented from modifying said variables, unless
it invokes the appropriate UEFI runtime services.)

I don't know how this specifically applies to CorebootPayloadPkg though.

Thanks
Laszlo

     prev parent reply	other threads:[~2021-04-06 14:19 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-01  9:03 Enabling Secure boot sent888
2021-04-06 14:18 ` Laszlo Ersek [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0e8c1390-ec49-6690-0a74-0c930d8cfdf1@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox