public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Gary Lin <glin@suse.com>
To: "David F." <df7729@gmail.com>
Cc: edk2-devel@lists.01.org
Subject: Re: StartImage with Secure Boot on Self-Signed App
Date: Fri, 8 Sep 2017 10:11:16 +0800	[thread overview]
Message-ID: <20170908021116.6ksnrkapj3dvuder@localhost> (raw)
In-Reply-To: <CAGRSmLsh31v+nKSzMD+Yb-9JBPkRW9FPw6q=AgH=JUkc9sTvSw@mail.gmail.com>

On Thu, Sep 07, 2017 at 01:00:03PM -0700, David F. wrote:
> Hello,
> 
> What is the proper way to allow running another app that is verified
> with a self-signed certificate?
> 
> Example, App1 is signed with one that allows secure boot booting (in
> firmware) and has a public key embedded in the signed code, App2 is
> verified by App1 and so is allowed to run, but because the key is not
> in secure boot firmware, StartImage will not run it (although
> LoadImage did what it needed to do and already reported the security
> violation potential).   Do we have to roll our own StartImage?  or is
> something already in place?  I can't rely on changing an internal
> private structure field to allow StartImage to work since each
> firmware platform may change the way it all works, looking for the
> proper method as designed.
> 
The major linux distros are using shim(*) to verify the bootloaders and
kernels signed by ourselves, and shim implements its own StartImage.

If your application is going to be deployed to the newer UEFI, instead
of using the built-in openssl, you can try EFI_PKCS7_VERIFY_PROTOCOL to
verify the UEFI images. It will make your application much slimmer and
easier to maintain.

Cheers,

Gary Lin

(*) https://github.com/rhboot/shim


  reply	other threads:[~2017-09-08  2:08 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CAGRSmLuQ3prdU1D_PDfzZpWHdnMjQfzKzzU8EpvOMX4BWvcxQA@mail.gmail.com>
2017-09-07 20:00 ` StartImage with Secure Boot on Self-Signed App David F.
2017-09-08  2:11   ` Gary Lin [this message]
2017-09-08  2:51     ` David F.
2017-09-08 15:33       ` David F.
2017-09-12  7:32         ` Gao, Liming
2017-10-06  0:27           ` David F.
2017-10-09  6:56             ` Gao, Liming

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170908021116.6ksnrkapj3dvuder@localhost \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox