Date: Fri, 8 Sep 2017 10:11:16 +0800
From: Gary Lin
To: "David F."
Cc: edk2-devel@lists.01.org
Message-ID: <20170908021116.6ksnrkapj3dvuder@localhost>
Subject: Re: StartImage with Secure Boot on Self-Signed App
User-Agent: NeoMutt/20170609 (1.8.3)

On Thu, Sep 07, 2017 at 01:00:03PM -0700, David F. wrote:
> Hello,
>
> What is the proper way to allow running another app that is verified
> with a self-signed certificate?
>
> Example: App1 is signed with one that allows secure boot booting (in
> firmware) and has a public key embedded in the signed code. App2 is
> verified by App1 and so is allowed to run, but because the key is not
> in secure boot firmware, StartImage will not run it (although
> LoadImage did what it needed to do and already reported the security
> violation potential). Do we have to roll our own StartImage, or is
> something already in place? I can't rely on changing an internal
> private structure field to allow StartImage to work, since each
> firmware platform may change the way it all works; looking for the
> proper method as designed.
The major Linux distros are using shim(*) to verify the bootloaders and
kernels signed by ourselves, and shim implements its own StartImage.

If your application is going to be deployed to the newer UEFI, instead of
using the built-in openssl, you can try EFI_PKCS7_VERIFY_PROTOCOL to verify
the UEFI images. It will make your application much slimmer and easier to
maintain.

Cheers,

Gary Lin

(*) https://github.com/rhboot/shim
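As an added example, not code from this thread, from shim or from EDK2: the AllowedDb that EFI_PKCS7_VERIFY_PROTOCOL takes is an array of EFI_SIGNATURE_LIST pointers, and an application that embeds its own X.509 public key has to build such a list from the DER certificate and should bounds-check any list it reads back. The helpers below (hypothetical names, plain C types so they compile without EDK2 headers) build one X.509 list and validate every size field before trusting it; the 5-byte "certificate" in the round trip is a constructed placeholder, not real DER.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not code from the thread: build and bounds-check an
 * EFI_SIGNATURE_LIST of X.509 certificates, the AllowedDb shape that
 * EFI_PKCS7_VERIFY_PROTOCOL consumes. Plain C types, no EDK2 headers. */
#define SIGLIST_HDR 28u   /* SignatureType GUID + ListSize + HeaderSize + SigSize */
#define SIGDATA_HDR 16u   /* SignatureOwner GUID in front of each entry */
/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 in UEFI byte order */
static const uint8_t EFI_CERT_X509_GUID[16] = {
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a, 0x87,0xb5, 0xab,0x15,0x5c,0x2b,0xf0,0x72 };
static void put_u32(uint8_t *p, uint32_t v) {   /* fields are little-endian */
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t get_u32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Serialize one DER certificate into a list. Returns bytes written, or 0 if
 * the output buffer cannot hold the list. */
size_t build_x509_siglist(const uint8_t owner[16], const uint8_t *der,
                          uint32_t der_len, uint8_t *out, size_t out_cap) {
    uint32_t sig_size = SIGDATA_HDR + der_len, list_size = SIGLIST_HDR + sig_size;
    if (der_len == 0 || out_cap < list_size) return 0;
    memcpy(out, EFI_CERT_X509_GUID, 16);
    put_u32(out + 16, list_size);
    put_u32(out + 20, 0);                         /* no per-list header */
    put_u32(out + 24, sig_size);
    memcpy(out + SIGLIST_HDR, owner, 16);
    memcpy(out + SIGLIST_HDR + SIGDATA_HDR, der, der_len);
    return list_size;
}

/* Check that buf holds exactly one well-formed X.509 list; every size field is
 * bounded against len before it is trusted. Returns the cert count, or -1. */
int validate_x509_siglist(const uint8_t *buf, size_t len) {
    if (len < SIGLIST_HDR || memcmp(buf, EFI_CERT_X509_GUID, 16) != 0) return -1;
    uint32_t list_size = get_u32(buf + 16), hdr = get_u32(buf + 20),
             sig_size = get_u32(buf + 24);
    if (list_size != len || hdr != 0 || sig_size <= SIGDATA_HDR) return -1;
    uint32_t body = list_size - SIGLIST_HDR;
    return body % sig_size ? -1 : (int)(body / sig_size);
}
/* Round trip with a constructed placeholder blob (not a real certificate):
 * build, reject a truncated copy, then return the count of the intact list. */
int siglist_roundtrip(void) {
    static const uint8_t fake_der[5] = { 0x30, 0x03, 0x02, 0x01, 0x05 }, owner[16] = { 0 };
    uint8_t list[64];
    size_t n = build_x509_siglist(owner, fake_der, sizeof fake_der, list, sizeof list);
    if (n != SIGLIST_HDR + SIGDATA_HDR + sizeof fake_der) return -2;
    if (validate_x509_siglist(list, n - 1) != -1) return -3;
    return validate_x509_siglist(list, n);
}
```

In a real application the DER blob is the embedded public certificate and the resulting buffer is passed as `AllowedDb[0]` (with a NULL terminator) to the protocol's VerifyBuffer call.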