From: "Richard W.M. Jones" <rjones@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: Dmitry Mityugov <dmitry.mityugov@gmail.com>, edk2-devel@lists.01.org
Subject: Re: change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)
Date: Mon, 5 Feb 2018 18:13:39 +0000 [thread overview]
Message-ID: <20180205181339.GN2787@redhat.com> (raw)
In-Reply-To: <6da66215-3b2b-5b94-1978-823f569c3ce0@redhat.com>
On Mon, Feb 05, 2018 at 07:06:11PM +0100, Laszlo Ersek wrote:
> Hi,
>
> On 02/05/18 15:14, Dmitry Mityugov wrote:
> > Hi,
> >
> > Could you please let me know if it possible to automate changing keys in a
> > ..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
> > UEFI shell and change them there manually, but I'm looking for a way to
> > add/replace/delete them from my program before a KVM VM is started.
> >
> > I've found an email in this list with a similar question,
> > https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
> > not sure if the answer is still valid, or if any new possibilities have
> > arosen since then.
>
> My (still valid) answer is here:
>
> http://mid.mail-archive.com/550860A1.9030904@redhat.com
>
> and here:
>
> http://mid.mail-archive.com/56461E2D.1090601@redhat.com
>
> and here:
>
> http://mid.mail-archive.com/a1eedec9-f1c2-049d-8bb4-b094c9626f8e@redhat.com
>
> > There are also some home-made editors for the vars, like
> > http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
> > in my adventure?
>
> I'm unsure how frequently Rich maintains this project (I'm CC'ing him),
> but the approach in this project is generally workable, because it
> modifies the variable store *from within* the guest (the "appliance" in
> libguestfs lingo), using the UEFI runtime variable services.
I don't really maintain it, but subject to the license the
original questioner is free to try and make something of it.
Rich.
> Summary:
> - if you try to modify the variable store file from the host side, with
> a custom utility that is independent of edk2, that's a bad idea.
> - Whereas, if you modify the variable store from within the guest, via
> the UEFI variable services (calling them from the UEFI shell, or from
> the guest operating system / a privileged guest OS process), that's a
> good idea. (This is what "virt-efivars" does.)
>
> Thanks,
> Laszlo
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
prev parent reply other threads:[~2018-02-05 18:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-05 14:14 change keys in a ..._VARS.fd file programmatically (SecureBoot enabled) Dmitry Mityugov
2018-02-05 18:06 ` Laszlo Ersek
2018-02-05 18:13 ` Richard W.M. Jones [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180205181339.GN2787@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox