change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)

change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)

[Dmitry Mityugov]

Hi,

Could you please let me know if it possible to automate changing keys in a
..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
UEFI shell and change them there manually, but I'm looking for a way to
add/replace/delete them from my program before a KVM VM is started.

I've found an email in this list with a similar question,
https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
not sure if the answer is still valid, or if any new possibilities have
arosen since then.

There are also some home-made editors for the vars, like
http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
in my adventure?

Thank you in advance for any insight on this subject

-- 
Dmitry

Re: change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)

[Laszlo Ersek]

Hi,

On 02/05/18 15:14, Dmitry Mityugov wrote:
> Hi,
> 
> Could you please let me know if it possible to automate changing keys in a
> ..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
> UEFI shell and change them there manually, but I'm looking for a way to
> add/replace/delete them from my program before a KVM VM is started.
> 
> I've found an email in this list with a similar question,
> https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
> not sure if the answer is still valid, or if any new possibilities have
> arosen since then.

My (still valid) answer is here:

http://mid.mail-archive.com/550860A1.9030904@redhat.com

and here:

http://mid.mail-archive.com/56461E2D.1090601@redhat.com

and here:

http://mid.mail-archive.com/a1eedec9-f1c2-049d-8bb4-b094c9626f8e@redhat.com

> There are also some home-made editors for the vars, like
> http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
> in my adventure?

I'm unsure how frequently Rich maintains this project (I'm CC'ing him),
but the approach in this project is generally workable, because it
modifies the variable store *from within* the guest (the "appliance" in
libguestfs lingo), using the UEFI runtime variable services.

Summary:
- if you try to modify the variable store file from the host side, with
  a custom utility that is independent of edk2, that's a bad idea.
- Whereas, if you modify the variable store from within the guest, via
  the UEFI variable services (calling them from the UEFI shell, or from
  the guest operating system / a privileged guest OS process), that's a
  good idea. (This is what "virt-efivars" does.)

Thanks,
Laszlo

Re: change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)

[Richard W.M. Jones]

On Mon, Feb 05, 2018 at 07:06:11PM +0100, Laszlo Ersek wrote:
> Hi,
> 
> On 02/05/18 15:14, Dmitry Mityugov wrote:
> > Hi,
> > 
> > Could you please let me know if it possible to automate changing keys in a
> > ..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
> > UEFI shell and change them there manually, but I'm looking for a way to
> > add/replace/delete them from my program before a KVM VM is started.
> > 
> > I've found an email in this list with a similar question,
> > https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
> > not sure if the answer is still valid, or if any new possibilities have
> > arosen since then.
> 
> My (still valid) answer is here:
> 
> http://mid.mail-archive.com/550860A1.9030904@redhat.com
> 
> and here:
> 
> http://mid.mail-archive.com/56461E2D.1090601@redhat.com
> 
> and here:
> 
> http://mid.mail-archive.com/a1eedec9-f1c2-049d-8bb4-b094c9626f8e@redhat.com
> 
> > There are also some home-made editors for the vars, like
> > http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
> > in my adventure?
> 
> I'm unsure how frequently Rich maintains this project (I'm CC'ing him),
> but the approach in this project is generally workable, because it
> modifies the variable store *from within* the guest (the "appliance" in
> libguestfs lingo), using the UEFI runtime variable services.

I don't really maintain it, but subject to the license the
original questioner is free to try and make something of it.

Rich.

> Summary:
> - if you try to modify the variable store file from the host side, with
>   a custom utility that is independent of edk2, that's a bad idea.
> - Whereas, if you modify the variable store from within the guest, via
>   the UEFI variable services (calling them from the UEFI shell, or from
>   the guest operating system / a privileged guest OS process), that's a
>   good idea. (This is what "virt-efivars" does.)
> 
> Thanks,
> Laszlo

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/