From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web09.1573.1659125014050933925 for ; Fri, 29 Jul 2022 13:03:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=pps06212021 header.b=HotuaLaQ; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=520996b1b0=bill.paul@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 26TJV9a8004055; Fri, 29 Jul 2022 13:03:33 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS06212021; bh=YlXmYEb3p+HSDgoxJpenLSwMk6lxpPQS/iJDJMFCJT0=; b=HotuaLaQgQCbOIqA2L/7GFCnNH6x1STFjo3UYxhTeji1fEuCXd87lHHPfpLtI1ny0ZFh yWI6lNPsTbEu6QssHr3luQpFsWBgMV+trfA1qGQ4YF1dG+/C5U5qzC75LaJQ/vpl7hO6 FrPW0MZJ4d6AwljzKkSYOsdlH8o+iqao8gDXm1t8tZDsw2UHPxMa1a5C+sG1Ua00ysw9 nj2GVqYFr9TCgInrhBm6FhLz9iJxOjNcpbwYTDBvj7KSOF8THAgfpOqnokjI2/81nPGm xtNQli+imOiSvu0EvKvHfcQMzUXekFNuzgKmTVhy7SjU1LAwLLxPKXj3bY+qFOsvynz2 vQ== Received: from nam12-mw2-obe.outbound.protection.outlook.com (mail-mw2nam12lp2049.outbound.protection.outlook.com [104.47.66.49]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3hgc95584y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 29 Jul 2022 13:03:33 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cOaZX/eMCRFupzyr2VK+Gth2G7S+YE14u9LdB66i8cg077EbNovfiE1lmBvHq+O4HzdvAfYTRk6KtAMeMQCAUKEb+/pK8OdkeFyHJOOLJ2X7CCxqr63brIj8bpVjfSZMHARqnWgg1YnIcR441JWH6EQU2wr8JNo1v3VX+AJDKnqquZGbVh8Mg7BNCPge6Cg5RpxcU1rNSrVGvrMv42BOAlnsl4BYwsxF3Jg9KavXGd6L/T299SYQ6BEJ+2+k0svJPI1CA3ZUAlA+8DyHaLe25cPK9cePtElQnkx5AV+NPGfwryXuqZD2u1C4cyEeoXzGzgQSMvlPIZHqZU92br5fiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=YlXmYEb3p+HSDgoxJpenLSwMk6lxpPQS/iJDJMFCJT0=; b=By6AA8h7FmULHLRWd1Ip0wFaCWrrBXwuXgA8LMDSdErfn5HarQrc59dtydr/f9Jt3bj2IiE3cff+JfXsvi7DXDASCzu+LpWXHYWL8Ztw+Tt54vTiCKb2SEFnQCtwV+FYvyinuKRcFToSFJW30t+6HE/TAJbuX7MWouefAkg7cqalHSEOpygneCB3XIV+J31dEOWyOi1i+a0PxuJevH3owZLxgVnuhlj9a+0OMaHxPO6uoMVHvTr8M/nflMz2IO41wFpU05tAu1GIcLKfmfQT4GEUnUdlZS95cshHOlYbck8/W4vYbwUvd1Lp1f1PvMJo+O7SvYmW0PiRjFRwiqD6IA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from CO1PR11MB4962.namprd11.prod.outlook.com (2603:10b6:303:99::23) by SJ1PR11MB6084.namprd11.prod.outlook.com (2603:10b6:a03:489::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5482.12; Fri, 29 Jul 2022 20:03:30 +0000 Received: from CO1PR11MB4962.namprd11.prod.outlook.com ([fe80::d5d5:ca80:de46:402d]) by CO1PR11MB4962.namprd11.prod.outlook.com ([fe80::d5d5:ca80:de46:402d%7]) with mapi id 15.20.5482.012; Fri, 29 Jul 2022 20:03:29 +0000 From: "Bill Paul" To: James Bottomley , "devel@edk2.groups.io" , "rafaelrodrigues.machado@gmail.com" CC: "devel@edk2.groups.io" Subject: Re: [edk2-devel] Question about signed uefi vars at OS level Thread-Topic: [edk2-devel] Question about signed uefi vars at OS level Thread-Index: AQHYoPD3gJFw76RS9kCyVsFHVkUiH62Qok2AgAURCACAABcuAA== Date: Fri, 29 Jul 2022 20:03:29 +0000 Message-ID: <2670879.poxlI1A5LX@core> References: In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: e8c86111-e877-433a-46a2-08da719d6840 x-ms-traffictypediagnostic: SJ1PR11MB6084:EE_ x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: lj5WbXDGUFuq/Tihda9IztOZCQ6o+D2CS8eK1uA761jjg0enRnvq7nj8xNV6XxDpePzTAnHKi64HExnNgYqF+Rf90Q8PQnhZoidyD0zkQnvkD6ENtqmEVNCbpIS+a6qw/gRkjEEfeVvcQ6QgzOmgHj3Tf8tHkOZj41x9L5NZcumlLuh+PlHhvuNFIRtIRNwHN2OXXeXFdVu37Fs9fpwIGbYTFfJO+IMttsdYjCafOAKJiWjnzeE/TxYcjGTSYx7ErnD3BjnWvhdMWDBz5BcGiJto4UBxgosyd9mmsZyRDHLTVmnu2/STdrC02VPbU139s+PJzfKBzl7qN5Xn7uvOWe6LPpsRpJ2oPx5+x61W8J5BZGrBq/99dc+XLPAgZH/C/yNiUSTBrK7CORZc+mjd4K8xZNShdYD22/n06//T+XJLFDh2Tv3B0lvSDZqq6ZfHp3D8T4wZs/9mjISBzxGS82JPzRs31kB5VECGBBqPAdAdVuCyFHb7IxXqmrdgps0OBUCzkNsC5vf/XR8UrhWIn2fvqAOcwOxcLOhk7SiT8tgjA6HkGBpUmN+ufuLdw6Jm6v1zXubZr6lj8PTGRIjjT6sw2JEPz0z+3+iV8fEdXWYxynKI4sxeta+AmZIojFtpQnfN2MX3x8KivbqNSw6rNy97f4oeEeWtDULMrbHRQ8F7NNhNXDfbAkAFpYOcA6d2YCCb9nO74qVS9pRKdaTb2VNUT9r+/HFr0QjeHbiGgKAgQ58Jksi1CsUyfxg1OTQzqT9sc4Yx7o7OIuX0BeKp7S/H7ozie0x/udmKEJ/seXDrFvDdEdjcXNsFWatSI7Dl9IEAIFraEt7DkQkfl2qaTechW1njS4QhALhxSSaE/G0= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CO1PR11MB4962.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(7916004)(396003)(366004)(376002)(39850400004)(136003)(346002)(9686003)(83380400001)(110136005)(316002)(41300700001)(33716001)(2906002)(86362001)(8936002)(40140700001)(5660300002)(38100700002)(76116006)(66946007)(91956017)(38070700005)(66556008)(8676002)(4326008)(122000001)(66446008)(26005)(6486002)(6506007)(64756008)(66476007)(478600001)(71200400001)(6512007)(186003)(39026012)(460985005);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?Do1pVKSQ3J6hnb/Geb3T5rOT9u3Ky+91A404R2ORbUeHIHxjULW7srtkRS?= =?iso-8859-1?Q?9eJDmrwgRfzFQYnWbEnhQzUwMhja17SWrnNDgyfWRNgfFn9WsW3tdg2CDC?= =?iso-8859-1?Q?TcVJd/844i1QrhnwedvNOcl/SE/U5HGXJetXfIXncb7izX8MFe/eemJ33q?= =?iso-8859-1?Q?DDI5gQHSijDuBcfEUqrtrEU4zytaCM9/uuzPm78JnzxM+exwuu9DD1t0WX?= =?iso-8859-1?Q?JetVtZ7T0cDs5KljKGU0A2RLyEobh6r7DPQCmo5C6Vq6pz9oiX1FqbYMzE?= =?iso-8859-1?Q?FuTR+5Qoe4h2cG2HDDNV3WePdiGSgRjW35GE73L8n5pwkcvWuqzZNXmFyL?= =?iso-8859-1?Q?sYT0dlGPMTyZYCMIzXDgy/DG3hEVAbHNgWa9kATJq1m27ixugAH0f1VryA?= =?iso-8859-1?Q?o1p7JBYxSpov/gBjBY+SvoDsYlv5wSEybOQIpAH16Jcn/B/LPNPo47/2pU?= =?iso-8859-1?Q?yw9eOfJrlfxqgfuyC8QOx/vh1pNur0k9lXGupyz1/zD+HR9GGsWmp/ucn9?= =?iso-8859-1?Q?nGi7q4ldsK9AVCMw4do6NYLAJ39TSORIQHVtOzDiP/o2VfQewyLDvoeN6c?= =?iso-8859-1?Q?VXyK5GNUTHOfBSPE4hn0fO+S0iN6kYHcZU3A1rBd6VtuHIwyzNWBLChepF?= =?iso-8859-1?Q?ab/xd5lhBi7fDOUnk9jEG6gxWhahX+jJvMbQ9kgwV1+o8Q20kb7RmWvxGg?= =?iso-8859-1?Q?lxNnFGubBai+4QDtfghGNpkgdLGUsafE0fkyLev0ryjdkdmPmzue2AZ/Ci?= =?iso-8859-1?Q?6eG559wf0BbU4lSZPGXK0GI7SZRrvvvXdDnLgMWXZS4JW4l5OVoXnFdL24?= =?iso-8859-1?Q?IJweOskoxzQsi5G51MUCJ8ftfR3XYvizWzFpYA+lTV/1tdVTEnt9KxLpt7?= =?iso-8859-1?Q?Gu76UjCFhFRz/hiPNY/VNiTgoW597wXDre/4Nf1K/Z6Dcji9NVR3/STVXq?= =?iso-8859-1?Q?8R2/hPqn5Q5JxDYqbpm8N8dGU6/NxOKQIwpqI4k5GezwXbTuUaIDe4myUL?= =?iso-8859-1?Q?2NNqabFzHpZFB4QxHdQxV1RLP1BPmsAv92teCLxEVDsuy1JAwOLZssb2A4?= =?iso-8859-1?Q?3LzXI/k5Mpev0m1BgOT1UdEQGh/MO8Z75LS6AEfIjS8jpFanMfswdVncZq?= =?iso-8859-1?Q?0oqwrBBFsjoa6waHAInqLVUjbxUXPzdo5Qvj0KQxFke4GeKCUd5hkLx77D?= =?iso-8859-1?Q?8bPOMB0HWVjiKg73pH6TznnNWdsHWEXAOROFD4cNlHvzqDL3C/1hPMxwP0?= =?iso-8859-1?Q?/viRnU0JH87v/gEShxZ/odph5aPDsJle6pxVkhPQHARaZllH02MntL+SsF?= =?iso-8859-1?Q?UN7yewEq/Lyjadd7ILz2iGHiC/9mIFaEVa7qcMH4NpDjpEGfb42377DGo8?= =?iso-8859-1?Q?QFu4G0KtcgZMqbz7mbzvLO14VTRO66Ml1MzOehI2rwR8Fj1kP8yCDAD0Jh?= =?iso-8859-1?Q?nd88X4n4q5cnpaZDa2rDtLT70J870n1+Rpd7Av3ZdtwDPePg4XMiL7BZx0?= =?iso-8859-1?Q?06HU8BmBT1ztg4p19khhj5klYSXzDI/YCTlByd/ppnrr9jCOSq+JZEwph/?= =?iso-8859-1?Q?+BZZq6Ez4rKAlHdbtcsBRbLKtbKqJL1ZoVIDFOleRnrwNIhYs+MYAmg3hK?= =?iso-8859-1?Q?hfxjvquGMQkoACQOmcBI+5rP8PDHX143FbQVcEYy+d04wXVNSgLrEVfQ?= =?iso-8859-1?Q?=3D=3D?= MIME-Version: 1.0 X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB4962.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: e8c86111-e877-433a-46a2-08da719d6840 X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jul 2022 20:03:29.8881 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: pu/ERbhMqYWE/q8E78g9lYM8BApmLiORitoabC6C4eam6w5wdft8qF/IufFjdSzcg1vneHeK5d4X60zlZl7Whg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ1PR11MB6084 X-Proofpoint-GUID: g1va6Wn9fCR_9Rg5zrHhzPL3F7FrCpKC X-Proofpoint-ORIG-GUID: g1va6Wn9fCR_9Rg5zrHhzPL3F7FrCpKC X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-29_19,2022-07-28_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxscore=0 adultscore=0 mlxlogscore=853 suspectscore=0 impostorscore=0 clxscore=1011 priorityscore=1501 bulkscore=0 spamscore=0 malwarescore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207290083 Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-ID: <462CC77B3B236645871A43D59EB0E2D4@namprd11.prod.outlook.com> Content-Transfer-Encoding: quoted-printable Of all the gin joints in all the towns in all the world, Rafael Machado had= to=20 walk into mine at 11:40:00 on Friday, 29 July 2022 and say: > Hi James, thanks for the answer. >=20 > I will try to explain my scenario in simple words. > In my case, what I would like to do is to create a runtime uefi var, that > would be changed only by one .exe I have developed. So other .exe would n= ot > be able to perform changes at this uefi var. >=20 > Any ideia? If I remember right, changing UEFI secure variables (when UEFI is in the=20 secure state) can only be done if you know the private part of the Key=20 Exchange Key (KEK) for the system. Note that there is only one KEK, and it's used to validate all secure UEFI= =20 variable updates. This includes the "db" and "dbx" variables which contain the public keys th= at=20 UEFI uses to validate signed executables during secure boot. That is, if yo= u=20 have secure boot enabled, your BOOTX64.EFI loader for your OS must be=20 digitally signed, and the signer's public key must be in stored in the "db"= =20 secure variable. You asked if there's a way to modify secure variables "without the need of= =20 embedding my secret at the OS application (.exe)" and as far as I know, I=20 think the answer is no. If the data you plan to add to the variable must be= =20 generated on the fly, then you also have to sign it on the fly, which means= =20 you need to know the KEK secret key to generate the signature. Obviously, you don't want to risk somebody extracting the KEK secret key fr= om=20 the executable, because then they can defeat secure boot on the system (the= y=20 could modify the "db" variable to contain their own trusted public signing= =20 key). There *might* be some TPM gimmick you could use instead, but offhand = I'm=20 not sure what that would be. Now, based on what you've described, let's suppose you're trying to create = a=20 software licensing scheme, where you only want to enable a licensed feature= on=20 a specific customer's machine once they've they've paid for it. The=20 implication is that somewhere the system checks for the secure UEFI variabl= e=20 that indicates the feature is enabled. To really make this work, then a) ea= ch=20 customer's machine would need to be provisioned by you (so that you know th= e=20 KEK secret key and the customer does not), and b) each machine's KEK must b= e=20 unique. If all machines have the same KEK, then if you generate a signed UEFI varia= ble=20 update for one machine, it could be applied to all of them. In this case, it would not be required that the customer run an EXE on thei= r=20 system to do the actual signing, only the updating. If you know the KEK sec= ret=20 key for a given customer's machine, you can generate the signed variable=20 update remotely using your own secure internal system and then e-mail it to= =20 them, and then the customer just needs to run a program on their machine to= =20 call SetVariable() in order to store it. -Bill > Thanks > Rafael >=20 >=20 >=20 > On Tue, Jul 26, 2022, 10:17 AM James Bottomley > ship.com>> wrote: > On Tue, 2022-07-26 at 10:09 -0300, Rafael Machado wrote: > > Hey everyone > >=20 > > I have a question for the experts. > >=20 > > Suppose I have a BIOS feature that can be set from the OS via some OS > > application (.exe) that calls the runtime services set variable (). > >=20 > > To set this feature I have a UEFI var, that during DXE is processed > > by some uefi module. > >=20 > > In case I define this UEFI var as signed var > > (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or > > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS > > application I will have to add the signing key, so it would be > > possible to create new signed data to change the uefi variable as > > needed from the OS level. > >=20 > > So my question is: > > What is the correct way of creating a UEFI variable that is protected > > and that can be changed, by authorized person only, from OS level > > without the need of embedding my secret at the OS application (.exe)? >=20 > You don't give your use case, so it's hard to answer the above. > However, the signing process of the update must be guarded because of > the need to keep the key secret, so update bundles are usually created > away from the system to be updated to preserve this. If you want your > application to make arbitrary updates while it's running, you probably > don't want to be using signed variables. >=20 > James >=20 --=20 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D -Bill Paul (510) 749-2329 | VxWorks Software Architect, wpaul@windriver.com | Master of Unix-Fu - Wind River Syste= ms =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D "I put a dollar in a change machine. Nothing changed." - George Carlin =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D