Re: StartImage with Secure Boot on Self-Signed App

From: "Gao, Liming" <liming.gao@intel.com>
To: 'David F.' <df7729@gmail.com>, Gary Lin <glin@suse.com>
Cc: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: StartImage with Secure Boot on Self-Signed App
Date: Tue, 12 Sep 2017 07:32:28 +0000	[thread overview]
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14E13A935@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <CAGRSmLsRYdt5M9+nXZYX-sHP4chG5S2xz7X17XBgBuhm25ksGg@mail.gmail.com>

You can load and start the image based on PeCoffLib APIs in BasePeCoffLib instead of LoadImage() and StartImage() service. 

>-----Original Message-----
>From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
>David F.
>Sent: Friday, September 08, 2017 11:34 PM
>To: Gary Lin <glin@suse.com>
>Cc: edk2-devel@lists.01.org
>Subject: Re: [edk2] Fwd: StartImage with Secure Boot on Self-Signed App
>
>Actually, even a StartImageEx() would be fine with parameter to allow options.
>
>On Thu, Sep 7, 2017 at 7:51 PM, David F. <df7729@gmail.com> wrote:
>> Thanks, looking forward, can the people on the board dealing with the
>> specification please consider revising EFI_LOADED_IMAGE_PROTOCOL to
>> include a new "Flags" field and one of the bits allows StartImage to
>> start the image even if LoadImage reported a EFI_SECURITY_VIOLATION
>> was reported.  defined bit name could be #define
>> EFI_LOADED_IMAGE_PROTOCOL_FLAG_SELF_VALIDATED
>0x0000000000000001ULL.
>>  This provides a clean interface for applications without having to
>> hack StartImage() with a potential conflict with future changes to the
>> internal firmware.
>>
>>
>> On Thu, Sep 7, 2017 at 7:11 PM, Gary Lin <glin@suse.com> wrote:
>>> On Thu, Sep 07, 2017 at 01:00:03PM -0700, David F. wrote:
>>>> Hello,
>>>>
>>>> What is the proper way to allow running another app that is verified
>>>> with a self-signed certificate?
>>>>
>>>> Example, App1 is signed with one that allows secure boot booting (in
>>>> firmware) and has a public key embedded in the signed code, App2 is
>>>> verified by App1 and so is allowed to run, but because the key is not
>>>> in secure boot firmware, StartImage will not run it (although
>>>> LoadImage did what it needed to do and already reported the security
>>>> violation potential).   Do we have to roll our own StartImage?  or is
>>>> something already in place?  I can't rely on changing an internal
>>>> private structure field to allow StartImage to work since each
>>>> firmware platform may change the way it all works, looking for the
>>>> proper method as designed.
>>>>
>>> The major linux distros are using shim(*) to verify the bootloaders and
>>> kernels signed by ourselves, and shim implements its own StartImage.
>>>
>>> If your application is going to be deployed to the newer UEFI, instead
>>> of using the built-in openssl, you can try EFI_PKCS7_VERIFY_PROTOCOL to
>>> verify the UEFI images. It will make your application much slimmer and
>>> easier to maintain.
>>>
>>> Cheers,
>>>
>>> Gary Lin
>>>
>>> (*) https://github.com/rhboot/shim
>_______________________________________________
>edk2-devel mailing list
>edk2-devel@lists.01.org
>https://lists.01.org/mailman/listinfo/edk2-devel