From: "Gao, Liming"
To: 'David F.', Gary Lin
CC: "edk2-devel@lists.01.org"
Date: Tue, 12 Sep 2017 07:32:28 +0000
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14E13A935@SHSMSX104.ccr.corp.intel.com>
References: <20170908021116.6ksnrkapj3dvuder@localhost>
Subject: Re: [edk2] Fwd: StartImage with Secure Boot on Self-Signed App
List-Id: EDK II Development

You can load and start the image based on the PeCoffLib APIs in BasePeCoffLib instead of the LoadImage() and StartImage() services.

>-----Original Message-----
>From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of David F.
>Sent: Friday, September 08, 2017 11:34 PM
>To: Gary Lin
>Cc: edk2-devel@lists.01.org
>Subject: Re: [edk2] Fwd: StartImage with Secure Boot on Self-Signed App
>
>Actually, even a StartImageEx() would be fine with a parameter to allow options.
>
>On Thu, Sep 7, 2017 at 7:51 PM, David F. wrote:
>> Thanks, looking forward. Can the people on the board dealing with the
>> specification please consider revising EFI_LOADED_IMAGE_PROTOCOL to
>> include a new "Flags" field, where one of the bits allows StartImage to
>> start the image even if LoadImage reported an EFI_SECURITY_VIOLATION.
>> The defined bit name could be
>> #define EFI_LOADED_IMAGE_PROTOCOL_FLAG_SELF_VALIDATED 0x0000000000000001ULL.
>> This provides a clean interface for applications without having to
>> hack StartImage() with a potential conflict with future changes to the
>> internal firmware.
>>
>>
>> On Thu, Sep 7, 2017 at 7:11 PM, Gary Lin wrote:
>>> On Thu, Sep 07, 2017 at 01:00:03PM -0700, David F. wrote:
>>>> Hello,
>>>>
>>>> What is the proper way to allow running another app that is verified
>>>> with a self-signed certificate?
>>>>
>>>> Example: App1 is signed with one that allows secure boot booting (in
>>>> firmware) and has a public key embedded in the signed code. App2 is
>>>> verified by App1 and so is allowed to run, but because the key is not
>>>> in secure boot firmware, StartImage will not run it (although
>>>> LoadImage did what it needed to do and already reported the security
>>>> violation potential). Do we have to roll our own StartImage, or is
>>>> something already in place? I can't rely on changing an internal
>>>> private structure field to allow StartImage to work, since each
>>>> firmware platform may change the way it all works; I am looking for
>>>> the proper method as designed.
>>>>
>>> The major Linux distros are using shim(*) to verify the bootloaders and
>>> kernels signed by ourselves, and shim implements its own StartImage.
>>>
>>> If your application is going to be deployed to the newer UEFI, instead
>>> of using the built-in openssl, you can try EFI_PKCS7_VERIFY_PROTOCOL to
>>> verify the UEFI images. It will make your application much slimmer and
>>> easier to maintain.
>>>
>>> Cheers,
>>>
>>> Gary Lin
>>>
>>> (*) https://github.com/rhboot/shim
>_______________________________________________
>edk2-devel mailing list
>edk2-devel@lists.01.org
>https://lists.01.org/mailman/listinfo/edk2-devel
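The route Liming points at begins with PeCoffLoaderGetImageInfo(), which reads the PE/COFF headers of the buffer the app has already verified with its own key, before any memory is allocated or the image is relocated and started. As an added illustration (not code from this thread or from EDK2), the stand-alone C below parses a constructed PE32+ header with bounds checks and reports the fields a self-loading app consumes at that step; the ImageInfo struct, get_image_info(), parse_sample_prefix() and the sample bytes are assumptions, only PE32+ is handled, and the load, relocate and entry-point steps need the real BasePeCoffLib and are not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001
#define PE32PLUS_MAGIC             0x020B

/* Our own struct (assumption): the subset of what PeCoffLoaderGetImageInfo() fills in
 * that a self-loading app needs; names follow EDK2's PE_COFF_LOADER_IMAGE_CONTEXT. */
typedef struct {
    uint16_t Machine;              /* must match the CPU the loading app runs on   */
    uint32_t SectionAlignment;     /* sizes the AllocatePages() request            */
    uint32_t SizeOfHeaders, EntryPointRva, ImageSize;
    int      RelocationsStripped;  /* set: image cannot be relocated to a new base */
} ImageInfo;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the DOS, COFF and PE32+ headers of an in-memory image, bounds-checking every
 * read against len. Returns 0 on success, otherwise the number of the step that failed. */
int get_image_info(const uint8_t *img, size_t len, ImageInfo *out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 1;                   /* "MZ"       */
    uint32_t pe = rd32(img + 0x3C);                                    /* e_lfanew   */
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return 2;
    const uint8_t *coff = img + pe + 4, *opt = coff + 20;              /* COFF hdr   */
    uint16_t opt_size = rd16(coff + 16);
    if (opt_size < 64 || (size_t)(opt - img) + opt_size > len) return 3;
    if (rd16(opt) != PE32PLUS_MAGIC) return 4;                         /* PE32+ only */
    out->Machine             = rd16(coff);
    out->RelocationsStripped = (rd16(coff + 18) & IMAGE_FILE_RELOCS_STRIPPED) != 0;
    out->EntryPointRva       = rd32(opt + 16);
    out->SectionAlignment    = rd32(opt + 32);
    out->ImageSize           = rd32(opt + 56);
    out->SizeOfHeaders       = rd32(opt + 60);
    if (out->EntryPointRva >= out->ImageSize || out->SizeOfHeaders > out->ImageSize) return 5;
    return 0;
}

/* Constructed sample: headers of a tiny PE32+ X64 image with no sections; the parse
 * covers only the first len bytes (clamped to the buffer) so truncation can be tested. */
static uint8_t sample[0x40 + 4 + 20 + 112];
ImageInfo sample_info;
int parse_sample_prefix(size_t len) {
    memset(sample, 0, sizeof sample);
    wr16(sample, 0x5A4D); wr32(sample + 0x3C, 0x40); memcpy(sample + 0x40, "PE\0\0", 4);
    uint8_t *coff = sample + 0x44, *opt = coff + 20;
    wr16(coff, 0x8664); wr16(coff + 16, 112); wr16(coff + 18, 0x0022); /* X64, relocs kept */
    wr16(opt, PE32PLUS_MAGIC); wr32(opt + 16, 0x1000); wr32(opt + 32, 0x1000);
    wr32(opt + 56, 0x3000); wr32(opt + 60, 0x200);
    return get_image_info(sample, len < sizeof sample ? len : sizeof sample, &sample_info);
}
```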