From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <liming.gao@intel.com>
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id A528D20958BD7
 for <edk2-devel@lists.01.org>; Tue, 12 Sep 2017 00:29:35 -0700 (PDT)
Received: from orsmga004.jf.intel.com ([10.7.209.38])
 by fmsmga105.fm.intel.com with ESMTP; 12 Sep 2017 00:32:31 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.42,382,1500966000"; d="scan'208";a="127875178"
Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201])
 by orsmga004.jf.intel.com with ESMTP; 12 Sep 2017 00:32:31 -0700
Received: from fmsmsx102.amr.corp.intel.com (10.18.124.200) by
 FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Tue, 12 Sep 2017 00:32:31 -0700
Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by
 FMSMSX102.amr.corp.intel.com (10.18.124.200) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Tue, 12 Sep 2017 00:32:31 -0700
Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.117]) by
 SHSMSX152.ccr.corp.intel.com ([169.254.6.93]) with mapi id 14.03.0319.002;
 Tue, 12 Sep 2017 15:32:29 +0800
From: "Gao, Liming" <liming.gao@intel.com>
To: 'David F.' <df7729@gmail.com>, Gary Lin <glin@suse.com>
CC: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Thread-Topic: [edk2] Fwd: StartImage with Secure Boot on Self-Signed App
Thread-Index: AQHTKBPuJRh91zN8SEGvzczXCLHcbqKpuTwAgAALPACAANUBgIAEu9TA
Date: Tue, 12 Sep 2017 07:32:28 +0000
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14E13A935@SHSMSX104.ccr.corp.intel.com>
References: <CAGRSmLuQ3prdU1D_PDfzZpWHdnMjQfzKzzU8EpvOMX4BWvcxQA@mail.gmail.com>
 <CAGRSmLsh31v+nKSzMD+Yb-9JBPkRW9FPw6q=AgH=JUkc9sTvSw@mail.gmail.com>
 <20170908021116.6ksnrkapj3dvuder@localhost>
 <CAGRSmLue80aZ=0Su_SC=hE_FimAO7A4rNbkiMLMrXfcXmTmq+Q@mail.gmail.com>
 <CAGRSmLsRYdt5M9+nXZYX-sHP4chG5S2xz7X17XBgBuhm25ksGg@mail.gmail.com>
In-Reply-To: <CAGRSmLsRYdt5M9+nXZYX-sHP4chG5S2xz7X17XBgBuhm25ksGg@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: StartImage with Secure Boot on Self-Signed App
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 07:29:35 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

You can load and start the image based on PeCoffLib APIs in BasePeCoffLib i=
nstead of LoadImage() and StartImage() service.=20

>-----Original Message-----
>From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
>David F.
>Sent: Friday, September 08, 2017 11:34 PM
>To: Gary Lin <glin@suse.com>
>Cc: edk2-devel@lists.01.org
>Subject: Re: [edk2] Fwd: StartImage with Secure Boot on Self-Signed App
>
>Actually, even a StartImageEx() would be fine with parameter to allow opti=
ons.
>
>On Thu, Sep 7, 2017 at 7:51 PM, David F. <df7729@gmail.com> wrote:
>> Thanks, looking forward, can the people on the board dealing with the
>> specification please consider revising EFI_LOADED_IMAGE_PROTOCOL to
>> include a new "Flags" field and one of the bits allows StartImage to
>> start the image even if LoadImage reported a EFI_SECURITY_VIOLATION
>> was reported.  defined bit name could be #define
>> EFI_LOADED_IMAGE_PROTOCOL_FLAG_SELF_VALIDATED
>0x0000000000000001ULL.
>>  This provides a clean interface for applications without having to
>> hack StartImage() with a potential conflict with future changes to the
>> internal firmware.
>>
>>
>> On Thu, Sep 7, 2017 at 7:11 PM, Gary Lin <glin@suse.com> wrote:
>>> On Thu, Sep 07, 2017 at 01:00:03PM -0700, David F. wrote:
>>>> Hello,
>>>>
>>>> What is the proper way to allow running another app that is verified
>>>> with a self-signed certificate?
>>>>
>>>> Example, App1 is signed with one that allows secure boot booting (in
>>>> firmware) and has a public key embedded in the signed code, App2 is
>>>> verified by App1 and so is allowed to run, but because the key is not
>>>> in secure boot firmware, StartImage will not run it (although
>>>> LoadImage did what it needed to do and already reported the security
>>>> violation potential).   Do we have to roll our own StartImage?  or is
>>>> something already in place?  I can't rely on changing an internal
>>>> private structure field to allow StartImage to work since each
>>>> firmware platform may change the way it all works, looking for the
>>>> proper method as designed.
>>>>
>>> The major linux distros are using shim(*) to verify the bootloaders and
>>> kernels signed by ourselves, and shim implements its own StartImage.
>>>
>>> If your application is going to be deployed to the newer UEFI, instead
>>> of using the built-in openssl, you can try EFI_PKCS7_VERIFY_PROTOCOL to
>>> verify the UEFI images. It will make your application much slimmer and
>>> easier to maintain.
>>>
>>> Cheers,
>>>
>>> Gary Lin
>>>
>>> (*) https://github.com/rhboot/shim
>_______________________________________________
>edk2-devel mailing list
>edk2-devel@lists.01.org
>https://lists.01.org/mailman/listinfo/edk2-devel