* change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)
@ 2018-02-05 14:14 Dmitry Mityugov
2018-02-05 18:06 ` Laszlo Ersek
0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Mityugov @ 2018-02-05 14:14 UTC (permalink / raw)
To: edk2-devel
Hi,
Could you please let me know if it is possible to automate changing keys in a
..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
UEFI shell and change them there manually, but I'm looking for a way to
add/replace/delete them from my program before a KVM VM is started.
I've found an email in this list with a similar question,
https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
not sure if the answer is still valid, or if any new possibilities have
arisen since then.
There are also some home-made editors for the vars, like
http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
in my adventure?
Thank you in advance for any insight on this subject
--
Dmitry
* Re: change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)
From: Laszlo Ersek @ 2018-02-05 18:06 UTC (permalink / raw)
To: Dmitry Mityugov; +Cc: edk2-devel, Richard W.M. Jones
Hi,
On 02/05/18 15:14, Dmitry Mityugov wrote:
> Hi,
>
> Could you please let me know if it is possible to automate changing keys in a
> ..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
> UEFI shell and change them there manually, but I'm looking for a way to
> add/replace/delete them from my program before a KVM VM is started.
>
> I've found an email in this list with a similar question,
> https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
> not sure if the answer is still valid, or if any new possibilities have
> arisen since then.
My (still valid) answer is here:
http://mid.mail-archive.com/550860A1.9030904@redhat.com
and here:
http://mid.mail-archive.com/56461E2D.1090601@redhat.com
and here:
http://mid.mail-archive.com/a1eedec9-f1c2-049d-8bb4-b094c9626f8e@redhat.com
> There are also some home-made editors for the vars, like
> http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
> in my adventure?
I'm unsure how frequently Rich maintains this project (I'm CC'ing him),
but the approach in this project is generally workable, because it
modifies the variable store *from within* the guest (the "appliance" in
libguestfs lingo), using the UEFI runtime variable services.
Summary:
- if you try to modify the variable store file from the host side, with
a custom utility that is independent of edk2, that's a bad idea.
- Whereas, if you modify the variable store from within the guest, via
the UEFI variable services (calling them from the UEFI shell, or from
the guest operating system / a privileged guest OS process), that's a
good idea. (This is what "virt-efivars" does.)
Thanks,
Laszlo
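
An added example (not part of the original message, and not code from edk2 or virt-efivars) of the guest-side approach summarized above: a privileged guest process enrolls keys through the UEFI variable services via efivarfs instead of editing the _VARS.fd file from the host. It assumes `efi-updatevar` from efitools is installed in the guest and that the key directory holds pre-built `db.auth`, `KEK.auth` and `PK.auth` files; those file names and the `enroll_keys` helper are assumptions.

```shell
#!/bin/sh
# Added example: runs inside the guest as root; efi-updatevar comes from efitools.
# Assumed layout: <dir>/db.auth, <dir>/KEK.auth, <dir>/PK.auth (pre-signed updates).

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE

# An efivarfs file is a 4-byte attribute word followed by the variable data.
# Print the first data byte of a global variable as a decimal number.
efivar_byte() {
    f="$EFIVARS/$1-$GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# SetupMode == 1 means no Platform Key is enrolled yet.
in_setup_mode() {
    [ "$(efivar_byte SetupMode)" = "1" ]
}

enroll_keys() {
    dir=$1
    if ! in_setup_mode; then
        echo "firmware is not in Setup Mode; refusing to touch keys" >&2
        return 1
    fi
    # Check every input first so a missing file cannot leave a half-enrolled store.
    for var in db KEK PK; do
        [ -r "$dir/$var.auth" ] || { echo "missing $dir/$var.auth" >&2; return 1; }
    done
    # PK goes last: writing it ends Setup Mode.
    for var in db KEK PK; do
        efi-updatevar -f "$dir/$var.auth" "$var" || return 1
    done
    # The firmware, not this script, decides whether the writes were accepted.
    if in_setup_mode; then
        echo "PK write did not take effect" >&2
        return 1
    fi
}

# Usage inside the guest: enroll_keys /root/sb-keys
```

Because every write goes through the firmware's own variable driver, the store on the host side stays in whatever format that firmware build expects.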
* Re: change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)
From: Richard W.M. Jones @ 2018-02-05 18:13 UTC (permalink / raw)
To: Laszlo Ersek; +Cc: Dmitry Mityugov, edk2-devel
On Mon, Feb 05, 2018 at 07:06:11PM +0100, Laszlo Ersek wrote:
> Hi,
>
> On 02/05/18 15:14, Dmitry Mityugov wrote:
> > Hi,
> >
> > Could you please let me know if it is possible to automate changing keys in a
> > ..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
> > UEFI shell and change them there manually, but I'm looking for a way to
> > add/replace/delete them from my program before a KVM VM is started.
> >
> > I've found an email in this list with a similar question,
> > https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
> > not sure if the answer is still valid, or if any new possibilities have
> > arisen since then.
>
> My (still valid) answer is here:
>
> http://mid.mail-archive.com/550860A1.9030904@redhat.com
>
> and here:
>
> http://mid.mail-archive.com/56461E2D.1090601@redhat.com
>
> and here:
>
> http://mid.mail-archive.com/a1eedec9-f1c2-049d-8bb4-b094c9626f8e@redhat.com
>
> > There are also some home-made editors for the vars, like
> > http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
> > in my adventure?
>
> I'm unsure how frequently Rich maintains this project (I'm CC'ing him),
> but the approach in this project is generally workable, because it
> modifies the variable store *from within* the guest (the "appliance" in
> libguestfs lingo), using the UEFI runtime variable services.
I don't really maintain it, but subject to the license the
original questioner is free to try and make something of it.
Rich.
> Summary:
> - if you try to modify the variable store file from the host side, with
> a custom utility that is independent of edk2, that's a bad idea.
> - Whereas, if you modify the variable store from within the guest, via
> the UEFI variable services (calling them from the UEFI shell, or from
> the guest operating system / a privileged guest OS process), that's a
> good idea. (This is what "virt-efivars" does.)
>
> Thanks,
> Laszlo
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/