From: "Paulo Henrique Lacerda de Amorim" <phlamorim@riseup.net>
To: devel@edk2.groups.io, sun2sirius@gmail.com
Subject: Re: [edk2-devel] Interpretation of specification
Date: Sat, 23 Nov 2019 10:08:16 -0300
Message-ID: <8bcef1fa-c8a4-2b1b-dcd3-adb45cc7254e@riseup.net>
In-Reply-To: <9504.1574485172591155571@groups.io>

Correct, I'm using my own GUID and Name. They started to call these variables Private Authenticated Variables in UEFI 2.7, as stated in the section on how the firmware validates the payload to SetVariable using the EFI_VARIABLE_AUTHENTICATION2 descriptor:

"Otherwise, if the variable is none of the above, it shall be designated a Private Authenticated Variable..."

In my case the first write is failing: I get a Security Violation return when trying to create the variable. Did you use a key/cert which chains to PK/KEK when creating variables on production devices? Maybe I'm missing something. Let me know if I need to provide more information; as I stated before, I can provide the same scripts/sources I'm using.

Thanks in advance.

On 23/11/2019 01:59, Eugene Khoruzhenko wrote:
> Hi Paulo,
>
> Just to be clear - your variables have your own GUID and Name, so your variables are "common" Authenticated Variables, correct? What exactly is failing in your case:
>
>   * You cannot write your variable the first time, so it does not get created?
>   * Or you can create it, but cannot update it after it's been created?
>
> I seem to be able to create my Authenticated Variables on a number of production devices, including Dell, but then these variables cannot be deleted. I see exactly why deletion does not work - bug https://bugzilla.tianocore.org/show_bug.cgi?id=2374, but this issue is specific to deletion only.
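The thread above turns on what SetVariable() expects in an EFI_VARIABLE_AUTHENTICATION2 payload and why a first write can come back as a security violation. The following is an added example, not code from the thread or from EDK2: it lays out the descriptor (EFI_TIME timestamp plus a WIN_CERTIFICATE_UEFI_GUID carrying a PKCS#7 signature), produces the exact byte string the signature must cover (VariableName in UCS-2 without terminator, VendorGuid, Attributes, TimeStamp, new content), and re-parses a payload applying the structural checks a firmware such as EDK2's AuthVariableLib makes before it even looks at the signature (0x20 attribute present, Pad1/Nanosecond/TimeZone/Daylight/Pad2 zero, correct WIN_CERTIFICATE revision/type/CertType). EDK2 reports those structural failures as EFI_SECURITY_VIOLATION rather than distinguishing them from a bad signature, so they are worth ruling out first. The variable name, vendor GUID and the five-byte "PKCS#7" blob in the demo are constructed placeholders; real signing is left to external tooling.

```python
"""
Lay out the EFI_VARIABLE_AUTHENTICATION2 payload that SetVariable() expects
for a time-based authenticated (UEFI 2.7 "Private Authenticated") variable.

Added example, not code from the thread. Signing is left to external tooling:
sign the bytes returned by tbs_bytes() as a detached, binary PKCS#7 SignedData
and hand the DER blob to build_setvariable_payload().
"""
import struct
import uuid
from dataclasses import dataclass

# Layouts from the UEFI spec: packed, little-endian.
EFI_TIME_FMT = "<HBBBBBBIhBB"   # Year Month Day Hour Minute Second Pad1 Nanosecond TimeZone Daylight Pad2
WIN_CERT_HDR_FMT = "<IHH"       # dwLength wRevision wCertificateType
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
AUTH_INFO_HDR_LEN = struct.calcsize(WIN_CERT_HDR_FMT) + 16   # WIN_CERTIFICATE header + CertType GUID = 24

EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


@dataclass(frozen=True)
class EfiTime:
    year: int
    month: int
    day: int
    hour: int
    minute: int
    second: int

    def pack(self) -> bytes:
        # Pad1, Nanosecond, TimeZone, Daylight and Pad2 must be zero in an
        # authenticated-variable timestamp, so they are fixed here.
        return struct.pack(EFI_TIME_FMT, self.year, self.month, self.day,
                           self.hour, self.minute, self.second, 0, 0, 0, 0, 0)

    @classmethod
    def unpack(cls, raw: bytes) -> "EfiTime":
        y, mo, d, h, mi, s, pad1, ns, tz, dl, pad2 = struct.unpack(EFI_TIME_FMT, raw)
        if (pad1, ns, tz, dl, pad2) != (0, 0, 0, 0, 0):
            raise ValueError("Pad1/Nanosecond/TimeZone/Daylight/Pad2 must be zero")
        return cls(y, mo, d, h, mi, s)

    def is_newer_than(self, other: "EfiTime") -> bool:
        # Field-by-field comparison; an update of an existing variable must carry a strictly newer stamp.
        return (self.year, self.month, self.day, self.hour, self.minute, self.second) > \
               (other.year, other.month, other.day, other.hour, other.minute, other.second)


def tbs_bytes(name: str, vendor_guid: uuid.UUID, attributes: int,
              timestamp: EfiTime, data: bytes) -> bytes:
    """Bytes the PKCS#7 signature must cover:
    VariableName (UCS-2, no terminator) || VendorGuid || Attributes || TimeStamp || Data.
    Name and GUID sit inside the signed blob, so a payload cannot be replayed against
    a different variable. Data is empty for a delete."""
    if not attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
        raise ValueError("attributes must include TIME_BASED_AUTHENTICATED_WRITE_ACCESS (0x20)")
    return (name.encode("utf-16-le") + vendor_guid.bytes_le
            + struct.pack("<I", attributes) + timestamp.pack() + data)


def build_setvariable_payload(timestamp: EfiTime, pkcs7_der: bytes, data: bytes) -> bytes:
    """EFI_VARIABLE_AUTHENTICATION2 { TimeStamp, AuthInfo } followed by the new content."""
    dw_length = AUTH_INFO_HDR_LEN + len(pkcs7_der)
    auth_info = (struct.pack(WIN_CERT_HDR_FMT, dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
                 + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7_der)
    return timestamp.pack() + auth_info + data


def parse_setvariable_payload(payload: bytes):
    """Split a SetVariable() buffer into (EfiTime, pkcs7_der, data), applying the
    structural checks the firmware makes before it looks at the signature."""
    if len(payload) < 16 + AUTH_INFO_HDR_LEN:
        raise ValueError("buffer shorter than EFI_VARIABLE_AUTHENTICATION2")
    timestamp = EfiTime.unpack(payload[:16])
    dw_length, revision, cert_type = struct.unpack_from(WIN_CERT_HDR_FMT, payload, 16)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("AuthInfo is not a WIN_CERTIFICATE_UEFI_GUID")
    if dw_length < AUTH_INFO_HDR_LEN or 16 + dw_length > len(payload):
        raise ValueError("dwLength inconsistent with buffer size")
    guid = uuid.UUID(bytes_le=payload[24:40])
    if guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError(f"CertType {guid} is not EFI_CERT_TYPE_PKCS7_GUID")
    pkcs7_der = payload[40:16 + dw_length]
    data = payload[16 + dw_length:]
    return timestamp, pkcs7_der, data


if __name__ == "__main__":
    # Constructed demo values; the PKCS#7 blob is a placeholder, not a real signature.
    name, guid = "MyPrivateVar", uuid.UUID("6c0e5e1a-1e1f-4ec0-9c3d-7b1e2a9f0c11")
    attrs = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
             | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
    ts = EfiTime(2019, 11, 23, 10, 8, 16)
    content = b"hello"
    to_sign = tbs_bytes(name, guid, attrs, ts, content)        # feed this to the signer
    payload = build_setvariable_payload(ts, b"\x30\x03\x02\x01\x01", content)
    print(f"to-be-signed: {len(to_sign)} bytes, SetVariable payload: {len(payload)} bytes")
    print(parse_setvariable_payload(payload))
```

Write the tbs_bytes() output to a file and sign it as a detached, binary PKCS#7 with no signed attributes (the flags efitools' sign-efi-sig-list uses), for instance `openssl smime -sign -binary -noattr -outform DER -in tbs.bin -signer cert.pem -inkey key.pem -out sig.p7`, then pass sig.p7 to build_setvariable_payload() with the same timestamp and content; any mismatch between the attributes, name, GUID or timestamp used for signing and those passed to SetVariable() invalidates the signature. For a Private Authenticated Variable the UEFI spec ties later writes to the certificate that signed the creating write (the firmware stores a hash of that certificate alongside the variable), so keep the signer stable across updates and deletes.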