public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* Secureboot enable with OVMF
@ 2018-12-13  1:25 Park, Kyung Min
  2018-12-13 10:49 ` Laszlo Ersek
  0 siblings, 1 reply; 3+ messages in thread
From: Park, Kyung Min @ 2018-12-13  1:25 UTC (permalink / raw)
  To: edk2-devel@lists.01.org

Hi,

I'm trying to enable the secureboot with OVMF. I followed the steps as below.
But When I executed LockDown.efi, it gives me an error which says, "Failed to enroll PK: 26".
According to UEFI spec, the 26 means EFI_SECURITY_VIOLATION, but I don't understand why I got this error.
Before I ran the LockDown.efi, the secureboot was disabled by default and the PK key was not enrolled.

1. Build OVMF with secureboot enable
https://wiki.ubuntu.com/UEFI/EDK2

2. Generate/Execute LockDown.efi to enroll PK/KEK/DB keys
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

I would appreciate any useful information about this error.

Thanks,
Kyung Min







^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Secureboot enable with OVMF
  2018-12-13  1:25 Secureboot enable with OVMF Park, Kyung Min
@ 2018-12-13 10:49 ` Laszlo Ersek
  2018-12-16 21:49   ` Park, Kyung Min
  0 siblings, 1 reply; 3+ messages in thread
From: Laszlo Ersek @ 2018-12-13 10:49 UTC (permalink / raw)
  To: Park, Kyung Min; +Cc: edk2-devel@lists.01.org

On 12/13/18 02:25, Park, Kyung Min wrote:
> Hi,
> 
> I'm trying to enable the secureboot with OVMF. I followed the steps as below.
> But When I executed LockDown.efi, it gives me an error which says, "Failed to enroll PK: 26".
> According to UEFI spec, the 26 means EFI_SECURITY_VIOLATION, but I don't understand why I got this error.
> Before I ran the LockDown.efi, the secureboot was disabled by default and the PK key was not enrolled.
> 
> 1. Build OVMF with secureboot enable
> https://wiki.ubuntu.com/UEFI/EDK2

Please know that, if you build OVMF with *just* SECURE_BOOT_ENABLE, but
without SMM_REQUIRE, then a malicious guest OS may modify the pflash
chip with direct hardware access that contains the authenticated UEFI
variables. In other words, a malicious guest OS may circumvent Secure Boot.

If that's OK for your use case (it could be), then it's OK to use just
SECURE_BOOT_ENABLE; but it should be a conscious decision.

Regarding SMM_REQUIRE, please see OvmfPkg/README, section "SMM support".

> 2. Generate/Execute LockDown.efi to enroll PK/KEK/DB keys
> git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
> 
> I would appreciate any useful information about this error.

You'll have to dig into LockDown.efi for that. If you are convinced
LockDown.efi does the right thing, then you'll have to add debug
messages to the edk2 stack that handles authenticated variables (the
variable driver, some SecurityPkg / CryptoPkg libraries, etc). This is
usually quite time consuming.

As an alternative, you might be able to use
"/usr/share/edk2/ovmf/EnrollDefaultKeys.efi", from the "edk2-ovmf"
subpackage package, from

  https://koji.fedoraproject.org/koji/packageinfo?packageID=16183

(You can find the source code in the SRPM.)

Thanks,
Laszlo


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Secureboot enable with OVMF
  2018-12-13 10:49 ` Laszlo Ersek
@ 2018-12-16 21:49   ` Park, Kyung Min
  0 siblings, 0 replies; 3+ messages in thread
From: Park, Kyung Min @ 2018-12-16 21:49 UTC (permalink / raw)
  To: Laszlo Ersek; +Cc: edk2-devel@lists.01.org

This works. Thanks!!

-----Original Message-----
From: Laszlo Ersek [mailto:lersek@redhat.com] 
Sent: Thursday, December 13, 2018 2:49 AM
To: Park, Kyung Min <kyung.min.park@intel.com>
Cc: edk2-devel@lists.01.org
Subject: Re: [edk2] Secureboot enable with OVMF

On 12/13/18 02:25, Park, Kyung Min wrote:
> Hi,
> 
> I'm trying to enable the secureboot with OVMF. I followed the steps as below.
> But When I executed LockDown.efi, it gives me an error which says, "Failed to enroll PK: 26".
> According to UEFI spec, the 26 means EFI_SECURITY_VIOLATION, but I don't understand why I got this error.
> Before I ran the LockDown.efi, the secureboot was disabled by default and the PK key was not enrolled.
> 
> 1. Build OVMF with secureboot enable
> https://wiki.ubuntu.com/UEFI/EDK2

Please know that, if you build OVMF with *just* SECURE_BOOT_ENABLE, but without SMM_REQUIRE, then a malicious guest OS may modify the pflash chip with direct hardware access that contains the authenticated UEFI variables. In other words, a malicious guest OS may circumvent Secure Boot.

If that's OK for your use case (it could be), then it's OK to use just SECURE_BOOT_ENABLE; but it should be a conscious decision.

Regarding SMM_REQUIRE, please see OvmfPkg/README, section "SMM support".

> 2. Generate/Execute LockDown.efi to enroll PK/KEK/DB keys 
> git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
> 
> I would appreciate any useful information about this error.

You'll have to dig into LockDown.efi for that. If you are convinced LockDown.efi does the right thing, then you'll have to add debug messages to the edk2 stack that handles authenticated variables (the variable driver, some SecurityPkg / CryptoPkg libraries, etc). This is usually quite time consuming.

As an alternative, you might be able to use "/usr/share/edk2/ovmf/EnrollDefaultKeys.efi", from the "edk2-ovmf"
subpackage package, from

  https://koji.fedoraproject.org/koji/packageinfo?packageID=16183

(You can find the source code in the SRPM.)

Thanks,
Laszlo

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-12-16 21:49 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-13  1:25 Secureboot enable with OVMF Park, Kyung Min
2018-12-13 10:49 ` Laszlo Ersek
2018-12-16 21:49   ` Park, Kyung Min

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox