public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Rafael Machado" <rafaelrodrigues.machado@gmail.com>
To: devel@edk2.groups.io
Subject: Question about signed uefi vars at OS level
Date: Tue, 26 Jul 2022 10:09:30 -0300	[thread overview]
Message-ID: <CACgnt7-nfQS9nfAqQix81WRypu=oeBGDfKiSeuvUk1XzTwd+HA@mail.gmail.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 826 bytes --]

Hey everyone

I have a question for the experts.

Suppose I have a BIOS feature that can be set from the OS via some OS
application (.exe) that calls the runtime services set variable ().

To set this feature I have a UEFI var, that during DXE is processed by some
uefi module.

In case I define this UEFI var as signed var
(EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS application I
will have to add the signing key, so it would be possible to create new
signed data to change the uefi variable as needed from the OS level.

So my question is:
What is the correct way of creating a UEFI variable that is protected and
that can be changed, by authorized person only, from OS level without the
need of embedding my secret at the OS application (.exe) ?

Thanks
Rafael

[-- Attachment #2: Type: text/html, Size: 1015 bytes --]

             reply	other threads:[~2022-07-26 13:09 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-26 13:09 Rafael Machado [this message]
2022-07-26 13:17 ` [edk2-devel] Question about signed uefi vars at OS level James Bottomley
2022-07-29 18:40   ` Rafael Machado
2022-07-29 20:03     ` Bill Paul

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CACgnt7-nfQS9nfAqQix81WRypu=oeBGDfKiSeuvUk1XzTwd+HA@mail.gmail.com' \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox