From: "Rafael Machado"
Date: Tue, 26 Jul 2022 10:09:30 -0300
Subject: Question about signed uefi vars at OS level
To: devel@edk2.groups.io

Hey everyone,

I have a question for the experts.

Suppose I have a BIOS feature that can be set from the OS via some OS application (.exe) that calls the runtime service SetVariable().

To set this feature I have a UEFI var that, during DXE, is processed by some UEFI module.

In case I define this UEFI var as a signed var (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), at my OS application I will have to add the signing key, so it would be possible to create new signed data to change the UEFI variable as needed from the OS level.

So my question is:
What is the correct way of creating a UEFI variable that is protected and that can be changed, by an authorized person only, from the OS level without the need of embedding my secret in the OS application (.exe)?

Thanks
Rafael
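As an added illustration of the design the question is circling (not code from this thread or from EDK2), the block below separates the two roles involved in an EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS write as the UEFI specification lays them out: a signing host that holds the private key and produces the PKCS#7 signature over VariableName || VendorGuid || Attributes || TimeStamp || NewData, and an OS-side application that only carries the finished EFI_VARIABLE_AUTHENTICATION_2 blob to SetVariable(). The variable name "MyFeature" and its vendor GUID are constructed placeholders, and the PKCS#7 bytes are a stand-in returned by a callback that represents an external signing service; nothing here embeds or needs the key on the OS side.

```python
import struct
import uuid

# SetVariable() attribute bits from the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# WIN_CERTIFICATE_UEFI_GUID constants used by EFI_VARIABLE_AUTHENTICATION_2.
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_TIME_FMT = "<HBBBBBBIhBB"  # Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2

# Constructed placeholders for the hypothetical BIOS feature variable (not from the thread).
FEATURE_NAME = "MyFeature"
FEATURE_VENDOR_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
FEATURE_ATTRIBUTES = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                      | EFI_VARIABLE_RUNTIME_ACCESS
                      | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)


def pack_efi_time(year, month, day, hour, minute, second):
    """16-byte EFI_TIME; for time-based auth the Pad1/Nanosecond/TimeZone/Daylight/Pad2 fields must be zero."""
    return struct.pack(EFI_TIME_FMT, year, month, day, hour, minute, second, 0, 0, 0, 0, 0)


def to_be_signed(name, vendor_guid, attributes, timestamp16, new_data):
    """Bytes the signer hashes: VariableName (UCS-2, no terminator) || VendorGuid || Attributes || TimeStamp || NewData."""
    return (name.encode("utf-16-le") + vendor_guid.bytes_le
            + struct.pack("<I", attributes) + timestamp16 + new_data)


def build_auth2_payload(timestamp16, pkcs7_der, new_data):
    """EFI_VARIABLE_AUTHENTICATION_2 (TimeStamp + WIN_CERTIFICATE_UEFI_GUID) followed by the new variable data."""
    dw_length = 8 + 16 + len(pkcs7_der)  # WIN_CERTIFICATE header + CertType GUID + CertData
    hdr = struct.pack("<IHH", dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp16 + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7_der + new_data


def parse_auth2_payload(payload):
    """Split a SetVariable buffer into (timestamp, pkcs7_der, new_data); raise ValueError on a malformed header."""
    if len(payload) < 16 + 8 + 16:
        raise ValueError("buffer shorter than EFI_VARIABLE_AUTHENTICATION_2")
    timestamp16 = payload[:16]
    dw_length, revision, cert_kind = struct.unpack_from("<IHH", payload, 16)
    if revision != WIN_CERT_REVISION or cert_kind != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    if uuid.UUID(bytes_le=payload[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    if dw_length < 24 or 16 + dw_length > len(payload):
        raise ValueError("dwLength inconsistent with buffer size")
    return timestamp16, payload[40:16 + dw_length], payload[16 + dw_length:]


def is_well_formed(payload):
    """Boolean wrapper an OS-side submitter can use before calling SetVariable()."""
    try:
        parse_auth2_payload(payload)
        return True
    except ValueError:
        return False


def timestamp_is_fresh(new_ts, stored_ts):
    """Mirror the firmware's replay rule: reserved fields zero and timestamp later than the stored one."""
    fields = struct.unpack(EFI_TIME_FMT, new_ts)
    if any(fields[i] for i in (6, 7, 8, 9, 10)):
        return False
    if stored_ts is None:
        return True
    return fields[:6] > struct.unpack(EFI_TIME_FMT, stored_ts)[:6]


def signing_host_produce_blob(timestamp16, new_data, sign_fn):
    """Role 1: the key holder. sign_fn stands in for an HSM/signing service returning PKCS#7 DER over the TBS bytes."""
    tbs = to_be_signed(FEATURE_NAME, FEATURE_VENDOR_GUID, FEATURE_ATTRIBUTES, timestamp16, new_data)
    return build_auth2_payload(timestamp16, sign_fn(tbs), new_data)


def os_app_submit(blob, stored_ts=None):
    """Role 2: the OS application. It holds no key; it validates the blob's shape and hands it to SetVariable()."""
    timestamp16, _pkcs7, _data = parse_auth2_payload(blob)
    if not timestamp_is_fresh(timestamp16, stored_ts):
        return False
    # Here a real application would call SetVariable(FEATURE_NAME, FEATURE_VENDOR_GUID,
    # FEATURE_ATTRIBUTES, len(blob), blob); the firmware verifies the PKCS#7 against its enrolled certificate.
    return True


if __name__ == "__main__":
    ts = pack_efi_time(2022, 7, 26, 10, 9, 30)
    blob = signing_host_produce_blob(ts, b"\x01", lambda tbs: b"\x30\x82\x00\x00")  # constructed PKCS#7 stand-in
    print(len(blob), os_app_submit(blob))
```

The firmware, not the OS application, checks the signature against the certificate enrolled with the variable, so the only material the .exe ever needs is the signed blob handed to it by the signing host; the timestamp check shows why a previously captured blob cannot simply be resubmitted.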