* Question about signed uefi vars at OS level @ 2022-07-26 13:09 Rafael Machado 2022-07-26 13:17 ` [edk2-devel] " James Bottomley 0 siblings, 1 reply; 4+ messages in thread From: Rafael Machado @ 2022-07-26 13:09 UTC (permalink / raw) To: devel [-- Attachment #1: Type: text/plain, Size: 826 bytes --] Hey everyone I have a question for the experts. Suppose I have a BIOS feature that can be set from the OS via some OS application (.exe) that calls the runtime services set variable (). To set this feature I have a UEFI var, that during DXE is processed by some uefi module. In case I define this UEFI var as signed var (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS application I will have to add the signing key, so it would be possible to create new signed data to change the uefi variable as needed from the OS level. So my question is: What is the correct way of creating a UEFI variable that is protected and that can be changed, by authorized person only, from OS level without the need of embedding my secret at the OS application (.exe) ? Thanks Rafael [-- Attachment #2: Type: text/html, Size: 1015 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] Question about signed uefi vars at OS level 2022-07-26 13:09 Question about signed uefi vars at OS level Rafael Machado @ 2022-07-26 13:17 ` James Bottomley 2022-07-29 18:40 ` Rafael Machado 0 siblings, 1 reply; 4+ messages in thread From: James Bottomley @ 2022-07-26 13:17 UTC (permalink / raw) To: devel, rafaelrodrigues.machado On Tue, 2022-07-26 at 10:09 -0300, Rafael Machado wrote: > Hey everyone > > I have a question for the experts. > > Suppose I have a BIOS feature that can be set from the OS via some OS > application (.exe) that calls the runtime services set variable (). > > To set this feature I have a UEFI var, that during DXE is processed > by some uefi module. > > In case I define this UEFI var as signed var > (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS > application I will have to add the signing key, so it would be > possible to create new signed data to change the uefi variable as > needed from the OS level. > > So my question is: > What is the correct way of creating a UEFI variable that is protected > and that can be changed, by authorized person only, from OS level > without the need of embedding my secret at the OS application (.exe)? You don't give your use case, so it's hard to answer the above. However, the signing process of the update must be guarded because of the need to keep the key secret, so update bundles are usually created away from the system to be updated to preserve this. If you want your application to make arbitrary updates while it's running, you probably don't want to be using signed variables. James ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] Question about signed uefi vars at OS level 2022-07-26 13:17 ` [edk2-devel] " James Bottomley @ 2022-07-29 18:40 ` Rafael Machado 2022-07-29 20:03 ` Bill Paul 0 siblings, 1 reply; 4+ messages in thread From: Rafael Machado @ 2022-07-29 18:40 UTC (permalink / raw) To: James Bottomley; +Cc: devel [-- Attachment #1: Type: text/plain, Size: 1772 bytes --] Hi James, thanks for the answer. I will try to explain my scenario in simple words. In my case, what I would like to do is to create a runtime uefi var, that would be changed only by one .exe I have developed. So other .exe would not be able to perform changes at this uefi var. Any ideia? Thanks Rafael On Tue, Jul 26, 2022, 10:17 AM James Bottomley < James.Bottomley@hansenpartnership.com> wrote: > On Tue, 2022-07-26 at 10:09 -0300, Rafael Machado wrote: > > Hey everyone > > > > I have a question for the experts. > > > > Suppose I have a BIOS feature that can be set from the OS via some OS > > application (.exe) that calls the runtime services set variable (). > > > > To set this feature I have a UEFI var, that during DXE is processed > > by some uefi module. > > > > In case I define this UEFI var as signed var > > (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or > > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS > > application I will have to add the signing key, so it would be > > possible to create new signed data to change the uefi variable as > > needed from the OS level. > > > > So my question is: > > What is the correct way of creating a UEFI variable that is protected > > and that can be changed, by authorized person only, from OS level > > without the need of embedding my secret at the OS application (.exe)? > > You don't give your use case, so it's hard to answer the above. > However, the signing process of the update must be guarded because of > the need to keep the key secret, so update bundles are usually created > away from the system to be updated to preserve this. If you want your > application to make arbitrary updates while it's running, you probably > don't want to be using signed variables. > > James > > > [-- Attachment #2: Type: text/html, Size: 2490 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] Question about signed uefi vars at OS level 2022-07-29 18:40 ` Rafael Machado @ 2022-07-29 20:03 ` Bill Paul 0 siblings, 0 replies; 4+ messages in thread From: Bill Paul @ 2022-07-29 20:03 UTC (permalink / raw) To: James Bottomley, devel@edk2.groups.io, rafaelrodrigues.machado@gmail.com Cc: devel@edk2.groups.io Of all the gin joints in all the towns in all the world, Rafael Machado had to walk into mine at 11:40:00 on Friday, 29 July 2022 and say: > Hi James, thanks for the answer. > > I will try to explain my scenario in simple words. > In my case, what I would like to do is to create a runtime uefi var, that > would be changed only by one .exe I have developed. So other .exe would not > be able to perform changes at this uefi var. > > Any ideia? If I remember right, changing UEFI secure variables (when UEFI is in the secure state) can only be done if you know the private part of the Key Exchange Key (KEK) for the system. Note that there is only one KEK, and it's used to validate all secure UEFI variable updates. This includes the "db" and "dbx" variables which contain the public keys that UEFI uses to validate signed executables during secure boot. That is, if you have secure boot enabled, your BOOTX64.EFI loader for your OS must be digitally signed, and the signer's public key must be in stored in the "db" secure variable. You asked if there's a way to modify secure variables "without the need of embedding my secret at the OS application (.exe)" and as far as I know, I think the answer is no. If the data you plan to add to the variable must be generated on the fly, then you also have to sign it on the fly, which means you need to know the KEK secret key to generate the signature. Obviously, you don't want to risk somebody extracting the KEK secret key from the executable, because then they can defeat secure boot on the system (they could modify the "db" variable to contain their own trusted public signing key). There *might* be some TPM gimmick you could use instead, but offhand I'm not sure what that would be. Now, based on what you've described, let's suppose you're trying to create a software licensing scheme, where you only want to enable a licensed feature on a specific customer's machine once they've they've paid for it. The implication is that somewhere the system checks for the secure UEFI variable that indicates the feature is enabled. To really make this work, then a) each customer's machine would need to be provisioned by you (so that you know the KEK secret key and the customer does not), and b) each machine's KEK must be unique. If all machines have the same KEK, then if you generate a signed UEFI variable update for one machine, it could be applied to all of them. In this case, it would not be required that the customer run an EXE on their system to do the actual signing, only the updating. If you know the KEK secret key for a given customer's machine, you can generate the signed variable update remotely using your own secure internal system and then e-mail it to them, and then the customer just needs to run a program on their machine to call SetVariable() in order to store it. -Bill > Thanks > Rafael > > > > On Tue, Jul 26, 2022, 10:17 AM James Bottomley > <James.Bottomley@hansenpartnership.com<mailto:James.Bottomley@hansenpartner > ship.com>> wrote: > On Tue, 2022-07-26 at 10:09 -0300, Rafael Machado wrote: > > Hey everyone > > > > I have a question for the experts. > > > > Suppose I have a BIOS feature that can be set from the OS via some OS > > application (.exe) that calls the runtime services set variable (). > > > > To set this feature I have a UEFI var, that during DXE is processed > > by some uefi module. > > > > In case I define this UEFI var as signed var > > (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or > > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS > > application I will have to add the signing key, so it would be > > possible to create new signed data to change the uefi variable as > > needed from the OS level. > > > > So my question is: > > What is the correct way of creating a UEFI variable that is protected > > and that can be changed, by authorized person only, from OS level > > without the need of embedding my secret at the OS application (.exe)? > > You don't give your use case, so it's hard to answer the above. > However, the signing process of the update must be guarded because of > the need to keep the key secret, so update bundles are usually created > away from the system to be updated to preserve this. If you want your > application to make arbitrary updates while it's running, you probably > don't want to be using signed variables. > > James > -- ============================================================================= -Bill Paul (510) 749-2329 | VxWorks Software Architect, wpaul@windriver.com | Master of Unix-Fu - Wind River Systems ============================================================================= "I put a dollar in a change machine. Nothing changed." - George Carlin ============================================================================= ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-07-29 20:03 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-07-26 13:09 Question about signed uefi vars at OS level Rafael Machado 2022-07-26 13:17 ` [edk2-devel] " James Bottomley 2022-07-29 18:40 ` Rafael Machado 2022-07-29 20:03 ` Bill Paul
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox