public inbox for devel@edk2.groups.io
* Question about signed uefi vars at OS level
@ 2022-07-26 13:09 Rafael Machado
  2022-07-26 13:17 ` [edk2-devel] " James Bottomley
  0 siblings, 1 reply; 4+ messages in thread
From: Rafael Machado @ 2022-07-26 13:09 UTC (permalink / raw)
  To: devel

Hey everyone

I have a question for the experts.

Suppose I have a BIOS feature that can be set from the OS via some OS
application (.exe) that calls the runtime services SetVariable().

To set this feature I have a UEFI var that is processed during DXE by some
UEFI module.

In case I define this UEFI var as a signed var
(EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), in my OS application I
will have to add the signing key, so it would be possible to create new
signed data to change the UEFI variable as needed from the OS level.

So my question is:
What is the correct way of creating a UEFI variable that is protected and
that can be changed, by an authorized person only, from OS level without the
need of embedding my secret in the OS application (.exe)?

Thanks
Rafael

Thread overview: 4+ messages
2022-07-26 13:09 Question about signed uefi vars at OS level Rafael Machado
2022-07-26 13:17 ` [edk2-devel] " James Bottomley
2022-07-29 18:40   ` Rafael Machado
2022-07-29 20:03     ` Bill Paul