public inbox for devel@edk2.groups.io
From: "Rafael Machado" <rafaelrodrigues.machado@gmail.com>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: devel@edk2.groups.io
Subject: Re: [edk2-devel] Question about signed uefi vars at OS level
Date: Fri, 29 Jul 2022 15:40:00 -0300
Message-ID: <CACgnt7_PsMdBoq6SZU5GkuBK2Na2HcM1EN+ro=6YW=azRbXN_g@mail.gmail.com>
In-Reply-To: <bb3c329b8cfcd697aefff334a0d1b9eb684dd634.camel@HansenPartnership.com>


Hi James, thanks for the answer.

I will try to explain my scenario in simple words.
In my case, what I would like to do is to create a runtime uefi var, that
would be changed only by one .exe I have developed.
So other .exe would not be able to perform changes at this uefi var.

Any idea?

Thanks
Rafael



On Tue, Jul 26, 2022, 10:17 AM James Bottomley <
James.Bottomley@hansenpartnership.com> wrote:

> On Tue, 2022-07-26 at 10:09 -0300, Rafael Machado wrote:
> > Hey everyone
> >
> > I have a question for the experts.
> >
> > Suppose I have a BIOS feature that can be set from the OS via some OS
> > application (.exe) that calls the runtime services set variable ().
> >
> > To set this feature I have a UEFI var, that during DXE is processed
> > by some uefi module.
> >
> > In case I define this UEFI var as signed var
> > (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or
> > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), at my OS
> > application I will have to add the signing key, so it would be
> > possible to create new signed data to change the uefi variable as
> > needed from the OS level.
> >
> > So my question is:
> > What is the correct way of creating a UEFI variable that is protected
> > and that can be changed, by authorized person only, from OS level
> > without the need of embedding my secret at the OS application (.exe)?
>
> You don't give your use case, so it's hard to answer the above.
> However, the signing process of the update must be guarded because of
> the need to keep the key secret, so update bundles are usually created
> away from the system to be updated to preserve this.  If you want your
> application to make arbitrary updates while it's running, you probably
> don't want to be using signed variables.
>
> James
>
>
>

Thread overview: 4+ messages
2022-07-26 13:09 Question about signed uefi vars at OS level Rafael Machado
2022-07-26 13:17 ` [edk2-devel] " James Bottomley
2022-07-29 18:40   ` Rafael Machado [this message]
2022-07-29 20:03     ` Bill Paul
