public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "David F." <df7729@gmail.com>
To: Bill Paul <wpaul@windriver.com>
Cc: edk2 developers list <edk2-devel@lists.01.org>
Subject: Re: Set "db" variable in secure boot setup mode still requires generating PKCS#7?
Date: Tue, 1 May 2018 19:23:39 -0700	[thread overview]
Message-ID: <CAGRSmLs+712iq3qzRowaPXVB9kJrjYHT0W6f_EFSa5R7iOVnhw@mail.gmail.com> (raw)
In-Reply-To: <201805011425.24074.wpaul@windriver.com>

I'm with you, but the question I would have is how much checking does
it end up doing?  In other words, how can a fake PKCS#7 be created in
a small amount of code that would make the guard happy enough to let
it through in setup mode?   I just don't see the point of even having
to create one when it is going to be ignored anyway?

Thanks.

On Tue, May 1, 2018 at 2:25 PM, Bill Paul <wpaul@windriver.com> wrote:
> Of all the gin joints in all the towns in all the world, David F. had to walk
> into mine at 14:13 on Tuesday 01 May 2018 and say:
>
>> Hi,
>>
>> Had a fairly simple task of wanting to install the latest MS .crt
>> files for KEK, and their two files for the "db" (the Windows CA and
>> UEFI CA) in a system placed in setup/custom mode.  However, even
>> though it seemed to take the KEK, it never took the "db", always had a
>> problem on a DH77KC mobo (dumped data headers looked as expected).
>> Now when I constructed it, I thought I could leave out any PKCS#7 data
>> (set the expected CertType but in the Hdr dwLength only included
>> CertType and not any CertData), but looking at the algo in UEFI Spec
>> 2.6 page 245, it looks like we'd always have to generate the hash,
>> sign it, create all the PKCS stuff even in setup mode?    That would
>> surely unnecessarily bloat any apps that really only need to update
>> things in setup mode wouldn't it?   So to confirm, that is a
>> requirement even in setup mode?    If so, why?
>>
>
> If I understand correctly, I think the issue is that the PK, KEK, db and dbx
> are always considered to be secure environment variables, which means when you
> try to update them with SetVariable(), you always have to include one of the
> authentication flags and a properly formated authentication header.
>
> The difference between variable updates in secure mode vs. setup/custom mode
> is that in setup/custom mode, the signature is not validated. It still has to
> be there, but the firmware doesn't care what it says. So the db update could
> be signed with a completely different KEK than the one loaded into the KEK
> variable, and it would still be accepted.
>
> -Bill
>
>
>
>> TIA!!
>> _______________________________________________
>> edk2-devel mailing list
>> edk2-devel@lists.01.org
>> https://lists.01.org/mailman/listinfo/edk2-devel
> --
> =============================================================================
> -Bill Paul            (510) 749-2329 | Senior Member of Technical Staff,
>                  wpaul@windriver.com | Master of Unix-Fu - Wind River Systems
> =============================================================================
>    "I put a dollar in a change machine. Nothing changed." - George Carlin
> =============================================================================


  reply	other threads:[~2018-05-02  2:23 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-01 21:13 Set "db" variable in secure boot setup mode still requires generating PKCS#7? David F.
2018-05-01 21:25 ` Bill Paul
2018-05-02  2:23   ` David F. [this message]
2018-05-02 10:21 ` Laszlo Ersek
2018-05-02 16:26   ` David F.
2018-05-03  3:09     ` Long, Qin
2018-05-20 19:54       ` David F.
2018-05-21  1:46         ` Zhang, Chao B

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGRSmLs+712iq3qzRowaPXVB9kJrjYHT0W6f_EFSa5R7iOVnhw@mail.gmail.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox