From: "David F." <df7729@gmail.com>
To: Gary Lin <glin@suse.com>
Cc: edk2-devel@lists.01.org
Subject: Re: StartImage with Secure Boot on Self-Signed App
Date: Fri, 8 Sep 2017 08:33:51 -0700 [thread overview]
Message-ID: <CAGRSmLsRYdt5M9+nXZYX-sHP4chG5S2xz7X17XBgBuhm25ksGg@mail.gmail.com> (raw)
In-Reply-To: <CAGRSmLue80aZ=0Su_SC=hE_FimAO7A4rNbkiMLMrXfcXmTmq+Q@mail.gmail.com>
Actually, even a StartImageEx() would be fine with parameter to allow options.
On Thu, Sep 7, 2017 at 7:51 PM, David F. <df7729@gmail.com> wrote:
> Thanks, looking forward, can the people on the board dealing with the
> specification please consider revising EFI_LOADED_IMAGE_PROTOCOL to
> include a new "Flags" field and one of the bits allows StartImage to
> start the image even if LoadImage reported a EFI_SECURITY_VIOLATION
> was reported. defined bit name could be #define
> EFI_LOADED_IMAGE_PROTOCOL_FLAG_SELF_VALIDATED 0x0000000000000001ULL.
> This provides a clean interface for applications without having to
> hack StartImage() with a potential conflict with future changes to the
> internal firmware.
>
>
> On Thu, Sep 7, 2017 at 7:11 PM, Gary Lin <glin@suse.com> wrote:
>> On Thu, Sep 07, 2017 at 01:00:03PM -0700, David F. wrote:
>>> Hello,
>>>
>>> What is the proper way to allow running another app that is verified
>>> with a self-signed certificate?
>>>
>>> Example, App1 is signed with one that allows secure boot booting (in
>>> firmware) and has a public key embedded in the signed code, App2 is
>>> verified by App1 and so is allowed to run, but because the key is not
>>> in secure boot firmware, StartImage will not run it (although
>>> LoadImage did what it needed to do and already reported the security
>>> violation potential). Do we have to roll our own StartImage? or is
>>> something already in place? I can't rely on changing an internal
>>> private structure field to allow StartImage to work since each
>>> firmware platform may change the way it all works, looking for the
>>> proper method as designed.
>>>
>> The major linux distros are using shim(*) to verify the bootloaders and
>> kernels signed by ourselves, and shim implements its own StartImage.
>>
>> If your application is going to be deployed to the newer UEFI, instead
>> of using the built-in openssl, you can try EFI_PKCS7_VERIFY_PROTOCOL to
>> verify the UEFI images. It will make your application much slimmer and
>> easier to maintain.
>>
>> Cheers,
>>
>> Gary Lin
>>
>> (*) https://github.com/rhboot/shim
next prev parent reply other threads:[~2017-09-08 15:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAGRSmLuQ3prdU1D_PDfzZpWHdnMjQfzKzzU8EpvOMX4BWvcxQA@mail.gmail.com>
2017-09-07 20:00 ` StartImage with Secure Boot on Self-Signed App David F.
2017-09-08 2:11 ` Gary Lin
2017-09-08 2:51 ` David F.
2017-09-08 15:33 ` David F. [this message]
2017-09-12 7:32 ` Gao, Liming
2017-10-06 0:27 ` David F.
2017-10-09 6:56 ` Gao, Liming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGRSmLsRYdt5M9+nXZYX-sHP4chG5S2xz7X17XBgBuhm25ksGg@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox