From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <df7729@gmail.com>
Received: from mail-pg0-x234.google.com (mail-pg0-x234.google.com
 [IPv6:2607:f8b0:400e:c05::234])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 5BD7F21CEB0FA
 for <edk2-devel@lists.01.org>; Thu,  7 Sep 2017 12:57:13 -0700 (PDT)
Received: by mail-pg0-x234.google.com with SMTP id d8so1238117pgt.4
 for <edk2-devel@lists.01.org>; Thu, 07 Sep 2017 13:00:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
 bh=0Eq0egnQ9LVmmoQDu1YTkhrOJp3fnD2+pDmgkJExFJo=;
 b=faoNvOqL/VLnyi6g0FYzCc3p3VWtz2vOBHoTo9/R2mpqiJRtcWbbYKEggpNdrYqWLR
 qXd4ec4UzYamlvo56/yiin/T8z1bkhg4JUzCN7wGPjWH9at8BgT4exrBG6yPcjz6Cs/7
 y3FxJ6Te8FxdgFyNP9bZOT3dVE+i64bvqS5ROfrqplQ9YG1FNAd9xDwl94QkEcj8FOwe
 JJvmBpU0ZXPSCTCnLVUpWVLF839XDSzEr0Vrsp9SXG19404Htvn/DrT5RqV90a5x4C0w
 vPSLIzQwvyD+CuoqeULxTNfqNxGcEEMvMTbh2Z0uSjFiBRZVnekILSTk1UtZ2XTLDg+7
 WJUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to;
 bh=0Eq0egnQ9LVmmoQDu1YTkhrOJp3fnD2+pDmgkJExFJo=;
 b=ozMmNvJyoK65P/WGWrNWwyYOxhJD7eW4XxA5PF0FYQ16ubj6sD3251JPh8VstdKYLf
 /4oqDNaithRTe+QuVUTqZZLJOfI0RbxRPD10WhLAOPSWOHaddxLzVqzl1upl3GBcplWN
 J1UV/8azgSy3PxDEEXWtICAvAijud7uPqOSq2C/LxXTTnScWK90EWD9nsI2uixS9Lwoo
 9h5l2EPnpEECPh9lNvTsQuWBiGepPUbE1WsOgWMw5fBVMbg6AgG+kAbUdtVdygVKW23e
 uKZviA8gNEjaLPhSqdgMy7Egv1nyGGzb/e0rHEdMqmWM2nUwiRSyHz6PIf/Uqh1ndw1M
 Jb1g==
X-Gm-Message-State: AHPjjUjh2NATlIm3f3AsVilGD0jAUjxXIVUsOirf79NA8F2njNAPGpxc
 njH5+VWa9nrLr8jcoKgIQG65M4xGg8xKsjyYeMY=
X-Google-Smtp-Source: ADKCNb7dY93wg/rkyK4f+Heknn1hNB6cE7Fsrd0ru9mXAsvuODFHc1+3+29chqW+yvPkexnDApclbAeYEFk0C97mCJw=
X-Received: by 10.99.120.202 with SMTP id t193mr518397pgc.419.1504814404395;
 Thu, 07 Sep 2017 13:00:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.148.198 with HTTP; Thu, 7 Sep 2017 13:00:03 -0700 (PDT)
In-Reply-To: <CAGRSmLuQ3prdU1D_PDfzZpWHdnMjQfzKzzU8EpvOMX4BWvcxQA@mail.gmail.com>
References: <CAGRSmLuQ3prdU1D_PDfzZpWHdnMjQfzKzzU8EpvOMX4BWvcxQA@mail.gmail.com>
From: "David F." <df7729@gmail.com>
Date: Thu, 7 Sep 2017 13:00:03 -0700
Message-ID: <CAGRSmLsh31v+nKSzMD+Yb-9JBPkRW9FPw6q=AgH=JUkc9sTvSw@mail.gmail.com>
To: edk2-devel@lists.01.org
Subject: StartImage with Secure Boot on Self-Signed App
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 19:57:13 -0000
Content-Type: text/plain; charset="UTF-8"

Hello,

What is the proper way to allow running another app that is verified
with a self-signed certificate?

Example, App1 is signed with one that allows secure boot booting (in
firmware) and has a public key embedded in the signed code, App2 is
verified by App1 and so is allowed to run, but because the key is not
in secure boot firmware, StartImage will not run it (although
LoadImage did what it needed to do and already reported the security
violation potential).   Do we have to roll our own StartImage?  or is
something already in place?  I can't rely on changing an internal
private structure field to allow StartImage to work since each
firmware platform may change the way it all works, looking for the
proper method as designed.

TIA!!