From: "David F."
Date: Thu, 7 Sep 2017 19:51:28 -0700
To: Gary Lin
Cc: edk2-devel@lists.01.org
Subject: Re: StartImage with Secure Boot on Self-Signed App
In-Reply-To: <20170908021116.6ksnrkapj3dvuder@localhost>
References: <20170908021116.6ksnrkapj3dvuder@localhost>

Thanks, looking forward. Can the people on the board dealing with the specification please consider revising EFI_LOADED_IMAGE_PROTOCOL to include a new "Flags" field, one of whose bits allows StartImage to start the image even if LoadImage reported an EFI_SECURITY_VIOLATION? The defined bit name could be:

#define EFI_LOADED_IMAGE_PROTOCOL_FLAG_SELF_VALIDATED 0x0000000000000001ULL

This provides a clean interface for applications without having to hack StartImage(), with its potential conflict with future changes to the internal firmware.

On Thu, Sep 7, 2017 at 7:11 PM, Gary Lin wrote:
> On Thu, Sep 07, 2017 at 01:00:03PM -0700, David F. wrote:
>> Hello,
>>
>> What is the proper way to allow running another app that is verified
>> with a self-signed certificate?
>>
>> Example, App1 is signed with one that allows secure boot booting (in
>> firmware) and has a public key embedded in the signed code. App2 is
>> verified by App1 and so is allowed to run, but because the key is not
>> in secure boot firmware, StartImage will not run it (although
>> LoadImage did what it needed to do and already reported the security
>> violation potential). Do we have to roll our own StartImage? Or is
>> something already in place? I can't rely on changing an internal
>> private structure field to allow StartImage to work since each
>> firmware platform may change the way it all works; looking for the
>> proper method as designed.
>>
> The major linux distros are using shim(*) to verify the bootloaders and
> kernels signed by ourselves, and shim implements its own StartImage.
>
> If your application is going to be deployed to the newer UEFI, instead
> of using the built-in openssl, you can try EFI_PKCS7_VERIFY_PROTOCOL to
> verify the UEFI images. It will make your application much slimmer and
> easier to maintain.
>
> Cheers,
>
> Gary Lin
>
> (*) https://github.com/rhboot/shim
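Whichever path App1 takes (shim-style own loader, or EFI_PKCS7_VERIFY_PROTOCOL), the verifier must compute the Authenticode digest of App2's PE image and match it against the digest carried in the image's PKCS#7 signature; the digest deliberately excludes the CheckSum field, the Certificate Table directory entry and the appended signature blob. The following is an added example (not code from this thread, shim or EDK2) of that digest computation; `build_sample_pe` is a constructed helper that fabricates a minimal PE32+ so the example runs offline.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> bytes:
    """Authenticode-style digest of a PE/COFF image: everything except the CheckSum
    field, the Certificate Table directory entry and the Certificate Table itself."""
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)
    opt = pe_off + 24                                              # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                                # PE32 / PE32+
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_entry = opt + (96 if magic == 0x10B else 112) + 4 * 8     # security directory
    cert_size = struct.unpack_from("<II", pe, cert_entry)[1]
    # Headers, skipping CheckSum (4 bytes) and the certificate directory entry (8 bytes).
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:cert_entry])
    h.update(pe[cert_entry + 8:size_of_headers])
    hashed = size_of_headers
    # Section bodies in file-offset order (not header order), SizeOfRawData bytes each.
    secs = [struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16) for i in range(nsections)]
    for raw_size, raw_ptr in sorted(secs, key=lambda s: s[1]):
        if raw_size:
            h.update(pe[raw_ptr:raw_ptr + raw_size])
            hashed += raw_size
    extra = len(pe) - hashed - cert_size   # trailing data is hashed, minus the appended cert table
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.digest()

def build_sample_pe(payload: bytes = b"\xcc" * 0x200, checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32+ (one .text section, 512-byte headers); demo input only."""
    hdr_size, opt_size = 0x200, 240
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<II", opt, 60, hdr_size, checksum)          # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    if cert:  # certificate table entry: file offset + size, blob placed after the section body
        struct.pack_into("<II", opt, 112 + 4 * 8, hdr_size + len(payload), len(cert))
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000, len(payload), hdr_size, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return img + b"\0" * (hdr_size - len(img)) + payload + cert
```

Appending a signature blob or rewriting CheckSum leaves the digest unchanged, while any change to a section body changes it; that is the property a self-validating App1 relies on when it matches this digest against its embedded key's signature before deciding to start App2.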