From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 12100D80D0C for ; Mon, 4 Dec 2023 16:10:01 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=gsK2EzFI6EKZlMVO1BiDXEapE9K3zU7r+aHfi7NxlnM=; c=relaxed/simple; d=groups.io; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type; s=20140610; t=1701706200; v=1; b=AboRmjXfEkhvJgOsok6a+c7BpBfZQZ8Ls4Vc0sI1S0ChSCWbQVPjeB/sOzhU+girQHKgoiwU el/J8tWuxqXOc2hkwubSYt5v3FCd1teNtVgMsvHaYzoqzTTlz80psxxUEqSIlsa2dMgeGjMBzM6 JhxR+jrZv3B/Dk9P+ZpVonUs= X-Received: by 127.0.0.2 with SMTP id f7bgYY7687511xEjhVrr0BN0; Mon, 04 Dec 2023 08:10:00 -0800 X-Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55]) by mx.groups.io with SMTP id smtpd.web11.72682.1701706199537533982 for ; Mon, 04 Dec 2023 08:10:00 -0800 X-Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sin.source.kernel.org (Postfix) with ESMTP id 1FA4CCE11BB for ; Mon, 4 Dec 2023 16:09:56 +0000 (UTC) X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id 60409C433CA for ; Mon, 4 Dec 2023 16:09:55 +0000 (UTC) X-Received: by mail-lf1-f43.google.com with SMTP id 2adb3069b0e04-50bfd7be487so831403e87.0 for ; Mon, 04 Dec 2023 08:09:55 -0800 (PST) X-Gm-Message-State: e4YpbnlrlfF6C0YzhWXeQJxTx7686176AA= X-Google-Smtp-Source: AGHT+IFzFV+nYDldDch2h9O8nksMvqU1VoR1PG2G4uzrcfB+qyzQn1z5H9dsPBXnVtHfZr99JrxguTRYENtC+tex/p8= X-Received: by 2002:a19:ee07:0:b0:50b:f51a:2997 with SMTP id g7-20020a19ee07000000b0050bf51a2997mr945291lfb.83.1701706193568; Mon, 04 Dec 2023 08:09:53 -0800 (PST) MIME-Version: 1.0 References: <20231204095215.1053032-1-ardb@google.com> <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com> In-Reply-To: From: "Ard Biesheuvel" Date: Mon, 4 Dec 2023 17:09:42 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel] [PATCH] ArmVirtPkg: Allow EFI memory attributes protocol to be disabled To: Gerd Hoffmann Cc: Alexander Graf , Ard Biesheuvel , devel@edk2.groups.io, =?UTF-8?B?TO+/vXN6bO+/vSDvv71yc2Vr?= , Oliver Steffen , "Herrenschmidt, Benjamin" , Lennart Poettering , Peter Jones , Matthew Garrett Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ardb@kernel.org List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Type: text/plain; charset="UTF-8" X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=AboRmjXf; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=kernel.org (policy=none) On Mon, 4 Dec 2023 at 15:52, Gerd Hoffmann wrote: > > Hi, > > > > > That way you at least you know who you trust. Just remove shim. Have a look > > > > at how Amazon Linux 2023 did it [2] :)) > > > > You are in the luxurious position to run your own distro on your own > > > platform, which makes this totally easy. > > > Sure, we're cheating a bit on x86. But for ARM, the same story holds true > > for RH as well. There are a solid number of ARM systems that implement UEFI > > Secure Boot today - and none of them (that I'm aware of) provision a > > Microsoft 3rd party key. > > Didn't got my hands on any such arm system. > > How do you enroll the keys on those systems? > > Do they offer the option to read the 'db' keys from files on distro boot > media? Or do they expect the distro boot loader (or installer) to enroll > keys and enable secure boot (which is supported by systemd-boot I think)? > > > In fact, for virtual machines you're in the exact same position as EC2: If > > virt-install only provisions Red Hat Secure Boot keys by default when you > > install Fedora or RHEL guests, you've already increased your guests' > > security posture significantly. > > Well, no. One problem is install media, where you really have only > one entry point (EFI/BOOT/BOOT${ARCH}.EFI) which must work under all > circumstances. Which must be shim with microsoft signature (and ideally > distro signature too) on x64. > > When booting cloud images and the platform allowing for > 'bring-your-own-varstore', then yes, it is simpler and doable. > > > > The RH bootloader team considers shim.efi being an essential part of the > > > boot chain (to the point that the distro grub.efi throws errors with > > > secure boot being enabled and shim.efi missing), and on x86 bare metal > > > it actually is essential because hardware usually ships with only the > > > microsoft certificate enrolled. > > > See above, the key (in your case) is to not treat ARM and x86 identical. And > > yes, the (downstream) shim patches for grub break normal grub secure boot > > support. But that's a bug - not a feature :). > > I'm with you on that. Unfortunately the boot loader team is not. > > https://bugzilla.redhat.com/show_bug.cgi?id=2108083 > > tl;dr: You can't boot Fedora in secure boot mode without microsoft keys > today. grub.efi refuses to work without shim.efi, and shim.efi exists > only in a microsoft-signed version (which differed from rhel were a > second, redhat-signed shim binary exists). > > Oh, and the above applies to x86 only. On arm fedora shim.efi is not > signed and grub.efi is signed with the (public) redhat test keys. > So what is holding Fedora back from providing a fixed shim binary if it doesn't need to be signed by Microsoft? And also, the only problematic binary in the boot chain appears to be fbaa64.efi - that one could be fixed as well, by using 4k aligned executable sections. To be honest (and I know I am preaching to the choir here), the more i learn about this, the less I am inclined to make *any* accommodations whatsoever, given that the boot loader team obviously does not give a shit about their crappy boot chain. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#112046): https://edk2.groups.io/g/devel/message/112046 Mute This Topic: https://groups.io/mt/102967690/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-