public inbox for devel@edk2.groups.io
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Alexander Graf <graf@amazon.com>
Cc: "Ard Biesheuvel" <ardb@google.com>,
	devel@edk2.groups.io, "Ard Biesheuvel" <ardb@kernel.org>,
	"László Érsek" <lersek@redhat.com>,
	"Oliver Steffen" <osteffen@redhat.com>,
	"Herrenschmidt, Benjamin" <benh@amazon.com>
Subject: Re: [edk2-devel] [PATCH] ArmVirtPkg: Allow EFI memory attributes protocol to be disabled
Date: Mon, 4 Dec 2023 13:20:02 +0100
Message-ID: <qq64mdak2lvrvte5wzcplwrwkwwmkne3qm6v2ah5w4ykzldoat@4hlxm2sglrtx>
In-Reply-To: <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com>

  Hi,

> (hint: You really don't want or need shim on ARM. The only reason for shim
> is that on most x86 desktop systems, users will have the MS keys
> preinstalled. The MS Secure Boot concept however is terribly broken: Any
> compromise of any of the MS signed binaries jeopardizes your boot chain.
> You're a lot better off installing *only* your distribution's key material.
> That way you at least know who you trust. Just remove shim. Have a look
> at how Amazon Linux 2023 did it [2] :))

You are in the luxurious position to run your own distro on your own
platform, which makes this totally easy.

The RH bootloader team considers shim.efi to be an essential part of the
boot chain (to the point that the distro grub.efi throws errors with
secure boot being enabled and shim.efi missing), and on x86 bare metal
it actually is essential because hardware usually ships with only the
microsoft certificate enrolled.

At least they promised to sign shim with both distro and microsoft keys
on the next update, so I have the option to enroll the distro instead of
the microsoft keys in 'db' on platforms where this is possible.

take care,
  Gerd






