Date: Mon, 4 Dec 2023 13:20:02 +0100
From: "Gerd Hoffmann"
To: Alexander Graf
Cc: Ard Biesheuvel, devel@edk2.groups.io, Ard Biesheuvel, László Érsek, Oliver Steffen, "Herrenschmidt, Benjamin"
Subject: Re: [edk2-devel] [PATCH] ArmVirtPkg: Allow EFI memory attributes protocol to be disabled
References: <20231204095215.1053032-1-ardb@google.com> <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com>
In-Reply-To: <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com>

  Hi,

> (hint: You really don't want or need shim on ARM. The only reason for shim
> is that on most x86 desktop systems, users will have the MS keys
> preinstalled. The MS Secure Boot concept however is terribly broken: Any
> compromise of any of the MS signed binaries jeopardizes your boot chain.
> You're a lot better off installing *only* your distribution's key material.
> That way you at least know who you trust. Just remove shim. Have a look
> at how Amazon Linux 2023 did it [2] :))

You are in the luxurious position to run your own distro on your own
platform, which makes this totally easy.

The RH bootloader team considers shim.efi to be an essential part of the
boot chain (to the point that the distro grub.efi throws errors with
secure boot being enabled and shim.efi missing), and on x86 bare metal
it actually is essential because hardware usually ships with only the
Microsoft certificate enrolled.

At least they promised to sign shim with both distro and Microsoft keys
on the next update, so I have the option to enroll the distro instead of
the Microsoft keys in 'db' on platforms where this is possible.

take care,
  Gerd

View/Reply Online (#112038): https://edk2.groups.io/g/devel/message/112038