From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+112038+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id F2E23AC12C5
	for <rebecca@openfw.io>; Mon,  4 Dec 2023 12:20:10 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=e2mqGcqObMVQGFk2MMMuw6uPVU+HzLNtlftlrb1s3WY=;
 c=relaxed/simple; d=groups.io;
 h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Disposition;
 s=20140610; t=1701692409; v=1;
 b=PZ2oqcwiFRSGHVlXb82RWkzJnmiU0f4qNcAPdn1z1wILiHFUlMsqJNZhbeoEa4cj2PVdAXho
 oVhbL6z4/QPYigdxd4/a28ZmkcbT2961puuFaJUbQGan8a0xwZSEAK3SfsSD95bY+hmehtJmhEf
 9Hleo78RqJn6KUd79lTOlB/Q=
X-Received: by 127.0.0.2 with SMTP id qfVMYY7687511xHkUru1Ju7W; Mon, 04 Dec 2023 04:20:09 -0800
X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by mx.groups.io with SMTP id smtpd.web11.67287.1701692408937947791
 for <devel@edk2.groups.io>;
 Mon, 04 Dec 2023 04:20:09 -0800
X-Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-407-GE2yB60CNmuvjuJqdjhYSA-1; Mon,
 04 Dec 2023 07:20:05 -0500
X-MC-Unique: GE2yB60CNmuvjuJqdjhYSA-1
X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A7A871C0513D;
	Mon,  4 Dec 2023 12:20:04 +0000 (UTC)
X-Received: from dobby.home.kraxel.org (unknown [10.39.194.201])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 6A6DF5028;
	Mon,  4 Dec 2023 12:20:04 +0000 (UTC)
X-Received: by dobby.home.kraxel.org (Postfix, from userid 1000)
	id CFD7D76074; Mon,  4 Dec 2023 13:20:02 +0100 (CET)
Date: Mon, 4 Dec 2023 13:20:02 +0100
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Alexander Graf <graf@amazon.com>
Cc: Ard Biesheuvel <ardb@google.com>, devel@edk2.groups.io, 
	Ard Biesheuvel <ardb@kernel.org>, =?utf-8?B?TO+/vXN6bO+/vSDvv71yc2Vr?= <lersek@redhat.com>, 
	Oliver Steffen <osteffen@redhat.com>, "Herrenschmidt, Benjamin" <benh@amazon.com>
Subject: Re: [edk2-devel] [PATCH] ArmVirtPkg: Allow EFI memory attributes protocol to be disabled
Message-ID: <qq64mdak2lvrvte5wzcplwrwkwwmkne3qm6v2ah5w4ykzldoat@4hlxm2sglrtx>
References: <20231204095215.1053032-1-ardb@google.com>
 <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com>
MIME-Version: 1.0
In-Reply-To: <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com>
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.5
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,kraxel@redhat.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: anSIMMKmEn7PE9Ed3kwbpJvax7686176AA=
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=PZ2oqcwi;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

  Hi,

> (hint: You really don't want or need shim on ARM. The only reason for shim
> is that on most x86 desktop systems, users will have the MS keys
> preinstalled. The MS Secure Boot concept however is terribly broken: Any
> compromise of any of the MS signed binaries jeopardizes your boot chain.
> You're a lot better off installing *only* your distribution's key material.
> That way you at least you know who you trust. Just remove shim. Have a look
> at how Amazon Linux 2023 did it [2] :))

You are in the luxurious position to run your own distro on your own
platform, which makes this totally easy.

The RH bootloader team considers shim.efi being an essential part of the
boot chain (to the point that the distro grub.efi throws errors with
secure boot being enabled and shim.efi missing), and on x86 bare metal
it actually is essential because hardware usually ships with only the
microsoft certificate enrolled.

At least they promised to sign shim with both distro and microsoft keys
on the next update, so I have the option to enroll the distro instead of
the micosoft keys in 'db' on platforms where this is possible.

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112038): https://edk2.groups.io/g/devel/message/112038
Mute This Topic: https://groups.io/mt/102967690/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-