Simon J. Gerraty
2019-Oct-14 18:52 UTC
AMD Secure Encrypted Virtualization - FreeBSD Status?
Tomasz CEDRO <tomek at cedro.info> wrote:

> would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)

Unless you are using your own BIOS, the above means getting Microsoft to sign boot1.efi or similar. Shims that simply work around lack of acceptable signature don't help.

That would need to then verify loader.efi - which can be built to verify all the modules and kernel.

In my implementation (uses the non efi loader) trust anchors are embedded in loader but there is code in current to look up trust anchors in /efi I think which would be more generally useful - I've not looked at the attack vectors that introduces though.

--sjg
Clay Daniels Jr.
2019-Oct-14 19:18 UTC
AMD Secure Encrypted Virtualization - FreeBSD Status?
Simon, please do elaborate more on your implementation. I suspect you are talking about libsecureboot?

I have played with the generation of certs with OpenSSL & LibreSSL, but libsecureboot seems to take a different approach. Please tell us more.

Clay

On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <freebsd-security at freebsd.org> wrote:

> Tomasz CEDRO <tomek at cedro.info> wrote:
>
> > would be really nice also to get UEFI BOOT compatible with SECURE BOOT
> > :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.
>
> That would need to then verify loader.efi - which can be built to
> verify all the modules and kernel.
>
> In my implementation (uses the non efi loader) trust anchors are
> embedded in loader but there is code in current to look up trust anchors
> in /efi I think which would be more generally useful - I've not looked
> at the attack vectors that introduces though.
>
> --sjg
>> would be really nice also to get UEFI BOOT compatible with SECURE BOOT
>> :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.

As before in this thread, some motherboards will let you delete the Microsoft keys from the BIOS defaults and install your own. With those boards you do not need Microsoft, or any shims signed by Microsoft, or anyone else but you.

See the key management parts of the UEFI SECURE BOOT spec... https://uefi.org/

If your mobo maker does not have full key management options in their latest BIOS, ticket and bug them until they do.