Adventures with the UEFI shim
Jeremiah Cox
Unhandled.Exception at hotmail.com
Mon Dec 7 23:29:19 GMT 2020
Yes?
I think I asked Peter to add the defense in depth trap to prevent accidents. If the chain of authentication is maintained throughout boot and ring 0 (or higher privilege) for the duration of the boot cycle, then you’ve likely satisfied the threat model. At present, I believe the SHIM developers and review folks, they’re time is focused on revocation improvements to SHIM.
Kind regards,
Jeremiah
From: Paul Moore<mailto:paul at paul-moore.com>
Sent: Monday, December 7, 2020 07:58
To: Javier Martinez Canillas<mailto:fmartine at redhat.com>; Peter Jones<mailto:pjones at redhat.com>
Cc: Roberts, William C<mailto:william.c.roberts at intel.com>; efi at lists.einval.com<mailto:efi at lists.einval.com>; James Bottomley<mailto:James.Bottomley at hansenpartnership.com>; Matthew Garrett<mailto:mjg59 at google.com>; nicolasoliver03 at gmail.com<mailto:nicolasoliver03 at gmail.com>
Subject: Re: Adventures with the UEFI shim
On Wed, Dec 2, 2020 at 5:02 PM Paul Moore <paul at paul-moore.com> wrote:
> On Wed, Dec 2, 2020 at 1:37 PM Javier Martinez Canillas
> <fmartine at redhat.com> wrote:
> > On 12/2/20 6:49 PM, Paul Moore wrote:
> > > On Tue, Nov 24, 2020 at 1:58 PM Paul Moore <paul at paul-moore.com> wrote:
> > >> On Tue, Nov 17, 2020 at 11:34 AM Paul Moore <paul at paul-moore.com> wrote:
> > >>> Relying on the signed distro build highlights the idea that the
> > >>> ExitBootServices check isn't critical to the UEFI SB security model;
> > >>> the important authorization is the signature on the bootloader itself,
> > >>> not whether or not the bootloader calls into the shim verification
> > >>> protocol.
> > >>>
> > >>> Regardless, as you said, this isn't our code, it would be nice to hear
> > >>> a verdict from the shim maintainers on the ExitBootServices check.
> > >>
> > >> Thoughts Peter?
> > >
> > > Peter? Javier? Any of the UEFI shim folks?
> >
> > I already gave you my opinion about it but I'm not that familiar with
> > that part of the shim code to have an authoritative answer on this.
>
> Thanks Javier. Perhaps I should change my question slightly; who is
> responsible for maintaining the UEFI shim, or in other words who is
> going to make the final decision to accept or reject this? Is that
> Peter?
Bueller? Bueller?
So nobody wants to claim responsibility here? That isn't very reassuring ... ;)
--
paul moore
https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.paul-moore.com%2F&data=04%7C01%7C%7C7aaa0229f98541cd072708d89ac8f5e2%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637429535188894272%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=62SCpurwUa1Ch2IGBHOylWiekyHvOZLOFrbvPrBVce8%3D&reserved=0
_______________________________________________
Efi mailing list
Efi at lists.einval.com
https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.einval.com%2Fcgi-bin%2Fmailman%2Flistinfo%2Fefi&data=04%7C01%7C%7C7aaa0229f98541cd072708d89ac8f5e2%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637429535188904270%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=T1Wax0fMwtvq6ptgnJdW3JcJqDpzh2%2FSh%2Fvcg1ZVzeA%3D&reserved=0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.einval.com/pipermail/efi/attachments/20201207/0f038f94/attachment.htm>
More information about the Efi
mailing list