Adventures with the UEFI shim
Paul Moore
paul at paul-moore.com
Tue Dec 8 18:51:02 GMT 2020
On Mon, Dec 7, 2020 at 6:29 PM Jeremiah Cox
<Unhandled.Exception at hotmail.com> wrote:
> Yes?
:)
> I think I asked Peter to add the defense in depth trap to prevent accidents. If the chain of authentication is maintained throughout boot and ring 0 (or higher privilege) for the duration of the boot cycle, then you’ve likely satisfied the threat model.
I think it's arguable how effective it is as a trap, as ultimately it
relies on a loader further down the line to behave appropriately.
Regardless, thanks for responding.
> At present, I believe the SHIM developers and review folks, their time is focused on revocation improvements to SHIM.
I understand that everyone is buried with work, but I'm getting to the
point where I *really* need to submit a shim for review. I was hoping
to discuss some of these things here in an effort to save the
reviewers time, but perhaps the only way to get a proper,
authoritative response is to submit a review request with the changes
and go through the full process.
--
paul moore
www.paul-moore.com
More information about the Efi
mailing list