Adventures with the UEFI shim
Peter Jones
pjones at redhat.com
Fri Dec 11 22:30:44 GMT 2020
On Tue, Dec 08, 2020 at 01:51:02PM -0500, Paul Moore wrote:
> On Mon, Dec 7, 2020 at 6:29 PM Jeremiah Cox
> <Unhandled.Exception at hotmail.com> wrote:
> > Yes?
>
> :)
>
> > I think I asked Peter to add the defense in depth trap to prevent
> > accidents. If the chain of authentication is maintained throughout
> > boot and ring 0 (or higher privilege) for the duration of the boot
> > cycle, then you’ve likely satisfied the threat model.
>
> I think it's arguable how effective it is as a trap, as ultimately it
> relies on a loader further down the line to behave appropriately.
> Regardless, thanks for responding.
I don't have a problem with adding a config/define to disable it,
defaulted to off. The check is there in part to keep people from doing
something incredibly stupid /by accident/, and so it'll get caught in
review. But with what you're doing, it makes sense to disable that. We
should support that use case.
--
Peter
More information about the Efi
mailing list