Adventures with the UEFI shim

Paul Moore paul at paul-moore.com
Fri Dec 11 22:39:15 GMT 2020


On Fri, Dec 11, 2020 at 5:30 PM Peter Jones <pjones at redhat.com> wrote:
> On Tue, Dec 08, 2020 at 01:51:02PM -0500, Paul Moore wrote:
> > On Mon, Dec 7, 2020 at 6:29 PM Jeremiah Cox
> > <Unhandled.Exception at hotmail.com> wrote:
> > > Yes?
> >
> >  :)
> >
> > > I think I asked Peter to add the defense in depth trap to prevent
> > > accidents.  If the chain of authentication is maintained throughout
> > > boot and ring 0 (or higher privilege) for the duration of the boot
> > > cycle, then you’ve likely satisfied the threat model.
> >
> > I think it's arguable how effective it is as a trap, as ultimately it
> > relies on a loader further down the line to behave appropriately.
> > Regardless, thanks for responding.
>
> I don't have a problem with adding a config/define to disable it,
> defaulted to off.  The check is there in part to keep people from doing
> something incredibly stupid /by accident/, and so it'll get caught in
> review.  But with what you're doing, it makes sense to disable that.  We
> should support that use case.

Great, thank you.

-- 
paul moore
www.paul-moore.com
