Adventures with the UEFI shim

James Bottomley James.Bottomley at HansenPartnership.com
Mon Nov 16 02:53:37 GMT 2020


On Sun, 2020-11-15 at 18:21 -0500, Paul Moore wrote:
[...]
> Do you see any reason why the PCR extensions I'm proposing as build
> time options are a bad idea and not something that should be merged
> into shim?

Well I don't understand what you're actually trying to do.  What are
you trying to seal that would be significantly disrupted by periodic
updates to dbx (I really don't think db updates often enough to be a
significant problem)?  Plus you seem to have a broken security chain:
your PCR8 chain doesn't measure the key that signed shim although this
might be explained if I understood what you were trying to seal ... but
it does look odd that your variable chain is SecureBoot, PK, KEK, shim
signing key.

> Do you see any reason why we need to keep the existing
> ExitBootServices check as discussed above?  If yes, are you okay with
> allowing the ExitBootServices check to be disabled via a build time
> option?

Well, it's not my code, but it does seem to provide additional belt and
braces security against someone tricking grub into booting an unsigned
kernel.  I suppose the real question is did we ever sell this to
Microsoft as a security feature?  Because if so they're unlikely to
sign a version of shim that has it turned off.

James
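The sealing concern raised above (a PCR policy over variable measurements being broken by periodic dbx updates) can be modelled with the standard TPM 2.0 extend rule. This is an added example, not code from the thread or from shim; the variable contents are constructed placeholders, and the two measurement orders are assumptions based on the chain quoted in the reply (SecureBoot, PK, KEK, shim signing key), once with dbx included and once without.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR' = SHA-256(PCR || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_chain(events) -> bytes:
    """Replay (variable name, variable value) measurements into a fresh PCR."""
    pcr = bytes(PCR_SIZE)  # PCRs 8+ start at all zeros on reset
    for name, value in events:
        pcr = extend(pcr, name.encode() + b"\0" + value)
    return pcr


# Constructed UEFI variable contents for the demonstration (not real certificates).
BASE_VARIABLES = {
    "SecureBoot": b"\x01",
    "PK": b"constructed-platform-key",
    "KEK": b"constructed-key-exchange-key",
    "dbx": b"constructed-forbidden-signature-list-v1",
    "ShimSigner": b"constructed-shim-signing-cert",
}

# Assumed orders in which the variables are extended into the PCR.
CHAIN_WITH_DBX = ["SecureBoot", "PK", "KEK", "dbx", "ShimSigner"]
CHAIN_WITHOUT_DBX = ["SecureBoot", "PK", "KEK", "ShimSigner"]


def policy_pcr(variables: dict, chain: list) -> bytes:
    """PCR value a sealing policy would bind to for a given variable set and order."""
    return measure_chain([(name, variables[name]) for name in chain])


def sealed_value_survives_dbx_update(chain: list) -> bool:
    """True if the policy PCR is unchanged after a dbx revocation-list update."""
    before = policy_pcr(BASE_VARIABLES, chain)
    updated = dict(BASE_VARIABLES, dbx=b"constructed-forbidden-signature-list-v2")
    after = policy_pcr(updated, chain)
    return before == after


if __name__ == "__main__":
    print("with dbx   :", sealed_value_survives_dbx_update(CHAIN_WITH_DBX))
    print("without dbx:", sealed_value_survives_dbx_update(CHAIN_WITHOUT_DBX))
```

Measurement order also matters: extending the same variables in a different order yields a different PCR, so a policy is only as stable as both the measured contents and their sequence.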
