[U-Boot] [PATCH 12/16] cmd: env: use appropriate guid for authenticated UEFI variable

Patrick Wildt mail at patrick-wildt.de
Mon Nov 18 06:56:17 UTC 2019


On Mon, Nov 18, 2019 at 03:34:46PM +0900, AKASHI Takahiro wrote:
> Heinrich,
> 
> On Sat, Nov 16, 2019 at 09:10:35PM +0100, Heinrich Schuchardt wrote:
> > On 11/13/19 1:53 AM, AKASHI Takahiro wrote:
> > >A signature database variable is associated with a specific guid.
> > >For convenience, if user doesn't supply any guid info, "env set|print -e"
> > >should complement it.
> > 
> > If secure boot is enforced, users should not be able to change any
> > security relevant variables.
> 
> I disagree. In fact, UEFI specification allows users to modify
> security database variables if their signatures are verified.
> For example, "db" must be signed by one of certificates in PK or KEK,
> and updating its value should be authenticated in SetVariable API.
> That is what my patch#7 exactly does.
> 
> Thanks,
> -Takahiro Akashi

I agree.  It must be possible for any user of the EFI subsystem to be
able to update db/KEK/PK *if* he provides valid signatures.  The thing
is that keys are replaced and rerolled, not only because keys were
compromised, but also because some policies say it's useful to replace the
keys regularly so that attempts to crack the key have less time to be
successful.  There are more use-cases than that, but what is important
is that it's possible to change them, if properly signed.

Thanks,
Patrick
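The authorisation rule the thread is arguing about (PK and KEK updates must be signed by PK, db/dbx updates by PK or KEK, and each variable lives under a fixed vendor GUID that the command can fill in when the user omits it) can be written out as a small policy model. The following is an added example, not U-Boot code and not part of the original thread. It assumes the cryptographic verification of the EFI_VARIABLE_AUTHENTICATION_2 payload has already run and produced the signer certificate's fingerprint; the fingerprint strings and the `VariableStore` class are constructed for illustration, while the two GUID values are the real ones from the UEFI specification.

```python
# Added example (not U-Boot code): a simplified model of the authorisation
# step of an authenticated SetVariable for the secure-boot variables.
# Assumes signature verification has already yielded the signer's
# certificate fingerprint; only the policy decision is modelled here.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Real vendor GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Which GUID each secure-boot variable lives under; this is what a
# convenience default for "env set|print -e" would fill in.
SECURE_BOOT_VARIABLE_GUIDS = {
    "PK": EFI_GLOBAL_VARIABLE_GUID,
    "KEK": EFI_GLOBAL_VARIABLE_GUID,
    "db": EFI_IMAGE_SECURITY_DATABASE_GUID,
    "dbx": EFI_IMAGE_SECURITY_DATABASE_GUID,
}

# Which variable(s) hold the certificates that may authorise an update.
UPDATE_AUTHORITIES = {
    "PK": ("PK",),
    "KEK": ("PK",),
    "db": ("PK", "KEK"),
    "dbx": ("PK", "KEK"),
}


@dataclass
class VariableStore:
    """Constructed stand-in for the variable store: maps a variable name
    to the set of certificate fingerprints enrolled in it."""
    certs: Dict[str, Set[str]] = field(default_factory=dict)

    def in_setup_mode(self) -> bool:
        # No PK enrolled means setup mode, where unauthenticated
        # writes to the secure-boot variables are accepted.
        return not self.certs.get("PK")


def resolve_guid(name: str, guid: Optional[str]) -> str:
    """Return the caller's GUID, or the default for a known variable."""
    if guid is None:
        if name not in SECURE_BOOT_VARIABLE_GUIDS:
            raise ValueError(f"no default GUID for {name}; supply one")
        return SECURE_BOOT_VARIABLE_GUIDS[name]
    return guid.lower()


def authorize_update(store: VariableStore, name: str, guid: Optional[str],
                     signer_fingerprint: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a (pre-verified) signed update may be applied."""
    if name not in UPDATE_AUTHORITIES:
        return False, f"{name} is not an authenticated secure-boot variable"
    guid = resolve_guid(name, guid)
    if guid != SECURE_BOOT_VARIABLE_GUIDS[name]:
        return False, f"{name} must use GUID {SECURE_BOOT_VARIABLE_GUIDS[name]}"
    if store.in_setup_mode():
        return True, "setup mode: no PK enrolled, update accepted"
    if signer_fingerprint is None:
        return False, "user mode: unsigned update rejected"
    for authority in UPDATE_AUTHORITIES[name]:
        if signer_fingerprint in store.certs.get(authority, set()):
            return True, f"signed by a certificate enrolled in {authority}"
    return False, f"signer not enrolled in {' or '.join(UPDATE_AUTHORITIES[name])}"


def demo() -> Dict[str, bool]:
    """Run the policy over constructed cases, including a db re-roll
    signed with a KEK certificate, which the thread argues must work."""
    store = VariableStore({"PK": {"pk-fp-0001"}, "KEK": {"kek-fp-0001"}})
    return {
        "db_by_kek": authorize_update(store, "db", None, "kek-fp-0001")[0],
        "kek_by_kek": authorize_update(store, "KEK", None, "kek-fp-0001")[0],
        "kek_by_pk": authorize_update(store, "KEK", None, "pk-fp-0001")[0],
        "db_unsigned": authorize_update(store, "db", None, None)[0],
        "db_wrong_guid": authorize_update(
            store, "db", EFI_GLOBAL_VARIABLE_GUID, "pk-fp-0001")[0],
        "setup_mode_pk": authorize_update(VariableStore(), "PK", None, None)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

The model makes the two positions in the thread concrete: writes are never blocked outright in user mode, but each one must carry a signature from the authority above it in the hierarchy, so a key roll-over of db signed by the current KEK succeeds while the same KEK certificate cannot replace KEK itself.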

