[PATCH] efi_loader: allow disabling EFI secure boot in User Mode
Heinrich Schuchardt
xypron.glpk at gmx.de
Fri Dec 4 03:23:07 CET 2020
On 11/30/20 7:22 PM, Paulo Alcantara wrote:
> Hi Heinrich,
>
> Heinrich Schuchardt <xypron.glpk at gmx.de> writes:
>
>> On 11/30/20 3:58 PM, Paulo Alcantara wrote:
>>> Introduce a new config option CONFIG_EFI_SECURE_BOOT_VAR_DISABLE to
>>> allow disabling EFI secure boot when the platform is operating in User
>>> Mode and there is an NV+BS EFI variable called "SecureBootDisable".
>>> Otherwise, keep it enabled by default.
>>
>> could you, please, explain why this is needed.
>
> I was just looking for an easier way to disable it without having to
> mess with the secure boot variables and possibly breaking secure boot
> altogether. Of course, we could do the same by creating such
> SecureBootDisable variable and forgetting about it. Since we're gonna
> provide u-boot package with the secure boot keys (PK, KEK, db, dbx)
> enrolled in (ESP)/ubootefi.var (generated by efivar.py script), and
> those certificates are only provided at build time, that would be tricky
> to get it enabled or disabled by removing and inserting the PK, finding
> the appropriate certificate depending on whether it is openSUSE or SLES.
>
> For instance, OVMF does have something like that [1].
>
> [1]
> https://github.com/tianocore/edk2/blob/master/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c#L682
>
> Thanks.
>
Hello Paulo,
how would you stop an attacker from disabling secure boot on your device
and tempering with it if this configuration were enabled?
Best regard
Heinrich
More information about the U-Boot
mailing list