[PATCH] efi_loader: allow disabling EFI secure boot in User Mode
Paulo Alcantara
pc at cjr.nz
Fri Dec 4 19:00:31 CET 2020
Hi Heinrich,
Heinrich Schuchardt <xypron.glpk at gmx.de> writes:
> On 11/30/20 7:22 PM, Paulo Alcantara wrote:
>> Heinrich Schuchardt <xypron.glpk at gmx.de> writes:
>>
>>> On 11/30/20 3:58 PM, Paulo Alcantara wrote:
>>>> Introduce a new config option CONFIG_EFI_SECURE_BOOT_VAR_DISABLE to
>>>> allow disabling EFI secure boot when the platform is operating in User
>>>> Mode and there is an NV+BS EFI variable called "SecureBootDisable".
>>>> Otherwise, keep it enabled by default.
>>>
>>> Could you please explain why this is needed?
>>
>> I was just looking for an easier way to disable it without having to
>> mess with the secure boot variables and possibly breaking secure boot
>> altogether. Of course, we could do the same by creating such
>> SecureBootDisable variable and forgetting about it. Since we're gonna
>> provide u-boot package with the secure boot keys (PK, KEK, db, dbx)
>> enrolled in (ESP)/ubootefi.var (generated by efivar.py script), and
>> those certificates are only provided at build time, that would be tricky
>> to get it enabled or disabled by removing and inserting the PK, finding
>> the appropriate certificate depending on whether it is openSUSE or SLES.
>>
>> For instance, OVMF does have something like that [1].
>>
>> [1]
>> https://github.com/tianocore/edk2/blob/master/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c#L682
>>
>> Thanks.
>>
> How would you stop an attacker from disabling secure boot on your device
> and tampering with it if this configuration were enabled?
Yep. There isn't much we can do, and it is even unauthenticated.
Please ignore this patch. Thanks!