efi_loader: secure mode transitions, VendorKeys

Heinrich Schuchardt xypron.glpk at gmx.de
Sun Jul 5 01:16:17 CEST 2020

Hello Takahiro,

in the current code you have left a comment:

         * TODO:
         * Since there is currently no "platform-specific" installation
         * method of Platform Key, we can't say if VendorKeys is 0 or 1
         * precisely.

We do not supply vendor keys. So currently any secure boot setup is
defined by a user and not by the vendor. So we should keep this variable
at zero.

EDK2's way to keep track of changes to Secure Boot Policy Variables is a
non-volatile variable VendorKeysNv which is set to 1 when first created
and to 0 (in VendorKeyIsModified()) upon the first relevant change. EDK2
ignores changes in setup mode.

According to the UEFI specification Secure Boot Policy Variables are:

* PK, KEK, OsRecoveryOrder, OsRecovery####

efi_set_secure_state() currently sets all mode variables to read-only.
This should only be the case in Audit Mode and Deployed Mode, see figure
90 "Secure Modes" in the 2.8A spec.

Best regards


More information about the U-Boot mailing list