efi_loader: secure mode transitions, VendorKeys
Heinrich Schuchardt
xypron.glpk at gmx.de
Sun Jul 5 01:16:17 CEST 2020
Hello Takahiro,

in the current code you have left a comment:

	/*
	 * TODO:
	 * Since there is currently no "platform-specific" installation
	 * method of Platform Key, we can't say if VendorKeys is 0 or 1
	 * precisely.
	 */

We do not supply vendor keys. So currently any secure boot setup is
defined by a user and not by the vendor. So we should keep this variable
at zero.

EDK2's way to keep track of changes to Secure Boot Policy Variables is a
non-volatile variable VendorKeysNv which is set to 1 when first created
and to 0 (in VendorKeyIsModified()) upon the first relevant change. EDK2
ignores changes in setup mode.

According to the UEFI specification Secure Boot Policy Variables are:

* PK, KEK, OsRecoveryOrder, OsRecovery####
* variables with EFI_IMAGE_SECURITY_DATABASE_GUID

efi_set_secure_state() currently sets all mode variables to read-only.
This should only be the case in Audit Mode and Deployed Mode, see figure
90 "Secure Modes" in the 2.8A spec.

Best regards
Heinrich
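
The VendorKeysNv bookkeeping described in the mail, as a small C model added here for illustration; it is neither EDK2 nor U-Boot code. The GUID tags, ASCII variable names, `struct policy_state` and all function names are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>

/* Model only: GUIDs reduced to tags, names to ASCII strings (assumptions). */
enum guid_tag { GUID_GLOBAL, GUID_IMAGE_SECURITY_DATABASE, GUID_OTHER };

struct policy_state {
	bool setup_mode;     /* platform is currently in Setup Mode */
	int vendor_keys_nv;  /* models the non-volatile VendorKeysNv */
};

/* VendorKeysNv is 1 when first created. */
struct policy_state policy_state_init(bool setup_mode)
{
	struct policy_state s = { setup_mode, 1 };
	return s;
}

/* "OsRecovery" followed by exactly four upper-case hex digits. */
static bool is_os_recovery_entry(const char *name)
{
	if (strncmp(name, "OsRecovery", 10) != 0 || strlen(name) != 14)
		return false;
	for (const char *p = name + 10; *p; p++)
		if (!strchr("0123456789ABCDEF", *p))
			return false;
	return true;
}

/* Secure Boot Policy Variables as listed in the mail. */
bool is_policy_variable(enum guid_tag guid, const char *name)
{
	if (guid == GUID_IMAGE_SECURITY_DATABASE || is_os_recovery_entry(name))
		return true;
	/* PK, KEK and OsRecoveryOrder live in the global variable namespace. */
	return guid == GUID_GLOBAL && (!strcmp(name, "PK") ||
		!strcmp(name, "KEK") || !strcmp(name, "OsRecoveryOrder"));
}

/* Call after a successful variable write; returns the resulting VendorKeysNv. */
int track_vendor_keys(struct policy_state *s, enum guid_tag guid, const char *name)
{
	/* Changes in setup mode are ignored; otherwise the flag drops to 0 for good. */
	if (!s->setup_mode && is_policy_variable(guid, name))
		s->vendor_keys_nv = 0;
	return s->vendor_keys_nv;
}
```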