[PATCH] efi_loader: allow disabling EFI secure boot in User Mode

Paulo Alcantara pc at cjr.nz
Mon Nov 30 19:22:39 CET 2020


Hi Heinrich,

Heinrich Schuchardt <xypron.glpk at gmx.de> writes:

> On 11/30/20 3:58 PM, Paulo Alcantara wrote:
>> Introduce a new config option CONFIG_EFI_SECURE_BOOT_VAR_DISABLE to
>> allow disabling EFI secure boot when the platform is operating in User
>> Mode and there is an NV+BS EFI variable called "SecureBootDisable".
>> Otherwise, keep it enabled by default.
>
> could you, please, explain why this is needed.

I was just looking for an easier way to disable it without having to
mess with the secure boot variables and possibly breaking secure boot
altogether.  Of course, we could do the same by creating such a
SecureBootDisable variable and forgetting about it.  Since we're gonna
provide a u-boot package with the secure boot keys (PK, KEK, db, dbx)
enrolled in (ESP)/ubootefi.var (generated by the efivar.py script), and
those certificates are only provided at build time, it would be tricky
to enable or disable it by removing and inserting the PK, finding
the appropriate certificate depending on whether it is openSUSE or SLES.

For instance, OVMF does have something like that [1].

[1]
https://github.com/tianocore/edk2/blob/master/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c#L682

Thanks.
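To make the decision rule described in the thread concrete, here is an added example that is not part of the patch or of U-Boot's own code: a toy in-memory variable store and a function that applies the rule "secure boot is enforced in User Mode unless the build option is set and a 'SecureBootDisable' variable with NV+BS attributes exists". The `efi_var` store, `find_var`, and the `var_disable_enabled` flag standing in for CONFIG_EFI_SECURE_BOOT_VAR_DISABLE are assumptions for this illustration; requiring the attributes to be exactly NV+BS (no RUNTIME_ACCESS) is one reading of the thread, chosen because it keeps an OS from creating the variable through the runtime services.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* EFI variable attribute bits, values as in the UEFI specification. */
#define EFI_VARIABLE_NON_VOLATILE       0x00000001
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002
#define EFI_VARIABLE_RUNTIME_ACCESS     0x00000004

/* Constructed stand-in for the non-volatile variable store. */
struct efi_var {
    const char *name;
    uint32_t attrs;
    size_t size;
};

static const struct efi_var *find_var(const struct efi_var *store, size_t n,
                                      const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].name, name) == 0)
            return &store[i];
    return NULL;
}

/* User Mode in the UEFI sense: a non-empty Platform Key is enrolled. */
static bool in_user_mode(const struct efi_var *store, size_t n)
{
    const struct efi_var *pk = find_var(store, n, "PK");
    return pk != NULL && pk->size > 0;
}

/*
 * var_disable_enabled models the build-time option (hypothetical flag here).
 * Secure boot is enforced whenever the platform is in User Mode, except when
 * the option is set and "SecureBootDisable" exists with exactly NV+BS
 * attributes. Rejecting a variable that also carries RUNTIME_ACCESS means a
 * variable written by the OS at runtime does not switch enforcement off.
 */
bool efi_secure_boot_enabled(const struct efi_var *store, size_t n,
                             bool var_disable_enabled)
{
    if (!in_user_mode(store, n))
        return false; /* Setup Mode: nothing to enforce */
    if (!var_disable_enabled)
        return true;
    const struct efi_var *v = find_var(store, n, "SecureBootDisable");
    const uint32_t want = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS;
    return !(v != NULL && v->attrs == want);
}
```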
