Hi James, thanks for the answer. I will try to explain my scenario in simple words. In my case, what I would like to do is to create a runtime uefi var, that would be changed only by one .exe I have developed. So other .exe would not be able to perform changes at this uefi var.
Any ideia? Thanks Rafael On Tue, Jul 26, 2022, 10:17 AM James Bottomley < james.bottom...@hansenpartnership.com> wrote: > On Tue, 2022-07-26 at 10:09 -0300, Rafael Machado wrote: > > Hey everyone > > > > I have a question for the experts. > > > > Suppose I have a BIOS feature that can be set from the OS via some OS > > application (.exe) that calls the runtime services set variable (). > > > > To set this feature I have a UEFI var, that during DXE is processed > > by some uefi module. > > > > In case I define this UEFI var as signed var > > (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or > > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS > > application I will have to add the signing key, so it would be > > possible to create new signed data to change the uefi variable as > > needed from the OS level. > > > > So my question is: > > What is the correct way of creating a UEFI variable that is protected > > and that can be changed, by authorized person only, from OS level > > without the need of embedding my secret at the OS application (.exe)? > > You don't give your use case, so it's hard to answer the above. > However, the signing process of the update must be guarded because of > the need to keep the key secret, so update bundles are usually created > away from the system to be updated to preserve this. If you want your > application to make arbitrary updates while it's running, you probably > don't want to be using signed variables. > > James > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91977): https://edk2.groups.io/g/devel/message/91977 Mute This Topic: https://groups.io/mt/92626771/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
