On Mon, Nov 18, 2019 at 03:34:46PM +0900, AKASHI Takahiro wrote:
> Heinrich,
>
> On Sat, Nov 16, 2019 at 09:10:35PM +0100, Heinrich Schuchardt wrote:
> > On 11/13/19 1:53 AM, AKASHI Takahiro wrote:
> > > A signature database variable is associated with a specific guid.
> > > For convenience, if user doesn't supply any guid info, "env set|print -e"
> > > should complement it.
> >
> > If secure boot is enforced, users should not be able to change any
> > security relevant variables.
>
> I disagree. In fact, UEFI specification allows users to modify
> security database variables if their signatures are verified.
> For example, "db" must be signed by one of certificates in PK or KEK,
> and updating its value should be authenticated in SetVariable API.
> That is what my patch#7 exactly does.
>
> Thanks,
> -Takahiro Akashi
I agree. It must be possible for any user of the EFI subsystem to be able to
update db/KEK/PK *if* he provides a valid signature. The thing is that keys are
replaced and rerolled, not only because keys were compromised, but also because
some policies say it's useful to replace the keys regularly so that attempts to
crack the key have less time to be successful. There are more use-cases than
that, but what is important is that it's possible to change them, if properly
signed.

Thanks,
Patrick

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
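The authenticated write that the thread refers to (db must be signed by a certificate in PK or KEK, and SetVariable() checks that signature before storing the new value) is easier to follow with the payload layout spelled out. The following is an added example, not U-Boot code and not part of patch#7: it parses an EFI_VARIABLE_AUTHENTICATION_2 payload as the UEFI specification lays it out, applies the specification's timestamp rules, and builds the exact buffer the PKCS#7 signature covers. The sample payload, its certificate data and its variable contents are constructed placeholders, and the PKCS#7 verification itself (against PK for PK/KEK, against PK or KEK for db/dbx) is assumed to be done by a separate library on the buffer this code returns.

```python
"""Added illustration of what SetVariable() has to check before it accepts a new
value for db/KEK/PK. Not U-Boot code. Layout follows the UEFI specification:
EFI_VARIABLE_AUTHENTICATION_2 = { EFI_TIME TimeStamp; WIN_CERTIFICATE_UEFI_GUID AuthInfo; }
and stops where the PKCS#7 signature would be handed to a verifier.
"""
import struct
import uuid

# Variable attribute bits (UEFI specification values)
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
DB_ATTRIBUTES = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                 | EFI_VARIABLE_RUNTIME_ACCESS
                 | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)

WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # vendor GUID of db/dbx

# EFI_TIME: Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2
EFI_TIME_FMT = "<HBBBBBBIhBB"
EFI_TIME_SIZE = struct.calcsize(EFI_TIME_FMT)              # 16 bytes
WIN_CERT_HDR_FMT = "<IHH"                                  # dwLength, wRevision, wCertificateType
AUTHINFO_FIXED_SIZE = struct.calcsize(WIN_CERT_HDR_FMT) + 16  # header + CertType GUID = 24


def parse_auth2(blob):
    """Split a SetVariable() payload into (EFI_TIME tuple, PKCS#7 bytes, new contents)."""
    if len(blob) < EFI_TIME_SIZE + AUTHINFO_FIXED_SIZE:
        raise ValueError("payload too short for EFI_VARIABLE_AUTHENTICATION_2")
    ts = struct.unpack_from(EFI_TIME_FMT, blob, 0)
    dw_length, w_revision, w_cert_type = struct.unpack_from(WIN_CERT_HDR_FMT, blob, EFI_TIME_SIZE)
    if w_cert_type != WIN_CERT_TYPE_EFI_GUID or w_revision != WIN_CERT_REVISION:
        raise ValueError("AuthInfo is not a WIN_CERTIFICATE_UEFI_GUID")
    guid_off = EFI_TIME_SIZE + struct.calcsize(WIN_CERT_HDR_FMT)
    if uuid.UUID(bytes_le=blob[guid_off:guid_off + 16]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    # dwLength covers the WIN_CERTIFICATE header, the CertType GUID and CertData.
    if dw_length < AUTHINFO_FIXED_SIZE or EFI_TIME_SIZE + dw_length > len(blob):
        raise ValueError("dwLength does not fit inside the payload")
    pkcs7 = blob[EFI_TIME_SIZE + AUTHINFO_FIXED_SIZE:EFI_TIME_SIZE + dw_length]
    data = blob[EFI_TIME_SIZE + dw_length:]
    return ts, pkcs7, data


def timestamp_ok(ts, previous=None):
    """Specification rules: Pad1, Nanosecond, TimeZone, Daylight and Pad2 must be zero,
    and a replacing write must carry a timestamp later than the one already stored
    (this is what stops an old, validly signed payload from being replayed)."""
    year, month, day, hour, minute, second, pad1, nanosecond, timezone, daylight, pad2 = ts
    if (pad1, nanosecond, timezone, daylight, pad2) != (0, 0, 0, 0, 0):
        return False
    if previous is not None and (year, month, day, hour, minute, second) <= tuple(previous[:6]):
        return False
    return True


def signed_buffer(name, vendor_guid, attributes, ts, data):
    """The bytes the PKCS#7 SignedData covers: VariableName as UCS-2 without the
    terminating NUL, VendorGuid, Attributes, TimeStamp and the new contents."""
    return (name.encode("utf-16-le") + vendor_guid.bytes_le
            + struct.pack("<I", attributes) + struct.pack(EFI_TIME_FMT, *ts) + data)


def prepare_for_verification(name, vendor_guid, attributes, blob, previous_ts=None):
    """Structural checks a SetVariable() implementation makes before handing the
    signature to a PKCS#7 verifier (assumed external here) keyed with PK for PK/KEK
    or with PK or KEK for db/dbx. Returns (to_be_signed, pkcs7, new_contents) or raises."""
    if not attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
        raise ValueError("security database writes require time-based authentication")
    ts, pkcs7, data = parse_auth2(blob)
    if not timestamp_ok(ts, previous_ts):
        raise ValueError("bad or replayed timestamp")
    return signed_buffer(name, vendor_guid, attributes, ts, data), pkcs7, data


def build_sample_blob():
    """Constructed payload for a db update. CertData and the contents are
    placeholders, not a real PKCS#7 signature or EFI_SIGNATURE_LIST, so only the
    structural checks above can pass on it."""
    ts = (2019, 11, 18, 15, 34, 46, 0, 0, 0, 0, 0)
    fake_pkcs7 = b"<placeholder for DER PKCS#7 SignedData>"
    new_contents = b"<placeholder EFI_SIGNATURE_LIST>"
    hdr = struct.pack(WIN_CERT_HDR_FMT, AUTHINFO_FIXED_SIZE + len(fake_pkcs7),
                      WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return (struct.pack(EFI_TIME_FMT, *ts) + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le
            + fake_pkcs7 + new_contents)


if __name__ == "__main__":
    tbs, sig, contents = prepare_for_verification(
        "db", EFI_IMAGE_SECURITY_DATABASE_GUID, DB_ATTRIBUTES, build_sample_blob())
    print("bytes covered by the signature:", len(tbs))
    print("signature blob to verify against PK or KEK:", sig)
```

The point the thread makes follows from `signed_buffer`: the variable name, vendor GUID, attributes and timestamp are all under the signature, so a payload signed for `db` cannot be replayed into `KEK`, and a payload with an older timestamp is refused even though its signature is valid. Whoever holds a key in PK or KEK can therefore roll the database at any time, while nobody else can.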