Hi Heinrich,

Heinrich Schuchardt <xypron.g...@gmx.de> writes:

> On 11/30/20 7:22 PM, Paulo Alcantara wrote:
>> Heinrich Schuchardt <xypron.g...@gmx.de> writes:
>>
>>> On 11/30/20 3:58 PM, Paulo Alcantara wrote:
>>>> Introduce a new config option CONFIG_EFI_SECURE_BOOT_VAR_DISABLE to
>>>> allow disabling EFI secure boot when the platform is operating in User
>>>> Mode and there is an NV+BS EFI variable called "SecureBootDisable".
>>>> Otherwise, keep it enabled by default.
>>>
>>> Could you, please, explain why this is needed?
>>
>> I was just looking for an easier way to disable it without having to
>> mess with the secure boot variables and possibly breaking secure boot
>> altogether. Of course, we could do the same by creating such a
>> SecureBootDisable variable and forgetting about it. Since we're gonna
>> provide u-boot package with the secure boot keys (PK, KEK, db, dbx)
>> enrolled in (ESP)/ubootefi.var (generated by efivar.py script), and
>> those certificates are only provided at build time, that would be tricky
>> to get it enabled or disabled by removing and inserting the PK, finding
>> the appropriate certificate depending on whether it is openSUSE or SLES.
>>
>> For instance, OVMF does have something like that [1].
>>
>> [1]
>> https://github.com/tianocore/edk2/blob/master/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c#L682
>>
>> Thanks.
>>
> How would you stop an attacker from disabling secure boot on your device
> and tampering with it if this configuration were enabled?

Yep. There isn't much we can do, and it is even unauthenticated. Please
ignore this patch.

Thanks!