Simon, please do elaborate more on your implementation. I suspect you are talking about libsecureboot? I have played with the generation of certs with OpenSSL & LibreSSL, but libsecureboot seems to take a different approach. Please tell us more.

Clay

On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <freebsd-security_at_freebsd.org> wrote:
> Tomasz CEDRO <tomek_at_cedro.info> wrote:
>
> > would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.
>
> That would need to then verify loader.efi - which can be built to
> verify all the modules and kernel.
>
> In my implementation (uses the non-EFI loader) trust anchors are
> embedded in loader but there is code in current to lookup trust anchors
> in /efi I think which would be more generally useful - I've not looked
> at the attack vectors that introduces though.
>
> --sjg
> _______________________________________________
> freebsd-security_at_freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe_at_freebsd.org"
>
Received on Mon Oct 14 2019 - 17:18:31 UTC
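The last link of the chain Simon describes (loader verifying the kernel and modules against trust anchors embedded in the loader) can be modelled with the same OpenSSL command-line tooling Clay mentions using for cert generation. The script below is an added example for this thread, not code from FreeBSD, libsecureboot or either poster. Its assumptions are its own: the trust anchor is a self-signed X.509 CA certificate, the "kernel" is a placeholder file, and the signature is a detached SHA-256 signature made with `openssl dgst`; the real loader's signature format and anchor storage are not described on this page and are not claimed here. The point it shows is that the verifier must check two things, not one: that the signer's certificate chains to the embedded anchor, and that the signature verifies over the exact image bytes. A tampered image fails the second check; a correctly formed signature from a key that does not chain to the anchor fails the first.

```shell
#!/bin/sh
# Added example (not libsecureboot or FreeBSD code). Toy model of the
# "loader verifies kernel against an embedded trust anchor" step using
# the openssl CLI. All key material and the kernel image are constructed
# here; nothing is taken from a real system.
set -eu

# Build the PKI in directory $1: a trust anchor (self-signed CA), a
# kernel-signing cert issued by it, and a "rogue" self-signed cert that
# is cryptographically valid but does not chain to the anchor.
setup_pki() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/ca.key"
    openssl req -x509 -new -key "$1/ca.key" -out "$1/ca.crt" \
        -subj /CN=TrustAnchor -days 365 2>/dev/null

    openssl ecparam -genkey -name prime256v1 -noout -out "$1/leaf.key"
    openssl req -new -key "$1/leaf.key" -out "$1/leaf.csr" \
        -subj /CN=KernelSigner 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.crt" -days 365 2>/dev/null

    openssl ecparam -genkey -name prime256v1 -noout -out "$1/rogue.key"
    openssl req -x509 -new -key "$1/rogue.key" -out "$1/rogue.crt" \
        -subj /CN=Rogue -days 365 2>/dev/null
}

# sign_kernel KEY IMAGE SIGOUT: detached SHA-256 signature over IMAGE.
sign_kernel() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_kernel ANCHOR SIGNER_CERT IMAGE SIG
# Returns 0 only if SIGNER_CERT chains to ANCHOR *and* SIG verifies
# over IMAGE with the key in SIGNER_CERT. Either failure rejects the image.
verify_kernel() {
    # Step 1: chain check. Match on the ": OK" line rather than the exit
    # status so the result does not depend on the openssl version's behaviour.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' || return 1
    # Step 2: signature check over the exact image bytes.
    openssl x509 -in "$2" -pubkey -noout > "$2.pub"
    openssl dgst -sha256 -verify "$2.pub" -signature "$4" "$3" >/dev/null 2>&1
}

# Stand-alone demo on constructed input: genuine image, tampered image,
# and an image signed by a key outside the trust anchor's chain.
demo() {
    d=$(mktemp -d)
    setup_pki "$d"
    printf 'placeholder kernel image\n' > "$d/kernel"
    sign_kernel "$d/leaf.key" "$d/kernel" "$d/kernel.sig"
    verify_kernel "$d/ca.crt" "$d/leaf.crt" "$d/kernel" "$d/kernel.sig" \
        && echo "genuine kernel:   ACCEPT"

    cp "$d/kernel" "$d/kernel.bad"
    printf 'X' >> "$d/kernel.bad"
    verify_kernel "$d/ca.crt" "$d/leaf.crt" "$d/kernel.bad" "$d/kernel.sig" \
        || echo "tampered kernel:  REJECT"

    sign_kernel "$d/rogue.key" "$d/kernel" "$d/kernel.rogue.sig"
    verify_kernel "$d/ca.crt" "$d/rogue.crt" "$d/kernel" "$d/kernel.rogue.sig" \
        || echo "untrusted signer: REJECT"
    rm -rf "$d"
}

demo
```

The rogue case is the one worth dwelling on: the signature itself is perfectly valid, so a verifier that only runs the `dgst -verify` step against whatever certificate ships next to the image would accept it. The trust anchor is what turns "signed" into "signed by someone we trust", which is why where the anchor lives (embedded in the loader, or looked up from `/efi` as Simon mentions) matters for the attack surface.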