Re: AMD Secure Encrypted Virtualization - FreeBSD Status?

From: Clay Daniels Jr. <clay.daniels.jr_at_gmail.com>
Date: Mon, 14 Oct 2019 14:18:18 -0500

Simon, please do elaborate more on your implementation. I suspect you are
talking about libsecureboot? I have played with the generation of certs
with OpenSSL & LibreSSL, but libsecureboot seems to take a different
approach. Please tell us more.

Clay

On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <
freebsd-security_at_freebsd.org> wrote:

> Tomasz CEDRO <tomek_at_cedro.info> wrote:
>
> > would be really nice also to get UEFI BOOT compatible with SECURE BOOT
> :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.
>
> That would need to then verify loader.efi - which can be built to
> verify all the modules and kernel.
>
> In my implementation (uses the non efi loader) trust anchors are
> embedded in loader but there is code in current to lookup trust anchors
> in /efi I think which would be more generally useful - I've not looked
> at the attack vectors that introduces though.
>
> --sjg
>
Received on Mon Oct 14 2019 - 17:18:31 UTC
