Date: Mon, 14 Oct 2019 14:18:18 -0500
From: "Clay Daniels Jr." <clay.daniels.jr@gmail.com>
To: "Simon J. Gerraty" <sjg@juniper.net>
Cc: Tomasz CEDRO <tomek@cedro.info>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, grarpamp <grarpamp@gmail.com>, freebsd-virtualization@freebsd.org
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
Message-ID: <CAGLDxTWm-u56ZH33=cmvC986XF-eya_Vpjh8tDaHZL5Ojt=iLg@mail.gmail.com>
In-Reply-To: <76102.1571079149@kaos.jnpr.net>
References: <CAD2Ti2-2TWZEcCdyg1seHHdWRVSC9v_kuMe4f-ERo1LNdJAnmw@mail.gmail.com> <CAFYkXj=f0NEQ%2B=WQ_y8_RZtOc3-%2BHkoBreAgRM669R6s4cWSmQ@mail.gmail.com> <76102.1571079149@kaos.jnpr.net>

Simon, please do elaborate more on your implementation. I suspect you are talking about libsecureboot? I have played with the generation of certs with OpenSSL & LibreSSL, but libsecureboot seems to take a different approach. Please tell us more.

Clay

On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <freebsd-security@freebsd.org> wrote:

> Tomasz CEDRO <tomek@cedro.info> wrote:
>
> > would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.
>
> That would need to then verify loader.efi - which can be built
> to verify all the modules and kernel.
>
> In my implementation (uses the non efi loader) trust anchors are
> embedded in loader but there is code in current to look up trust anchors
> in /efi I think which would be more generally useful - I've not looked
> at the attack vectors that introduces though.
>
> --sjg