From owner-freebsd-current@freebsd.org Sat Oct 5 01:49:53 2019 Return-Path: Delivered-To: freebsd-current@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0CA1DF9D28 for ; Sat, 5 Oct 2019 01:49:53 +0000 (UTC) (envelope-from clay.daniels.jr@gmail.com) Received: from mail-vs1-xe29.google.com (mail-vs1-xe29.google.com [IPv6:2607:f8b0:4864:20::e29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46lV6l5nfWz48y2 for ; Sat, 5 Oct 2019 01:49:51 +0000 (UTC) (envelope-from clay.daniels.jr@gmail.com) Received: by mail-vs1-xe29.google.com with SMTP id p13so5348116vsr.4 for ; Fri, 04 Oct 2019 18:49:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q18hJOCEHZdxA4VWDE9GYHnwDL4u1eiCKxIRxHL3Wyg=; b=kUUU/sDa4RTTrvsqE9q92Fi1+T/nZd0n/txuY0aCHqu0KIJsLflGZQORRTb0Q50aJG HJqkO59fD5pH42Q/PZK5OU3pYT3KQc3PF0ZjJZOOj06aHabSXqbglS9UkV/oCalqTfs8 UVB9LKo9/MwRA2i+kVebiVmkKdEguoS5UYbtBAk49y559xI9jYzZ+ayFJtxDH6DWnQbC mVQl+mE7GXi563jS3ED6rVspYHIguzenW8aoDPxeDrxiWsQgYd9y1HkHHQV5lyLYv8qg JmG9aV7t6vrzgs+Q39FXmCRYXWZJJ/eAZMOnwpCeDrsdocE5TuCColMS82g2rH0d/Hfb P0Yg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q18hJOCEHZdxA4VWDE9GYHnwDL4u1eiCKxIRxHL3Wyg=; b=fabG+ghcso/dhj3bD2E7hIm1lJAL89JICTYDUOMm/aSGu6yVpoYbA05mswh65sEhlA YxZRSZ3L3JwWK2VayLyl1ARcyooeTcNxvmX7Ra3gtX5k8L4PvZviT9WSDYSbwSrN+txn 20d7p+S0YNkalVHBzh46BGET95InfqpRC25yQifgWNS9cQZRGaOGTHfQhD2w0bfAn6Ls SBbRfOnuEE/QyD1P21PHJKV6xGqtoPMZNZG8MCHsB2O2SQV8Kp/PGfYPNoShUd5zm6VH h9+zZboF79i0HLSg0cZVkFF6ljWLcPFQla9GX42d4kKKgvgI9ovjl5a8kZPl3slv4w4M 0jFg== X-Gm-Message-State: APjAAAU1GYlk2zItqR6jltyFoLPKIG2ttLiqxY2nWxpa68dg32loUZNX f3lPrYEK9s1cboQ/vYZIO8sMCojN3N0STIOMBQ== X-Google-Smtp-Source: APXvYqwijoifJBbNGfMEKc7mgfPlNJmHixDUQLV7m6v3d9mOcVNdehnXkN88LDBZTPVGe6qH8fzJdZp3L7FgiGNzjd0= X-Received: by 2002:a67:31d3:: with SMTP id x202mr10169763vsx.125.1570240190134; Fri, 04 Oct 2019 18:49:50 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "Clay Daniels Jr." Date: Fri, 4 Oct 2019 20:49:39 -0500 Message-ID: Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status? To: grarpamp , "tomek@cedro.info" Cc: "freebsd-current@freebsd.org" X-Rspamd-Queue-Id: 46lV6l5nfWz48y2 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=kUUU/sDa; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of claydanielsjr@gmail.com designates 2607:f8b0:4864:20::e29 as permitted sender) smtp.mailfrom=claydanielsjr@gmail.com X-Spamd-Result: default: False [-1.00 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; URI_COUNT_ODD(1.00)[33]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; FREEMAIL_TO(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; SUBJECT_ENDS_QUESTION(1.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org]; IP_SCORE_FREEMAIL(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[9.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; IP_SCORE(0.00)[ip: (-9.66), ipnet: 2607:f8b0::/32(-2.56), asn: 15169(-2.16), country: US(-0.05)]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Oct 2019 01:49:53 -0000 Grarpamp,Tomasz, and all: Thanks for all the reference documents. I looked through them, and did some more research myself: Creating Secure Boot Keys --- 0. https://wiki.freebsd.org/SecureBoot A work in progress. --- 1. http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html Need: openssl - pkg on freebsd efitools - not found freebsd, source available elswhere Note that efitools is dependent upon sbsigntool (aka sbsigntools), so you may need to install it, too. sbsigntool - not found freebsd, source available elswhere --- 2. https://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot Similar tools to Rod's, added osslsigncode as possible substitute for sbsigntool --- My situation in life does not really seem to demand secure boot as I can always wipe the drive and rebuild. However it was pointed out that malware can continue to hide in the bios cmos nvram, so there is really no hiding and yes, we do need to consider shaping up. I am a big fan of Rod Smith ( http://www.rodsbooks.com/ ) and use his rEFInd boot loader on both my machines. It was a little trouble to set up the first time, but well worth the effort. I suspect that creating secure boot keys is a bit more complicated, but I'm going to look into it deeper. Any help & suggestions would be appreciated. My trusty old 2014 HP Pavilion has it's HP vendor platform keys, but they are not enabled. I have it in CSM mode, not UEFI mode, hence no secure boot as uefi must be enabled for secure boot. My new Ryzen 7 3700X & MSI X570 motherboard has UEFI boot set, but secure boot is not enabled. I have not even "enrolled" the vendor keys yet. So I have a lab setup to play with two machines, old & new, and the time & patience to play with this. I do welcome any suggestions and help Clay On Thu, Oct 3, 2019 at 7:01 PM grarpamp wrote: > >> Just whose secure keys do you suggest? I go to a lot of trouble to > disable > >> secure boot so I can load any operating system I want. > > Some motherboards have BIOS that allows you to both > - Upload your own keys > - Delete all the spooky Microsoft keys > > Read the UEFI Secure Boot specification document. > Then paste all the key management specs into a ticket > with your motherboard vendor and get on them to publish > a BIOS release that has proper key management functions. > > Some BIOS makers have this as selectable options in their > BIOS reference build routines... ie: the motherboard maker doesn't > have to write any code, they just point and click, and the option > appears in a BIOS release for mobo end user customers. > > Sometimes you have to bug and escalate the mobo makers > and threaten to walk your next purchase to another mobo maker > to get them to cut and post the new BIOS release. > > https://www.uefi.org/ > https://uefi.org/learning_center/papers > https://uefi.org/specsandtesttools > https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf > > > https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2019.pdf > > https://uefi.org/sites/default/files/resources/UEFI%20Forum%20White%20Paper%20-%20Chain%20of%20Trust%20Introduction_2019.pdf > > > > The goal would be not to disable secure boot and have FreeBSD running > > with a secured bootloader :-) > > > > At the moment we have insecure boot + insecure kernel + possible > > encrypted data partition.. > > > would be really nice also to get UEFI BOOT compatible with SECURE BOOT > :-) > > Yes. > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" >