From owner-freebsd-security@freebsd.org Fri Oct 4 00:00:55 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4F539143E0C; Fri, 4 Oct 2019 00:00:55 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46kqlT5ydvz4t7J; Fri, 4 Oct 2019 00:00:53 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: by mail-io1-xd41.google.com with SMTP id n26so9606289ioj.8; Thu, 03 Oct 2019 17:00:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=G5KQqjzd8wSb7VfMjU9SQ3LKRqYSvNG84JAE+iQ95vg=; b=Cr+f0zMqZlkkOYl3aoSlb7dKUmWafLTYkmlyw3ZOghVRNaQVA46mJ6Lxk3pDrdVvef rByOVNmmZm6WbTvCUSksobd3YY6WNpP5L85mSzu9S+wx7rDPKk1s7tl51aDJYd5DayzF BJWv0isu4J2CG5dHOeYG7Flfu3txlj7jg19WPVtAgMdrKYS9LYV2DR+RUQtlnYUY2k9b aa+hTfLlUVplbVjD8YYezWz210/QE58Y6qPHuvH48Tpc/Cdqp2eQjU436DYUonsty+0L bZuQo1jVClMWXnCjAI+blJsYmObv4a+W/nHgHOMJUl+fBWOo7nzjmfC5tRB2hLWb9lfa HXXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=G5KQqjzd8wSb7VfMjU9SQ3LKRqYSvNG84JAE+iQ95vg=; b=lBzK11ImVAX4MjdqAEb51p2qVMklXNaFzn19sv7Bh10n3bhiIun3ZvWhmkmGhBQZ4b IRh5vXthQFjSgQ80CMXGxbcxN3hMvGzAwa0ZXCDsBzv7IMxedwqIh71ZnBZkmvrN+pXE eRw5vjt9Dr2GRB87GA0Cx9hEGfoM1AHdCiqDxc7nOPakabXW42lK1j07tVg0Jz5020pw alKG8qa02ft/n4MZm8qpJKQNc+Cu8ZlggYD4ip2kN9LcTGi1KzkWyICMCUuQkDcw+Ck8 4lNSdLJhGo4ooB1tINiXoc4m0g48yVs88CAaxmul7PdIJPbyCqxeoGtpxb6XkOwHC949 iQ4Q== X-Gm-Message-State: APjAAAVBb/4JWWWgbQN3hDdmYdl9CYm0X2a/cgi5h+g/pivtKraOeGPR bfg+ISDyFFMSkYDPhOB/S6uylrnWs7qqGgTcrr0d32YM X-Google-Smtp-Source: APXvYqxbJEBK/peV7zcX+VoUHQ0LEIo5Nki7mq9eIGBMtyh/R+0a4pgJfNYX59iKgeOPkzhZmwKOGrMo9W30QXHYYDY= X-Received: by 2002:a6b:2bc1:: with SMTP id r184mr10422400ior.146.1570147251646; Thu, 03 Oct 2019 17:00:51 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a02:9f01:0:0:0:0:0 with HTTP; Thu, 3 Oct 2019 17:00:51 -0700 (PDT) In-Reply-To: References: From: grarpamp Date: Thu, 3 Oct 2019 20:00:51 -0400 Message-ID: Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status? To: freebsd-current@freebsd.org Cc: freebsd-security@freebsd.org, freebsd-virtualization@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 46kqlT5ydvz4t7J X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=Cr+f0zMq; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::d41 as permitted sender) smtp.mailfrom=grarpamp@gmail.com X-Spamd-Result: default: False [-2.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; IP_SCORE_FREEMAIL(0.00)[]; IP_SCORE(0.00)[ip: (2.10), ipnet: 2607:f8b0::/32(-2.57), asn: 15169(-2.16), country: US(-0.05)]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[1.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; FROM_EQ_ENVFROM(0.00)[]; SUBJECT_ENDS_QUESTION(1.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Oct 2019 00:00:55 -0000 >> Just whose secure keys do you suggest? I go to a lot of trouble to disable >> secure boot so I can load any operating system I want. Some motherboards have BIOS that allows you to both - Upload your own keys - Delete all the spooky Microsoft keys Read the UEFI Secure Boot specification document. Then paste all the key management specs into a ticket with your motherboard vendor and get on them to publish a BIOS release that has proper key management functions. Some BIOS makers have this as selectable options in their BIOS reference build routines... ie: the motherboard maker doesn't have to write any code, they just point and click, and the option appears in a BIOS release for mobo end user customers. Sometimes you have to bug and escalate the mobo makers and threaten to walk your next purchase to another mobo maker to get them to cut and post the new BIOS release. https://www.uefi.org/ https://uefi.org/learning_center/papers https://uefi.org/specsandtesttools https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2019.pdf https://uefi.org/sites/default/files/resources/UEFI%20Forum%20White%20Paper%20-%20Chain%20of%20Trust%20Introduction_2019.pdf > The goal would be not to disable secure boot and have FreeBSD running > with a secured bootloader :-) > > At the moment we have insecure boot + insecure kernel + possible > encrypted data partition.. > would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-) Yes.