From owner-freebsd-hackers@freebsd.org Mon Oct 7 13:29:20 2019
From: David Cross
Date: Mon, 7 Oct 2019 09:29:06 -0400
Subject: Re: uefisign and loader
To: Warner Losh
Cc: FreeBSD Hackers
List-Id: Technical Discussions relating to FreeBSD

On Mon, Oct 7, 2019 at 1:02 AM Warner Losh wrote:
>
> On Sun, Oct 6, 2019, 10:58 PM David Cross wrote:
>
>> I've been working on getting secureboot working under freebsd (I today just
>> finished off a REALLY rough tool that lets one tweak uefi authenticated
>> variables under freebsd, with an eye to try to get a patch to put this into
>> efivar). After setting the PK, the KEK, and the db, I was super excited to
>> finally secure-boot my machine, and discovered that I could not uefisign
>> loader. Attempting to sign loader returns a cryptic: "section points
>> inside the headers" and then hangs in pipe-read (via siginfo). (this is
>> under 12.0 FWIW).
>>
>> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so it's
>> not really useful for me.
>>
>> Suggestions?
>
> Use loader.efi directly instead?

I currently do use loader.efi directly, however not being able to sign loader.efi directly complicates things a bit (using hash based signature lists for the 'db' variable); and it seems we *should* be able to sign loader. From some other posts on the internet it seems that at some point we could.
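The "section points inside the headers" message refers to a PE section whose raw-data offset lies below the optional header's SizeOfHeaders, so the section overlaps the header region an Authenticode-style signer hashes separately. The following is an added example, not code from the thread or from uefisign: it walks the PE section table and reports such sections, and `build_image` constructs a minimal PE32+ image purely for illustration (assumed layout, no real loader code).

```python
import struct

def pe_sections(image: bytes):
    """Parse the DOS/COFF/optional headers of a PE image.
    Returns (SizeOfHeaders, [(name, PointerToRawData, SizeOfRawData), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]  # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40                                     # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return size_of_headers, sections

def sections_inside_headers(image: bytes):
    """Names of sections with file data that starts before SizeOfHeaders.
    A signer that hashes headers and sections as disjoint ranges rejects these."""
    size_of_headers, sections = pe_sections(image)
    return [n for n, ptr, size in sections if size and ptr < size_of_headers]

def build_image(sections, size_of_headers=512):
    """Constructed minimal PE32+ image for the demo: real headers, empty section data."""
    opt_size = 240                                               # PE32+ optional header size
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, 0x1000 * (i + 1),
                    size, ptr, 0, 0, 0, 0, 0x60000020)
        for i, (name, ptr, size) in enumerate(sections))
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table
    return hdr.ljust(max(size_of_headers, len(hdr)) + 1024, b"\0")

if __name__ == "__main__":
    good = build_image([(b".text", 512, 256)])
    bad = build_image([(b".text", 512, 256), (b".reloc", 256, 64)])
    print("good image:", sections_inside_headers(good))         # []
    print("bad image: ", sections_inside_headers(bad))          # ['.reloc']
```

Run it against a real loader.efi by replacing the constructed images with `open("loader.efi", "rb").read()`; any name it prints is a section the signer would reject for this reason.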