From: Tomasz CEDRO
Date: Thu, 3 Oct 2019 22:32:21 +0200
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
To: "Clay Daniels Jr."
Cc: grarpamp, freebsd-security@freebsd.org, "freebsd-current@freebsd.org", freebsd-virtualization@freebsd.org

On Thu, Oct 3, 2019 at 10:29 PM Clay Daniels Jr. wrote:
> Just whose secure keys do you suggest? I go to a lot of trouble to disable secure boot so I can load any operating system I want.

The goal would be not to disable secure boot and have FreeBSD running with a secured bootloader :-) At the moment we have insecure boot + insecure kernel + possible encrypted data partition..

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info