Date:      Thu, 3 Oct 2019 20:00:51 -0400
From:      grarpamp <grarpamp@gmail.com>
To:        freebsd-current@freebsd.org
Cc:        freebsd-security@freebsd.org, freebsd-virtualization@freebsd.org
Subject:   Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
Message-ID:  <CAD2Ti28fDwCyn2Xe%2BruKKjcRNPoXP20Yq_QXMd88B5YYxtzF_w@mail.gmail.com>
In-Reply-To: <CAFYkXjm36_5hTVu8xCdLdmXY_Sdte3zcL069BQfZvFVwkfhK8w@mail.gmail.com>
References:  <CAD2Ti2-2TWZEcCdyg1seHHdWRVSC9v_kuMe4f-ERo1LNdJAnmw@mail.gmail.com> <CAFYkXj=f0NEQ%2B=WQ_y8_RZtOc3-%2BHkoBreAgRM669R6s4cWSmQ@mail.gmail.com> <CAGLDxTVrN6m9VLppjv68RpnR2pAxMoPQLD0we2R6mjqcmhO8Ew@mail.gmail.com> <CAFYkXjm36_5hTVu8xCdLdmXY_Sdte3zcL069BQfZvFVwkfhK8w@mail.gmail.com>

>> Just whose secure keys do you suggest? I go to a lot of trouble to disable
>> secure boot so I can load any operating system I want.

Some motherboards have BIOS that allows you to both
- Upload your own keys
- Delete all the spooky Microsoft keys

Read the UEFI Secure Boot specification document.
Then paste all the key management specs into a ticket
with your motherboard vendor and get on them to publish
a BIOS release that has proper key management functions.

Some BIOS makers have this as selectable options in their
BIOS reference build routines... i.e.: the motherboard maker doesn't
have to write any code, they just point and click, and the option
appears in a BIOS release for mobo end user customers.

Sometimes you have to bug and escalate the mobo makers
and threaten to walk your next purchase to another mobo maker
to get them to cut and post the new BIOS release.

https://www.uefi.org/
https://uefi.org/learning_center/papers
https://uefi.org/specsandtesttools
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf

https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2019.pdf
https://uefi.org/sites/default/files/resources/UEFI%20Forum%20White%20Paper%20-%20Chain%20of%20Trust%20Introduction_2019.pdf


> The goal would be not to disable secure boot and have FreeBSD running
> with a secured bootloader :-)
>
> At the moment we have insecure boot + insecure kernel + possible
> encrypted data partition..

> would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)

Yes.


