Date: Mon, 7 Oct 2019 09:29:06 -0400 From: David Cross <dcrosstech@gmail.com> To: Warner Losh <imp@bsdimp.com> Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Re: uefisign and loader Message-ID: <CAM9edeP%2BbvKzOuuGMXLvgczzkaDCCuDJdH7C%2BnRanXp=3w6Fdg@mail.gmail.com> In-Reply-To: <CANCZdfqdbKgRqF7AhsfjNwQdzbwA7uSuQoWzWvHQrwkJ2p4AXg@mail.gmail.com> References: <CAM9edeOTrNev=izkp2R3C5A0geHRe51m71BPn1OrXSn_QWFaGQ@mail.gmail.com> <CANCZdfqdbKgRqF7AhsfjNwQdzbwA7uSuQoWzWvHQrwkJ2p4AXg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 7, 2019 at 1:02 AM Warner Losh <imp@bsdimp.com> wrote: > > > On Sun, Oct 6, 2019, 10:58 PM David Cross <dcrosstech@gmail.com> wrote: > >> I've been working on getting secureboot working under freebsd (I today >> just >> finished off a REALLY rough tool that lets one tweak uefi authenticated >> variables under freebsd, with an eye to try to get a patch to put this >> into >> efivar). After setting the PK, the KEK, and the db, I was super excited >> to >> finally secure-boot my machine, and discovered that I could not uefisign >> loader. Attempting to sign loader returns a cryptic: "section points >> inside the headers" and then hangs in pipe-read (via siginfo). (this is >> under 12.0 FWIW). >> >> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so its >> not really useful for me. >> >> Suggestions? >> > > Use loader.efi directly instead? > >> >> I currently do use loader.efi directly, however not being able to sign loader.efi directly complicates things a bit (using hash based signature lists for the 'db' variable); and it seems we *should* be able to sign loader. From some other posts on the internet it seems that at some point we could.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM9edeP%2BbvKzOuuGMXLvgczzkaDCCuDJdH7C%2BnRanXp=3w6Fdg>