Simon, please do elaborate more on your implementation. I suspect you are talking about libsecureboot? I have played with the generation of certs with OpenSSL & LibreSSL, but libsecureboot seems to take a different approach. Please tell us more.
Clay

On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <[email protected]> wrote:

> Tomasz CEDRO <[email protected]> wrote:
>
> > would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.
>
> That would need to then verify loader.efi - which can be built to
> verify all the modules and kernel.
>
> In my implementation (uses the non efi loader) trust anchors are
> embedded in loader but there is code in current to look up trust anchors
> in /efi I think which would be more generally useful - I've not looked
> at the attack vectors that introduces though.
>
> --sjg

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
