Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-20 Thread Ross Lagerwall
On Thu, Jun 19, 2025 at 11:06 PM Marek Marczykowski-Górecki wrote: > > On Thu, Jun 19, 2025 at 12:56:12PM -0700, Stefano Stabellini wrote: > > On Thu, 19 Jun 2025, Marek Marczykowski-Górecki wrote: > > > On Thu, Jun 19, 2025 at 03:16:51PM +0100, Ross Lagerwall wrote: > > > > I think a section on P

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-19 Thread Marek Marczykowski-Górecki
On Thu, Jun 19, 2025 at 12:56:12PM -0700, Stefano Stabellini wrote: > On Thu, 19 Jun 2025, Marek Marczykowski-Górecki wrote: > > On Thu, Jun 19, 2025 at 03:16:51PM +0100, Ross Lagerwall wrote: > > > I think a section on PCI passthrough is also warranted. i.e. preventing > > > misuse > > > of a dev

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-19 Thread Stefano Stabellini
On Thu, 19 Jun 2025, Marek Marczykowski-Górecki wrote: > On Thu, Jun 19, 2025 at 03:16:51PM +0100, Ross Lagerwall wrote: > > I think a section on PCI passthrough is also warranted. i.e. preventing > > misuse > > of a device to exploit Secure Boot. > > While I agree it makes sense, I wonder if it'

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-19 Thread Marek Marczykowski-Górecki
On Thu, Jun 19, 2025 at 03:16:51PM +0100, Ross Lagerwall wrote: > I think a section on PCI passthrough is also warranted. i.e. preventing misuse > of a device to exploit Secure Boot. While I agree it makes sense, I wonder if it's in scope for UEFI Secure Boot as defined by Microsoft? It may have i

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-19 Thread Ross Lagerwall
On Thu, Jun 12, 2025 at 12:58 AM Andrew Cooper wrote: ... > +In Progress > +--- > + > +.. warning:: > + > + The following work is still in progress. It is provisional, and not > + security supported yet. > + > + > +Secure Boot Advanced Targeting > +^^ > + >

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-19 Thread Ross Lagerwall
On Thu, Jun 12, 2025 at 1:21 PM Teddy Astie wrote: > > On 12/06/2025 at 12:08, Jan Beulich wrote: > > On 12.06.2025 01:58, Andrew Cooper wrote: > >> + > >> +Lockdown Mode > >> +^ > >> + > >> +A mode which causes the enforcement of the properties necessary to > >> conform to > >> +th

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-13 Thread Stefano Stabellini
On Fri, 13 Jun 2025, Marek Marczykowski-Górecki wrote: > On Fri, Jun 13, 2025 at 08:35:26AM +0200, Jan Beulich wrote: > > On 12.06.2025 23:32, Stefano Stabellini wrote: > > > On Thu, 12 Jun 2025, Andrew Cooper wrote: > > >> +Support in Xen > > >> +-- > > >> + > > >> +There are multiple

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-13 Thread Marek Marczykowski-Górecki
On Fri, Jun 13, 2025 at 08:35:26AM +0200, Jan Beulich wrote: > On 12.06.2025 23:32, Stefano Stabellini wrote: > > On Thu, 12 Jun 2025, Andrew Cooper wrote: > >> +Support in Xen > >> +-- > >> + > >> +There are multiple ways to achieve this security goal, with differing > >> +tradeoffs fo

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Jan Beulich
On 12.06.2025 23:32, Stefano Stabellini wrote: > On Thu, 12 Jun 2025, Andrew Cooper wrote: >> +Support in Xen >> +-- >> + >> +There are multiple ways to achieve this security goal, with differing >> +tradeoffs for the eventual system. >> + >> +On one end of the spectrum is the Unified K

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Stefano Stabellini
On Thu, 12 Jun 2025, Andrew Cooper wrote: > Written to be solution and deployment neutral in order to focus on the > technology itself. This policy is intended to work as well for UKI as for the > "classic server setup" approach. > > Signed-off-by: Andrew Cooper > --- > CC: Anthony PERARD > CC:

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Marek Marczykowski-Górecki
On Thu, Jun 12, 2025 at 11:22:39AM -0400, Demi Marie Obenour wrote: > On 6/12/25 06:06, Jan Beulich wrote: > > On 12.06.2025 01:58, Andrew Cooper wrote: > >> 2) Pre-boot DMA Protection. Microsoft consider this a platform feature > >> requiring OEM enablement, and do not consider its absence to be

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Demi Marie Obenour
On 6/12/25 06:06, Jan Beulich wrote: > On 12.06.2025 01:58, Andrew Cooper wrote: >> 2) Pre-boot DMA Protection. Microsoft consider this a platform feature >> requiring OEM enablement, and do not consider its absence to be a Secure Boot >> vulnerability. But, it is less clear what the policy ought

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Tu Dinh
On 12/06/2025 15:22, Jan Beulich wrote: > On 12.06.2025 15:15, Tu Dinh wrote: >> On 12/06/2025 02:03, Andrew Cooper wrote: >>> +Secure Boot Advanced Targeting >>> +^^ >>> + >>> +SBAT is a recovation scheme for Secure Boot enabled components, using a >>> +generation based

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Jan Beulich
On 12.06.2025 15:15, Tu Dinh wrote: > On 12/06/2025 02:03, Andrew Cooper wrote: >> +Secure Boot Advanced Targeting >> +^^ >> + >> +SBAT is a recovation scheme for Secure Boot enabled components, using a >> +generation based scheme. See `Shim SBAT.md >> +

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Tu Dinh
On 12/06/2025 02:03, Andrew Cooper wrote: > Written to be solution and deployment neutral in order to focus on the > technology itself. This policy is intended to work as well for UKI as for the > "classic server setup" approach. > > Signed-off-by: Andrew Cooper > --- > CC: Anthony PERARD > CC:

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Teddy Astie
On 12/06/2025 at 12:08, Jan Beulich wrote: > On 12.06.2025 01:58, Andrew Cooper wrote: >> + >> +Lockdown Mode >> +^ >> + >> +A mode which causes the enforcement of the properties necessary to conform >> to >> +the Secure Boot specification. Lockdown Mode is forced active when Secure

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Jan Beulich
On 12.06.2025 01:58, Andrew Cooper wrote: > Obviously RFC at this point. It's worth saying that XenServer is intending to > use Shim and get a signature from Microsoft, retaining all exiting features > such as Livepatching and Kexec crash reporting. > > This trails off into more TODOs towards the

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Jan Beulich
On 12.06.2025 09:50, Marek Marczykowski-Górecki wrote: > On Thu, Jun 12, 2025 at 12:58:51AM +0100, Andrew Cooper wrote: >> Several things are hard to express and want further discussion. Suggestions >> welcome: >> >> 1) Content of CONFIG_CMDLINE and the various CONFIG_*_DEFAULT options. Xen >> i

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-12 Thread Marek Marczykowski-Górecki
On Thu, Jun 12, 2025 at 12:58:51AM +0100, Andrew Cooper wrote: > Written to be solution and deployment neutral in order to focus on the > technology itself. This policy is intended to work as well for UKI as for the > "classic server setup" approach. > > Signed-off-by: Andrew Cooper > --- > CC:

[PATCH] docs: UEFI Secure Boot security policy

2025-06-11 Thread Andrew Cooper
Written to be solution and deployment neutral in order to focus on the technology itself. This policy is intended to work as well for UKI as for the "classic server setup" approach. Signed-off-by: Andrew Cooper --- CC: Anthony PERARD CC: Michal Orzel CC: Jan Beulich CC: Julien Grall CC: Roge

Re: [PATCH] docs: UEFI Secure Boot security policy

2025-06-11 Thread Demi Marie Obenour
On 6/11/25 19:58, Andrew Cooper wrote: > Written to be solution and deployment neutral in order to focus on the > technology itself. This policy is intended to work as well for UKI as for the > "classic server setup" approach. > > Signed-off-by: Andrew Cooper > --- > CC: Anthony PERARD > CC: Mi