Message-ID: <1342203970.3039.35.camel@dabdike.int.hansenpartnership.com>
Date:	Fri, 13 Jul 2012 19:26:10 +0100
From:	James Bottomley <James.Bottomley@...senPartnership.com>
To:	Matthew Garrett <mjg59@...f.ucam.org>
Cc:	linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: Runtime updates to EFI secure variables

On Fri, 2012-07-13 at 19:02 +0100, Matthew Garrett wrote:
> On Fri, Jul 13, 2012 at 06:12:26PM +0100, James Bottomley wrote:
> 
> > This means (provided we have access to the relevant keys) we can move
> > the platform into and out of Setup Mode as well as add signing and other
> > keys.
> 
> I'm pretty sure that the expected behaviour is to use 
> EFI_VARIABLE_APPEND_WRITE for these updates, which means you don't need 
> to worry about the timestamp.

Actually, as long as the timestamp is current (as in > previous
timestamp) it updates the private timestamp stored with the variable.
It's minor, and you're right, the timestamp could be zero, but it's best
practice.

As far as moving the platform into setup mode, that can only be done by
clearing PK, which has to be a non append write, so I need to worry
about both modes.  It's useful to make sure this works, just in case we
run into some OEM accidentally forgetting to allow a user present reset
to setup mode, because it allows us to create an EFI program for them
that will have the same effect.

James
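
The timestamp rule discussed in this exchange, as an added C model that is not part of the original message or of any firmware code. The `ts` and `secure_var` structs and `model_write` are hypothetical names, signature verification is left out, and only the `EFI_VARIABLE_APPEND_WRITE` value is taken from the UEFI specification.

```c
#include <stdint.h>

/* Attribute bit as defined in the UEFI specification. */
#define EFI_VARIABLE_APPEND_WRITE 0x00000040u

/* Ordering-relevant fields of EFI_TIME (assumed subset for this model). */
struct ts { uint16_t year; uint8_t month, day, hour, minute, second; };

/* Hypothetical stand-in for the private timestamp kept with a variable. */
struct secure_var { struct ts stored; };

/* Negative, zero or positive as a is earlier than, equal to or later than b. */
static int ts_cmp(const struct ts *a, const struct ts *b)
{
    int fa[6] = { a->year, a->month, a->day, a->hour, a->minute, a->second };
    int fb[6] = { b->year, b->month, b->day, b->hour, b->minute, b->second };
    for (int i = 0; i < 6; i++)
        if (fa[i] != fb[i])
            return fa[i] - fb[i];
    return 0;
}

/* Timestamp rule only. Returns 1 if the write passes, 0 if it is rejected. */
int model_write(struct secure_var *v, uint32_t attrs, const struct ts *t)
{
    int newer = ts_cmp(t, &v->stored) > 0;

    /* A replacing write (such as clearing PK) needs a later timestamp. */
    if (!(attrs & EFI_VARIABLE_APPEND_WRITE) && !newer)
        return 0;

    /* The stored timestamp only moves forward; an append carrying a zero
       timestamp is accepted and leaves it unchanged. */
    if (newer)
        v->stored = *t;
    return 1;
}

int main(void)
{
    /* Constructed sample values. */
    struct secure_var pk = { { 2012, 7, 13, 18, 0, 0 } };
    struct ts zero = { 0 }, later = { 2012, 7, 13, 19, 26, 10 };
    int ok = model_write(&pk, EFI_VARIABLE_APPEND_WRITE, &zero) == 1
          && model_write(&pk, 0, &zero) == 0
          && model_write(&pk, 0, &later) == 1;
    return ok ? 0 : 1;
}
```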

