| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Nov 2016 16:51:18 +0000
From: David Howells <dhowells@...hat.com>
To: Mark Rutland <mark.rutland@....com>
Cc: dhowells@...hat.com, lukas@...ner.de, linux-efi@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, Matthew Garrett <mjg59@...eos.com>
Subject: Re: [PATCH 4/6] efi: Get the secure boot status [ver #2]
Mark Rutland <mark.rutland@....com> wrote:
> > + boot_params->secure_boot = (efi_get_secureboot(sys_table) == 1);
>
> In the arm stub's efi_entry(), we fail-safe, and assume secure boot for any
> non-zero status (including errors). e.g.
Okay, given what Matthew said:
A conforming implementation that supports secure boot should always
return those variables without error. If they're not present (which is
valid for x86 systems - many predate the feature) then assuming Secure
Boot is disabled is correct. The question of what to do in the event
of other errors is more open, but it wouldn't surprise me if there are
implementations that return non-spec errors for missing variables
under certain circumstances.
I think I have to assume the default to be that secure boot is *not* enabled
in the case of one of the variables we need to check is not being present.
As for getting other errors, I think we have to assume a buggy BIOS. In this
case, I would also go with assuming we're not in secure boot.
Another possibility is to punt the decision and make it compile-time
configurable.
David
Powered by blists - more mailing lists