lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <CAMw=ZnRtLSQ38csrOU1aSjq2JoE4up5i5KciONJcS_T8ggB3LA@mail.gmail.com>
Date:   Fri, 14 Jul 2023 10:25:45 +0100
From:   Luca Boccassi <bluca@...ian.org>
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     Peter Jones <pjones@...hat.com>,
        Matthew Garrett <mjg59@...f.ucam.org>,
        Emanuele Giuseppe Esposito <eesposit@...hat.com>,
        x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>,
        lennart@...ttering.net, Ingo Molnar <mingo@...hat.com>,
        Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Alexander Potapenko <glider@...gle.com>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Daniel P. Berrangé <berrange@...hat.com>,
        linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage

On Fri, 14 Jul 2023 at 09:52, Ard Biesheuvel <ardb@...nel.org> wrote:
>
> (cc Peter and Matthew)
>
> On Fri, 14 Jul 2023 at 00:32, Luca Boccassi <bluca@...ian.org> wrote:
> >
> > On Thu, 13 Jul 2023 at 14:52, Ard Biesheuvel <ardb@...nel.org> wrote:
> > >
> > >
> > > Note that by Windows-crippled, I mean x86 PCs built by OEMs who care
> > > about nothing other than the Windows logo sticker. These PCs often don't
> > > allow secure boot keys to be modified by the owner of the machine, or
> > > secure boot to be disabled at all. This is why shim exists, not because
> > > UEFI secure boot is broken by design.
> >
> > AFAIK that's not only against the spec but also the logo
> > certification. Which x86 OEMs are doing that, and in which models?
> > Happy to flag that and inquire.
>
> Thanks. My Yoga C630 Snapdragon laptop definitely does not allow me to
> update the keys from the UI, but it does allow me to disable secure
> boot. It might work with SetVariable() directly but I've never tried.

That's not an x86 machine though? For Arm IIRC the logo certification
requirement was more lax (or more locked down, depending on your
point of view), at least in the past. I am not sure what the
current state is.
