
Re: EFI BoF at DebConf

On Tue, Jul 31, 2012 at 02:40:25PM -0600, Paul Wise wrote:

> > Here's a summary of what we discussed in the EFI BoF [1] last week
> > (9th July). Thanks to the awesome efforts of the DebConf video team,
> > the video of the session is already online [2] in case you missed
> > it. I've also attached the Gobby notes that were taken during the
> > session. Again, thanks to the people who took part - we had a useful
> > discussion.

> One thing I don't think anyone has discussed yet is how key
> transitions will work, if a distro-specific key is compromised, is the
> OS able to update the SB keys?

Any OS will be able to push signed updates to the DB and DBX variables,
adding new trusted keys or revoking keys / individual binaries.  However,
the only signed updates that will be accepted by the firmware are those
signed by keys already trusted /by the firmware/ (i.e., those present in the
KEK).  This means that in general, if you have a compromised key or
compromised binary, you need to go back to the CA (i.e., whoever is
providing a trust path back to KEK for you) and ask them to issue a

> > Any one binary can only be signed by one key.

> Would it be possible/useful to circumvent this limitation by making
> copies of the binary and then signing them?

It's certainly straightforward to take copies of a single binary and have it
signed by multiple keys.  It's even straightforward to remove one signature
from a binary and replace it with another.  What's not straightforward is to
provide a single boot image that can reasonably make use of such things,
since UEFI boots by looking for a single well-known path to boot from.

FWIW the UEFI working group seems to consider it an oversight that only one
signature is allowed per binary, and work is afoot to correct this.  But as
with other issues, it's probably too late to make a difference for the first
iteration of hardware.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature
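The key-transition and revocation path described in the message above, as an added illustration (not firmware code and not anything from the Debian or UEFI projects). It models the PK -> KEK -> db/dbx hierarchy: updates to db/dbx are accepted only when signed by a key already in KEK, a compromised signing key is retired through dbx, and, since an image carries one signature, a second copy signed by the replacement key is what boots afterwards. Assumption: "keys" are HMAC secrets identified by the SHA-256 of the secret, standing in for X.509 certificates and PKCS#7 signatures so the example runs with only the standard library; all key names and image contents are constructed.

```python
import hashlib
import hmac
import json

# Toy model of the UEFI Secure Boot key hierarchy (PK -> KEK -> db/dbx).
# Added illustration, not firmware or Debian code.  ASSUMPTION: keys are HMAC
# secrets identified by the SHA-256 of the secret, standing in for X.509
# certificates and PKCS#7 signatures so the example runs with only the
# standard library; the trust-path logic is what the message above describes.


def key_id(secret: bytes) -> str:
    return hashlib.sha256(secret).hexdigest()


def sign(secret: bytes, data: bytes) -> dict:
    """One detached signature per blob, mirroring the one-signature-per-binary limit."""
    return {"signer": key_id(secret),
            "sig": hmac.new(secret, data, hashlib.sha256).hexdigest()}


def _valid(secret: bytes, data: bytes, signature: dict) -> bool:
    expect = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature["sig"], expect)


def encode(entries: dict) -> bytes:
    """Canonical bytes of a variable update, the thing that actually gets signed."""
    return json.dumps(entries, sort_keys=True).encode()


class Firmware:
    def __init__(self, pk: bytes, kek: list, db: list):
        self.pk = {key_id(pk): pk}                 # platform key (OEM)
        self.kek = {key_id(k): k for k in kek}     # key exchange keys (CAs)
        self.db = {key_id(k): k for k in db}       # allowed signing keys
        self.dbx_keys = set()                      # revoked signing keys
        self.dbx_hashes = set()                    # revoked individual images

    def update(self, var: str, entries: dict, signature: dict) -> bool:
        """Authenticated variable write: KEK needs PK; db/dbx need a KEK signer."""
        trusted = self.pk if var == "KEK" else self.kek
        secret = trusted.get(signature["signer"])
        if secret is None or not _valid(secret, encode(entries), signature):
            return False                           # firmware drops the write
        if var == "KEK":
            self.kek.update({key_id(bytes.fromhex(k)): bytes.fromhex(k)
                             for k in entries.get("keys", [])})
        elif var == "db":
            self.db.update({key_id(bytes.fromhex(k)): bytes.fromhex(k)
                            for k in entries.get("keys", [])})
        elif var == "dbx":
            self.dbx_keys.update(entries.get("key_ids", []))
            self.dbx_hashes.update(entries.get("hashes", []))
        else:
            return False
        return True

    def verify_image(self, image: bytes, signature: dict) -> str:
        """Return 'allowed' or why the firmware refuses to run the image."""
        if hashlib.sha256(image).hexdigest() in self.dbx_hashes:
            return "denied: image hash in dbx"
        if signature["signer"] in self.dbx_keys:
            return "denied: signing key in dbx"
        secret = self.db.get(signature["signer"])
        if secret is None:
            return "denied: signer not in db"
        if not _valid(secret, image, signature):
            return "denied: bad signature"
        return "allowed"


def key_transition() -> dict:
    """Walk through a distro key compromise and the trust path needed to recover."""
    oem_pk, ca_kek = b"oem-platform-key", b"ca-key-exchange-key"
    distro_old, distro_new = b"distro-key-2012", b"distro-key-2013"
    fw = Firmware(pk=oem_pk, kek=[ca_kek], db=[distro_old])
    image = b"shim.efi (constructed sample image)"
    out = {"boot_before": fw.verify_image(image, sign(distro_old, image))}

    # The distro tries to enrol its replacement key itself: rejected, because
    # its signing key is in db, not in KEK.
    new_db = {"keys": [distro_new.hex()]}
    out["self_signed_db_update"] = fw.update("db", new_db, sign(distro_old, encode(new_db)))
    # The CA holding a KEK entry signs the same update: accepted.
    out["ca_signed_db_update"] = fw.update("db", new_db, sign(ca_kek, encode(new_db)))

    # The CA revokes the compromised key through dbx; everything it signed stops booting.
    revoke = {"key_ids": [key_id(distro_old)], "hashes": []}
    out["dbx_update"] = fw.update("dbx", revoke, sign(ca_kek, encode(revoke)))
    out["boot_old_key"] = fw.verify_image(image, sign(distro_old, image))
    # A binary carries one signature, so the fix is a second copy signed by the new key.
    out["boot_new_key"] = fw.verify_image(image, sign(distro_new, image))

    # Revoking a single bad build by hash leaves the new key usable for other images.
    bad = b"grubx64.efi (constructed buggy build)"
    revoke_one = {"key_ids": [], "hashes": [hashlib.sha256(bad).hexdigest()]}
    fw.update("dbx", revoke_one, sign(ca_kek, encode(revoke_one)))
    out["boot_revoked_build"] = fw.verify_image(bad, sign(distro_new, bad))
    out["boot_other_build"] = fw.verify_image(image, sign(distro_new, image))
    return out


if __name__ == "__main__":
    for step, result in key_transition().items():
        print(f"{step:24} {result}")
```

The point to take from the walk-through is the one the message makes: the distro's own key can sign boot images but not variable updates, so recovery from a compromise runs through whoever holds a KEK entry, and dbx can retire either a whole key or a single build by hash.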
