Thanks Heinrich,
I now see how EFIBootGuard integrates in the secureboot process.
If we want to push integrity checking beyond the executable image, for instance validating:
- Linux initrd and command line
- grub modules and config file
- efibootguard configuration files
It starts to look hairy.
Would validation of the entire EFI boot partition be just good enough? (using dm-verity, fs-verity or whatever mechanism)
Cheers
FF
On Mon, 22 Apr 2019 at 19:55, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On Fri Apr 19 10:48:51 UTC 2019 François Ozog francois.ozog@linaro.org wrote
We will be conducting a UEFI gap analysis to support EFIBootGuard in U-Boot.
As we are working on UEFI SecureBoot implementation in U-Boot, how do you expect the boot process to be secured? Would U-Boot UEFI SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will check either grub or Linux signature?
Please elaborate on your vision of a secured boot process.
The UEFI spec is quite clear about this:
An implementation of SecureBoot will check the signature of any EFI binary before starting it. StartImage() will return EFI_SECURITY_VIOLATION when trying to start an image that is neither correctly signed nor whose hash is known.
As we use StartImage() for starting any image the signature of EFIBootGuard would be checked first and then any of the child applications it starts.
You will not be able to start GRUB or the Linux kernel if their signatures are not added to U-Boot's key database.
Of course you could implement inside EFIBootGuard your own mechanism to start a loaded image without calling StartImage(). In this case U-Boot cannot protect you from invalid images.
Best regards
Heinrich
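The chain of trust Heinrich describes (StartImage() checks every image against the firmware key database, so a verified EFIBootGuard that starts GRUB and the kernel through StartImage() gets them verified too, while a loader that jumps to a loaded image directly gets no protection) can be modelled in a few lines. The following is an added, constructed Python example and is not U-Boot, EFIBootGuard or UEFI code: the `Firmware`, `Image`, `db_keys`/`db_hashes` and `uses_start_image` names are assumptions of the model, and the "signature" is a deliberately insecure toy RSA over fixed Mersenne primes standing in for the Authenticode signatures a real firmware verifies.

```python
"""Toy model of the UEFI Secure Boot chain of trust discussed in the thread.

Constructed example, not U-Boot or EFIBootGuard code. The 'firmware' keeps a
key database (db) of trusted signer keys and trusted image hashes; StartImage()
verifies an image against db before running it and otherwise returns
EFI_SECURITY_VIOLATION. The toy RSA below is NOT secure; it only stands in for
the real signature check so the example runs offline with the standard library.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EFI_SUCCESS = "EFI_SUCCESS"
EFI_SECURITY_VIOLATION = "EFI_SECURITY_VIOLATION"
UNVERIFIED = "UNVERIFIED (loader bypassed StartImage)"

# --- toy RSA keypair (fixed Mersenne primes; insecure, demonstration only) ---
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def toy_sign(data: bytes) -> int:
    """'Sign' the SHA-256 of data with the toy private key."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    return pow(digest, D, N)


def toy_verify(data: bytes, sig: int, pubkey: Tuple[int, int]) -> bool:
    """Check a toy signature against a public key (n, e)."""
    n, e = pubkey
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == digest


@dataclass
class Image:
    name: str
    code: bytes
    signature: Optional[int] = None        # None models an unsigned EFI binary
    children: List["Image"] = field(default_factory=list)  # images it will start
    uses_start_image: bool = True          # False: loader jumps to children directly


@dataclass
class Firmware:
    """Models U-Boot's UEFI implementation with SecureBoot enabled (assumed model)."""
    db_keys: List[Tuple[int, int]]         # trusted signer public keys
    db_hashes: Set[str]                    # trusted SHA-256 hashes of unsigned images
    log: Dict[str, str] = field(default_factory=dict)

    def _trusted(self, img: Image) -> bool:
        # Either the image hash is enrolled, or a db key verifies its signature.
        if hashlib.sha256(img.code).hexdigest() in self.db_hashes:
            return True
        return img.signature is not None and any(
            toy_verify(img.code, img.signature, k) for k in self.db_keys)

    def start_image(self, img: Image) -> str:
        """StartImage(): refuse untrusted images, otherwise run and let the image start its children."""
        if not self._trusted(img):
            self.log[img.name] = EFI_SECURITY_VIOLATION
            return EFI_SECURITY_VIOLATION
        self.log[img.name] = EFI_SUCCESS
        for child in img.children:
            if img.uses_start_image:
                self.start_image(child)    # child goes through the same check
            else:
                self.log[child.name] = UNVERIFIED  # firmware never saw the child
        return EFI_SUCCESS


def build_firmware(kernel_code: bytes) -> Firmware:
    # db holds our toy signer key and the hash of an unsigned-but-enrolled kernel.
    return Firmware(db_keys=[(N, E)],
                    db_hashes={hashlib.sha256(kernel_code).hexdigest()})


def demo_chained() -> Dict[str, str]:
    """EFIBootGuard -> GRUB -> kernel, every hop via StartImage()."""
    ebg = Image("efibootguard", b"EBG code")
    ebg.signature = toy_sign(ebg.code)
    grub = Image("grub", b"GRUB code")
    grub.signature = toy_sign(grub.code)
    kernel = Image("linux", b"vmlinuz")               # unsigned, hash enrolled in db
    rogue = Image("rogue-kernel", b"tampered vmlinuz")  # neither signed nor enrolled
    ebg.children, grub.children = [grub], [kernel, rogue]
    fw = build_firmware(kernel.code)
    fw.start_image(ebg)
    return fw.log


def demo_bypass() -> Dict[str, str]:
    """EFIBootGuard verified, but it jumps to its payload without StartImage()."""
    ebg = Image("efibootguard", b"EBG code", uses_start_image=False)
    ebg.signature = toy_sign(ebg.code)
    rogue = Image("rogue-kernel", b"tampered vmlinuz")
    ebg.children = [rogue]
    fw = build_firmware(b"vmlinuz")
    fw.start_image(ebg)
    return fw.log


if __name__ == "__main__":
    print(demo_chained())
    print(demo_bypass())
```

In the chained run the tampered kernel is rejected with EFI_SECURITY_VIOLATION because GRUB hands it to StartImage(); in the bypass run the firmware verifies EFIBootGuard only, and whatever EFIBootGuard jumps to afterwards is outside the firmware's control, which is exactly the gap Heinrich warns about.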