Date:      Mon, 14 Oct 2019 11:52:29 -0700
From:      "Simon J. Gerraty" <sjg@juniper.net>
To:        Tomasz CEDRO <tomek@cedro.info>
Cc:        grarpamp <grarpamp@gmail.com>, <freebsd-security@freebsd.org>, <freebsd-current@freebsd.org>, <freebsd-virtualization@freebsd.org>, <sjg@juniper.net>
Subject:   Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
Message-ID:  <76102.1571079149@kaos.jnpr.net>
In-Reply-To: <CAFYkXj=f0NEQ%2B=WQ_y8_RZtOc3-%2BHkoBreAgRM669R6s4cWSmQ@mail.gmail.com>
References:  <CAD2Ti2-2TWZEcCdyg1seHHdWRVSC9v_kuMe4f-ERo1LNdJAnmw@mail.gmail.com> <CAFYkXj=f0NEQ%2B=WQ_y8_RZtOc3-%2BHkoBreAgRM669R6s4cWSmQ@mail.gmail.com>

Tomasz CEDRO <tomek@cedro.info> wrote:

> would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)

Unless you are using your own BIOS, the above means getting Microsoft
to sign boot1.efi or similar. Shims that simply work around lack of
acceptable signature don't help.

That would need to then verify loader.efi - which can be built to
verify all the modules and kernel.

In my implementation (uses the non efi loader) trust anchors are
embedded in loader but there is code in current to lookup trust anchors
in /efi I think which would be more generally useful - I've not looked
at the attack vectors that introduces though.

--sjg
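The chain Simon sketches above (a loader with its trust anchors compiled in, verifying the kernel and then every module, so that nothing after an untrusted artifact is loaded) is illustrated below as an added example; it is not FreeBSD's loader code nor anything from the thread. It assumes Ed25519 detached signatures as a stand-in for whatever signature format a real loader uses, and the kernel and module names and contents are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Artifact is one thing a boot stage loads (a kernel or a module):
// the image bytes plus a detached signature over them.
type Artifact struct {
	Name string
	Data []byte
	Sig  []byte
}

// Loader stands in for a loader.efi built with its trust anchors compiled in.
// Only public keys live here; the signing keys stay on the build host.
type Loader struct {
	anchors []ed25519.PublicKey
}

// NewLoader fixes the anchor set at construction, mirroring anchors embedded
// at build time rather than looked up on a writable boot partition.
func NewLoader(anchors ...ed25519.PublicKey) *Loader {
	return &Loader{anchors: anchors}
}

// Verify accepts the artifact if any embedded anchor validates its signature.
func (l *Loader) Verify(a Artifact) error {
	for _, pk := range l.anchors {
		if ed25519.Verify(pk, a.Data, a.Sig) {
			return nil
		}
	}
	return fmt.Errorf("%s: signature not verifiable by any embedded trust anchor", a.Name)
}

// BootChain verifies the kernel, then each module in order, and returns the
// names it would have loaded. It stops at the first failure so nothing after
// an untrusted artifact is ever loaded.
func (l *Loader) BootChain(kernel Artifact, modules []Artifact) ([]string, error) {
	loaded := []string{}
	if err := l.Verify(kernel); err != nil {
		return loaded, err
	}
	loaded = append(loaded, kernel.Name)
	for _, m := range modules {
		if err := l.Verify(m); err != nil {
			return loaded, err
		}
		loaded = append(loaded, m.Name)
	}
	return loaded, nil
}

// Sign is the build-side step: it produces the detached signature shipped
// next to the image. The private key is never part of the loader.
func Sign(priv ed25519.PrivateKey, name string, data []byte) Artifact {
	return Artifact{Name: name, Data: data, Sig: ed25519.Sign(priv, data)}
}

func main() {
	// Constructed demo: one release key, a kernel and two modules (hypothetical names).
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	loader := NewLoader(releasePub)

	kernel := Sign(releasePriv, "kernel", []byte("constructed kernel image"))
	mods := []Artifact{
		Sign(releasePriv, "if_em.ko", []byte("constructed module 1")),
		Sign(releasePriv, "zfs.ko", []byte("constructed module 2")),
	}
	loaded, err := loader.BootChain(kernel, mods)
	fmt.Println("clean chain:", loaded, err)

	// A module whose bytes changed after signing must be refused, and the
	// chain stops there.
	mods[1].Data = append(mods[1].Data, '!')
	loaded, err = loader.BootChain(kernel, mods)
	fmt.Println("modified module:", loaded, err)
}
```

The point of keeping the anchor set inside the signed loader image is that the previous stage's signature check on loader.efi then also covers the anchors; an anchor file read from the boot partition at run time is only as trustworthy as whatever wrote that partition, which is the part Simon notes he has not analysed.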



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?76102.1571079149>