From owner-freebsd-virtualization@freebsd.org  Tue Oct 15 01:59:39 2019
Return-Path: <owner-freebsd-virtualization@freebsd.org>
Delivered-To: freebsd-virtualization@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 405C0148456;
 Tue, 15 Oct 2019 01:59:39 +0000 (UTC)
 (envelope-from grarpamp@gmail.com)
Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com
 [IPv6:2607:f8b0:4864:20::d42])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46sdsQ1Q64z4QQq;
 Tue, 15 Oct 2019 01:59:37 +0000 (UTC)
 (envelope-from grarpamp@gmail.com)
Received: by mail-io1-xd42.google.com with SMTP id u8so42295720iom.5;
 Mon, 14 Oct 2019 18:59:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=9FlJis/L80zp9NhdCoReL86OUQFSm6oYFqN9sYz4+MU=;
 b=RYPNT0myM6QDjochOfcobDS0rxsut6Byi3EnTEJVa9g1qXcAHoNxBziZd/9mtXEVNX
 jDV8lPGf5tOTAZjiU1UBU7AaIMznQx6VfCgdS29NDQ3tm+ucLhFEe75zhgm3+qB+Vtxk
 uMtoMcxTE/xQxR0FYUt4/3l4Q14Gl2ERWbcY2XPHXLxNDMxF/6M1bpjzi9AwULYQLCMy
 YgmKZpoh7/rVLzroZBq82Sx4FsFTF5SUUuhcEh0D9o3mq0CzzJOJ+bjvAWD8BMuObafj
 gEMP/PcSOdKfyegNQ9hgsGEu5sJoO3c6l2JuY4pRsVAWeBfEkgL43RpVRUCO7H/SAW1Y
 rrtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=9FlJis/L80zp9NhdCoReL86OUQFSm6oYFqN9sYz4+MU=;
 b=RMAWJUts9OjiBe6153kEeT7M19rWNsN3YbaJivAqfuohzoi//Kr5SYVxnmwD1u3Wj4
 Bt7cffA4j6SOaWaSZJQbRL+oZ5XazKLLPiwu8n9k646rlmB32Fo3nQbPiR7WKT7qxKn7
 l9Om7U6ztazKmIC+hJz4ZEGwH1qJCw+mWHyGHwATWoRe6mJJRoZdbMcaI62oH0zJWSCD
 DnRWTUjebPv4zTz03AjHES3yH8sHS8qpHIP+k8Pn5L8obP99BBAyR1RbZVQfnfKuN7/U
 UDzQUkYPJh7tw5vXiFBqEKcnOab+RAwkZ7j3XYz/5sb7g8Bzk2fEuFK5veGGKSeGZBhn
 +rVQ==
X-Gm-Message-State: APjAAAXD00OEv/VTy+EHrcbOO+/S58aGT03D24onNUifCvs+7ItfsybO
 jdYQrqeIBacBZdjN5/hXr4JJa68b+3/Doe2Cli3Yw8eO
X-Google-Smtp-Source: APXvYqxTHEqLJsjTheADaA+8NrFqiK/AneoFbVxZVUwjVDNeKb/+sprHMSwRz8h0w/2KZ5/yHfkQTmleJ9BKxuwlJrU=
X-Received: by 2002:a02:c7c9:: with SMTP id s9mr39745138jao.81.1571104776400; 
 Mon, 14 Oct 2019 18:59:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:9f01:0:0:0:0:0 with HTTP; Mon, 14 Oct 2019 18:59:35
 -0700 (PDT)
In-Reply-To: <76102.1571079149@kaos.jnpr.net>
References: <CAD2Ti2-2TWZEcCdyg1seHHdWRVSC9v_kuMe4f-ERo1LNdJAnmw@mail.gmail.com>
 <CAFYkXj=f0NEQ+=WQ_y8_RZtOc3-+HkoBreAgRM669R6s4cWSmQ@mail.gmail.com>
 <76102.1571079149@kaos.jnpr.net>
From: grarpamp <grarpamp@gmail.com>
Date: Mon, 14 Oct 2019 21:59:35 -0400
Message-ID: <CAD2Ti2-vgm2DrpeSO8+huYJ9Kn2Y3N_DFwe1HQofHJ7VQcE4rQ@mail.gmail.com>
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
To: freebsd-security@freebsd.org
Cc: freebsd-current@freebsd.org, freebsd-virtualization@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: 46sdsQ1Q64z4QQq
X-Spamd-Bar: -
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=gmail.com header.s=20161025 header.b=RYPNT0my;
 dmarc=pass (policy=none) header.from=gmail.com;
 spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates
 2607:f8b0:4864:20::d42 as permitted sender) smtp.mailfrom=grarpamp@gmail.com
X-Spamd-Result: default: False [-2.00 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[3];
 R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36];
 FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain];
 TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 IP_SCORE_FREEMAIL(0.00)[];
 IP_SCORE(0.00)[ip: (2.25), ipnet: 2607:f8b0::/32(-2.49), asn: 15169(-2.11),
 country: US(-0.05)]; DKIM_TRACE(0.00)[gmail.com:+];
 DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
 RCVD_IN_DNSWL_NONE(0.00)[2.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org
 : 127.0.5.0]; FROM_EQ_ENVFROM(0.00)[];
 SUBJECT_ENDS_QUESTION(1.00)[];
 FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
 MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[];
 DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0]
X-BeenThere: freebsd-virtualization@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of various virtualization techniques FreeBSD supports."
 <freebsd-virtualization.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-virtualization>, 
 <mailto:freebsd-virtualization-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-virtualization/>
List-Post: <mailto:freebsd-virtualization@freebsd.org>
List-Help: <mailto:freebsd-virtualization-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-virtualization>, 
 <mailto:freebsd-virtualization-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 01:59:39 -0000

>> would be really nice also to get UEFI BOOT compatible with SECURE BOOT
>> :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptible signature don't help.

As before in this thread, some motherboards will let you delete
the Microsoft keys from the BIOS defaults and install your own.
With those boards you do not need Microsoft, or any shims
signed by Microsoft, or anyone else but you.

See the key management parts of the UEFI SECURE BOOT spec...
https://uefi.org/

If your mobo maker does not have full key management options
in their latest BIOS, ticket and bug them until they do.