Re: Runtime updates to EFI secure variables

From: James Bottomley
Date: Fri Jul 13 2012 - 14:26:18 EST

Next message: Thomas Gleixner: "Re: [GIT PULL] KVM fixes for 3.5-rc6"
Previous message: Michael S. Tsirkin: "Re: UIO: missing resource mapping"
In reply to: Matthew Garrett: "Re: Runtime updates to EFI secure variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2012-07-13 at 19:02 +0100, Matthew Garrett wrote:
> On Fri, Jul 13, 2012 at 06:12:26PM +0100, James Bottomley wrote:
>
> > This means (provided we have access to the relevant keys) we can move
> > the platform into and out of Setup Mode as well as add signing and other
> > keys.
>
> I'm pretty sure that the expected behaviour is to use
> EFI_VARIABLE_APPEND_WRITE for these updates, which means you don't need
> to worry about the timestamp.

Actually, as long as the timestamp is current (as in > previous
timstamp) it updates the private timestamp stored with the variable.
It's minor, and you're right, the timestamp could be zero, but it's best
practice.

As far as moving the platform into setup mode, that can only be done by
clearing PK, which has to be a non append write, so I need to worry
about both modes. It's useful to make sure this works, just in case we
run into some OEM accidentally forgetting to allow a user present reset
to setup mode, because it allows us to create an EFI program for them
that will have the same effect.

James

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thomas Gleixner: "Re: [GIT PULL] KVM fixes for 3.5-rc6"
Previous message: Michael S. Tsirkin: "Re: UIO: missing resource mapping"
In reply to: Matthew Garrett: "Re: Runtime updates to EFI secure variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]