Cryptosystems with greater flexibility can have new kinds ofSorry, I think I am not clear on what exactly you mean here.Can youSince OPAL can support different types of backend which can vary in the(Firstly, apologies that I haven't got around to asking about this yet!)
variable interpretation, a new OPAL API call named OPAL_SECVAR_BACKEND, is
added to retrieve the supported backend version. This helps the consumer
to know how to interpret the variable.
Are pluggable/versioned backend a good idea?
There are a few things that worry me about the idea:
- It adds complexity in crypto (or crypto-adjacent) code, and that
increases the likelihood that we'll accidentally add a bug with bad
please elaborate or give specifics ?
vulnerabilities arise from the greater complexity. The first sort of
thing that comes to mind is a downgrade attack like from TLS. I think
you're protected from this because the mode cannot be negotiatied at run
time, but in general it's security sensitive code so I'd like it to be
as simple as possible.
Yes, because I expect the scheme would change very, very rarely.- If we are worried about a long-term-future change to how secure-bootThe intention is to avoid to re-implement the key/value interface for
works, would it be better to just add more get/set calls to opal at
the point at which we actually implement the new system?
each scheme. Do you mean to deprecate the old APIs and add new APIs with
every scheme ?
I still feel like this is holding onto ongoing complexity for very- Under what circumstances would would we change the kernel-visibleBackends are intended to be an agreement for firmware, kernel and
behaviour of skiboot? Are we expecting to change the behaviour,
content or names of the variables in future? Otherwise the only
relevant change I can think of is a change to hardware platforms, and
I'm not sure how a change in hardware would lead to change in
behaviour in the kernel. Wouldn't Skiboot hide h/w differences?
userspace on what the format of variables are, what variables should be
expected, how they should be signed, etc. Though we don't expect it to
happen very often, we want to anticipate possible changes in the
firmware which may affect the kernel such as new features, support of
new authentication mechanisms, addition of new variables. Corresponding
skiboot patches are on -
little gain, but perhaps this is because I can't picture a specific
change that would actually require a wholesale change to the scheme.
You mention new features, support for new authentication mechanisms, and
addition of new variables.
- New features is a bit too generic to answer specifically. In general
I accept that there exists some new feature that would be
sufficiently backwards-incompatible as to require a new version. I
just can't think of one off the top of my head and so I'm not
convinced it's worth the complexity. Did you have something in mind?
- By support for new authentication mechanisms, I assume you mean new
mechanisms for authenticating variable updates? This is communicated
in edk2 via the attributes field. Looking at patch 5 from the skiboot
+ * When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is set,
+ * then the Data buffer shall begin with an instance of a complete (and
+ * serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor.
Could a new authentication scheme be communicated by setting a
different attribute value? Or are we not carrying attributes in the
- For addition of new variables, I'm confused as to why this would
require a new API - wouldn't it just be exposed in the normal way via
I guess I also somewhat object to calling it a 'backend' if we're using
it as a version scheme. I think the skiboot storage backends are true
backends - they provide different implementations of the same
functionality with the same API, but this seems like you're using it to
indicate different functionality. It seems like we're using it as if it
were called OPAL_SECVAR_VERSION.