The problem you're addressing (if any)
The most modern method of creating authenticated variables, described in chapter 8.2 of the UEFI specification, is the use of EFI_VARIABLE_AUTHENTICATION_3. In the long run it would replace EFI_VARIABLE_AUTHENTICATION_2, and it seems to be the most serious about maintaining security properties.
Describe the solution you'd like
The first goal would be to analyze what is available upstream and sanity-check the most popular forks to see whether anyone else has anything working. Then we would need an implementation plan, which should result in tasks leading to a fully functional implementation. By fully functional I mean support in the Linux kernel efivars for the new variables and, if that is not possible, then at least user-space support.
Where is the value to a user, and who might that user be?
Higher security standards. By carefully reading the UEFI specification release notes we can figure out why EFI_VARIABLE_AUTHENTICATION_3 was created and what problems it addresses, but I would expect it is related to the BootHole problems.
Describe alternatives you've considered
Not much can be considered.
Additional context