Collaborator

@tescande tescande commented Apr 4, 2024

If the host doesn't have the authentication files correctly configured for secure boot, the VM NVRAM state is always in setup mode and allows the VM to boot even if it has SecureBoot enabled.

This change allows varstored and varstore-sb-state to copy only the PK file (which is always present) and switch the VM to user mode. This will prevent the VM from booting if it has SecureBoot enabled, which is fine. Otherwise, the VM is stuck in setup mode, allowing it to boot but with SecureBoot disabled, giving a false impression of security.

It's opt-out by default so DB and KEK files are set to not required only if the build macro AUTH_ONLY_PK_REQUIRED is defined.
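
The setup-mode condition described above can be checked from inside a guest. The following is an added example, not code from this pull request or from varstored: it assumes a Linux guest with efivarfs mounted at `/sys/firmware/efi/efivars`, and the function names are hypothetical. It reads the standard UEFI `SetupMode` and `SecureBoot` global variables and reports when the firmware is still in setup mode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* efivarfs stores each variable as a 4-byte attribute word followed by the data. */
#define EFIVARFS_ATTR_LEN 4
#define EFI_GLOBAL_GUID "8be4df61-93ca-11d2-aa0d-00e098032b8c"

enum sb_state { SB_UNKNOWN, SB_SETUP_MODE, SB_USER_NOT_ENFORCING, SB_ENFORCING };

/* Value of a one-byte variable (SetupMode, SecureBoot), or -1 if malformed. */
static int efivar_u8(const uint8_t *blob, size_t len)
{
    if (blob == NULL || len != EFIVARFS_ATTR_LEN + 1)
        return -1;
    return blob[EFIVARFS_ATTR_LEN];
}

/* Classify the firmware state from the raw efivarfs contents (hypothetical helper). */
enum sb_state classify_sb_state(const uint8_t *setup, size_t setup_len,
                                const uint8_t *sb, size_t sb_len)
{
    int setup_mode = efivar_u8(setup, setup_len);
    int secure_boot = efivar_u8(sb, sb_len);
    if (setup_mode < 0 || secure_boot < 0)
        return SB_UNKNOWN;          /* variable missing or truncated */
    if (setup_mode == 1)
        return SB_SETUP_MODE;       /* no PK enrolled: images are not verified */
    return secure_boot == 1 ? SB_ENFORCING : SB_USER_NOT_ENFORCING;
}

/* Read one global variable; returns 0 bytes when it does not exist. */
static size_t read_efivar(const char *name, uint8_t *buf, size_t cap)
{
    char path[256];
    snprintf(path, sizeof path, "/sys/firmware/efi/efivars/%s-" EFI_GLOBAL_GUID, name);
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(buf, 1, cap, f) : 0;
    if (f) fclose(f);
    return n;
}

int main(void)
{
    static const char *label[] = { "unknown", "setup mode: Secure Boot not enforced",
                                   "user mode, Secure Boot off", "Secure Boot enforcing" };
    uint8_t sm[16], sb[16];
    size_t sm_len = read_efivar("SetupMode", sm, sizeof sm);
    size_t sb_len = read_efivar("SecureBoot", sb, sizeof sb);
    enum sb_state s = classify_sb_state(sm, sm_len, sb, sb_len);
    puts(label[s]);
    return s == SB_ENFORCING ? 0 : 1;   /* non-zero exit for monitoring scripts */
}
```

The non-zero exit status lets a fleet check flag guests that are configured for Secure Boot but are not actually enforcing it.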

@tescande tescande requested a review from stormi April 4, 2024 17:36
@tescande tescande self-assigned this Apr 4, 2024
@tescande tescande force-pushed the auth-only-pk-required branch from 70f098e to 7207de9 Compare April 5, 2024 08:52
tescande added 2 commits April 5, 2024 13:44
If the host doesn't have the authentication files correctly configured
for secure boot, the VM NVRAM state is always in setup mode and allows
the VM to boot even if it has SecureBoot enabled.

This change allows varstored and varstore-sb-state to copy only the PK
file (which is always present) and switch the VM to user mode. This will
prevent the VM from booting if it has SecureBoot enabled, which is fine.
Otherwise, the VM is stuck in setup mode, allowing it to boot but with
SecureBoot disabled, giving a false impression of security.

It's opt-out by default so DB and KEK files are set to not required only
if the build macro AUTH_ONLY_PK_REQUIRED is defined.

Signed-off-by: Thierry Escande <[email protected]>

This patch allows passing of extra compilation flags from command line
using 'make EXTRA_CFLAGS=-DFOO'.

Signed-off-by: Thierry Escande <[email protected]>
@tescande tescande force-pushed the auth-only-pk-required branch from 7207de9 to 45c0fa8 Compare April 5, 2024 11:45
Member

@stormi stormi left a comment

LGTM

@tescande tescande changed the title Auth: Add support to make only the PK file required Auth: Add support to make KEK and DB files optional Apr 5, 2024