validating secure boot settings

Joel Stanley joel at jms.id.au
Fri Feb 25 15:40:20 AEDT 2022


Hi Richard,

Long time listener, first time caller. I appreciate all the work you
do with fwupd.

On Mon, 21 Feb 2022 at 19:49, Richard Hughes <hughsient at gmail.com> wrote:
>
> On Mon, 21 Feb 2022 at 18:23, Andrew Geissler <geissonator at gmail.com> wrote:
> > So, anyone else interested in something like this? If so, any votes on where
> > a good place for this logic to reside would be?
>
> This seems like the kind of thing that we'd be interested in for the
> HSI specification[1], although I appreciate that's only tangentially
> OpenBMC related.

You might be interested in this patch set which Andrew's mentioned:

 https://lore.kernel.org/all/20220204072234.304543-1-joel@jms.id.au/

The idea is to have a set of sysfs files that say "this machine has
secure boot enabled", and other interesting bits about firmware boot
state.

You might already have that on EFI systems, but this would be
consistent regardless of the firmware used. Reading through your HSI
spec, we could also hook up the "read only SPI descriptor" file. I
called that opt_write_protect in an earlier version of my patches.

I have been chatting with Arnd about how to get it merged, and have
some ideas that I'll send out in a v4.

One thing we want to get right before merging is coming up with names
that are meaningful outside of a single firmware (eg EFI) or SoC
vendor (Like the ASPEED names I started with). I welcome your input.

Cheers,

Joel


More information about the openbmc mailing list