On Sun, Sep 01, 2013 at 06:40:41PM +0200, Florian Weimer wrote:
> * Matthew Garrett:
> > On Sun, Sep 01, 2013 at 12:41:22PM +0200, Florian Weimer wrote:
> > > But if you don't generate fresh keys on every boot, the persistent keys are more exposed to other UEFI applications. Correct me if I'm wrong, but I don't think UEFI variables are segregated between different UEFI applications, so if anyone gets a generic UEFI variable dumper (or setter) signed by the trusted key, this cryptographic validation of hibernate snapshots is bypassable.
> > If anyone can execute arbitrary code in your UEFI environment then you've already lost.
> This is not about arbitrary code execution. The problematic applications which conflict with this proposed functionality are not necessarily malicious by themselves and even potentially useful.

A signed application that permits the modification of arbitrary boot services variables *is* malicious. No implementation is designed to be safe in that scenario. Why bother with modifying encryption keys when you can just modify MOK instead?

-- 
Matthew Garrett | mjg59@srcf.ucam.org

-- 
To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
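The scheme the two of them are arguing about, as an added toy model that is not code from this thread or from any kernel or shim patch set: a key sits in a boot-services-only UEFI variable, the kernel authenticates the hibernation image with it, and the next boot's loader checks the tag before resuming. The variable name, the class names and the boot sequence are assumptions; the model exists only to show what "fresh keys on every boot" buys (a key copied during one boot stops validating images after the next rotation) and what it does not (the image resumed on the very next boot is still within the window, and a signed variable setter is out of scope for the reason Matthew gives).

```python
import hmac
import hashlib
import secrets

# Constructed model of the hibernate-snapshot validation scheme under discussion.
# Not from the thread or any real patch set; variable name, classes and boot
# sequence are assumptions used to illustrate per-boot key rotation.

KEY_VAR = "HibernateHmacKey"      # assumed variable name, not a real one
DIGEST = hashlib.sha256


class VariableStore:
    """Stand-in for the firmware variable store with one visibility rule:
    boot-services-only variables stop being readable after ExitBootServices."""

    def __init__(self):
        self._vars = {}
        self.boot_services_active = True

    def set(self, name, value, boot_services_only=True):
        self._vars[name] = (value, boot_services_only)

    def get(self, name):
        value, bs_only = self._vars[name]
        if bs_only and not self.boot_services_active:
            raise PermissionError(f"{name}: not readable after ExitBootServices")
        return value

    def has(self, name):
        return name in self._vars

    def exit_boot_services(self):
        self.boot_services_active = False

    def reset(self):
        """Platform reset: boot services are back, variables persist."""
        self.boot_services_active = True


def loader_prepare_key(store, rotate):
    """Runs with boot services available. Keeps the persistent key or
    generates a fresh one for this boot; the kernel receives a copy."""
    if rotate or not store.has(KEY_VAR):
        store.set(KEY_VAR, secrets.token_bytes(32))
    return store.get(KEY_VAR)


def kernel_tag_snapshot(key, snapshot):
    """At hibernate time the kernel authenticates the image with the key it
    was handed during early boot (the variable is no longer readable)."""
    return hmac.new(key, snapshot, DIGEST).digest()


def loader_verify_snapshot(store, snapshot, tag):
    """Next boot: the loader reads the key again and checks the tag in
    constant time before resuming from the image."""
    expected = hmac.new(store.get(KEY_VAR), snapshot, DIGEST).digest()
    return hmac.compare_digest(expected, tag)


def honest_resume_works(rotate, snapshot=b"constructed snapshot"):
    """Sanity check: the legitimate kernel-to-loader handoff verifies."""
    store = VariableStore()
    key = loader_prepare_key(store, rotate)
    store.exit_boot_services()
    tag = kernel_tag_snapshot(key, snapshot)
    store.reset()
    return loader_verify_snapshot(store, snapshot, tag)


def exposure_after_boots(rotate, boots_between, snapshot=b"constructed snapshot"):
    """Does a key copied during boot 1 still authenticate an image that is
    verified `boots_between` boots later? True means the copy is still useful."""
    store = VariableStore()
    copied = loader_prepare_key(store, rotate)   # boot 1: key observed here
    store.exit_boot_services()
    for _ in range(boots_between):
        store.reset()
        loader_prepare_key(store, rotate)         # later boots keep or rotate it
        store.exit_boot_services()
    store.reset()
    stale_tag = hmac.new(copied, snapshot, DIGEST).digest()
    return loader_verify_snapshot(store, snapshot, stale_tag)


if __name__ == "__main__":
    for rotate in (False, True):
        print(f"rotate={rotate}: honest resume ok={honest_resume_works(rotate)}, "
              f"boot-1 key still valid two boots later="
              f"{exposure_after_boots(rotate, 2)}")
```

The model keeps the key behind the boot-services-only flag so the running OS cannot read it back; any pre-OS application that runs with boot services can, which is exactly Florian's concern, and rotation only shortens how long that matters. It says nothing about a setter, because an application that can rewrite arbitrary boot services variables can also rewrite the trust anchors the loader relies on.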