AMD Secure Encrypted Virtualization - FreeBSD Status?
Simon J. Gerraty
sjg at juniper.net
Mon Oct 14 18:52:37 UTC 2019
Tomasz CEDRO <tomek at cedro.info> wrote:
> would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)
Unless you are using your own BIOS, the above means getting Microsoft
to sign boot1.efi or similar. Shims that simply work around lack of
acceptible signature don't help.
That would need to then verify loader.efi - which can be built to
to verify all the modules and kernel.
In my implementation (uses the non efi loader) trust anchors are
embedded in loader but there is code in current to lookup trust anchors
in /efi I think which would be more generally useful - I've not looked
at the attack vectors that introduces though.
--sjg
More information about the freebsd-security
mailing list