On Sun, Sep 01, 2013 at 06:40:41PM +0200, Florian Weimer wrote:
> * Matthew Garrett:
>
> > On Sun, Sep 01, 2013 at 12:41:22PM +0200, Florian Weimer wrote:
> >
> >> But if you don't generate fresh keys on every boot, the persistent
> >> keys are more exposed to other UEFI applications. Correct me if I'm
> >> wrong, but I don't think UEFI variables are segregated between
> >> different UEFI applications, so if anyone gets a generic UEFI variable
> >> dumper (or setter) signed by the trusted key, this cryptographic
> >> validation of hibernate snapshots is bypassable.
> >
> > If anyone can execute arbitrary code in your UEFI environment then
> > you've already lost.
>
> This is not about arbitrary code execution. The problematic
> applications which conflict with this proposed functionality are not
> necessarily malicious by themselves and even potentially useful.

A signed application that permits the modification of arbitrary boot
services variables *is* malicious. No implementation is designed to be
safe in that scenario. Why bother with modifying encryption keys when
you can just modify MOK instead?

-- 
Matthew Garrett | mjg59@xxxxxxxxxxxxx
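The disagreement above turns on how UEFI scopes access to variables: by per-variable attribute bits, not by which UEFI application is asking. The following is an added example, not code from the thread or from any kernel patch it discusses. It decodes the attribute word that Linux efivarfs prepends to each variable's data and reports who can reach a variable: the OS (only with EFI_VARIABLE_RUNTIME_ACCESS), any pre-ExitBootServices UEFI binary (with EFI_VARIABLE_BOOTSERVICE_ACCESS), and whether writes require a signed payload. The attribute values are from the UEFI specification; the variable names and contents in the sample store are constructed for illustration and do not describe any real firmware's variables.

```python
import struct

# UEFI variable attribute bits, as defined for GetVariable()/SetVariable()
# in the UEFI specification. These are the only access controls a variable
# has; the firmware does not track which UEFI application created it.
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004
EFI_VARIABLE_HARDWARE_ERROR_RECORD = 0x00000008
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x00000010
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x00000020
EFI_VARIABLE_APPEND_WRITE = 0x00000040

_AUTH_WRITE_BITS = (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
                    | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)


def parse_efivarfs_blob(blob):
    """Split an efivarfs file image into (attributes, data).

    Linux efivarfs exposes each variable under /sys/firmware/efi/efivars as
    a file whose first four bytes are the little-endian attribute word,
    followed by the raw variable data.
    """
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short for the attribute word")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def access_summary(attrs):
    """Describe who can read and write a variable with these attributes.

    Access is granted per attribute, not per caller: every UEFI application
    that runs before ExitBootServices() sees the same variable store, so a
    boot-service-only variable is hidden from the OS but readable (and,
    absent an authenticated-write attribute, writable) by any other UEFI
    binary the platform is willing to execute.
    """
    readable_at_boot = bool(attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS)
    readable_by_os = bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS)
    write_needs_signature = bool(attrs & _AUTH_WRITE_BITS)
    return {
        "persistent": bool(attrs & EFI_VARIABLE_NON_VOLATILE),
        "readable_by_any_uefi_app": readable_at_boot,
        "readable_by_os": readable_by_os,
        "writable_by_any_uefi_app": readable_at_boot and not write_needs_signature,
        "write_needs_signature": write_needs_signature,
    }


def exposed_persistent_variables(store):
    """Return names of variables that survive a reboot and that any UEFI
    application could both read and overwrite without a signature.

    `store` maps variable name -> efivarfs blob bytes.
    """
    exposed = []
    for name, blob in store.items():
        attrs, _data = parse_efivarfs_blob(blob)
        s = access_summary(attrs)
        if s["persistent"] and s["readable_by_any_uefi_app"] and s["writable_by_any_uefi_app"]:
            exposed.append(name)
    return sorted(exposed)


def _blob(attrs, data):
    return struct.pack("<I", attrs) + data


# Constructed sample store (hypothetical names and contents, not captured
# from real firmware) illustrating the three cases that matter here.
SAMPLE_STORE = {
    # A persistent key kept in a boot-service-only variable: invisible to the
    # OS, but readable and replaceable by any pre-boot UEFI application.
    "ExampleHibernateKey-11111111-2222-3333-4444-555555555555":
        _blob(EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
              b"\x42" * 32),
    # A runtime-visible variable: the OS can read it too.
    "ExampleRuntimeInfo-11111111-2222-3333-4444-555555555555":
        _blob(EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
              | EFI_VARIABLE_RUNTIME_ACCESS, b"info"),
    # A time-based authenticated variable: readable by anyone at boot, but a
    # write must carry a signature the firmware accepts.
    "ExampleAuthVar-11111111-2222-3333-4444-555555555555":
        _blob(EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
              | EFI_VARIABLE_RUNTIME_ACCESS
              | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, b"\x00"),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_STORE.items():
        attrs, data = parse_efivarfs_blob(blob)
        print(name.split("-")[0], hex(attrs), access_summary(attrs))
    print("exposed:", exposed_persistent_variables(SAMPLE_STORE))
```

On a live Linux system the same decoding applies to the files under /sys/firmware/efi/efivars, but only variables with EFI_VARIABLE_RUNTIME_ACCESS are enumerable there at all; the boot-service-only ones, which are exactly the variables at issue in the thread, can be inspected only from the pre-boot environment. That asymmetry is the point of both messages: a key a signed "generic variable setter" can reach is protected by nothing stronger than any other unauthenticated boot-service variable.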