> Once upon a time, Peter Robinson <pbrobinson@xxxxxxxxx> said: > > U-Boot upstream has supported UEFI secure boot for a while. I've been > > meaning on looking into it and enrolling the Fedora keys into our > > builds so it's there across all our officially supported devices. > > I saw the U-Boot supports Secure Boot, but... does that add any security > in the typical Fedora setup, where U-Boot is on the same storage as > shim, grub2, and the kernel? I would think you'd only gain security > from U-Boot's Secure Boot support if U-Boot itself was in firmware that > can't be modified (at least easily) from Linux. Without further changes, no it doesn't, a lot of the U-Boot we build now actually can go on SPI flash so in a lot of cases it's not the same storage. Of course to properly do fully secure boot chain you'd need to fully sign the firmware stack, most U-Boot builds these day for aarch64 are a collection of 3-4 firmware, and then of course burn those keys into a OTP on the chip at which point you'd have that full stack. So no it doesn't provide that full level of security because without that process you don't get a fully authenticated boot flow that has each step verify the next one, but it's possible and I think it's useful to be able to demonstrate that. I'm also working with some vendors to actually implement that full stack. Peter -- _______________________________________________ arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/arm@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
