I sure hope that enrolling keys is a mandatory aspect of setup mode for Windows 8 certification on non-ARM.
The words setup mode and SetupMode only appear a few times in the Microsoft document (pages 119, 122, 124), and it's never described well there as to what capabilities it does and does not give the user.
So we're relying on transitivity of mandatoryness here? Microsoft has made some aspects of UEFI re setup mode mandatory and those parts of UEFI make it mandatory for setup mode to have this feature?
Transitivity of mandatoryness makes me less confident that the MS certification process will actually produce this outcome in shipped hardware. I'll believe it when I see it.
Looking at the UEFI spec, I only see setup mode discussed in section 3.2 Globally Defined Variables and section 27 Security - Secure boot.
All I can read into the UEFI re setup mode is that yes, it is intended for this kind of thing. It's hard to find a clear mandate in UEFI that setup mode must include a real user interface for actually putting key changes into practice. The UEFI spec is very API oriented, e.g. "The platform owner enrols the public half of the Platform Key (PKpub) by calling the UEFI Boot Service SetVariable()".
It's hard to appreciate what setup mode will actually entail in terms of relevant user interfaces when reading the UEFI spec.
It's not going to be fun if code is present in the firmware for changing the platform key but there's not an actual user interface to let you use that code.
But this isn't my nightmare "second class" scenario as long as firmware can load your own code and allow you to use the firmware API to change the platform key. (presumably the firmware enters setup mode and stays in setup mode as your code takes over?). It is the extensible firmware interface after all, right?
(But we'll still be prevented from installing our own firmware or firmware signing key by the time our own code kicks in, so coreboot is still locked out?)
And, assuming UEFI machines can stay in setup mode (or equivalent) while also loading your own code to take advantage of setup mode, I wonder, will my code be able to come from removable media (cd, hd, USB?) or will I need something like an option ROM to run my own setup mode code to make the UEFI calls for changing the platform key?
A slight ray of hope can be found in section 27.5 of UEFI:
"While in setup mode, the platform firmware shall not require authentication in order to modify the Platform Key or the Key Enrolment Key database."
but it's a leap for me to read that and conclude "real user interface for making change" -- all I can read into it is that if such a user interface does exist it can't have authentication in the way.
Thank you Matthew in advance for any insight on the prospects of the Win 8 certified mandated setup mode being meaningful and useful to end users for key installation vs being a mirage.
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
Re: Isn't there a key difference from Microsoft's requirements?
Date: 2012-06-22 10:36 pm (UTC)