SecureBoot spec requires that no unsigned code is executed before ExitBootServices() is called.
The difference between before and after call is that EfiBootServicesCode & EfiBootServicesData memory types are unloaded and become available to be freely used by the EfiLoaderCode/EfiLoaderData. I don't see a way to set the memory maps before ExitBootServices, and it seems that BootServices update the memory map and one needs to retrieve latest/current one with GetMemoryMap(). As the key to current MemoryMap is required parameter that needs to match for ExitBootServices code to succeed. After ExitBootServices(), hell breaks loose and one can execute unsigned code. And if the signed binary that does ExitBootServices() is actually somehow rouge or executes unsigned code, its signature can be revoked.
Above seems to rely on a linux kernel (the one that is used as a bootloader) signed by the Trusted key. Is there such a kernel/signature available?
On Ubuntu, no unsigned code is executed before ExitBootServices() call. It is called before kernel is loaded. Why bother with kexec, when one can boot unsigned kernel? =) That was an a design decision, to make sure, for now, that one can easily boot custom / modified kernels.
Where is the subverted security?
The difference between before and after call is that EfiBootServicesCode & EfiBootServicesData memory types are unloaded and become available to be freely used by the EfiLoaderCode/EfiLoaderData. I don't see a way to set the memory maps before ExitBootServices, and it seems that BootServices update the memory map and one needs to retrieve latest/current one with GetMemoryMap(). As the key to current MemoryMap is required parameter that needs to match for ExitBootServices code to succeed. After ExitBootServices(), hell breaks loose and one can execute unsigned code. And if the signed binary that does ExitBootServices() is actually somehow rouge or executes unsigned code, its signature can be revoked.
Above seems to rely on a linux kernel (the one that is used as a bootloader) signed by the Trusted key. Is there such a kernel/signature available?
On Ubuntu, no unsigned code is executed before ExitBootServices() call. It is called before kernel is loaded. Why bother with kexec, when one can boot unsigned kernel? =) That was an a design decision, to make sure, for now, that one can easily boot custom / modified kernels.
- xnox