From: Alan Cox
To: Benjamin Drung
Cc: Ard Biesheuvel, Matthew Garrett, Jeremy Kerr, Matt Fleming, linux-efi@vger.kernel.org, Linux Kernel Mailing List
Subject: Re: Read-protected UEFI variables
Date: Mon, 19 Feb 2018 20:24:40 +0000
Message-ID: <20180219202440.2e80dfbc@alans-desktop>
In-Reply-To: <1518614486.4749.33.camel@profitbricks.com>
Organization: Intel Corporation
List: linux-kernel@vger.kernel.org

> If the UEFI is as secure as storing an unencrypted file on a hard
> drive, I am satisfied. Or do you have a better idea where to store the
> SSH keys for a diskless system that boots via network?
Store them in the TPM?

If you are booting over a network and not doing some kind of TPM-based
trusted boot check, you have already lost to a network attacker.

Alan
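Added example, not part of the thread or of any kernel code: a Python model of what "store them in the TPM" buys you only when it is combined with a measured boot chain. It reimplements the two TPM 2.0 operations involved, PCR extend (PCR_new = SHA-256(PCR_old || measurement)) and the TPM2_PolicyPCR digest update (policy_new = SHA-256(policy_old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || SHA-256(selected PCRs))), and uses them to seal a hypothetical SSH host key to PCRs 0 and 4. The event logs, file names and the key bytes are constructed for the example; nothing here talks to a real TPM. With a real device the same thing is done with tpm2-tools (tpm2_createpolicy --policy-pcr, tpm2_create -L, tpm2_unseal -p pcr:...).

```python
"""
Model of TPM 2.0 PCR extend and TPM2_PolicyPCR, showing why a secret
sealed to the measured boot chain is released only when that chain is
the one it was sealed against. All measurement logs below are
constructed for this example; nothing here talks to a real TPM.
"""
import hashlib
import struct
from typing import Dict, Iterable, List, Optional, Tuple

TPM_ALG_SHA256 = 0x000B          # hash algorithm id for the SHA-256 PCR bank
TPM_CC_POLICYPCR = 0x0000017F    # command code mixed into the policy digest
PCR_INIT = bytes(32)             # PCRs 0..15 reset to all zeros at power-on


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || measurement). Order matters,
    and nothing short of a reset can undo an extend."""
    return sha256(pcr, measurement)


def replay_log(log: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay an event log [(pcr_index, event_data), ...] into PCR values,
    measuring each event as SHA-256(event_data) before extending."""
    pcrs: Dict[int, bytes] = {}
    for idx, data in log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), sha256(data))
    return pcrs


def pcr_selection(indices: Iterable[int]) -> bytes:
    """Marshal a TPML_PCR_SELECTION: count=1, one SHA-256 bank,
    sizeofSelect=3 (24 PCRs), then the 3-byte little-endian bitmap."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr(pcrs: Dict[int, bytes], indices: Iterable[int],
               policy_old: bytes = bytes(32)) -> bytes:
    """TPM2_PolicyPCR digest update (TPM 2.0 Part 3, 23.7):
    policy_new = H(policy_old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    sel = sorted(set(indices))
    pcr_digest = sha256(*(pcrs.get(i, PCR_INIT) for i in sel))
    return sha256(policy_old, struct.pack(">I", TPM_CC_POLICYPCR),
                  pcr_selection(sel), pcr_digest)


class SealedObject:
    """A TPM keyed-hash object holding a secret. auth_policy=None models a
    secret sealed with no PCR binding: the TPM hands it to whoever boots."""

    def __init__(self, secret: bytes, auth_policy: Optional[bytes]):
        self.secret = secret
        self.auth_policy = auth_policy

    def unseal(self, session_policy: bytes) -> Optional[bytes]:
        if self.auth_policy is not None and session_policy != self.auth_policy:
            return None  # TPM_RC_POLICY_FAIL
        return self.secret


def seal_host_key(secret: bytes, expected_log: List[Tuple[int, bytes]],
                  indices: Tuple[int, ...] = (0, 4)) -> SealedObject:
    """Seal against the PCR values the expected boot chain produces."""
    return SealedObject(secret, policy_pcr(replay_log(expected_log), indices))


def try_unseal(obj: SealedObject, actual_log: List[Tuple[int, bytes]],
               indices: Tuple[int, ...] = (0, 4)) -> Optional[bytes]:
    """What the booted system can recover given the chain that actually ran."""
    return obj.unseal(policy_pcr(replay_log(actual_log), indices))


# Constructed event logs (hypothetical file names, not from any real system).
GOOD_BOOT = [(0, b"firmware-volume-v1"), (4, b"ipxe.efi"),
             (4, b"vmlinuz"), (4, b"initrd.img")]
# Same chain, but a network attacker served a different initrd.
TAMPERED_BOOT = [(0, b"firmware-volume-v1"), (4, b"ipxe.efi"),
                 (4, b"vmlinuz"), (4, b"initrd.img.evil")]
HOST_KEY = b"-----BEGIN OPENSSH PRIVATE KEY----- (constructed)"

if __name__ == "__main__":
    bound = seal_host_key(HOST_KEY, GOOD_BOOT)
    print("bound, good chain  :", try_unseal(bound, GOOD_BOOT) == HOST_KEY)
    print("bound, tampered    :", try_unseal(bound, TAMPERED_BOOT))
    unbound = SealedObject(HOST_KEY, None)
    print("unbound, tampered  :", try_unseal(unbound, TAMPERED_BOOT) == HOST_KEY)
```

The last line of the demo is the point of the reply: a key merely kept in the TPM, with no PCR policy, is handed out to whatever the network delivered, so the check on the boot chain is what makes the storage location matter. Binding to PCR 4 (boot loader and kernel measurements) also means any legitimate kernel or initrd update changes the digest and requires resealing, which is the operational cost of this design.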