Question about signed uefi vars at OS level


Rafael Machado
 

Hey everyone

I have a question for the experts.

Suppose I have a BIOS feature that can be set from the OS via some OS application (.exe) that calls the runtime services set variable ().

To set this feature I have a UEFI var, that during DXE is processed by some uefi module.

In case I define this UEFI var as signed var (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCES), at my OS application I will have to add the signing key, so it would be possible to create new signed data to change the uefi variable as needed from the OS level.

So my question is: 
What is the correct way of creating a UEFI variable that is protected and that can be changed, by authorized person only, from OS level without the need of embedding my secret at the OS application (.exe) ?

Thanks
Rafael

Join devel@edk2.groups.io to automatically receive all group messages.