From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Masahisa Kojima <masahisa.kojima@linaro.org>
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Jerome Forissier <jerome.forissier@linaro.org>
Subject: Re: [PATCH v3 5/5] doc:eficonfig: add description for UEFI Secure Boot Configuration
Date: Fri, 2 Dec 2022 09:17:35 +0200
Message-ID: <Y4mmj9laMqZvCp9e@hera>
In-Reply-To: <20221202045937.7846-6-masahisa.kojima@linaro.org>

On Fri, Dec 02, 2022 at 01:59:37PM +0900, Masahisa Kojima wrote:
> This commit adds the description for the UEFI Secure Boot
> Configuration through the eficonfig menu.
> 
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> ---
> No update since v2
> 
> Newly created in v2
> 
>  doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
> 
> diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst
> index 340ebc80db..67c859964f 100644
> --- a/doc/usage/cmd/eficonfig.rst
> +++ b/doc/usage/cmd/eficonfig.rst
> @@ -31,6 +31,9 @@ Change Boot Order
>  Delete Boot Option
>      Delete the UEFI Boot Option
>  
> +Secure Boot Configuration
> +    Edit UEFI Secure Boot Configuration
> +
>  Configuration
>  -------------
>  
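Review bot: the new "Secure Boot Configuration" entry is described only as "Edit UEFI Secure Boot Configuration", but the entry is present in the menu only when CONFIG_EFI_SECURE_BOOT and CONFIG_EFI_MM_COMM_TEE are both enabled (as the later hunk states); a short pointer to that condition here, or to the "UEFI Secure Boot Configuration" section added further down in the same file, would save readers who do not see the entry from wondering why it is missing.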
> @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig"::
>      CONFIG_USE_PREBOOT=y
>      CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"
>  
> +UEFI specification requires that UEFI Secure Boot Configuration (especially
> +for PK and KEK) is stored in non-volatile storage which is tamper resident.

s/resident/resistant

> +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot.

Can we be a bit more clear here? Something along the lines of
"The only way U-Boot can currently store EFI variables on a tamper
resistant medium is via OP-TEE.  The Kconfig option that enables that is
CONFIG_EFI_MM_COMM_TEE and ends up storing EFI variables on an RPMB
partition of an eMMC"

> +UEFI Secure Boot Configuration menu entry is enabled when the following
> +options are enabled::
> +
> +    CONFIG_EFI_SECURE_BOOT=y
> +    CONFIG_EFI_MM_COMM_TEE=y
> +
> +
>  How to boot the system with newly added UEFI Boot Option
>  ''''''''''''''''''''''''''''''''''''''''''''''''''''''''
>  
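Review bot: the hunk ends with two consecutive `+` blank lines before the "How to boot the system with newly added UEFI Boot Option" heading, which leaves a double blank line in the RST; one is enough. In the new paragraph, "UEFI specification requires" should read "The UEFI specification requires", and "tamper resident" should be "tamper resistant", as already noted above. The sentence "CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot" also does not say what that storage is or why the option provides it; stating that the option routes EFI variable storage through OP-TEE (the point raised above) would make the requirement self-explanatory to someone reading only this file.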
> @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry::
>  
>      CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
>  
> +UEFI Secure Boot Configuration
> +''''''''''''''''''''''''''''''
> +
> +User can enroll PK, KEK, db and dbx by selecting file.

selecting a file

> +"eficonfig" command only accepts the signed EFI Signature List(s)
> +with an authenticated header, typically ".auth" file.
> +To clear the PK, KEK, db and dbx, user needs to enroll the null key
> +signed by PK or KEK.
> +
>  See also
>  --------
>  * :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with different boot items
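Review bot: missing articles in the new section: "User can enroll PK, KEK, db and dbx by selecting file" should be "The user can enroll PK, KEK, db and dbx by selecting a file", "typically ".auth" file" should be "typically a ".auth" file", and "user needs to enroll the null key" should be "the user needs to enroll the null key". The last sentence, "To clear the PK, KEK, db and dbx, user needs to enroll the null key signed by PK or KEK", does not say which signer applies to which variable; spelling that out per variable would keep a user from preparing a null key with the wrong signing key and then seeing the enrollment rejected.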
> -- 
> 2.17.1
> 

Thanks
/Ilias
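The review above turns on one configuration point: the eficonfig secure boot entry, and the tamper-resistant variable storage it relies on, exist only when CONFIG_EFI_SECURE_BOOT and CONFIG_EFI_MM_COMM_TEE are both set, and Secure Boot with only the first option leaves PK and KEK on whatever storage the board otherwise uses. The script below is an added example, not part of this patch or of U-Boot; it checks a generated `.config` for that combination. The function names, the three classification labels and the two sample `.config` files are constructed for the example and are not real board defconfigs.

```shell
#!/bin/sh
# Added example (not part of the eficonfig patch or of U-Boot): classify a
# U-Boot .config by whether the "Secure Boot Configuration" eficonfig entry
# will be available and whether EFI variables have an OP-TEE backed store.

# Return 0 if option $2 is set to y in config file $1, 1 otherwise.
# Disabled options appear as "# CONFIG_FOO is not set", which will not match.
config_enabled() {
    grep -q "^$2=y$" "$1"
}

# Classify a .config (labels are this example's own, not U-Boot terms):
#   no-secure-boot     CONFIG_EFI_SECURE_BOOT is not set
#   volatile-keystore  Secure Boot on, but CONFIG_EFI_MM_COMM_TEE missing, so
#                      PK/KEK are not routed to OP-TEE and the eficonfig
#                      "Secure Boot Configuration" entry is not shown
#   menu-available     both options set: entry shown, variables go via OP-TEE
check_secure_boot_config() {
    if ! config_enabled "$1" CONFIG_EFI_SECURE_BOOT; then
        echo no-secure-boot
    elif config_enabled "$1" CONFIG_EFI_MM_COMM_TEE; then
        echo menu-available
    else
        echo volatile-keystore
    fi
}

# Constructed sample configs; the option lines mirror the ones the
# documentation hunk lists, the rest is illustrative.
WEAK_CFG=$(mktemp)
GOOD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$GOOD_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
CONFIG_EFI_LOADER=y
CONFIG_EFI_SECURE_BOOT=y
# CONFIG_EFI_MM_COMM_TEE is not set
EOF

cat >"$GOOD_CFG" <<'EOF'
CONFIG_EFI_LOADER=y
CONFIG_EFI_SECURE_BOOT=y
CONFIG_EFI_MM_COMM_TEE=y
CONFIG_USE_PREBOOT=y
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"
EOF

echo "weak config: $(check_secure_boot_config "$WEAK_CFG")"
echo "good config: $(check_secure_boot_config "$GOOD_CFG")"
```

Run it against a real build with `check_secure_boot_config path/to/.config`; the "volatile-keystore" result is the one a build pipeline should fail on, since it means Secure Boot is advertised while the key variables are not on the tamper-resistant path the documentation says the UEFI specification requires.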
