From: Takahiro Akashi <takahiro.akashi@linaro.org>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Masahisa Kojima <masahisa.kojima@linaro.org>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
u-boot@lists.denx.de
Subject: Re: [PATCH] doc: uefi: explicitly describe manual dtb update is required
Date: Mon, 19 Jun 2023 14:46:22 +0900
Message-ID: <ZI_rrqIUXTS4A4YU@laputa>
In-Reply-To: <FD1DCFAA-E369-4204-A782-FF71B6A97361@gmx.de>
Hi Heinrich,
On Mon, Jun 19, 2023 at 06:37:14AM +0200, Heinrich Schuchardt wrote:
>
>
> Am 19. Juni 2023 02:49:54 MESZ schrieb Takahiro Akashi <takahiro.akashi@linaro.org>:
> >On Sat, Jun 17, 2023 at 09:58:13PM +0200, Heinrich Schuchardt wrote:
> >> On 6/15/23 10:03, Masahisa Kojima wrote:
> >> > To enforce anti-rollback to any older version, dtb must
> >> > always be updated manually. This should be described in the
> >> > documentation.
> >> >
> >> > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> >> > ---
> >> > doc/develop/uefi/uefi.rst | 3 +++
> >> > 1 file changed, 3 insertions(+)
> >> >
> >> > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> >> > index ffd13cebe9..d5f8c5f236 100644
> >> > --- a/doc/develop/uefi/uefi.rst
> >> > +++ b/doc/develop/uefi/uefi.rst
> >> > @@ -552,6 +552,9 @@ update using a capsule file with --fw-version of 5, the update will fail.
> >> > When the --fw-version in the capsule file is updated, lowest-supported-version
> >> > in the dtb might be updated accordingly.
> >> >
> >> > +If user needs to enroce anti-rollback to any older version,
> >> > +the lowest-supported-version property in dtb must be always updated manually.
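Review bot: the first added line carries a typo and a missing article: `+If user needs to enroce anti-rollback to any older version,` should read `+If a user needs to enforce anti-rollback to any older version,`, and `must be always updated manually` on the second added line reads better as `must always be updated manually`. Since the preceding context line only says lowest-supported-version in the dtb "might be updated accordingly", one clause explaining that the capsule update itself does not rewrite the property would make clear why the manual step is required.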
> >>
> >> Thank you for updating the documentation.
> >>
> >> Allowing the rollback protection to be circumvented is a security issue. On a
> >> secure system you would probably want to disable console commands like
> >> mc and fdt. Shouldn't we provide advice on safe settings?
> >
> >Is there any case where a user wants to use fdt for some reason,
> >for example, in CONFIG_PREBOOT or CONFIG_BOOTCOMMAND?
> >
> >-Takahiro Akashi
>
> Dtb overlays can be applied via the fdt command.
What I meant to say was that, if there is a useful use case for the fdt
command, it would be too restrictive to recommend disabling the command.
(Questioning if a device tree is the right place to put the data.)
-Takahiro Akashi
> Best regards
>
> Heinrich
>
>
> >
> >> E.g.
> >>
> >> "If a user wanted to enable a rollback to a version forbidden by the
> >> lowest-supported-version property specified in U-Boot's control
> >> device-tree, they could change this property using the fdt command.
> >> Secure systems should not enable this command."
> >>
> >> Best regards
> >>
> >> Heinrich
> >>
> >> > +
> >> > To insert the lowest supported version into a dtb
> >> >
> >> > .. code-block:: console
> >> >
> >> > base-commit: e350d0c60d413d441cbdfa9432ebadb56f625903
> >>