Date: Thu, 6 Jul 2023 18:25:53 +0900
From: AKASHI Takahiro
To: Neil Jones
Cc: xypron.glpk@gmx.de, u-boot@lists.denx.de
Subject: Re: EFI Secure boot default keys

On Thu, Jul 06, 2023 at 08:23:06AM +0000, Neil Jones wrote:
> >> >> Please can someone describe the format of the file needed for the default / built-in EFI secure boot keys (ubootefi.var)
> >> >>
> >> >> The only docs I have found suggest it's best to enroll the keys from within u-boot onto some removable media, then copy this off and use this as the default; this is not very helpful and doesn't work for me:
> >> >>
> >> >> => fatload mmc 0:1 ${loadaddr} PK.aut
> >> >> 2053 bytes read in 18 ms (111.3 KiB/s)
> >> >> => setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK
> >> >> setenv - set environment variables
> >> >>
> >> >> Usage:
> >> >> setenv setenv [-f] name value ...
> >> >>     - [forcibly] set environment variable 'name' to 'value ...'
> >> >> setenv [-f] name
> >> >>     - [forcibly] delete environment variable 'name'
> >> >>
> >> >> My setenv doesn't support all the extra switches? This is with 2022.04; all other EFI options seem to be in this release and I can boot unsigned EFI images OK.
> >> >
> >> > Please turn on CONFIG_CMD_NVEDIT_EFI when building your U-Boot.
> >> >
> >> > This option was disabled by the commit:
> >> >         commit 3b728f8728fa (tag: efi-2020-01-rc1)
> >> >         Author: Heinrich Schuchardt
> >> >         Date:   Sun Oct 6 15:44:22 2019 +0200
> >> >
> >> >             cmd: disable CMD_NVEDIT_EFI by default
> >> >
> >> > The binary size of efi has grown much since then, though.
> >> >
> >> > -Takahiro Akashi
> >>
> >> Thanks, I have secure boot working now.
> >> A tool to generate the ubootefi.var offline, or even just a description of the file format, would be very useful.
> >
> > Thank you for the suggestion. While I'd like to defer to Heinrich,
> > the C definition of the file format can be found as struct efi_var_file
> > in include/efi_variable.h
>
> Thanks!
>
> >> I have noticed one issue when using ubootefi.var on mmc: when I switch boot order it wipes out the keys and I have to re-enrol them:
> >>
> >> => fatls mmc 0:1
> >>      3040   ubootefi.var
> >>
> >>  1 file(s), 0 dir(s)
> >
> > I'm not sure that secure boot related variables have been loaded
> > at this point.
>
> This is during initial generation / enrollment of the variables.
>
> > Anyhow, please try to enable CONFIG_EFI_VARIABLES_PRESEED with
> > EFI_VAR_FILE_NAME set. Otherwise, those variables will never be
> > restored.
> > (This is another topic that is not described in doc/develop/uefi.)
>
> I have CONFIG_EFI_VARIABLES_PRESEED working, but while generating the file ubootefi.var for the first time (without CONFIG_EFI_VARIABLES_PRESEED set) you have to follow a specific order, or the file gets overwritten, e.g.:
>
> Working:
>
> efidebug boot order 1 2
> efidebug boot add -b 1 Signed mmc 0:1 /ImageSig.efi
> efidebug boot add -b 2 UnSigned mmc 0:1 /Image
> fatload mmc 0:1 ${loadaddr} PK.aut
> setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK
> fatload mmc 0:1 ${loadaddr} KEK.aut
> setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize KEK
> fatload mmc 0:1 ${loadaddr} DB.aut
> setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize db
>
> Failing:
>
> setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK
> fatload mmc 0:1 ${loadaddr} KEK.aut
> setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize KEK
> fatload mmc 0:1 ${loadaddr} DB.aut
> setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize db
> efidebug boot order 1 2 ### This command overwrites the keys just loaded

Are you sure that "env print -e" shows all the variables including PK, KEK and db at this point?

Since I don't have enough time to examine this issue, can you please try to trace efi_var_collect() in efi_var_file.c, which is responsible for enumerating all the non-volatile variables to be saved at each SET_VARIABLE API call?

-Takahiro Akashi

> Cheers,
>
> Neil
>
> > Thanks,
> > -Takahiro Akashi
> >
> >> => efidebug boot order 2 1
> >> => fatls mmc 0:1
> >>       440   ubootefi.var
> >>
> >> (Size drops from 3040 to 440 bytes and keys have gone)
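The thread asks twice for an offline description of ubootefi.var and ends with the question of whether PK, KEK and db are actually present in the file after the boot-order change. The script below is an added example for exactly that check; it is not code from this thread or from U-Boot. Its field layout follows my reading of struct efi_var_file and struct efi_var_entry in include/efi_variable.h and of the CRC handling in efi_var_collect(): the magic constant, the 8-byte alignment of entries, the NUL-terminated UCS-2 name and the crc32 computed over everything after the 16-byte header are stated from memory and should be confirmed against the header in your U-Boot tree before relying on the builder. All variable contents are constructed placeholders (real PK/KEK/db data is an EFI_SIGNATURE_LIST), and the sample GUIDs are the standard UEFI vendor GUIDs for those variables.

```python
"""Offline reader/writer for U-Boot's ubootefi.var container (added example).

Assumed layout, from my reading of include/efi_variable.h (check your tree):
  struct efi_var_file  { __le32 reserved; __le32 magic; __le32 length;
                         __le32 crc32; struct efi_var_entry var[]; };
  struct efi_var_entry { u32 length; u32 attr; u64 time; efi_guid_t guid;
                         u16 name[]; };  /* NUL-terminated UCS-2 name, then
                                            `length` data bytes; next entry
                                            at the next 8-byte boundary */
`length` in the file header is the total file size; crc32 covers everything
after the 16-byte header.  Only EFI_VARIABLE_NON_VOLATILE variables are
written by efi_var_collect(), so volatile ones never appear here.
"""
import struct
import uuid
import zlib

EFI_VAR_FILE_MAGIC = 0x0BF8D4BF        # value as I recall it; verify (assumption)
FILE_HDR = struct.Struct("<IIII")      # reserved, magic, length, crc32
ENTRY_HDR = struct.Struct("<IIQ16s")   # length, attr, time, guid (32 bytes)

EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
# "setenv -e -nv -bs -rt -at" from the thread maps onto these four bits.
AUTH_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS |
              EFI_VARIABLE_RUNTIME_ACCESS |
              EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
BOOT_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS |
              EFI_VARIABLE_RUNTIME_ACCESS)

EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
SECURE_BOOT_VARS = {"PK": EFI_GLOBAL_VARIABLE_GUID, "KEK": EFI_GLOBAL_VARIABLE_GUID,
                    "db": EFI_IMAGE_SECURITY_DATABASE_GUID,
                    "dbx": EFI_IMAGE_SECURITY_DATABASE_GUID}


def _align8(n):
    return (n + 7) & ~7


def pack_entry(name, guid, attr, data, time=0):
    """Serialise one efi_var_entry, zero-padded to the 8-byte boundary."""
    ucs2_name = (name + "\0").encode("utf-16-le")
    body = ENTRY_HDR.pack(len(data), attr, time, guid.bytes_le) + ucs2_name + data
    return body + b"\0" * (_align8(len(body)) - len(body))


def build_var_file(entries):
    """entries: iterable of (name, guid, attr, data) tuples -> file bytes."""
    payload = b"".join(pack_entry(*e) for e in entries)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return FILE_HDR.pack(0, EFI_VAR_FILE_MAGIC, FILE_HDR.size + len(payload), crc) + payload


def parse_var_file(blob):
    """Validate the container and return its entries; ValueError if corrupt."""
    if len(blob) < FILE_HDR.size:
        raise ValueError("file shorter than header")
    _reserved, magic, length, crc = FILE_HDR.unpack_from(blob, 0)
    if magic != EFI_VAR_FILE_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if length != len(blob):
        raise ValueError("header length %d != file size %d" % (length, len(blob)))
    if zlib.crc32(blob[FILE_HDR.size:]) & 0xFFFFFFFF != crc:
        raise ValueError("crc32 mismatch: file is corrupt or truncated")
    entries, off = [], FILE_HDR.size
    while off + ENTRY_HDR.size <= length:
        dlen, attr, time, guid = ENTRY_HDR.unpack_from(blob, off)
        p = off + ENTRY_HDR.size        # scan for the UCS-2 NUL at 2-byte steps
        while blob[p:p + 2] != b"\0\0":
            p += 2
            if p + 2 > length:
                raise ValueError("unterminated variable name")
        data_off = p + 2
        if data_off + dlen > length:
            raise ValueError("variable data runs past end of file")
        entries.append({"name": blob[off + ENTRY_HDR.size:p].decode("utf-16-le"),
                        "guid": uuid.UUID(bytes_le=guid), "attr": attr, "time": time,
                        "data": blob[data_off:data_off + dlen]})
        off = _align8(data_off + dlen)
    return entries


def secure_boot_status(blob):
    """Which of PK/KEK/db/dbx are in the file (name and vendor GUID must match)."""
    present = {(e["name"], e["guid"]) for e in parse_var_file(blob)}
    return {n: (n, g) in present for n, g in SECURE_BOOT_VARS.items()}


# Constructed sample content; real PK/KEK/db data is an EFI_SIGNATURE_LIST.
SAMPLE_ENTRIES = [
    ("PK", EFI_GLOBAL_VARIABLE_GUID, AUTH_ATTRS, b"<constructed PK siglist>"),
    ("KEK", EFI_GLOBAL_VARIABLE_GUID, AUTH_ATTRS, b"<constructed KEK siglist>"),
    ("db", EFI_IMAGE_SECURITY_DATABASE_GUID, AUTH_ATTRS, b"<constructed db siglist>"),
    ("BootOrder", EFI_GLOBAL_VARIABLE_GUID, BOOT_ATTRS, struct.pack("<HH", 1, 2)),
]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_var_file(SAMPLE_ENTRIES)
    for e in parse_var_file(blob):
        print(f"{e['name']:<12} {e['guid']} attr=0x{e['attr']:02x} {len(e['data'])} bytes")
    print(secure_boot_status(blob))
```

Run it against the ubootefi.var copied off the FAT partition before and after the boot-order change: if the 440-byte file parses cleanly but secure_boot_status() reports PK, KEK and db as missing, the keys were never collected into the saved image (the efi_var_collect() path the reply points at); a crc32 or length error instead points at a truncated or partially written file.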