public inbox for linux-efi@vger.kernel.org
From: Jan Kiszka <jan.kiszka-kv7WeFo6aLtBDgjK7y7TUQ@public.gmane.org>
To: Bryan O'Donoghue <pure.logic-SyKdqv6vbfZdzvEItQ6vdLNAH6kLmebB@public.gmane.org>,
	"Kweh, Hock Leong" <hock.leong.kweh-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
	Andy Shevchenko <andy.shevchenko-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Matt Fleming <matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>,
	Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
	"linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" <linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Linux Kernel Mailing List <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org>,
	"Ong, Boon Leong" <boon.leong.ong-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
	"Mok, Tze Siong" <tze.siong.mok-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH 0/2] efi: Enhance capsule loader to support signed Quark images
Date: Fri, 17 Feb 2017 11:14:46 +0100
Message-ID: <87df71cd-8f45-351f-30bb-ac7e66005c2a@siemens.com>
In-Reply-To: <89831548-506f-9199-57ae-400ce020081a-SyKdqv6vbfZdzvEItQ6vdLNAH6kLmebB@public.gmane.org>

On 2017-02-17 10:51, Bryan O'Donoghue wrote:
> On 17/02/17 08:23, Kweh, Hock Leong wrote:
>> And to have UEFI expand
>> its capsule support and take in signed binaries would be a more secure way.
>> So, influencing UEFI community to have such support would be the right
>> move throughout the discussion. That is my summary.
> 
> CSH stands for "Clanton Secure Header" - Clanton being the internal
> code-name for Quark X1000 prior to release.
> 
> There is no chance the UEFI standard (which can be used on ARM and
> potentially other architectures) will accept a SoC specific
> root-of-trust prepended header.
> 
> Sure some kind of binary signed headers might become part of the
> standard eventually but, definitely _not_ a CSH.
> 
> The fact is CSH exists in the real-world and a UEFI firmware supports
> accepting the CSH/UEFI-capsule pair for updating itself.
> 
> I think a far more practical solution is to accommodate the de facto
> implementation (the only current implementation?). To me it defies
> reason to have Quark X1000 be the only system (that I know of) capable
> of doing a capsule update - have capsule code in the kernel - but _not_
> support the header prepended to that capsule that the Quark
> firmware/bootrom require.
> 
> Right now the capsule code is dead code on Quark x1000. Let's do the
> right thing and make it usable. I fully support having a
> separate/parallel conversation with the UEFI body but, I'd be amazed if
> the "Clanton Secure Header" made it into the standard...
> 

To be precise, CSH is only required on X102x. The X100x SoCs, which are
also found on the Galileo Gen2 maker board, do not support secure boot
and do not use the header. IIRC, there used to be an eval system with
the X1020 as well, but I think it's no longer available.

Interestingly, the capsule file found in Intel's Galileo firmware update
package [1] contains the CSH header. But I only succeeded in flashing it
on a Gen2 by removing the header first.

Jan

[1] https://downloadcenter.intel.com/download/26417/Intel-Galileo-Firmware-Updater-and-Drivers?product=83137

-- 
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux
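Jan's observation that the Gen2 only accepted Intel's capsule once the CSH had been removed is the kind of framing mismatch worth checking before a file is handed to the kernel's capsule loader. The script below is an added example (editor's code, not from this thread, the kernel patches under discussion, or Intel): it reports whether a file starts with a Quark CSH, whether the sizes recorded in the CSH and in the `EFI_CAPSULE_HEADER` agree with the file length, and strips the CSH for an X100x target that neither supports nor expects it. The CSH field layout (16 little-endian u32 fields, the `_CSH` magic read as a u32, `modulesize` at field index 2, `headersize` at index 8, a 0x400-byte header) is this example's assumption drawn from how the Linux kernel's Quark capsule quirk treats the header; the `EFI_CAPSULE_HEADER` layout and the two capsule flags are from the UEFI specification, and the sample image, its GUID and its payload are constructed placeholders.

```python
import struct
import uuid

# Quark "Clanton Secure Header" framing (assumption for this example, following
# the layout the Linux kernel's Quark capsule quirk uses): 16 little-endian u32
# fields; the magic "_CSH" is compared as a u32, so it appears on disk as b"HSC_".
QUARK_CSH_SIGNATURE = 0x5F435348
QUARK_CSH_HEADER_SIZE = 0x400
CSH_STRUCT = struct.Struct("<16I")
CSH_IDX_VERSION, CSH_IDX_MODULESIZE, CSH_IDX_HEADERSIZE = 1, 2, 8

# EFI_CAPSULE_HEADER from the UEFI specification:
# EFI_GUID CapsuleGuid; UINT32 HeaderSize; UINT32 Flags; UINT32 CapsuleImageSize.
EFI_CAPSULE_HEADER = struct.Struct("<16sIII")
CAPSULE_FLAGS_PERSIST_ACROSS_RESET = 0x00010000
CAPSULE_FLAGS_INITIATE_RESET = 0x00040000


def inspect_capsule(data: bytes) -> dict:
    """Report how a capsule file is framed and whether its size fields agree."""
    info = {"csh_present": False, "csh_size": 0, "errors": []}
    offset = 0

    if len(data) >= CSH_STRUCT.size and \
            struct.unpack_from("<I", data, 0)[0] == QUARK_CSH_SIGNATURE:
        fields = CSH_STRUCT.unpack_from(data, 0)
        headersize = fields[CSH_IDX_HEADERSIZE]
        info.update(csh_present=True, csh_size=headersize,
                    csh_version=fields[CSH_IDX_VERSION])
        if headersize != QUARK_CSH_HEADER_SIZE:
            info["errors"].append(f"unexpected CSH headersize {headersize:#x}")
        if fields[CSH_IDX_MODULESIZE] != len(data):
            info["errors"].append("CSH modulesize does not match the file length")
        offset = headersize

    if len(data) < offset + EFI_CAPSULE_HEADER.size:
        info["errors"].append("no room for an EFI_CAPSULE_HEADER after the CSH")
        return info

    guid, hdr_size, flags, image_size = EFI_CAPSULE_HEADER.unpack_from(data, offset)
    # EFI GUIDs are stored mixed-endian; uuid handles that via bytes_le.
    info.update(capsule_guid=str(uuid.UUID(bytes_le=guid)),
                header_size=hdr_size, flags=flags, image_size=image_size)
    if hdr_size < EFI_CAPSULE_HEADER.size:
        info["errors"].append("EFI HeaderSize is smaller than the fixed header")
    if image_size != len(data) - offset:
        info["errors"].append("CapsuleImageSize does not match the bytes after the CSH")
    return info


def strip_csh(data: bytes) -> bytes:
    """Return the bare EFI capsule, dropping a leading CSH if one is present."""
    info = inspect_capsule(data)
    if not info["csh_present"]:
        return data
    if info["errors"]:
        raise ValueError("refusing to strip a malformed image: " + "; ".join(info["errors"]))
    return data[info["csh_size"]:]


def build_sample(with_csh: bool) -> bytes:
    """Constructed test image: a dummy capsule, optionally wrapped in a CSH."""
    payload = b"constructed firmware payload, not real Quark firmware"
    capsule_guid = uuid.UUID("12345678-1234-5678-9abc-def012345678")  # placeholder
    capsule = EFI_CAPSULE_HEADER.pack(
        capsule_guid.bytes_le, EFI_CAPSULE_HEADER.size,
        CAPSULE_FLAGS_PERSIST_ACROSS_RESET | CAPSULE_FLAGS_INITIATE_RESET,
        EFI_CAPSULE_HEADER.size + len(payload)) + payload
    if not with_csh:
        return capsule
    fields = [0] * 16
    fields[0] = QUARK_CSH_SIGNATURE
    fields[CSH_IDX_VERSION] = 1
    fields[CSH_IDX_MODULESIZE] = QUARK_CSH_HEADER_SIZE + len(capsule)
    fields[CSH_IDX_HEADERSIZE] = QUARK_CSH_HEADER_SIZE
    csh = CSH_STRUCT.pack(*fields).ljust(QUARK_CSH_HEADER_SIZE, b"\0")
    return csh + capsule


if __name__ == "__main__":
    import sys
    # Inspect a real file if given, otherwise the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    for key, value in inspect_capsule(data).items():
        print(f"{key}: {value}")
```

Run it on a capsule file to see whether a CSH is present and whether the recorded sizes match before deciding which variant a given board (X102x with the header, X100x without) should receive; `strip_csh` refuses to produce output when the framing is inconsistent, so a truncated download is caught rather than turned into a bare capsule with a wrong `CapsuleImageSize`.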
