From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v4 10/16] cmd: env: use appropriate guid for authenticated UEFI variable
Date: Wed, 22 Jan 2020 16:15:26 +0900
Message-ID: <20200122071525.GA10165@linaro.org>
In-Reply-To: <99bed5c3-b6be-8394-1711-8d59d8a8efbb@gmx.de>

On Wed, Jan 22, 2020 at 07:38:06AM +0100, Heinrich Schuchardt wrote:
> On 1/22/20 2:01 AM, AKASHI Takahiro wrote:
> >On Tue, Jan 21, 2020 at 08:13:06AM +0100, Heinrich Schuchardt wrote:
> >>On 12/18/19 1:45 AM, AKASHI Takahiro wrote:
> >>>A signature database variable is associated with a specific guid.
> >>>For convenience, if user doesn't supply any guid info, "env set|print -e"
> >>>should complement it.
> >>>
> >>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>>---
> >>>  cmd/nvedit_efi.c | 18 ++++++++++++++----
> >>>  1 file changed, 14 insertions(+), 4 deletions(-)
> >>>
> >>>diff --git a/cmd/nvedit_efi.c b/cmd/nvedit_efi.c
> >>>index 8ea0da01283f..579cf430593c 100644
> >>>--- a/cmd/nvedit_efi.c
> >>>+++ b/cmd/nvedit_efi.c
> >>>@@ -41,6 +41,11 @@ static const struct {
> >>>  } efi_guid_text[] = {
> >>>  	/* signature database */
> >>>  	{EFI_GLOBAL_VARIABLE_GUID, "EFI_GLOBAL_VARIABLE_GUID"},
> >>>+	{EFI_IMAGE_SECURITY_DATABASE_GUID, "EFI_IMAGE_SECURITY_DATABASE_GUID"},
> >>>+	/* certificate type */
> >>>+	{EFI_CERT_SHA256_GUID, "EFI_CERT_SHA256_GUID"},
> >>>+	{EFI_CERT_X509_GUID, "EFI_CERT_X509_GUID"},
> >>>+	{EFI_CERT_TYPE_PKCS7_GUID, "EFI_CERT_TYPE_PKCS7_GUID"},
> >>>  };
> >>>
> >>>  /* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" */
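Review bot: the "/* signature database */" label in this hunk now heads a group that still begins with EFI_GLOBAL_VARIABLE_GUID, so the comment reads as if that GUID were also a signature-database GUID; placing the comment directly above the new EFI_IMAGE_SECURITY_DATABASE_GUID entry, or giving the first entry its own label, would keep the table self-explanatory. Likewise, "/* certificate type */" puts EFI_CERT_TYPE_PKCS7_GUID in the same group as EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID even though it plays a different role in the variable's authentication header, and a one-line comment separating the two would help a reader of the verbose output understand which GUID they are looking at.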
> >>>@@ -525,9 +530,9 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
> >>>  			if (*ep != ',')
> >>>  				return CMD_RET_USAGE;
> >>>
> >>>+			/* 0 should be allowed for delete */
> >>>  			size = simple_strtoul(++ep, NULL, 16);
> >>>-			if (!size)
> >>>-				return CMD_RET_FAILURE;
> >>>+
> >>>  			value_on_memory = true;
> >>>  		} else if (!strcmp(argv[0], "-v")) {
> >>>  			verbose = true;
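Review bot: dropping the "if (!size) return CMD_RET_FAILURE;" check is a behaviour change that the commit message ("use appropriate guid for authenticated UEFI variable") does not mention, and it belongs in its own patch or at least in the description. As written, simple_strtoul() is still called with a NULL end pointer, so a malformed size such as "-i 0x1000,zz" now parses as 0 and is silently treated as a delete rather than rejected; consider something like "size = simple_strtoul(++ep, &ep, 16); if (*ep) return CMD_RET_USAGE;" so that only an explicit, well-formed 0 reaches the delete path.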
> >>>@@ -539,8 +544,13 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
> >>>  		return CMD_RET_USAGE;
> >>>
> >>>  	var_name = argv[0];
> >>>-	if (default_guid)
> >>>-		guid = efi_global_variable_guid;
> >>>+	if (default_guid) {
> >>>+		if (!strcmp(var_name, "db") || !strcmp(var_name, "dbx") ||
> >>>+		    !strcmp(var_name, "dbt"))
> >>
> >>Why is "dbr" missing?
> >
> >Because it is not yet supported and I have no plan to support it
> >in short term.
> 
> This should not stop us from adding "dbr" here just to keep the setenv
> command consistent even if the value of dbr will not yet be considered
> in our secure boot implementation.

Your comments are inconsistent from time to time.
Please remember when I submitted the patch "cmd: env: extend "env
[set|print] -e" to manage UEFI variables".
In my early versions, "-at" (TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
was also supported. But you rejected it just because secure boot
was not merged yet at the moment.

So nak to your suggestion above.

-Takahiro Akashi


> Best regards
> 
> Heinrich
> 
> >
> >>I guess dbDefault, dbrDefault, dbxDefault, dbtDefault use
> >>EFI_GLOBAL_VARIABLE?
> >
> >Yes.
> >I have a patch for supporting those *Default now, but will submit it
> >once my core secure boot patch is accepted.
> >
> >Thanks,
> >-Takahiro Akashi
> >
> >>Best regards
> >>
> >>Heinrich
> >>
> >>>+			guid = efi_guid_image_security_database;
> >>>+		else
> >>>+			guid = efi_global_variable_guid;
> >>>+	}
> >>>
> >>>  	if (verbose) {
> >>>  		printf("GUID: %s\n", efi_guid_to_str((const efi_guid_t *)
> >>>
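Review bot: the default-GUID selection is an open-coded strcmp() chain on "db", "dbx" and "dbt", which is exactly why the question about "dbr" arose in this thread; a small table of {name, guid} pairs next to efi_guid_text[], looked up in one loop, would make the set of covered names visible in one place and let further names (or the *Default variants mentioned below) be added without touching the logic. Since the chosen GUID is only surfaced under -v, a user who sets a variable with one of these names and relies on the default will not otherwise see which GUID was applied, so the help text for "env set -e" should state the rule as well.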
> >>
> >
> 
