From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [RFC] efi_loader: improve firmware capsule authentication
Date: Fri, 23 Apr 2021 14:47:31 +0900 [thread overview]
Message-ID: <20210423054731.GA23309@laputa> (raw)
Heinrich,
I'm currently thinking of improving capsule authentication
that Sughosh has made, particularly around mkeficapsule command:
1) Add a signing feature to the command
This will allow us to create a *signed* capsule file solely
with mkeficapsule. We will no longer rely on EDK2's script.
2) Delete "-K" and "-D" option
Specifically, revert 322c813f4bec ("mkeficapsule: Add support
for embedding public key in a dtb")
As I said, this feature doesn't have anything to do with
creating a capsule file. Above all, we can do the same thing
with the existing commands (dtc and fdtoverlay).
3) Add pytest for capsule authentication with sandbox
Now I have done all of them above although some cleanup work is
still needed. I think that (2) should be done in 2021.04.
I plan to send patches for 1-3 (and maybe 5 and 7 below) if you agree.
Other concerns:
4) Documentation
Currently, "doc/board/emulation/qemu_capsule_update.rst" is
the only document about the usage of UEFI capsule on U-Boot.
Unfortunately, it contains some errors and more importantly,
most of the content are generic, not qemu-specific.
5) Certificate (public key) in dtb
That's fine, but again "board/emulation/common/qemu_capsule.c"
is naturally generic. It should be available for other platforms
with a new Kconfig option.
# IMHO, I don't understand why the data in dtb needs be in
efi-signature-list structure. A single key (cert) would be enough.
6) "capsule_authentication_enabled"
I think that we have agreed with deleting this variable.
But I don't see any patch.
Moreover, capsule authentication must be enforced only
if the attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED,
is set. But there is no code to check the flag.
7) Pytest is broken
Due to your and Ilias' recent patches, existing pytests for
secure boot as well as capsule update are now broken.
I'm not sure why you have not yet noticed.
Presumably, Travis CI now skips those tests?
If I have some time in the future, I will address them.
But Sughosh can do as well.
-Takahiro Akashi
next reply other threads:[~2021-04-23 5:47 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-23 5:47 AKASHI Takahiro [this message]
2021-04-23 6:25 ` [RFC] efi_loader: improve firmware capsule authentication Sughosh Ganu
2021-04-23 7:00 ` AKASHI Takahiro
2021-04-23 9:08 ` Sughosh Ganu
2021-04-26 2:44 ` AKASHI Takahiro
2021-05-07 4:29 ` AKASHI Takahiro
2021-05-07 18:47 ` Heinrich Schuchardt
2021-05-10 0:31 ` AKASHI Takahiro
2021-04-23 7:21 ` Ilias Apalodimas
2021-04-23 7:50 ` AKASHI Takahiro
2021-04-23 8:03 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210423054731.GA23309@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox