From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [RFC] efi_loader: improve firmware capsule authentication
Date: Fri, 23 Apr 2021 16:00:36 +0900 [thread overview]
Message-ID: <20210423070036.GB23309@laputa> (raw)
In-Reply-To: <CADg8p95tR25-uCumUbuyNrF0tk_e21Qg=P6_+xBykKcWRs2b_A@mail.gmail.com>
Sughosh,
On Fri, Apr 23, 2021 at 11:55:04AM +0530, Sughosh Ganu wrote:
> Takahiro,
>
> On Fri, 23 Apr 2021 at 11:17, AKASHI Takahiro <takahiro.akashi@linaro.org>
> wrote:
>
> > Heinrich,
> >
> > I'm currently thinking of improving capsule authentication
> > that Sughosh has made, particularly around mkeficapsule command:
> >
> > 1) Add a signing feature to the command
> > This will allow us to create a *signed* capsule file solely
> > with mkeficapsule. We will no longer rely on EDK2's script.
> > 2) Delete "-K" and "-D" option
> > Specifically, revert 322c813f4bec ("mkeficapsule: Add support
> > for embedding public key in a dtb")
> > As I said, this feature doesn't have anything to do with
> > creating a capsule file. Above all, we can do the same thing
> > with the existing commands (dtc and fdtoverlay).
> >
>
> I would vote against this particular revert that you are suggesting. I have
> already submitted a patchset which is under review[1], which is adding
> support for embedding the key in the platform's dtb, using the above
> functionality in mkeficapsule.
That is why I insisted "(2) should be done in 2021.04"
as we should stop it being merged immediately.
> I don't see any reason why we should be
> adding this logic in another utility,
?
I never tried to add anything about this issue. Just remove.
FYI, we can get the exact same result with:
=== pubkey.dts ===
/dts-v1/;
/plugin/;
&{/} {
signature {
capsule-key = /incbin/("CRT.esl");
};
};
===
$ dtc -@ -I dts -O dtb -o pubkey.dtbo pubkey.dts
$ fdtoverlay -i test.dtb -o test_pubkey.dtb -v pubkey.dtbo
No "C" code needed here. You also re-invented the almost same function
as fdt_overlay_apply() in mkeficapsule, and yet your function is
incompatible with dtc/fdtoverlay commands in terms of overlay syntax.
I have already confirmed the capsule file signed by my mkeficapsule
+ above dtb work perfectly with efi_capsule_authenticate()
in my pytest with sandbox.
And again, the feature has nothing to do with generating a capsule file.
It is simply to perform fdt overlay which is already supported by standard
commands.
Those are the reasons why we should revert the patch.
> and cannot use the mkeficapsule
> utility for embedding the public key in the platform's dtb.
?
No need to use mkeficapsule any more.
-Takahiro Akashi
> The
> mkeficapsule utility can be extended to add the authentication information
> that you plan to submit.
>
> -sughosh
>
> [1] - https://lists.denx.de/pipermail/u-boot/2021-April/447183.html
>
>
> > 3) Add pytest for capsule authentication with sandbox
> >
> > Now I have done all of them above although some cleanup work is
> > still needed. I think that (2) should be done in 2021.04.
> >
> > I plan to send patches for 1-3 (and maybe 5 and 7 below) if you agree.
> >
> > Other concerns:
> > 4) Documentation
> > Currently, "doc/board/emulation/qemu_capsule_update.rst" is
> > the only document about the usage of UEFI capsule on U-Boot.
> > Unfortunately, it contains some errors and more importantly,
> > most of the content are generic, not qemu-specific.
> >
> > 5) Certificate (public key) in dtb
> > That's fine, but again "board/emulation/common/qemu_capsule.c"
> > is naturally generic. It should be available for other platforms
> > with a new Kconfig option.
> >
> > # IMHO, I don't understand why the data in dtb needs be in
> > efi-signature-list structure. A single key (cert) would be enough.
> >
> > 6) "capsule_authentication_enabled"
> > I think that we have agreed with deleting this variable.
> > But I don't see any patch.
> > Moreover, capsule authentication must be enforced only
> > if the attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED,
> > is set. But there is no code to check the flag.
> >
> > 7) Pytest is broken
> > Due to your and Ilias' recent patches, existing pytests for
> > secure boot as well as capsule update are now broken.
> > I'm not sure why you have not yet noticed.
> > Presumably, Travis CI now skips those tests?
> >
> > If I have some time in the future, I will address them.
> > But Sughosh can do as well.
> >
> > -Takahiro Akashi
> >
next prev parent reply other threads:[~2021-04-23 7:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-23 5:47 [RFC] efi_loader: improve firmware capsule authentication AKASHI Takahiro
2021-04-23 6:25 ` Sughosh Ganu
2021-04-23 7:00 ` AKASHI Takahiro [this message]
2021-04-23 9:08 ` Sughosh Ganu
2021-04-26 2:44 ` AKASHI Takahiro
2021-05-07 4:29 ` AKASHI Takahiro
2021-05-07 18:47 ` Heinrich Schuchardt
2021-05-10 0:31 ` AKASHI Takahiro
2021-04-23 7:21 ` Ilias Apalodimas
2021-04-23 7:50 ` AKASHI Takahiro
2021-04-23 8:03 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210423070036.GB23309@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox