From mboxrd@z Thu Jan  1 00:00:00 1970
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Thu, 13 May 2021 17:38:51 +0900
Subject: [PATCH 1/4] tools: mkeficapsule: add firmwware image signing
In-Reply-To: <CAA93ih3aJmgnHiuYOF3vSJeo3CBie6QGNKg70B+0QUTxZytp=g@mail.gmail.com>
References: <20210512045753.62288-2-takahiro.akashi@linaro.org>
 <c6b21901-15e0-2b24-22a2-5e4b4e293311@gmx.de>
 <20210513030839.GC16848@laputa>
 <6876a081-8f16-e747-6036-471b48f60318@gmx.de>
 <CAA93ih3rhuWwEfn1GbqPnXc0zZcSe1pw_zc2mX5dP6Hstng4Dw@mail.gmail.com>
 <b25e1fbf-655e-6ed0-5bf5-77714cf48e41@gmx.de>
 <20210513065054.GF16848@laputa>
 <0686AB79-8431-43A2-8EF6-7853DD29524B@gmx.de>
 <20210513072359.GI16848@laputa>
 <CAA93ih3aJmgnHiuYOF3vSJeo3CBie6QGNKg70B+0QUTxZytp=g@mail.gmail.com>
Message-ID: <20210513083851.GA35365@laputa>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Thu, May 13, 2021 at 05:18:36PM +0900, Masami Hiramatsu wrote:
> 2021?5?13?(?) 16:24 AKASHI Takahiro <takahiro.akashi@linaro.org>:
> 
> > > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
> > > >> > it should skip authentication too.
> > > >>
> > > >> In this case the capsule should be rejected (if
> > > >> CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
> > > >
> > > >That's basically right.
> > > >But as I mentioned in my comment against Sughosh's patch,
> > > >the authentication process will be enforced only if the capsule has
> > > >an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
> > > >
> > >
> > > That would be a security desaster.
> >
> > The requirement that I mentioned above is clearly described
> > in UEFI specification.
> > If you think that it is a disaster, please discuss the topic
> > in UEFI Forum first.
> 
> I confirmed UEFI specification, version 2.7, Section.23.1
> the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
> 
> -----------------
> If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
> authentication is not required to perform the firmware image operations.
> -----------------

Thank you for citing this.

> Oh, this is really crazy because deciding whether to authenticate the
> suspicious
> package or not, depends on whether the package said "please
> authenticate me" or not. :D

Well, the attributes can been fetched with GetInfo API, but
how it is managed depends on the implementation of FMP drivers.

As I proposed somewhere else, those attributes should be
maintained in a separate place (maybe as part of system's policy),
presumably ESRT or platform-specific internal database?

-Takahiro Akashi


> Anyway, since this behavior follows the specification, it should be
> kept by default,
> but also IMHO, there should be a CONFIG option to enforce capsule
> authentication always.
> 
> Thank you,
> 
> 
> 
> -- 
> Masami Hiramatsu