From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=l08M=NS=lists.denx.de=u-boot-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1F67EC432BE
	for <u-boot@archiver.kernel.org>; Fri, 27 Aug 2021 03:59:57 +0000 (UTC)
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 784C260F42
	for <u-boot@archiver.kernel.org>; Fri, 27 Aug 2021 03:59:56 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 784C260F42
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linaro.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 2E1AB8322F;
	Fri, 27 Aug 2021 05:59:54 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="NvT9Sa39";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 077AC83249; Fri, 27 Aug 2021 05:59:53 +0200 (CEST)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com
 [IPv6:2607:f8b0:4864:20::629])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id BD71582A01
 for <u-boot@lists.denx.de>; Fri, 27 Aug 2021 05:59:48 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=takahiro.akashi@linaro.org
Received: by mail-pl1-x629.google.com with SMTP id x16so1470064pll.2
 for <u-boot@lists.denx.de>; Thu, 26 Aug 2021 20:59:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=date:from:to:cc:subject:message-id:mail-followup-to:references
 :mime-version:content-disposition:in-reply-to;
 bh=fmiVGJNqRHuVFMZtiMQm2XEc6bgBB1vHmNtnT1XfNpM=;
 b=NvT9Sa397JB8w2uNV2aUSGsGtJxigJTcprjibyt9lT8TsWF5zhjXxOmBUQGoE7/EGz
 EMe66aCoh0DiD6OcbJ0vE50P0wWES0SX0wl79DD7c+5SxDaQRn0mDduKl/gLebbekmsO
 r3jB5Sn0AbdDwFUiCyAs0wI9RpVGrsH1byrQ6hZG6gKwPEzXv7ZB4MzTpEmsDjgg134c
 pl58UcMF81+3w+3IxKd+3nkaHyZJqf/RsJ1gNPnxnNSNgQifECHiea/n71X5oKqpT7MH
 I+UZ04RetEmz8m715lmlSVAL8zNaFYPEjRkgUIgyAhI6NwTvZX7LhfyqtNEpupQfh8B6
 KjXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:cc:subject:message-id
 :mail-followup-to:references:mime-version:content-disposition
 :in-reply-to;
 bh=fmiVGJNqRHuVFMZtiMQm2XEc6bgBB1vHmNtnT1XfNpM=;
 b=Ot6F3TTNX0ZkbcIHOKEyANnUC2hX8HalL4Mbjai0Tk1xNcClvj3Znc36Po44NDag68
 7csXvEJ/RAFNMi3eUHnpS9/3dYe5gWU6xOVHzB1sbCGs+i+Xvg+9mB9kuIfyvXVs9N/t
 aXrBXMNIHsTB7JUQVGhBy8yA+Dg9ntydnVq3b4T7+K8vABx36FlcSqeG3A8jlV7Zu/RU
 59hTmp5tt6gxPqnYjwPjuC+Nqxf09yhkXzOmg5amu2Zc2Lk7bdUZSKIPU1+DBpWARrdH
 EPOhjEz//xu/0nkebyjHqobusSEYD66FzuAHWgWybkEUE5nKVRI4SuMUjVj5H9LD8rb3
 xUng==
X-Gm-Message-State: AOAM533zyTl7c/MmUpN1DBt1neYhPVY9Z+hYgq7VD79foV7nVMzarEnQ
 XdnklkRU/uJsp5OmfZSnsyst2w==
X-Google-Smtp-Source: ABdhPJyaAptL6q/bWjLpUKkivDNBNqSJ1fmvghHZPeklRbt35z2LpRMK66lYzpP3NZWn/WQl4HDzfw==
X-Received: by 2002:a17:902:aa02:b0:134:b387:facc with SMTP id
 be2-20020a170902aa0200b00134b387faccmr6628520plb.22.1630036787069; 
 Thu, 26 Aug 2021 20:59:47 -0700 (PDT)
Received: from laputa (p784a6698.tkyea130.ap.so-net.ne.jp. [120.74.102.152])
 by smtp.gmail.com with ESMTPSA id m18sm4412998pjq.32.2021.08.26.20.59.44
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 26 Aug 2021 20:59:46 -0700 (PDT)
Date: Fri, 27 Aug 2021 12:59:42 +0900
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Cc: u-boot@lists.denx.de, Alexander Graf <agraf@csgraf.de>,
 Ilias Apalodimas <ilias.apalodimas@linaro.org>,
 Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: Re: [PATCH v2 0/6] efi_loader: fix secure boot mode transitions
Message-ID: <20210827035942.GD52912@laputa>
Mail-Followup-To: AKASHI Takahiro <takahiro.akashi@linaro.org>,
 Heinrich Schuchardt <heinrich.schuchardt@canonical.com>,
 u-boot@lists.denx.de, Alexander Graf <agraf@csgraf.de>,
 Ilias Apalodimas <ilias.apalodimas@linaro.org>,
 Heinrich Schuchardt <xypron.glpk@gmx.de>
References: <20210826134805.148975-1-heinrich.schuchardt@canonical.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210826134805.148975-1-heinrich.schuchardt@canonical.com>
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de
X-Virus-Status: Clean

On Thu, Aug 26, 2021 at 03:47:59PM +0200, Heinrich Schuchardt wrote:
> The UEFI specification 2.9 defines the different modes that secure boot may
> be in. 
> 
> The patch series adds support for the "Deployed Mode" and the "Setup Mode".

This sentence seems to be wrong, or at least inaccurate.
"Setup Mode" has been supported from the beginning when I implemented
secure boot. In other word, I implemented only the transition between
"Setup Mode" and "User Mode" only.

-Takahiro Akashi


> Furthermore the secure boot signature database must only be loaded from
> tamper-resistant storage. So we must not load it from ubootefi.var on the
> EFI system partition but only from the preseed variables store or via the
> OP-TEE driver for the eMMC replay protected memory partition.
> 
> v2:
> 	correct variable name in lib/efi_loader/efi_variable_tee.c
> 
> Heinrich Schuchardt (6):
>   efi_loader: stop recursion in efi_init_secure_state
>   efi_loader: correct determination of secure boot state
>   efi_loader: don't load signature database from file
>   efi_loader: correct secure boot state transition
>   efi_loader: writing AuditMode, DeployedMode
>   efi_loader: always initialize the secure boot state
> 
>  include/efi_variable.h            |  6 ++-
>  lib/efi_loader/efi_var_common.c   | 66 +++++++++++++++++++++++--------
>  lib/efi_loader/efi_var_file.c     | 41 +++++++++++--------
>  lib/efi_loader/efi_variable.c     | 20 ++++++----
>  lib/efi_loader/efi_variable_tee.c |  4 +-
>  5 files changed, 95 insertions(+), 42 deletions(-)
> 
> -- 
> 2.30.2
>