From: luca.boccassi@gmail.com To: u-boot@lists.denx.de Subject: [PATCH] EFI: update the documentation to correctly order loading SB keys Date: Fri, 25 Nov 2022 13:30:11 +0000 Message-Id: <20221125133011.1270745-1-luca.boccassi@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean From: Luca Boccassi Loading the PK locks down the EFI variables, so it needs to be done last. Fix the order in the documentation and add a note. Signed-off-by: Luca Boccassi --- doc/develop/uefi/uefi.rst | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index e0835beba4..68a0bb6832 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -169,12 +169,16 @@ Sign an image with one of the keys in "db" on your host Now in U-Boot install the keys on your board:: - fatload mmc 0:1 PK.auth - setenv -e -nv -bs -rt -at -i :$filesize PK - fatload mmc 0:1 KEK.auth - setenv -e -nv -bs -rt -at -i :$filesize KEK fatload mmc 0:1 db.auth setenv -e -nv -bs -rt -at -i :$filesize db + fatload mmc 0:1 KEK.auth + setenv -e -nv -bs -rt -at -i :$filesize KEK + fatload mmc 0:1 PK.auth + setenv -e -nv -bs -rt -at -i :$filesize PK + +Note that loading a key into PK automatically enables Secure Boot, and further +unsigned updates of secure EFI variables will no longer be allowed, so PK should +be loaded last. Set up boot parameters on your board:: -- 2.34.1
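Review bot: The added note sits after the command block, so the reason for the new order is only given once the reader has already passed the `setenv -e -nv -bs -rt -at -i :$filesize PK` line; consider moving it above `fatload mmc 0:1 db.auth` or folding it into the "Now in U-Boot install the keys on your board::" lead-in. The phrase "further unsigned updates of secure EFI variables" could also name the variables concerned (PK, KEK and db, as used in the commands) and say whether signed `.auth` updates are still accepted once PK is set, since the commit message's "locks down the EFI variables" reads as stricter than the note does.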