Date: Mon, 28 Nov 2022 09:45:29 +0900
From: AKASHI Takahiro
To: luca.boccassi@gmail.com
Cc: u-boot@lists.denx.de
Subject: Re: [PATCH] EFI: update the documentation to correctly order loading SB keys
Message-ID: <20221128004529.GA6711@laputa>
In-Reply-To: <20221125133011.1270745-1-luca.boccassi@gmail.com>

On Fri, Nov 25, 2022 at 01:30:11PM +0000, luca.boccassi@gmail.com wrote:
> From: Luca Boccassi
>
> Loading the PK locks down the EFI variables, so it needs to be done last.

No, it's not (always) correct.

> Fix the order in the documentation and add a note.
>
> Signed-off-by: Luca Boccassi
> ---
>  doc/develop/uefi/uefi.rst | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> index e0835beba4..68a0bb6832 100644
> --- a/doc/develop/uefi/uefi.rst
> +++ b/doc/develop/uefi/uefi.rst
> @@ -169,12 +169,16 @@ Sign an image with one of the keys in "db" on your host > > Now in U-Boot install the keys on your board:: > > - fatload mmc 0:1 PK.auth > - setenv -e -nv -bs -rt -at -i :$filesize PK > - fatload mmc 0:1 KEK.auth > - setenv -e -nv -bs -rt -at -i :$filesize KEK > fatload mmc 0:1 db.auth > setenv -e -nv -bs -rt -at -i :$filesize db > + fatload mmc 0:1 KEK.auth > + setenv -e -nv -bs -rt -at -i :$filesize KEK > + fatload mmc 0:1 PK.auth > + setenv -e -nv -bs -rt -at -i :$filesize PK > + > +Note that loading a key into PK automatically enables Secure Boot, and further > +unsigned updates of secure EFI variables will no longer be allowed, so PK should > +be loaded last. KEK.auth and db.auth are created by sign-efi-sig-list command (with valid keys) and contain authentication headers necessary for signature verification. So the original sequence works perfectly. -Takahiro Akashi > Set up boot parameters on your board:: > > -- > 2.34.1 >
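Review bot: The added note in this hunk draws a conclusion the hunk itself does not support: it says that once PK is set "further unsigned updates of secure EFI variables will no longer be allowed, so PK should be loaded last", but none of the commands in the hunk performs an unsigned update. Each `fatload mmc 0:1 KEK.auth` / `setenv -e -nv -bs -rt -at -i :$filesize KEK` pair writes a .auth payload, and `-at` marks the write as time-based authenticated, so those writes remain acceptable after PK has been enrolled; as the reply points out, KEK.auth and db.auth produced by sign-efi-sig-list already carry the authentication headers needed for verification. Either reword the note to say that, once PK is set, variable updates must be authenticated (which .auth files already are) and drop the "PK should be loaded last" sentence, or keep the original PK, KEK, db order and state in the commit message which concrete failure the reordering fixes.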
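The reply's point is that a .auth file is not a bare signature list but a payload wrapped in an EFI_VARIABLE_AUTHENTICATION_2 header (an EFI_TIME timestamp followed by a GUID-typed WIN_CERTIFICATE carrying PKCS#7 data), which is why `setenv -at` can accept it whether or not PK is already set. The script below is an added example written for this thread; it is not U-Boot code and not from either poster. It builds a constructed blob in that layout and parses it back, so a host-side check can confirm that what is about to be loaded as PK, KEK or db actually carries the header. The field layout and the PKCS#7 CertType GUID come from the UEFI specification; the timestamp, the PKCS#7 bytes and the two-byte variable data are placeholders, not a real signature.

```python
"""Inspect the EFI_VARIABLE_AUTHENTICATION_2 header of an EFI variable payload
(the framing sign-efi-sig-list emits as *.auth). Added example, not U-Boot code."""
import struct
import uuid

# Constants from the UEFI specification (WIN_CERTIFICATE, EFI_VARIABLE_AUTHENTICATION_2)
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

EFI_TIME_FMT = "<HBBBBBBIhBB"   # Year, Month, Day, Hour, Minute, Second, Pad1,
                                # Nanosecond, TimeZone, Daylight, Pad2 (16 bytes)
WIN_CERT_FMT = "<IHH"           # dwLength, wRevision, wCertificateType (8 bytes)
EFI_TIME_LEN = struct.calcsize(EFI_TIME_FMT)
WIN_CERT_LEN = struct.calcsize(WIN_CERT_FMT)
GUID_LEN = 16
MIN_HEADER_LEN = EFI_TIME_LEN + WIN_CERT_LEN + GUID_LEN   # 40 bytes


def parse_auth2(blob: bytes) -> dict:
    """Split an authenticated payload into timestamp, PKCS#7 bytes and variable data.

    Raises ValueError when the header is absent or malformed, which is what a
    bare .esl signature list (no authentication header) looks like.
    """
    if len(blob) < MIN_HEADER_LEN:
        raise ValueError("payload shorter than EFI_VARIABLE_AUTHENTICATION_2 header")
    t = struct.unpack_from(EFI_TIME_FMT, blob, 0)
    timestamp = {"year": t[0], "month": t[1], "day": t[2],
                 "hour": t[3], "minute": t[4], "second": t[5]}
    dw_length, revision, cert_type = struct.unpack_from(WIN_CERT_FMT, blob, EFI_TIME_LEN)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("WIN_CERTIFICATE header is not a GUID-typed certificate")
    guid_off = EFI_TIME_LEN + WIN_CERT_LEN
    cert_guid = uuid.UUID(bytes_le=blob[guid_off:guid_off + GUID_LEN])
    if cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError(f"unexpected CertType {cert_guid}")
    # dwLength covers the WIN_CERTIFICATE header, the CertType GUID and CertData
    cert_end = EFI_TIME_LEN + dw_length
    if dw_length < WIN_CERT_LEN + GUID_LEN or cert_end > len(blob):
        raise ValueError("dwLength inconsistent with payload size")
    return {
        "timestamp": timestamp,
        "pkcs7": blob[guid_off + GUID_LEN:cert_end],
        "data": blob[cert_end:],
    }


def has_auth_header(blob: bytes) -> bool:
    """True when the payload is in the form `setenv -at` expects."""
    try:
        parse_auth2(blob)
        return True
    except ValueError:
        return False


def build_auth2(data: bytes, pkcs7: bytes, when=(2022, 11, 28, 0, 0, 0)) -> bytes:
    """Assemble a payload in EFI_VARIABLE_AUTHENTICATION_2 layout.

    Constructed for this example: `pkcs7` is copied verbatim and is not a
    real signature, so the result only demonstrates the framing.
    """
    year, month, day, hour, minute, second = when
    efi_time = struct.pack(EFI_TIME_FMT, year, month, day, hour, minute, second,
                           0, 0, 0, 0, 0)   # Pad1, Nanosecond, TimeZone, Daylight, Pad2
    dw_length = WIN_CERT_LEN + GUID_LEN + len(pkcs7)
    win_cert = struct.pack(WIN_CERT_FMT, dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + data


if __name__ == "__main__":
    # Constructed sample: a fake PKCS#7 DER prefix and two bytes of "signature list"
    sample = build_auth2(data=b"\xaa\xbb", pkcs7=b"\x30\x82\x00\x00")
    print(parse_auth2(sample))
    print(has_auth_header(b"\x00" * 64))   # bare payload without the header -> False
```

Run it against a real file with `parse_auth2(open("db.auth", "rb").read())`: a .auth produced by sign-efi-sig-list parses and yields the PKCS#7 bytes, while the matching .esl raises ValueError at the WIN_CERTIFICATE check. The script only checks framing; it does not verify the PKCS#7 signature, which is the firmware's job at `setenv -at` time.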