Date: Mon, 28 Nov 2022 12:04:28 +0900
From: AKASHI Takahiro
To: Luca Boccassi
Cc: u-boot@lists.denx.de
Subject: Re: [PATCH] EFI: update the documentation to correctly order loading SB keys
Message-ID: <20221128030428.GA30007@laputa>
References: <20221125133011.1270745-1-luca.boccassi@gmail.com> <20221128004529.GA6711@laputa>

On Mon, Nov 28, 2022 at 01:27:53AM +0000, Luca Boccassi wrote:
> On Mon, 28 Nov 2022 at 00:45, AKASHI Takahiro wrote:
> >
> > On Fri, Nov 25, 2022 at 01:30:11PM +0000, luca.boccassi@gmail.com wrote:
> > > From: Luca Boccassi
> > >
> > > Loading the PK locks down the EFI variables, so it needs to be done last.
> >
> > No, it's not (always) correct.
> >
> > > Fix the order in the documentation and add a note.
> > >
> > > Signed-off-by: Luca Boccassi
> > > ---
> > >  doc/develop/uefi/uefi.rst | 12 ++++++++----
> > >  1 file changed, 8 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> > > index e0835beba4..68a0bb6832 100644
> > > --- a/doc/develop/uefi/uefi.rst
> > > +++ b/doc/develop/uefi/uefi.rst
> > > @@ -169,12 +169,16 @@ Sign an image with one of the keys in "db" on your host
> > >
> > >  Now in U-Boot install the keys on your board::
> > >
> > > -    fatload mmc 0:1 PK.auth
> > > -    setenv -e -nv -bs -rt -at -i :$filesize PK
> > > -    fatload mmc 0:1 KEK.auth
> > > -    setenv -e -nv -bs -rt -at -i :$filesize KEK
> > >      fatload mmc 0:1 db.auth
> > >      setenv -e -nv -bs -rt -at -i :$filesize db
> > > +    fatload mmc 0:1 KEK.auth
> > > +    setenv -e -nv -bs -rt -at -i :$filesize KEK
> > > +    fatload mmc 0:1 PK.auth
> > > +    setenv -e -nv -bs -rt -at -i :$filesize PK
> > > +
> > > +Note that loading a key into PK automatically enables Secure Boot, and further
> > > +unsigned updates of secure EFI variables will no longer be allowed, so PK should
> > > +be loaded last.
> >
> > KEK.auth and db.auth are created by sign-efi-sig-list command
> > (with valid keys) and contain authentication headers necessary
> > for signature verification.
> > So the original sequence works perfectly.
>
> In theory. In practice u-boot (both 2022.07 and 2022.10 in qemu)
> refused to allow setting those variables after PK is set, which made
> me waste an unnecessary amount of time. Otherwise I wouldn't have
> bothered sending this...

I re-ran my test_efi_secboot test on v2022.10 with sandbox_defconfig
and didn't see any error.
(Test case 1 verified that we could install PK, KEK and db in this order.)

If you see this kind of error, it's likely that you have a wrong configuration.
If you're not sure, please describe what you did and saw in detail.

-Takahiro Akashi

> Kind regards,
> Luca Boccassi
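Review bot: the added note ("further unsigned updates of secure EFI variables will no longer be allowed, so PK should be loaded last") does not justify reordering the commands above it, because every file in that sequence is a `.auth` payload, which, as the reply in this thread points out, carries the authentication header that sign-efi-sig-list produces and that the firmware verifies, so a correctly signed KEK.auth or db.auth is not an "unsigned update" and is not blocked by PK being present. Suggest either keeping the original PK, KEK, db order and adding only the sentence about PK enabling Secure Boot, or rewording the note to say that the PK-last order matters only when the other variables are written without a valid authentication header. The commit message's "Loading the PK locks down the EFI variables" should be narrowed in the same way, and since the change is justified by behaviour observed in qemu on 2022.07 and 2022.10 rather than by the format, the exact error text and configuration used belong in the commit message so the maintainers can reproduce it.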
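The disagreement above turns on what a `.auth` file produced by sign-efi-sig-list actually contains and why a time-based authenticated write can still be accepted once PK is installed. The Python below is an added example, not code from the U-Boot tree or from either poster: it parses the EFI_VARIABLE_AUTHENTICATION_2 header that fronts PK.auth, KEK.auth and db.auth (EFI_TIME timestamp, WIN_CERTIFICATE_UEFI_GUID, embedded PKCS#7 blob), walks the EFI_SIGNATURE_LIST payload behind it, and rebuilds the byte string the firmware hashes when it checks the signature for a `setenv -e -nv -bs -rt -at` write (variable name, vendor GUID, attributes, timestamp, data). The GUIDs and attribute bits are the UEFI specification's values; the sample blob is constructed inline with placeholder bytes where a real PKCS#7 signature and X.509 certificate would sit, so no signature is actually verified.

```python
"""Added example (not from the U-Boot thread or tree): dissect an EFI
time-based authenticated variable blob as written by sign-efi-sig-list.
Sample data is constructed; the PKCS#7 and certificate bytes are placeholders."""
import struct
import uuid
from dataclasses import dataclass

# GUIDs from the UEFI specification; .bytes_le is the on-disk EFI_GUID layout.
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")  # PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db

WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200

# Attribute bits selected by `setenv -e -nv -bs -rt -at` in U-Boot.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
AUTH_VAR_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                  | EFI_VARIABLE_RUNTIME_ACCESS
                  | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)

EFI_TIME_FMT = "<HBBBBBBIhBB"  # Year Month Day Hour Min Sec Pad1 Nanosec TZ Daylight Pad2
WIN_CERT_FMT = "<IHH"          # dwLength, wRevision, wCertificateType
SIG_LIST_FMT = "<16sIII"       # SignatureType, ListSize, HeaderSize, SignatureSize


@dataclass
class AuthVariable:
    timestamp: bytes  # raw 16-byte EFI_TIME; it is signed verbatim, so keep it as bytes
    pkcs7: bytes      # WIN_CERTIFICATE_UEFI_GUID.CertData: DER PKCS#7 SignedData
    data: bytes       # the variable content that follows the header


def parse_auth(blob: bytes) -> AuthVariable:
    """Split an EFI_VARIABLE_AUTHENTICATION_2 blob into timestamp, PKCS#7 and data."""
    if len(blob) < 16 + 8 + 16:
        raise ValueError("too short for EFI_VARIABLE_AUTHENTICATION_2")
    dw_length, revision, cert_type = struct.unpack_from(WIN_CERT_FMT, blob, 16)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("AuthInfo is not a WIN_CERTIFICATE_UEFI_GUID")
    # dwLength spans the WIN_CERTIFICATE header, the CertType GUID and CertData.
    if dw_length < 8 + 16 or 16 + dw_length > len(blob):
        raise ValueError("dwLength inconsistent with blob length")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    return AuthVariable(blob[:16], blob[40:16 + dw_length], blob[16 + dw_length:])


def parse_signature_lists(data: bytes):
    """Yield (SignatureType GUID, [(SignatureOwner GUID, SignatureData), ...]) per list."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = struct.unpack_from(SIG_LIST_FMT, data, off)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize out of bounds")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature array is not a whole number of entries")
        entries = [(uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size])
                   for i in range(0, len(body), sig_size)]
        yield uuid.UUID(bytes_le=sig_type), entries
        off += list_size


def signed_payload(name: str, vendor: uuid.UUID, attrs: int, var: AuthVariable) -> bytes:
    """Bytes the PKCS#7 signature must cover for a TIME_BASED_AUTHENTICATED write:
    VariableName (UCS-2, no terminator) || VendorGuid || Attributes || TimeStamp || Data."""
    return (name.encode("utf-16-le") + vendor.bytes_le
            + struct.pack("<I", attrs) + var.timestamp + var.data)


def build_sample_db_auth() -> bytes:
    """Constructed blob shaped like db.auth; placeholder PKCS#7 and certificate bytes."""
    # Pad1, Nanosecond, TimeZone, Daylight and Pad2 must be zero in an auth timestamp.
    ts = struct.pack(EFI_TIME_FMT, 2022, 11, 28, 3, 4, 28, 0, 0, 0, 0, 0)
    fake_pkcs7 = b"\x30\x82\x00\x10" + b"\xaa" * 16           # placeholder, not a signature
    fake_cert = b"\x30\x82\x00\x04\xde\xad\xbe\xef"           # placeholder, not a certificate
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed SignatureOwner
    hdr = struct.pack(WIN_CERT_FMT, 8 + 16 + len(fake_pkcs7),
                      WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    sig_size = 16 + len(fake_cert)
    sig_list = struct.pack(SIG_LIST_FMT, EFI_CERT_X509_GUID.bytes_le, 28 + sig_size, 0, sig_size)
    return (ts + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + fake_pkcs7
            + sig_list + owner.bytes_le + fake_cert)


if __name__ == "__main__":
    var = parse_auth(build_sample_db_auth())
    for sig_type, entries in parse_signature_lists(var.data):
        print(f"signature list {sig_type}: {len(entries)} entries")
    tbs = signed_payload("db", EFI_IMAGE_SECURITY_DATABASE_GUID, AUTH_VAR_ATTRS, var)
    print(f"{len(var.pkcs7)} PKCS#7 bytes must sign {len(tbs)} bytes of name|guid|attrs|time|data")
```

Two things in this layout explain the thread. First, the payload that gets stored in `db` is only the part after the header; the timestamp and PKCS#7 blob are consumed by the verification and never become variable content. Second, the signature is not over the file alone but over the variable name, vendor GUID, attributes and timestamp as well, which is why the same `db.auth` cannot be replayed into a different variable or with different attributes, and why a correctly signed `.auth` file keeps working regardless of whether PK was installed before or after it.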