Re: [PATCH v3 5/5] doc:eficonfig: add description for UEFI Secure Boot Configuration

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Masahisa Kojima <masahisa.kojima@linaro.org>
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Jerome Forissier <jerome.forissier@linaro.org>
Subject: Re: [PATCH v3 5/5] doc:eficonfig: add description for UEFI Secure Boot Configuration
Date: Fri, 2 Dec 2022 09:17:35 +0200	[thread overview]
Message-ID: <Y4mmj9laMqZvCp9e@hera> (raw)
In-Reply-To: <20221202045937.7846-6-masahisa.kojima@linaro.org>

On Fri, Dec 02, 2022 at 01:59:37PM +0900, Masahisa Kojima wrote:
> This commits add the description for the UEFI Secure Boot
> Configuration through the eficonfig menu.
> 
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> ---
> No update since v2
> 
> Newly created in v2
> 
>  doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
> 
> diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst
> index 340ebc80db..67c859964f 100644
> --- a/doc/usage/cmd/eficonfig.rst
> +++ b/doc/usage/cmd/eficonfig.rst
> @@ -31,6 +31,9 @@ Change Boot Order
>  Delete Boot Option
>      Delete the UEFI Boot Option
>  
> +Secure Boot Configuration
> +    Edit UEFI Secure Boot Configuration
> +
>  Configuration
>  -------------
>  
> @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig"::
>      CONFIG_USE_PREBOOT=y
>      CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"
>  
> +UEFI specification requires that UEFI Secure Boot Configuration (especially
> +for PK and KEK) is stored in non-volatile storage which is tamper resident.

s/resident/resistant

> +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot.

Can we be a bit more clear here. Something along the lines of 
"The only way U-Boot can currently store EFI variables on a tamper
resistant medium is via OP-TEE.  The Kconfig option that enables that is 
CONFIG_EFI_MM_COMM_TEE and ends up storing EFI variables on an RPMB
partition of an eMMC"

> +UEFI Secure Boot Configuration menu entry is enabled when the following
> +options are enabled::
> +
> +    CONFIG_EFI_SECURE_BOOT=y
> +    CONFIG_EFI_MM_COMM_TEE=y
> +
> +
>  How to boot the system with newly added UEFI Boot Option
>  ''''''''''''''''''''''''''''''''''''''''''''''''''''''''
>  
> @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry::
>  
>      CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
>  
> +UEFI Secure Boot Configuration
> +''''''''''''''''''''''''''''''
> +
> +User can enroll PK, KEK, db and dbx by selecting file.

selecting a file

> +"eficonfig" command only accepts the signed EFI Signature List(s)
> +with an authenticated header, typically ".auth" file.
> +To clear the PK, KEK, db and dbx, user needs to enroll the null key
> +signed by PK or KEK.
> +
>  See also
>  --------
>  * :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with different boot items
> -- 
> 2.17.1
> 

Thanks
/Ilias

next prev parent reply	other threads:[~2022-12-02  7:17 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-02  4:59 [PATCH v3 0/5] miscellaneous fixes of eficonfig Masahisa Kojima
2022-12-02  4:59 ` [PATCH v3 1/5] eficonfig: fix going one directory up issue Masahisa Kojima
2022-12-02  4:59 ` [PATCH v3 2/5] eficonfig: use u16_strsize() to get u16 string buffer size Masahisa Kojima
2022-12-02  4:59 ` [PATCH v3 3/5] efi_loader: utility function to check the variable name is "Boot####" Masahisa Kojima
2022-12-02  4:59 ` [PATCH v3 4/5] eficonfig: use efi_get_next_variable_name_int() Masahisa Kojima
2022-12-02  7:35   ` Ilias Apalodimas
2022-12-02 16:59     ` Heinrich Schuchardt
2022-12-03  0:56     ` Masahisa Kojima
2022-12-06 14:12       ` Ilias Apalodimas
2022-12-07  7:19         ` Masahisa Kojima
2022-12-02  4:59 ` [PATCH v3 5/5] doc:eficonfig: add description for UEFI Secure Boot Configuration Masahisa Kojima
2022-12-02  7:17   ` Ilias Apalodimas [this message]
2022-12-02 13:23     ` Masahisa Kojima

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y4mmj9laMqZvCp9e@hera \
    --to=ilias.apalodimas@linaro.org \
    --cc=jerome.forissier@linaro.org \
    --cc=masahisa.kojima@linaro.org \
    --cc=u-boot@lists.denx.de \
    --cc=xypron.glpk@gmx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox