Date: Fri, 2 Dec 2022 09:17:35 +0200
From: Ilias Apalodimas
To: Masahisa Kojima
Cc: u-boot@lists.denx.de, Heinrich Schuchardt, Jerome Forissier
Subject: Re: [PATCH v3 5/5] doc:eficonfig: add description for UEFI Secure Boot Configuration
References: <20221202045937.7846-1-masahisa.kojima@linaro.org> <20221202045937.7846-6-masahisa.kojima@linaro.org>
In-Reply-To: <20221202045937.7846-6-masahisa.kojima@linaro.org>

On Fri, Dec 02, 2022 at 01:59:37PM +0900, Masahisa Kojima wrote: > This commit adds the description for the UEFI Secure Boot > Configuration through the eficonfig menu. > > Signed-off-by: Masahisa Kojima > --- > No update since v2 > > Newly created in v2 > > doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst > index 340ebc80db..67c859964f 100644 > --- a/doc/usage/cmd/eficonfig.rst > +++ b/doc/usage/cmd/eficonfig.rst > @@ -31,6 +31,9 @@ Change Boot Order > Delete Boot Option > Delete the UEFI Boot Option > > +Secure Boot Configuration > + Edit UEFI Secure Boot Configuration > + > Configuration > ------------- 
> > @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: > CONFIG_USE_PREBOOT=y > CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig" > > +UEFI specification requires that UEFI Secure Boot Configuration (especially > +for PK and KEK) is stored in non-volatile storage which is tamper resident. s/resident/resistant > +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot. Can we be a bit more clear here. Something along the lines of "The only way U-Boot can currently store EFI variables on a tamper resistant medium is via OP-TEE. The Kconfig option that enables that is CONFIG_EFI_MM_COMM_TEE and ends up storing EFI variables on an RPMB partition of an eMMC" > +UEFI Secure Boot Configuration menu entry is enabled when the following > +options are enabled:: > + > + CONFIG_EFI_SECURE_BOOT=y > + CONFIG_EFI_MM_COMM_TEE=y > + > + > How to boot the system with newly added UEFI Boot Option > '''''''''''''''''''''''''''''''''''''''''''''''''''''''' > > @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry:: > > CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" > > +UEFI Secure Boot Configuration > +'''''''''''''''''''''''''''''' > + > +User can enroll PK, KEK, db and dbx by selecting file. selecting a file > +"eficonfig" command only accepts the signed EFI Signature List(s) > +with an authenticated header, typically ".auth" file. > +To clear the PK, KEK, db and dbx, user needs to enroll the null key > +signed by PK or KEK. > + > See also > -------- > * :doc:`bootmenu` provides a simple mechanism for creating menus with different boot items > -- > 2.17.1 > Thanks /Ilias
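Review bot: In the second hunk (@@ -44,6 +47,16 @@), the added paragraph needs its articles ("The UEFI specification requires ...", "The UEFI Secure Boot Configuration menu entry is enabled ...") and "tamper resident" should read "tamper resistant"; the hunk also leaves two consecutive blank lines before the "How to boot the system with newly added UEFI Boot Option" heading, where the rest of the file uses one. More useful to the reader than "CONFIG_EFI_MM_COMM_TEE is mandatory" on its own would be a sentence saying what that option actually provides, along the lines already suggested in this thread: the variables are handed to OP-TEE and stored on an RPMB partition of an eMMC, so the user can tell from the docs which hardware the secure-boot menu depends on. It is also worth stating explicitly that the menu entry is not offered at all unless both options are set, since that is the mechanism that keeps PK and KEK off non-tamper-resistant storage.

Review bot: In the last hunk (@@ -66,6 +79,15 @@), the sentence "To clear the PK, KEK, db and dbx, user needs to enroll the null key signed by PK or KEK" lumps four variables together although the accepted signer is not the same for each: an update to (or deletion of) PK must be signed with the current PK, a KEK update with the PK, and only db and dbx accept either PK or a KEK-listed key. Suggest splitting the sentence along those lines, and saying "an empty (null) signature list signed by ..." rather than "the null key", since what is enrolled is an authenticated variable with an empty payload, not a key. Two smaller wording fixes in the same hunk: "by selecting file" should be "by selecting a file", and "typically ".auth" file" should be "typically a ".auth" file".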