Date: Sat, 17 Jul 2021 10:24:05 +0300
From: Ilias Apalodimas
To: Simon Glass
Cc: Heinrich Schuchardt, Masami Hiramatsu, AKASHI Takahiro, Alexander Graf, Sughosh Ganu, U-Boot Mailing List
Subject: Re: [PATCH 2/3] mkeficapsule: Remove dtb related options
References: <20210715170030.97758-1-ilias.apalodimas@linaro.org> <20210715170030.97758-2-ilias.apalodimas@linaro.org>
List-Id: U-Boot discussion

On Fri, Jul 16, 2021 at 08:03:23AM -0600, Simon Glass wrote:
> Hi Ilias,
>
> On Thu, 15 Jul 2021 at 11:00, Ilias Apalodimas wrote:
> >
> > commit 322c813f4bec ("mkeficapsule: Add support for embedding public key in a dtb")
> > added a bunch of options enabling the addition of the capsule public key
> > in a dtb. Since we now embed the key in U-Boot's .rodata we don't need
> > this functionality anymore
> >
> > Signed-off-by: Ilias Apalodimas
> > ---
> >  tools/mkeficapsule.c | 226 ++----------------------------------------
> >  1 file changed, 7 insertions(+), 219 deletions(-)
>
> Here again I see EFI diverging from the impl in U-Boot. With U-Boot
> you can add the public key after the build step, e.g. in a key-signing
> server. With EFI and this change you will have to rebuild U-Boot (from
> source) every time you sign something. Seems like a pain.

I don't see why either of these is a problem. You need the public key to
update the binary itself, so rebuilding from source is a prerequisite.
Apart from a signing server, you can also have special hardware that
provides the public key you need (which is not implemented yet). So this
is the bare minimum functionality you need for authenticated capsule
updates.

Regards
/Ilias

>
> Regards,
> Simon