Date: Thu, 6 Jul 2023 10:38:12 +0900
From: AKASHI Takahiro
To: Neil Jones
Cc: xypron.glpk@gmx.de, u-boot@lists.denx.de
Subject: Re: EFI Secure boot default keys

Hi,

On Wed, Jul 05, 2023 at 01:24:32PM +0000, Neil Jones wrote:
> >> Please can someone describe the format of the file needed for the default / built-in EFI secure boot keys (ubootefi.var)
> >>
> >> The only docs I have found suggest it's best to enroll the keys from within u-boot onto some removable media, then copy this off and use this as the default; this is not very helpful and doesn't work for me:
> >>
> >> => fatload mmc 0:1 ${loadaddr} PK.aut
> >> 2053 bytes read in 18 ms (111.3 KiB/s)
> >> => setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK
> >> setenv - set environment variables
> >>
> >> Usage:
> >> setenv setenv [-f] name value ...
> >>     - [forcibly] set environment variable 'name' to 'value ...'
> >> setenv [-f] name
> >>     - [forcibly] delete environment variable 'name'
> >>
> >> my setenv doesn't support all the extra switches? This is with 2022.04, all other EFI options seem to be in this release and I can boot unsigned EFI images ok.
> >
> > Please turn on CONFIG_CMD_NVEDIT_EFI when building your U-Boot.
> >
> > This option was disabled by the commit:
> >   commit 3b728f8728fa (tag: efi-2020-01-rc1)
> >   Author: Heinrich Schuchardt
> >   Date:   Sun Oct 6 15:44:22 2019 +0200
> >
> >       cmd: disable CMD_NVEDIT_EFI by default
> >
> > The binary size of efi has grown much since in the past, though.
> >
> > -Takahiro Akashi
>
> Thanks, I have secure boot working now. A tool to generate the ubootefi.var offline or even just a description of the file format would be very useful.

Thank you for the suggestion.
While I'd like to defer to Heinrich, the C definition of the file format
can be found as struct efi_var_file in include/efi_variable.h

> I have noticed one issue when using ubootefi.var on mmc: when I switch boot order it wipes out the keys and I have to re-enrol them:
>
> => fatls mmc 0:1
>      3040   ubootefi.var
>
> 1 file(s), 0 dir(s)

I'm not sure that secure boot related variables have been loaded at this point.
Anyhow, please try to enable CONFIG_EFI_VARIABLES_PRESEED with EFI_VAR_FILE_NAME set.
Otherwise, those variables will never be restored.
(This is another topic that is not described in doc/develop/uefi.)

Thanks,
-Takahiro Akashi

> => efidebug boot order 2 1
> => fatls mmc 0:1
>       440   ubootefi.var
>
> (Size drops from 3040 to 440 bytes and keys have gone)
>
> ________________________________
> From: AKASHI Takahiro
> Sent: 29 June 2023 02:01
> To: Neil Jones
> Cc: u-boot@lists.denx.de
> Subject: Re: EFI Secure boot default keys
>
> On Wed, Jun 28, 2023 at 04:26:58PM +0000, Neil Jones wrote:
> > [...]
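As an added example (not code from this thread or from U-Boot), a small Python writer and reader for the ubootefi.var layout that the reply above points at; the field order of struct efi_var_file / struct efi_var_entry is assumed from include/efi_variable.h and should be verified against that header, and the magic value is not checked. It validates the CRC and flags any PK/KEK/db/dbx entry stored without the time-based authenticated-write attribute that the -at flag sets.

```python
import struct
import uuid
import zlib
# UEFI variable attribute bits; the setenv -e flags quoted above (-nv -bs -rt -at) map onto them.
EFI_NV, EFI_BS, EFI_RT, EFI_AT = 0x01, 0x02, 0x04, 0x20
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")          # PK, KEK, BootOrder
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx

# ASSUMED layout of struct efi_var_file / struct efi_var_entry (check include/efi_variable.h):
# header: u64 reserved, u64 magic, u32 length (whole file), u32 crc32 (entries only);
# entry:  u32 data length, u32 attr, u64 time, 16-byte GUID, UTF-16LE NUL-terminated name, data,
#         padded to 8 bytes.  The magic value is carried through but not checked.
HDR = struct.Struct("<QQII")
ENT = struct.Struct("<IIQ")

def build_var_file(entries, magic=0):
    """Serialise (name, guid, attr, data) tuples into the assumed ubootefi.var layout."""
    body = b""
    for name, guid, attr, data in entries:
        rec = ENT.pack(len(data), attr, 0) + guid.bytes_le + name.encode("utf-16-le") + b"\0\0" + data
        body += rec + b"\0" * (-len(rec) % 8)
    return HDR.pack(0, magic, HDR.size + len(body), zlib.crc32(body)) + body

def parse_var_file(blob):
    """Return {name: (guid, attr, data)}; raise ValueError if the length or CRC is wrong."""
    _reserved, _magic, length, crc = HDR.unpack_from(blob)
    if length > len(blob) or zlib.crc32(blob[HDR.size:length]) != crc:
        raise ValueError("length/CRC mismatch: file truncated or corrupt")
    out, off = {}, HDR.size
    while off < length:
        dlen, attr, _time = ENT.unpack_from(blob, off)
        guid = uuid.UUID(bytes_le=bytes(blob[off + ENT.size:off + ENT.size + 16]))
        p = q = off + ENT.size + 16
        while blob[q:q + 2] != b"\0\0":  # scan the UTF-16 name two bytes at a time
            q += 2
        out[blob[p:q].decode("utf-16-le")] = (guid, attr, blob[q + 2:q + 2 + dlen])
        off = (q + 2 + dlen + 7) & ~7
    return out

def unauthenticated_keys(variables):
    """Key stores lacking the time-based authenticated-write attribute (-at), i.e. not enrolled as signed variables."""
    return [n for n in ("PK", "KEK", "db", "dbx") if n in variables and not variables[n][1] & EFI_AT]

# Constructed sample, not a real ubootefi.var; the payloads stand in for EFI_SIGNATURE_LISTs.
SAMPLE = build_var_file([
    ("PK", EFI_GLOBAL_VARIABLE_GUID, EFI_NV | EFI_BS | EFI_RT | EFI_AT, b"pk-siglist"),
    ("db", EFI_IMAGE_SECURITY_DATABASE_GUID, EFI_NV | EFI_BS | EFI_RT, b"db-siglist"),  # enrolled without -at
    ("BootOrder", EFI_GLOBAL_VARIABLE_GUID, EFI_NV | EFI_BS | EFI_RT, b"\x02\x00\x01\x00"),
])
```

Run over a real file before and after the boot order change, a reader like this shows which entries survived, which is the first thing to check when ubootefi.var shrinks from 3040 to 440 bytes.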