[RFC] efi_loader: improve firmware capsule authentication

AKASHI Takahiro takahiro.akashi at linaro.org
Fri Apr 23 07:47:31 CEST 2021 

Heinrich,

I'm currently thinking of improving capsule authentication
that Sughosh has made, particularly around mkeficapsule command:

1) Add a signing feature to the command
   This will allow us to create a *signed* capsule file solely
   with mkeficapsule. We will no longer rely on EDK2's script.
2) Delete "-K" and "-D" option
   Specifically, revert 322c813f4bec ("mkeficapsule: Add support
   for embedding public key in a dtb")
   As I said, this feature doesn't have anything to do with
   creating a capsule file. Above all, we can do the same thing
   with the existing commands (dtc and fdtoverlay).
3) Add pytest for capsule authentication with sandbox

Now I have done all of them above although some cleanup work is
still needed. I think that (2) should be done in 2021.04.

I plan to send patches for 1-3 (and maybe 5 and 7 below) if you agree.

Other concerns:
4) Documentation
   Currently, "doc/board/emulation/qemu_capsule_update.rst" is
   the only document about the usage of UEFI capsule on U-Boot.
   Unfortunately, it contains some errors and more importantly,
   most of the content are generic, not qemu-specific.

5) Certificate (public key) in dtb
   That's fine, but again "board/emulation/common/qemu_capsule.c"
   is naturally generic. It should be available for other platforms
   with a new Kconfig option.

   # IMHO, I don't understand why the data in dtb needs be in
   efi-signature-list structure. A single key (cert) would be enough.

6) "capsule_authentication_enabled"
   I think that we have agreed with deleting this variable.
   But I don't see any patch.
   Moreover, capsule authentication must be enforced only
   if the attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED,
   is set. But there is no code to check the flag.

7) Pytest is broken
   Due to your and Ilias' recent patches, existing pytests for
   secure boot as well as capsule update are now broken.
   I'm not sure why you have not yet noticed.
   Presumably, Travis CI now skips those tests?

If I have some time in the future, I will address them.
But Sughosh can do as well.

-Takahiro Akashi

More information about the U-Boot mailing list