[PATCH v2 6/9] sandbox: add config for efi capsule authentication test

Simon Glass sjg at chromium.org
Mon Aug 2 21:19:59 CEST 2021


Hi Takahiro,

On Sun, 1 Aug 2021 at 16:57, AKASHI Takahiro <takahiro.akashi at linaro.org> wrote:
>
> Simon,
>
> On Sun, Aug 01, 2021 at 01:00:20PM -0600, Simon Glass wrote:
> > Hi Takahiro,
> >
> > On Sat, 31 Jul 2021 at 22:29, AKASHI Takahiro
> > <takahiro.akashi at linaro.org> wrote:
> > >
> > > Simon,
> > >
> > > On Sat, Jul 31, 2021 at 10:59:32AM -0600, Simon Glass wrote:
> > > > Hi Takahiro,
> > > >
> > > > On Tue, 27 Jul 2021 at 03:12, AKASHI Takahiro
> > > > <takahiro.akashi at linaro.org> wrote:
> > > > >
> > > > > This new configuration, which was derived from sandbox_defconfig, will be
> > > > > used solely to run efi capsule authentication test as the test requires
> > > > > a public key (esl file) to be embedded in U-Boot binary.
> > > > >
> > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> > > > > ---
> > > > >  configs/sandbox_capsule_auth_defconfig | 307 +++++++++++++++++++++++++
> > > > >  1 file changed, 307 insertions(+)
> > > > >  create mode 100644 configs/sandbox_capsule_auth_defconfig
> > > >
> > > > NAK.
> > > >
> > > > Please just add it to sandbox_defconfig. We sometimes have to create
> > >
> > > Unfortunately, I can't.
> > > Look, we now have two tests, test_capsule_firmware.py and
> > > test_capsule_firmware_signed.py, and we need U-Boot binaries,
> > > respectively, without a key and with a key.
> > > A single configuration cannot satisfy both.
> > >
> > > > new variants when dealing with actual build variations (e.g. SPL,
> > > > building without OF_LIVE), but here we should just enable the feature
> > > > in sandbox_defconfig.
> > > >
> > > > We already covered embedding key in the binary on another thread.
> > > > Please don't do that. After that debacle I sent a patch explaining
> > > > this:
> > > >
> > > > http://patchwork.ozlabs.org/project/uboot/patch/20210725164400.468319-3-sjg@chromium.org/
> > >
> > > Please discuss and make an agreement with Heinrich.
> > > The patch for embedding a key has already been merged in -rc1.
> >
> > Which patch was that? I thought I pushed back on the one that did that.
>
> The commit ddf67daac39d
>   Author: Ilias Apalodimas <ilias.apalodimas at linaro.org>
>   Date:   Sat Jul 17 17:26:44 2021 +0300
>
>     efi_capsule: Move signature from DTB to .rodata

OK I sent a revert of that as you saw. Then I sent a v2 revert of
three patches when you explained that was not enough. I hope we can
figure this out quickly.

>
>
> > > In my personal opinion, neither approach will apply to production
> > > anyway.

I have not seen any design for how EFI signing would work in
production but I am happy to review it. The existing FIT-signing
scheme is widely used in production environments. If we use similar
processes then we should be OK.

Regards,
Simon

