[PATCH v2 0/3] efi: Minimal revert to rodata change

AKASHI Takahiro takahiro.akashi at linaro.org
Fri Aug 6 02:13:21 CEST 2021


On Thu, Aug 05, 2021 at 09:46:07AM -0600, Simon Glass wrote:
> Hi Heinrich,
> 
> On Thu, 5 Aug 2021 at 09:29, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
> >
> >
> >
> > On 02.08.21 16:44, Simon Glass wrote:
> > > The changes to move from devicetree to rodata take things in the wrong
> > > direction for various reasons:
> > >
> > > - devicetree is where config should be stored
> >
> > We are not talking about configuration here at all.
> 
> I thought we were talking about the public key. That is run-time
> config in my book, just like the devicetree itself, which controls all
> the devices.
> 
> >
> > > - it provides no memory production in any case, particularly when U-Boot
> >
> > No clue what you mean by "memory production".
> 
> memory protection. But it turns out this is pointless anyway. We
> discussed it at length in the contributor call. We came down to one

What was clarified and decided in that meeting?
I know you have a meeting note, but it was not very clear to me
which direction the discussion is heading now.

# Yes, I should have been there, but ...
# Simon, if possible, please announce the agenda a bit earlier
# so that I can notice that. I'm usually in bed at that time :)

I don't think that memory protection is really a matter if there is
no assumption that the storage where the firmware resides is
securely protected.

-Takahiro Akashi

> issue with the way the firmware is packaged by users (with U-Boot
> coming from one place and TF-A another). I think Ilias is going to
> write something up to help get to the bottom of it.
> 
> >
> > >    is relocated
> > > - testing becomes harder, with the suggestion of adding an entire new
> > >    sandbox build just for this
> >
> > Having an extra config is not required when putting the certificate into
> > .rodata.
> 
> The certificate should not go in rodata, period. Please just fix it.
> It used to be fine a few weeks ago so it should not be hard.
> 
> Regards,
> Simon
> 
> >
> > Best regards
> >
> > Heinrich
> >
> > >
> > > Revert this until a new direction can be established.
> > >
> > > Changes in v2:
> > > - Also revert two other patches, based on comment from Takahiro
> > >
> > > Simon Glass (3):
> > >    Revert "doc: Update CapsuleUpdate READMEs"
> > >    Revert "mkeficapsule: Remove dtb related options"
> > >    Revert "efi_capsule: Move signature from DTB to .rodata"
> > >
> > >   board/emulation/common/Makefile             |   1 +
> > >   board/emulation/common/qemu_capsule.c       |  43 ++++
> > >   doc/board/emulation/qemu_capsule_update.rst | 203 +++++++++++++++++
> > >   doc/develop/uefi/uefi.rst                   | 125 -----------
> > >   include/asm-generic/sections.h              |   2 -
> > >   lib/efi_loader/Kconfig                      |   7 -
> > >   lib/efi_loader/Makefile                     |   8 -
> > >   lib/efi_loader/efi_capsule.c                |  18 +-
> > >   lib/efi_loader/efi_capsule_key.S            |  17 --
> > >   tools/mkeficapsule.c                        | 229 +++++++++++++++++++-
> > >   10 files changed, 472 insertions(+), 181 deletions(-)
> > >   create mode 100644 board/emulation/common/qemu_capsule.c
> > >   create mode 100644 doc/board/emulation/qemu_capsule_update.rst
> > >   delete mode 100644 lib/efi_loader/efi_capsule_key.S
> > >

