[PATCH 1/4] tools: mkeficapsule: add firmwware image signing

Masami Hiramatsu masami.hiramatsu at linaro.org
Thu May 13 10:18:36 CEST 2021


2021年5月13日(木) 16:24 AKASHI Takahiro <takahiro.akashi at linaro.org>:

> > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
> > >> > it should skip authentication too.
> > >>
> > >> In this case the capsule should be rejected (if
> > >> CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
> > >
> > >That's basically right.
> > >But as I mentioned in my comment against Sughosh's patch,
> > >the authentication process will be enforced only if the capsule has
> > >an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
> > >
> >
> > That would be a security desaster.
>
> The requirement that I mentioned above is clearly described
> in UEFI specification.
> If you think that it is a disaster, please discuss the topic
> in UEFI Forum first.

I confirmed UEFI specification, version 2.7, Section.23.1
the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()

-----------------
If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
authentication is not required to perform the firmware image operations.
-----------------

Oh, this is really crazy because deciding whether to authenticate the
suspicious
package or not, depends on whether the package said "please
authenticate me" or not. :D

Anyway, since this behavior follows the specification, it should be
kept by default,
but also IMHO, there should be a CONFIG option to enforce capsule
authentication always.

Thank you,



-- 
Masami Hiramatsu


More information about the U-Boot mailing list