[PATCH 1/4] tools: mkeficapsule: add firmware image signing

Ilias Apalodimas ilias.apalodimas at linaro.org
Thu May 13 12:27:27 CEST 2021


On Thu, May 13, 2021 at 05:38:51PM +0900, AKASHI Takahiro wrote:
> On Thu, May 13, 2021 at 05:18:36PM +0900, Masami Hiramatsu wrote:
> > 2021/5/13 (Thu) 16:24 AKASHI Takahiro <takahiro.akashi at linaro.org>:
> > 
> > > > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
> > > > >> > it should skip authentication too.
> > > > >>
> > > > >> In this case the capsule should be rejected (if
> > > > >> CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
> > > > >
> > > > >That's basically right.
> > > > >But as I mentioned in my comment against Sughosh's patch,
> > > > >the authentication process will be enforced only if the capsule has
> > > > >an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
> > > > >
> > > >
> > > > > That would be a security disaster.
> > >
> > > The requirement that I mentioned above is clearly described
> > > in UEFI specification.
> > > If you think that it is a disaster, please discuss the topic
> > > in UEFI Forum first.
> > 
> > I confirmed UEFI specification, version 2.7, Section.23.1
> > the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
> > 
> > -----------------
> > If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
> > authentication is not required to perform the firmware image operations.
> > -----------------
> 
> Thank you for citing this.
> 
> > Oh, this is really crazy because deciding whether to authenticate the
> > suspicious
> > package or not, depends on whether the package said "please
> > authenticate me" or not. :D
> 
> Well, the attributes can be fetched with GetInfo API, but
> how it is managed depends on the implementation of FMP drivers.
> 
> As I proposed somewhere else, those attributes should be
> maintained in a separate place (maybe as part of system's policy),
> presumably ESRT or platform-specific internal database?

FWIW I personally don't think we should even have a config option. But even
if we did it certainly must not be dictated by a hardware config.

When you install distro packages you accept whatever dependencies the
package has. mkeficapsule is a capsule creation and signing tool. I don't
see any reason for keeping the creation and signing apart.

Regards
/Ilias
> 
> -Takahiro Akashi
> 
> 
> > Anyway, since this behavior follows the specification, it should be
> > kept by default,
> > but also IMHO, there should be a CONFIG option to enforce capsule
> > authentication always.
> > 
> > Thank you,
> > 
> > 
> > 
> > -- 
> > Masami Hiramatsu


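The two policies argued over in the thread, as an added example that is not U-Boot code and not from any of the participants: the spec-literal reading (authentication only when the FMP driver reports IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED as supported and set) next to an "always authenticate" build option of the kind Masami asks for. The struct and function names, the `auth_always` flag, and the scenario values are hypothetical; the attribute bit value (0x4) is the one from the UEFI 2.7 GetImageInfo() table. The point the code makes is which side controls the decision: in the spec-default path the driver-reported attribute can turn verification off, while in the enforced path only the platform's build config can, and a missing ESL leads to rejection rather than to skipping the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit from EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() (UEFI 2.7, 23.1). */
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x0000000000000004ULL

/* What the FMP driver reports for one image. The capsule processor does not
 * control these values; the driver does. (Hypothetical struct name.) */
struct fmp_image_info {
	uint64_t attributes_supported;
	uint64_t attributes_setting;
};

/* Platform-side policy (hypothetical; models the options discussed above). */
struct platform_policy {
	bool auth_enabled;	/* CONFIG_EFI_CAPSULE_AUTHENTICATE=y */
	bool auth_always;	/* hypothetical "always authenticate" option */
	bool have_esl;		/* signature database (ESL) found in the device tree */
};

enum capsule_verdict {
	CAPSULE_APPLY_UNVERIFIED,	/* image written without any signature check */
	CAPSULE_VERIFY_THEN_APPLY,	/* signature must verify against the ESL */
	CAPSULE_REJECT,			/* authentication needed but impossible */
};

/* Spec-literal reading: authentication is required only when the bit is both
 * supported and set in what the FMP driver reports. */
static bool spec_requires_auth(const struct fmp_image_info *info)
{
	uint64_t bit = IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;

	return (info->attributes_supported & bit) && (info->attributes_setting & bit);
}

enum capsule_verdict capsule_auth_verdict(const struct fmp_image_info *info,
					  const struct platform_policy *pol)
{
	bool required;

	if (!pol->auth_enabled)		/* authentication compiled out entirely */
		return CAPSULE_APPLY_UNVERIFIED;

	/* With auth_always the attribute from the driver is not consulted. */
	required = pol->auth_always || spec_requires_auth(info);
	if (!required)
		return CAPSULE_APPLY_UNVERIFIED;

	/* Required but no key to verify against: reject, never skip. */
	if (!pol->have_esl)
		return CAPSULE_REJECT;

	return CAPSULE_VERIFY_THEN_APPLY;
}

static const char *verdict_name(enum capsule_verdict v)
{
	switch (v) {
	case CAPSULE_APPLY_UNVERIFIED: return "apply unverified";
	case CAPSULE_VERIFY_THEN_APPLY: return "verify, then apply";
	default: return "reject";
	}
}

int main(void)
{
	/* Constructed scenario: the FMP driver reports the bit as supported but
	 * clear, on a platform built with CONFIG_EFI_CAPSULE_AUTHENTICATE=y. */
	struct fmp_image_info bit_clear = {
		.attributes_supported = IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED,
		.attributes_setting = 0,
	};
	struct platform_policy spec_default = { true, false, true };
	struct platform_policy enforced = { true, true, true };
	struct platform_policy enforced_no_key = { true, true, false };

	printf("spec default, bit clear: %s\n",
	       verdict_name(capsule_auth_verdict(&bit_clear, &spec_default)));
	printf("enforced, bit clear:     %s\n",
	       verdict_name(capsule_auth_verdict(&bit_clear, &enforced)));
	printf("enforced, no ESL:        %s\n",
	       verdict_name(capsule_auth_verdict(&bit_clear, &enforced_no_key)));
	return 0;
}
```

Under the spec-default policy the first scenario applies the image unverified, which is the outcome the thread calls a disaster; under the enforced policy the same image is verified, and with no ESL present it is rejected outright.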