[PATCH 1/4] tools: mkeficapsule: add firmware image signing

Heinrich Schuchardt xypron.glpk at gmx.de
Thu May 13 12:40:18 CEST 2021

On 5/13/21 10:38 AM, AKASHI Takahiro wrote:
> On Thu, May 13, 2021 at 05:18:36PM +0900, Masami Hiramatsu wrote:
>> May 13, 2021 (Thu) 16:24 AKASHI Takahiro <takahiro.akashi at linaro.org>:
>>>>>>> BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
>>>>>>> it should skip authentication too.
>>>>>> In this case the capsule should be rejected (if
>>>>> That's basically right.
>>>>> But as I mentioned in my comment against Sughosh's patch,
>>>>> the authentication process will be enforced only if the capsule has
>>>> That would be a security disaster.
>>> The requirement that I mentioned above is clearly described
>>> in UEFI specification.
>>> If you think that it is a disaster, please discuss the topic
>>> in UEFI Forum first.
>> I confirmed UEFI specification, version 2.7, Section.23.1
>> -----------------
>> If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
>> authentication is not required to perform the firmware image operations.
>> -----------------
> Thank you for citing this.

This is the fraudulent code:

	/* Check if the capsule authentication is enabled */
	if (env_get("capsule_authentication_enabled"))
		image_info[0].attributes_setting |=

It is not allowable that a user can disable image authentication by
deleting the environment.

Best regards


>> Oh, this is really crazy because deciding whether to authenticate the
>> suspicious
>> package or not, depends on whether the package said "please
>> authenticate me" or not. :D
> Well, the attributes can been fetched with GetInfo API, but
> how it is managed depends on the implementation of FMP drivers.
> As I proposed somewhere else, those attributes should be
> maintained in a separate place (maybe as part of system's policy),
> presumably ESRT or platform-specific internal database?
> -Takahiro Akashi
>> Anyway, since this behavior follows the specification, it should be
>> kept by default,
>> but also IMHO, there should be a CONFIG option to enforce capsule
>> authentication always.
>> Thank you,
>> --
>> Masami Hiramatsu

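To make the point of the thread concrete, the following is an added example (not code from U-Boot or from any participant in the thread). It models the two ways the AUTHENTICATION_REQUIRED attribute can be sourced: from a runtime environment variable, as in the snippet Heinrich quotes, and from a build-time policy, as in the CONFIG option Masami suggests. The `struct capsule`, the `ENFORCE_CAPSULE_AUTH` macro and the function names are constructed for illustration; only `IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED` comes from the UEFI specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Attribute bit from the UEFI FMP image descriptor (spec section quoted above). */
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x4ull

/* Constructed minimal model of a capsule as the update path sees it. */
struct capsule {
	bool has_auth_header;  /* carries an EFI_FIRMWARE_IMAGE_AUTHENTICATION block */
	bool signature_valid;  /* result of verifying that block against the platform ESL */
};

enum verdict { ACCEPT, REJECT_UNSIGNED, REJECT_BAD_SIGNATURE };

/*
 * Weak policy source, mirroring the logic criticised in the thread: the
 * attribute is set only when a runtime environment variable exists, so a
 * deleted variable silently disables authentication. `env_value` is a
 * constructed stand-in for env_get("capsule_authentication_enabled").
 */
static uint64_t attributes_from_env(const char *env_value)
{
	uint64_t attributes_setting = 0;

	if (env_value)
		attributes_setting |= IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
	return attributes_setting;
}

/*
 * Hardened policy source: the decision is fixed when the firmware is built.
 * ENFORCE_CAPSULE_AUTH is a hypothetical stand-in for a Kconfig option;
 * neither the capsule nor the environment can change the outcome.
 */
#ifndef ENFORCE_CAPSULE_AUTH
#define ENFORCE_CAPSULE_AUTH 1
#endif
static uint64_t attributes_from_build_policy(void)
{
	return ENFORCE_CAPSULE_AUTH ? IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED : 0;
}

/* Common gate: decide from the effective attributes whether the capsule may be applied. */
static enum verdict capsule_verdict(uint64_t attributes_setting, const struct capsule *c)
{
	bool required = (attributes_setting & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) != 0;

	if (!required)
		return ACCEPT;  /* spec: authentication not required for this image */
	if (!c->has_auth_header)
		return REJECT_UNSIGNED;
	return c->signature_valid ? ACCEPT : REJECT_BAD_SIGNATURE;
}

/* Scenario from the thread: the env variable is gone and an unsigned capsule arrives. */
static enum verdict weak_path_env_deleted(void)
{
	struct capsule unsigned_capsule = { .has_auth_header = false, .signature_valid = false };

	return capsule_verdict(attributes_from_env(NULL), &unsigned_capsule);
}

static enum verdict hardened_path_env_deleted(void)
{
	struct capsule unsigned_capsule = { .has_auth_header = false, .signature_valid = false };

	return capsule_verdict(attributes_from_build_policy(), &unsigned_capsule);
}

/* Under the hardened policy a properly signed capsule is still accepted and a bad signature still rejected. */
static enum verdict hardened_path_signed(bool signature_valid)
{
	struct capsule signed_capsule = { .has_auth_header = true, .signature_valid = signature_valid };

	return capsule_verdict(attributes_from_build_policy(), &signed_capsule);
}
```

The gate itself is identical in both cases; what changes is who owns the attribute. With the env-driven source, `weak_path_env_deleted()` returns `ACCEPT` for an unsigned image, which is the failure Heinrich describes. With the build-time source the same capsule is rejected as unsigned, while signed images still pass or fail on their signature alone.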