[PATCH 1/4] tools: mkeficapsule: add firmwware image signing
xypron.glpk at gmx.de
Thu May 13 20:25:56 CEST 2021
On 5/13/21 10:18 AM, Masami Hiramatsu wrote:
> 2021年5月13日(木) 16:24 AKASHI Takahiro <takahiro.akashi at linaro.org>:
>>>>>> BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
>>>>>> it should skip authentication too.
>>>>> In this case the capsule should be rejected (if
>>>> That's basically right.
>>>> But as I mentioned in my comment against Sughosh's patch,
>>>> the authentication process will be enforced only if the capsule has
>>>> an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
>>> That would be a security desaster.
>> The requirement that I mentioned above is clearly described
>> in UEFI specification.
>> If you think that it is a disaster, please discuss the topic
>> in UEFI Forum first.
> I confirmed UEFI specification, version 2.7, Section.23.1
> the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
> If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
> authentication is not required to perform the firmware image operations.
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED bit is a property of the FMP driver.
> Oh, this is really crazy because deciding whether to authenticate the
> package or not, depends on whether the package said "please
> authenticate me" or not. :D
> Anyway, since this behavior follows the specification, it should be
> kept by default,
> but also IMHO, there should be a CONFIG option to enforce capsule
> authentication always.
> Thank you,
More information about the U-Boot