[PATCH 1/4] tools: mkeficapsule: add firmware image signing

Heinrich Schuchardt xypron.glpk at gmx.de
Thu May 13 20:25:56 CEST 2021


On 5/13/21 10:18 AM, Masami Hiramatsu wrote:
> On Thu, May 13, 2021 at 16:24, AKASHI Takahiro <takahiro.akashi at linaro.org> wrote:
>
>>>>>> BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
>>>>>> it should skip authentication too.
>>>>>
>>>>> In this case the capsule should be rejected (if
>>>>> CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
>>>>
>>>> That's basically right.
>>>> But as I mentioned in my comment against Sughosh's patch,
>>>> the authentication process will be enforced only if the capsule has
>>>> an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
>>>>
>>>
>>> That would be a security disaster.
>>
>> The requirement that I mentioned above is clearly described
>> in UEFI specification.
>> If you think that it is a disaster, please discuss the topic
>> in UEFI Forum first.
>
> I confirmed UEFI specification, version 2.7, Section 23.1
> the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
>
> -----------------
> If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
> authentication is not required to perform the firmware image operations.
> -----------------

IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED bit is a property of the FMP driver.

Best regards

Heinrich

>
> Oh, this is really crazy because deciding whether to authenticate the
> suspicious package or not, depends on whether the package said "please
> authenticate me" or not. :D
>
> Anyway, since this behavior follows the specification, it should be
> kept by default, but also IMHO, there should be a CONFIG option to
> enforce capsule authentication always.
>
> Thank you,
>
>
>
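
The policy discussed in this thread, as an added example that is not part of the original message and not U-Boot code: the authentication decision is taken from what the FMP driver reports and from platform policy, never from the capsule payload, and it fails closed when the ESL or the signature is missing. The struct, the function name and the `enforce_always` parameter (standing in for the proposed CONFIG option) are hypothetical; treating an unsupported attribute as "not required" is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Attribute bit as defined for FMP image descriptors in the UEFI spec. */
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x0000000000000004ULL

enum capsule_action {
	CAPSULE_APPLY_UNVERIFIED,	/* spec-permitted: no authentication needed */
	CAPSULE_VERIFY_THEN_APPLY,	/* signature must verify against the ESL */
	CAPSULE_REJECT,			/* cannot authenticate, refuse the update */
};

/* Hypothetical model of what the FMP driver reports via GetImageInfo(). */
struct fmp_image_info {
	uint64_t attributes_supported;
	uint64_t attributes_setting;
};

/*
 * Decide how to treat a capsule. Every input is platform state (driver
 * attributes, build-time policy, presence of the trusted ESL) except
 * capsule_is_signed, which can only make the outcome stricter.
 */
enum capsule_action capsule_auth_policy(const struct fmp_image_info *info,
					bool enforce_always, bool esl_available,
					bool capsule_is_signed)
{
	const uint64_t bit = IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
	/* Assumption: an unsupported attribute counts as "not required". */
	bool required = enforce_always ||
			((info->attributes_supported & bit) &&
			 (info->attributes_setting & bit));

	if (!required)
		return CAPSULE_APPLY_UNVERIFIED;
	/* Fail closed: no key list or no signature means no update. */
	if (!esl_available || !capsule_is_signed)
		return CAPSULE_REJECT;
	return CAPSULE_VERIFY_THEN_APPLY;
}
```
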


