[PATCH 1/4] tools: mkeficapsule: add firmware image signing

AKASHI Takahiro takahiro.akashi at linaro.org
Fri May 14 08:19:49 CEST 2021


On Thu, May 13, 2021 at 08:25:56PM +0200, Heinrich Schuchardt wrote:
> On 5/13/21 10:18 AM, Masami Hiramatsu wrote:
> > Thu, 13 May 2021 16:24 AKASHI Takahiro <takahiro.akashi at linaro.org>:
> > 
> > > > > > > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
> > > > > > > it should skip authentication too.
> > > > > > 
> > > > > > In this case the capsule should be rejected (if
> > > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
> > > > > 
> > > > > That's basically right.
> > > > > But as I mentioned in my comment against Sughosh's patch,
> > > > > the authentication process will be enforced only if the capsule has
> > > > > an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
> > > > > 
> > > > 
> > > > That would be a security disaster.
> > > 
> > > The requirement that I mentioned above is clearly described
> > > in UEFI specification.
> > > If you think that it is a disaster, please discuss the topic
> > > in UEFI Forum first.
> > 
> > I confirmed UEFI specification, version 2.7, Section 23.1,
> > the last part of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo():
> > 
> > -----------------
> > If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
> > authentication is not required to perform the firmware image operations.
> > -----------------
> 
> IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED bit is a property of the FMP driver.

Yes, it is. But if the attribute is not changeable at all,
why do we need this flag?
Why does a "firmware image descriptor" hold two distinct
member fields, "AttributesSupported" and "AttributesSetting"?
What does "Setting" mean? Who sets what, and when?

-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> > 
> > Oh, this is really crazy because deciding whether to authenticate the
> > suspicious package or not depends on whether the package said "please
> > authenticate me" or not. :D
> > 
> > Anyway, since this behavior follows the specification, it should be
> > kept by default, but also IMHO there should be a CONFIG option to
> > enforce capsule authentication always.
> > 
> > Thank you,
> > 
> > 
> > 
> 
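Added example, not code from this thread or from U-Boot: a small C model of the decision the thread is arguing over. It takes the two descriptor fields Takahiro names (AttributesSupported and AttributesSetting), the spec sentence Masami quotes ("supported and clear" means no authentication), CONFIG_EFI_CAPSULE_AUTHENTICATE, and a hypothetical always-enforce option of the kind Masami proposes. The option name, the struct and function names, and the scenario values are assumptions made here; the bit value is the one the UEFI spec defines for IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED. Signature verification itself is represented by a boolean input, since the point is the policy around it, including Heinrich's case of a capsule arriving when no ESL is present.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Descriptor attribute bit from the UEFI spec's EFI_FIRMWARE_IMAGE_DESCRIPTOR
 * (value as defined in the UEFI 2.x spec; check it against your copy).
 */
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x0000000000000004ULL

/* Constructed, minimal model of the two descriptor fields under discussion. */
struct fmp_image_desc {
	uint64_t attributes_supported;	/* AttributesSupported */
	uint64_t attributes_setting;	/* AttributesSetting */
};

/*
 * Build-time policy: the existing CONFIG_EFI_CAPSULE_AUTHENTICATE plus the
 * hypothetical "always enforce" option (name made up for this example).
 */
struct capsule_policy {
	bool capsule_authenticate;	/* CONFIG_EFI_CAPSULE_AUTHENTICATE=y */
	bool enforce_always;		/* hypothetical CONFIG_EFI_CAPSULE_AUTHENTICATE_ALWAYS */
};

enum capsule_result {
	CAPSULE_ACCEPT_UNAUTHENTICATED,	/* applied without any signature check */
	CAPSULE_ACCEPT_AUTHENTICATED,	/* signature verified against the ESL */
	CAPSULE_REJECT_NO_ESL,		/* auth required but no ESL found in the DT */
	CAPSULE_REJECT_BAD_SIGNATURE,	/* auth required and verification failed */
};

/*
 * Spec-following rule from the quoted sentence: if the AUTHENTICATION_REQUIRED
 * bit is supported and clear in AttributesSetting, no authentication is needed.
 * Any other state (bit set, or bit not supported at all) is treated here as
 * "authentication required", the conservative reading.
 */
bool capsule_auth_required(const struct fmp_image_desc *d,
			   const struct capsule_policy *p)
{
	if (!p->capsule_authenticate)
		return false;	/* authentication not compiled in at all */
	if (p->enforce_always)
		return true;	/* proposed hardening: ignore the descriptor bit */

	bool supported = d->attributes_supported &
			 IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
	bool set = d->attributes_setting &
		   IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
	return !(supported && !set);
}

/* Whole decision; signature_valid stands in for the real verification step. */
enum capsule_result capsule_decide(const struct fmp_image_desc *d,
				   const struct capsule_policy *p,
				   bool esl_found, bool signature_valid)
{
	if (!capsule_auth_required(d, p))
		return CAPSULE_ACCEPT_UNAUTHENTICATED;
	if (!esl_found)
		return CAPSULE_REJECT_NO_ESL;	/* no ESL in the DT: reject */
	if (!signature_valid)
		return CAPSULE_REJECT_BAD_SIGNATURE;
	return CAPSULE_ACCEPT_AUTHENTICATED;
}

/* Convenience wrapper so each scenario fits on one line. */
enum capsule_result decide_scenario(uint64_t supported, uint64_t setting,
				    bool authenticate, bool enforce_always,
				    bool esl_found, bool signature_valid)
{
	struct fmp_image_desc d = { supported, setting };
	struct capsule_policy p = { authenticate, enforce_always };

	return capsule_decide(&d, &p, esl_found, signature_valid);
}

int main(void)
{
	const char *names[] = { "accept (unauthenticated)", "accept (authenticated)",
				"reject: no ESL", "reject: bad signature" };
	uint64_t a = IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;

	/* Descriptor says the bit is supported but clear: capsule applied unchecked. */
	printf("spec default, bit clear: %s\n", names[decide_scenario(a, 0, true, false, false, false)]);
	/* Same descriptor with always-enforce and no ESL present. */
	printf("enforce always, no ESL:  %s\n", names[decide_scenario(a, 0, true, true, false, false)]);
	/* Bit set, ESL present, signature verifies. */
	printf("bit set, good signature: %s\n", names[decide_scenario(a, a, true, false, true, true)]);
	/* Bit set, ESL present, signature fails. */
	printf("bit set, bad signature:  %s\n", names[decide_scenario(a, a, true, false, true, false)]);
	return 0;
}
```

The first scenario is the behaviour Masami objects to: with the spec-default rule, a descriptor reporting the bit as supported-and-clear lets the capsule through with no check at all, so whoever controls that descriptor state controls whether verification happens. The always-enforce path removes that dependency and, with no ESL present, falls back to rejection rather than silently skipping authentication.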

