[PATCH 1/4] tools: mkeficapsule: add firmwware image signing

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri May 14 09:56:39 CEST 2021


> > 
[...]
> > Based on what was discussed in the thread waht I think would make more
> > sense is:
> > - Build u-boot and use the script Akashi sent to inject the certificate. 
> >   Whether we create a single binary (always signed if a config option is
> >   there) or 2 binaries (1 signed. 1 unsigned) is an implemetation detail
> >   and I am fine with either.
> 
> Let me make clear: "a single binary or 2 binaries" is not
> an implementation detail, but it's a matter of user's (, distro's
> or whoever wants to provide a capsule) policy.
> 
> > - Use mkefi capsule to create the final capsule
> 
> If signing feature is enabled in mkeficapsule, you can create
> both a signed capsule and an unsigned capsule.
> And yet, some users may totally had no need to authentication
> for firmware update using UEFI interfaces on their systems.
> For them, signing should be able to be disabled.
> 

They should use the non signed capsule.

> > 
> > > If you want to build tools only, you can do so with 'make tools'. The
> > > tools target must include mkeficapsule irrespective of configuration.
> > > 
> > > This line in tools/Makefile must be corrected:
> > > 
> > > -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule
> > > +hostprogs-y += mkeficapsule
> > 
> > So that's the point exactly. Building the tool is completely disjoint from
> > building a u-boot binary.   Also you usually start adding config options to
> > an app, when it starts getting to big and you want discrete functionality. 
> 
> I don't get your point.
> As far as we maintain CONFIG_(HOST_)_EFI_CAPSULE_AUTHENTICATE,
> we can and should guarantee the compatibility.
> 
> > I don't see any reason for making a simple tool, which is supposed to do 2
> > things (create/sign), require config options and more over config options
> > *for U-Boot*.
> 
> I don't get you point neither.

The point is that the tool should always have the ability to generate
authenticated capsules, regardless of the fact that someone wants to shoot 
himself in the foot.

> 
> > I also think it's extremely unlikely to get any working distro 
> > without libssl. 
> 
> Again, (major) distros are ones of users.
> There may be bunch of users who may build/maintain their systems
> on their way and not expect any authentication.
> 

And again that's completely disjoint with what the userspace tool that's
there to create your capsule can do.

[...]

Thanks
/Ilias


More information about the U-Boot mailing list