[PATCH 1/4] tools: mkeficapsule: add firmware image signing

AKASHI Takahiro takahiro.akashi at linaro.org
Fri May 14 11:51:38 CEST 2021


Heinrich,

Can you please reply to each of my replies?
Otherwise, I don't know which of my comments/opinions you agree with
and which you do not.

On Fri, May 14, 2021 at 10:45:48AM +0200, Heinrich Schuchardt wrote:
> On 5/14/21 9:13 AM, AKASHI Takahiro wrote:
> > > E.g for IMAGE_ATTRIBUTE_IN_USE
> > > 
> > > AttributesSupported | AttributesSetting | Meaning
> > > --------------------+-------------------+--------------------
> > > 0                   | 0                 | state is unknown
> > > 0                   | 1                 | state is unknown
> > > 1                   | 0                 | image is not in use
> > > 1                   | 1                 | image is in use
> > We are discussing *_REQUIRED.
> > Can you give me the same table for *_REQUIRED?
> > 
> > -Takahiro Akashi
> > 
> > 
> 
> IMAGE_ATTRIBUTE_RESET_REQUIRED
> 
> AttributesSupported | AttributesSetting | Meaning
> --------------------+-------------------+--------------------
> 0                   | 0                 | state is unknown
> 0                   | 1                 | state is unknown
> 1                   | 0                 | reset is not needed
>                     |                   | to complete upgrade
> 1                   | 1                 | reset is needed
>                     |                   | to complete upgrade
> 
> 
> IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED
> 
> AttributesSupported | AttributesSetting | Meaning
> --------------------+-------------------+--------------------
> 0                   | 0                 | state is unknown
> 0                   | 1                 | state is unknown
> 1                   | 0                 | signed and unsigned
>                     |                   | capsules are accepted
> 1                   | 1                 | capsules are only
>                     |                   | accepted after
>                     |                   | checking the signature

So what?
This table shows there is a case where the authentication will be
skipped even if CONFIG_EFI_CAPSULE_AUTHENTICATE is on and
it is completely compliant with UEFI specification.

That is what Masami and I were discussing.

> > > > > But as I mentioned in my comment against Sughosh's patch,
> > > > > the authentication process will be enforced only if the capsule has
> > > > > an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
> > > > >
> > > >
> > > > That would be a security disaster.

So I said that you should discuss the topic in UEFI forum first
if you think so.

-Takahiro Akashi


> For both bits AttributesSupported=0 does not make much sense.
> 
> IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is a property of the current
> image and should only be deleted by installing a new capsule.
> 
> A vendor might send you a special firmware image for unlocking your
> device after registering as a developer. Xiaomi handled it like this for
> one of my routers.
> 
> Best regards
> 
> Heinrich
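
The two readings debated in this thread, as an added example that is not part of the original message and is not U-Boot code: the attribute bits are decoded as in the tables above, then the attribute-driven decision is compared with a fail-closed one. The function names and the cfg_authenticate parameter (standing in for the build option) are assumptions; the bit values are those of the UEFI specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit values as defined by the UEFI specification. */
#define IMAGE_ATTRIBUTE_RESET_REQUIRED          0x2ULL
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x4ULL
#define IMAGE_ATTRIBUTE_IN_USE                  0x8ULL

enum attr_state { ATTR_UNKNOWN, ATTR_CLEAR, ATTR_SET };

/* A setting bit is meaningful only when the same supported bit is 1. */
static enum attr_state attr_decode(uint64_t supported, uint64_t setting, uint64_t bit)
{
	if (!(supported & bit))
		return ATTR_UNKNOWN;
	return (setting & bit) ? ATTR_SET : ATTR_CLEAR;
}

/* Attribute-driven reading: check the signature only if the bit is known and set. */
static bool verify_by_attribute(uint64_t supported, uint64_t setting)
{
	return attr_decode(supported, setting,
			   IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) == ATTR_SET;
}

/* Hypothetical fail-closed policy: the build option alone forces the check. */
static bool verify_fail_closed(uint64_t supported, uint64_t setting, bool cfg_authenticate)
{
	return cfg_authenticate || verify_by_attribute(supported, setting);
}

int main(void)
{
	static const char *const name[] = { "unknown", "clear", "set" };
	const uint64_t bit = IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;

	/* Constructed inputs: all four supported/setting combinations. */
	for (int sup = 0; sup <= 1; sup++) {
		for (int set = 0; set <= 1; set++) {
			uint64_t s = sup ? bit : 0, v = set ? bit : 0;
			printf("%d %d state=%-7s by_attribute=%d fail_closed=%d\n",
			       sup, set, name[attr_decode(s, v, bit)],
			       verify_by_attribute(s, v),
			       verify_fail_closed(s, v, true));
		}
	}
	return 0;
}
```

With the build option on, the two decisions differ for every row except supported=1, setting=1.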

