[PATCH 1/4] tools: mkeficapsule: add firmware image signing
Heinrich Schuchardt
xypron.glpk at gmx.de
Fri May 14 12:08:19 CEST 2021
On 5/14/21 11:51 AM, AKASHI Takahiro wrote:
> Heinrich,
>
> Can you please reply to each of my replies?
> Otherwise, I don't know which one of my comments/opinions you agree to
> and which one not.
>
> On Fri, May 14, 2021 at 10:45:48AM +0200, Heinrich Schuchardt wrote:
>> On 5/14/21 9:13 AM, AKASHI Takahiro wrote:
>>>> E.g for IMAGE_ATTRIBUTE_IN_USE
>>>>
>>>> AttributesSupported | AttributesSetting | Meaning
>>>> --------------------+-------------------+--------------------
>>>> 0                   | 0                 | state is unknown
>>>> 0                   | 1                 | state is unknown
>>>> 1                   | 0                 | image is not in use
>>>> 1                   | 1                 | image is in use
>>> We are discussing *_REQUIRED.
>>> Can you give me the same table for *_REQUIRED?
>>>
>>> -Takahiro Akashi
>>>
>>>
>>
>> IMAGE_ATTRIBUTE_RESET_REQUIRED
>>
>> AttributesSupported | AttributesSetting | Meaning
>> --------------------+-------------------+--------------------
>> 0                   | 0                 | state is unknown
>> 0                   | 1                 | state is unknown
>> 1                   | 0                 | reset is not needed
>>                     |                   | to complete upgrade
>> 1                   | 1                 | reset is needed
>>                     |                   | to complete upgrade
>>
>>
>> IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED
>>
>> AttributesSupported | AttributesSetting | Meaning
>> --------------------+-------------------+--------------------
>> 0                   | 0                 | state is unknown
>> 0                   | 1                 | state is unknown
>> 1                   | 0                 | signed and unsigned
>>                     |                   | capsules are accepted
>> 1                   | 1                 | capsules are only
>>                     |                   | accepted after
>>                     |                   | checking the signature
>
> So what?
> This table shows there is a case where the authentication will be
> skipped even if CONFIG_EFI_CAPSULE_AUTHENTICATE is on and
> it is completely compliant with UEFI specification.

No. You have to set IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED=1 if
CONFIG_EFI_CAPSULE_AUTHENTICATE=y.

Best regards

Heinrich