[PATCH 1/4] tools: mkeficapsule: add firmware image signing
masami.hiramatsu at linaro.org
Sat May 15 04:14:31 CEST 2021
Sat, 15 May 2021 11:03 Heinrich Schuchardt <xypron.glpk at gmx.de>:
> On 5/14/21 3:09 PM, Masami Hiramatsu wrote:
> > Hi all,
> > I think it's time to summarize the topics on this thread.
> > 1. tools/mkeficapsule, config options dependency
> > - The tools, especially useful and distributable tools like
> > mkeficapsule should not be changed by the target board configuration.
> > - Since there are target boards which don't need capsule
> > authentication, it should be configurable. That also can optimize the
> > library dependency.
> Thank you for providing this summary.
> You described that the tool shall not depend on the target board
> configuration. Your sentence starting with "Since" contradicts this.
Ah, sorry for the confusion. Each bullet shows a different opinion on the topic.
> As Ilias pointed out all Linux distributions come with an OpenSSL
> package. The library dependency is nothing to worry about.
OK, so this is for topic #1.
> Capsule updates without authentication do not make much sense in a
> world full of attacks.
and this is for topic #1 and maybe related to #4?
> Hence, a configuration switch for the tool is not needed.
Thanks for clarifying your opinion!
> Best regards
> > 2. tools/mkeficapsule, revert -K/-D options
> > - Since these options are for embedding a public key in the
> > devicetree, that is not related to the capsule file. Also, the same
> > feature can be provided by a simple shell script.
> > 3. capsule authentication, key embedding method
> > - Embedding key in the devicetree is too fragile, especially, the
> > document says overwriting new device tree including key with fdt
> > command. That is not for the product, only for proof of concept.
> > - Such a key should be embedded in the U-Boot, or hardware secure
> > storage so that the user can not change it.
> > (BTW, I think there are more options, like embedding keys in SCP
> > firmware, TF-A, or OP-TEE, outside of U-Boot)
> > 4. capsule authentication, authentication enablement
> > - The UEFI spec said IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED can be
> > supported but cleared (for the current running firmware). This means
> > it is possible that the authentication feature is supported, but not
> > enabled.
> > - For ensuring security, if U-Boot is compiled with
> > CONFIG_EFI_CAPSULE_AUTHENTICATE=y,
> > IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED must always be set.
> > Are there any other topics on this thread? and any other comments on
> > these topics?
> > Thank you,
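Topic 4 above, as an added example that is not U-Boot code and not written by any participant in this thread: a small C model of the attribute pair that EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() reports per image (AttributesSupported / AttributesSetting). It shows why the spec-permitted "supported but cleared" state lets an unsigned capsule through, and how a build with CONFIG_EFI_CAPSULE_AUTHENTICATE=y would avoid that state by always setting the bit. The IMAGE_ATTRIBUTE_* values are the UEFI spec's; the struct name, function names and the `auth_compiled_in` flag are assumptions made for this example.

```c
/* Added example, not U-Boot code. Models the GetImageInfo() attribute pair
 * from the UEFI spec and the capsule accept/reject decision it drives. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit values as defined by the UEFI spec for EFI_FIRMWARE_IMAGE_DESCRIPTOR */
#define IMAGE_ATTRIBUTE_IMAGE_UPDATABLE         0x0000000000000001ULL
#define IMAGE_ATTRIBUTE_RESET_REQUIRED          0x0000000000000002ULL
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x0000000000000004ULL
#define IMAGE_ATTRIBUTE_IN_USE                  0x0000000000000008ULL

/* Assumed subset of EFI_FIRMWARE_IMAGE_DESCRIPTOR: only the two attribute
 * words matter for this discussion. */
struct image_descriptor {
    uint64_t attributes_supported; /* what the firmware can enforce */
    uint64_t attributes_setting;   /* what it enforces right now */
};

/* Assumed: how a build fills in the descriptor. `auth_compiled_in` stands in
 * for CONFIG_EFI_CAPSULE_AUTHENTICATE=y. The point of topic 4 is that when
 * authentication is compiled in, the bit goes into BOTH words, never only
 * into attributes_supported. */
void describe_image(struct image_descriptor *d, bool auth_compiled_in)
{
    d->attributes_supported = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
    d->attributes_setting   = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
    if (auth_compiled_in) {
        d->attributes_supported |= IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
        d->attributes_setting   |= IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
    }
}

/* The "supported but cleared" state the spec allows: the firmware advertises
 * that it can authenticate capsules but is not currently doing so. */
bool auth_supported_but_cleared(const struct image_descriptor *d)
{
    return (d->attributes_supported & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) &&
          !(d->attributes_setting   & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED);
}

/* Build-time policy check for topic 4: with authentication compiled in, the
 * descriptor must report the bit as set, not merely as supported. */
bool descriptor_consistent(const struct image_descriptor *d, bool auth_compiled_in)
{
    if (!auth_compiled_in)
        return true;
    return (d->attributes_setting & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) != 0;
}

/* Accept/reject decision a capsule handler would make from the descriptor.
 * Only attributes_setting is consulted, which is exactly why a cleared bit
 * is a hole: an unsigned capsule is accepted even though signing is supported. */
bool accept_capsule(const struct image_descriptor *d,
                    bool capsule_is_signed, bool signature_valid)
{
    if (!(d->attributes_setting & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED))
        return true;                      /* nothing enforced: anything goes */
    return capsule_is_signed && signature_valid;
}

int main(void)
{
    struct image_descriptor strict, weak;

    /* Build with CONFIG_EFI_CAPSULE_AUTHENTICATE=y under the topic-4 rule */
    describe_image(&strict, true);
    printf("strict: unsigned capsule accepted? %d\n",
           accept_capsule(&strict, false, false));

    /* Constructed descriptor in the spec-permitted "supported but cleared" state */
    weak.attributes_supported = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE |
                                IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
    weak.attributes_setting   = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
    printf("weak: supported-but-cleared? %d, unsigned capsule accepted? %d, "
           "consistent with auth build? %d\n",
           auth_supported_but_cleared(&weak),
           accept_capsule(&weak, false, false),
           descriptor_consistent(&weak, true));
    return 0;
}
```

The takeaway for a reviewer is that `accept_capsule()` never looks at `attributes_supported`, so any path that clears the bit in `attributes_setting` (a stale descriptor, a runtime toggle) silently turns a signed-update build into an unsigned one; `descriptor_consistent()` is the kind of check that catches that at the point where the descriptor is built.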