[PATCH 1/4] tools: mkeficapsule: add firmware image signing

Masami Hiramatsu masami.hiramatsu at linaro.org
Sat May 15 04:14:31 CEST 2021


Hi Heinrich,

Sat, May 15, 2021 at 11:03 Heinrich Schuchardt <xypron.glpk at gmx.de>:
>
> On 5/14/21 3:09 PM, Masami Hiramatsu wrote:
> > Hi all,
> >
> > I think it's time to summarize the topics on this thread.
> >
> > 1. tools/mkeficapsule, config options dependency
> >    - The tools, especially useful and distributable tools like
> > mkeficapsule should not be changed by the target board configuration.
> >    - Since there are target boards which don't need capsule
> > authentication, it should be configurable. That also can optimize the
> > library dependency.
>
> Thank you for providing this summary.
>
> You described that the tool shall not depend on the target board
> configuration. Your sentence starting with "Since" contradicts this.

Ah, sorry for the confusion. Each bullet shows a different opinion on the topic.


> As Ilias pointed out all Linux distributions come with an OpenSSL
> package. The library dependency is nothing to worry about.

OK, so this is for topic #1.

>
> Capsule updates without authentication don't make much sense in a
> world full of attacks.

and this is for topic #1 and maybe related to #4?

>
> Hence, a configuration switch for the tool is not needed.

Thanks for clarifying your opinion!

>
> Best regards
>
> Heinrich
>
> >
> > 2. tools/mkeficapsule, revert -K/-D options
> >    - Since these options are for embedding a public key in the
> > devicetree, that is not related to the capsule file. Also, the same
> > feature can be provided by a simple shell script.
> >
> > 3. capsule authentication, key embedding method
> >    - Embedding key in the devicetree is too fragile, especially, the
> > document says overwriting new device tree including key with fdt
> > command. That is not for the product, only for proof of concept.
> >    - Such a key should be embedded in the U-Boot, or hardware secure
> > storage so that the user can not change it.
> >      (BTW, I think there are more options, like embedding keys in SCP
> > firmware, TF-A, or OP-TEE, outside of U-Boot)
> >
> > 4. capsule authentication, authentication enablement
> >    - The UEFI spec said IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED can be
> > supported but cleared (for the current running firmware). This means
> > it is possible that the authentication feature is supported, but not
> > enabled.
> >    - For ensuring security, if U-Boot is compiled with
> > CONFIG_EFI_CAPSULE_AUTHENTICATE=y,
> > IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED must always be set.
> >
> > Are there any other topics on this thread? and any other comments on
> > these topics?
> >
> > Thank you,



-- 
Masami Hiramatsu
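Added example, not part of this patch series or of U-Boot's own code: a small C model of the point raised under topic 4, that IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED must be set in the FMP attribute setting whenever capsule authentication is compiled in, together with a capsule-acceptance gate that shows what "supported but cleared" lets through. The structure layouts and constants (EFI_FIRMWARE_IMAGE_AUTHENTICATION, WIN_CERTIFICATE_UEFI_GUID, EFI_CERT_TYPE_PKCS7_GUID, the IMAGE_ATTRIBUTE_* bits) follow the UEFI specification; the function names, the constructed demo payload and its placeholder CertData bytes are this example's own. Only the header shape is checked here; a real implementation must additionally verify the PKCS#7 signature against the trusted key before flashing.

```c
/* Added example (not U-Boot code): models the FMP attribute / capsule
 * authentication policy discussed in the thread. Assumes a little-endian
 * host, which matches the on-wire encoding UEFI mandates. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI spec: EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() attribute bits */
#define IMAGE_ATTRIBUTE_IMAGE_UPDATABLE         0x0000000000000001ULL
#define IMAGE_ATTRIBUTE_RESET_REQUIRED          0x0000000000000002ULL
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x0000000000000004ULL

/* UEFI spec: WIN_CERTIFICATE revision and type for a GUID-typed certificate */
#define WIN_CERT_REVISION_2_0  0x0200
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1

/* EFI_CERT_TYPE_PKCS7_GUID {4aafd29d-68df-49ee-8aa9-347d375665a7}, on-wire byte order */
static const uint8_t EFI_CERT_TYPE_PKCS7_GUID[16] = {
    0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49,
    0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 };

/* Topic 4: the attribute setting must follow the build. With authentication
 * compiled in, AUTHENTICATION_REQUIRED is both supported and set, never
 * "supported but cleared". */
uint64_t fmp_attributes_supported(bool auth_compiled_in)
{
    return IMAGE_ATTRIBUTE_IMAGE_UPDATABLE |
           (auth_compiled_in ? IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED : 0);
}
uint64_t fmp_attributes_setting(bool auth_compiled_in)
{
    return fmp_attributes_supported(auth_compiled_in); /* setting == supported */
}

/* True (and *hdr_len set) if p starts with a well-formed
 * EFI_FIRMWARE_IMAGE_AUTHENTICATION: UINT64 MonotonicCount, then
 * WIN_CERTIFICATE{dwLength,wRevision,wCertificateType}, EFI_GUID CertType,
 * CertData[]. dwLength covers everything after MonotonicCount. */
static bool capsule_auth_header_len(const uint8_t *p, size_t n, size_t *hdr_len)
{
    uint32_t dw_length; uint16_t revision, cert_type;
    if (n < 8 + 8 + 16) return false;                 /* shorter than an empty header */
    memcpy(&dw_length, p + 8, 4);
    memcpy(&revision,  p + 12, 2);
    memcpy(&cert_type, p + 14, 2);
    if (revision != WIN_CERT_REVISION_2_0 || cert_type != WIN_CERT_TYPE_EFI_GUID) return false;
    if (dw_length < 8 + 16 || dw_length > n - 8) return false;   /* truncated or absurd */
    if (memcmp(p + 16, EFI_CERT_TYPE_PKCS7_GUID, 16) != 0) return false;
    if (dw_length == 8 + 16) return false;            /* no CertData at all */
    *hdr_len = 8 + dw_length;
    return true;
}

/* Acceptance gate: returns the offset of the firmware image inside the
 * payload, or -1 to reject. When AUTHENTICATION_REQUIRED is cleared, an
 * unsigned payload is accepted as-is: this is the hole the thread warns about. */
long capsule_image_offset(const uint8_t *payload, size_t len, uint64_t setting)
{
    size_t hdr = 0;
    bool has_hdr = capsule_auth_header_len(payload, len, &hdr);
    if (setting & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED)
        return has_hdr ? (long)hdr : -1;  /* caller then verifies PKCS#7 over image */
    return has_hdr ? (long)hdr : 0;       /* policy off: nothing is verified */
}

/* Constructed demo payload: header with a 4-byte placeholder CertData blob
 * (NOT a real PKCS#7 signature) followed by a 3-byte "image". Returns length. */
size_t build_demo_capsule(uint8_t *out, size_t cap)
{
    static const uint8_t image[3] = {0xAA, 0xBB, 0xCC};
    static const uint8_t cert_data[4] = {1, 2, 3, 4};
    uint32_t dw_length = 8 + 16 + sizeof cert_data;   /* 28 */
    uint16_t rev = WIN_CERT_REVISION_2_0, type = WIN_CERT_TYPE_EFI_GUID;
    uint64_t mono = 1;
    size_t n = 8 + dw_length + sizeof image;          /* 39 */
    if (cap < n) return 0;
    memcpy(out,      &mono, 8);
    memcpy(out + 8,  &dw_length, 4);
    memcpy(out + 12, &rev, 2);
    memcpy(out + 14, &type, 2);
    memcpy(out + 16, EFI_CERT_TYPE_PKCS7_GUID, 16);
    memcpy(out + 32, cert_data, sizeof cert_data);
    memcpy(out + 36, image, sizeof image);
    return n;
}

enum demo_case { DEMO_SIGNED_REQUIRED, DEMO_UNSIGNED_REQUIRED, DEMO_UNSIGNED_CLEARED,
                 DEMO_TRUNCATED_REQUIRED, DEMO_BAD_GUID_REQUIRED };

/* Runs one scenario so outcomes can be checked without shared state. */
long demo_capsule(enum demo_case c)
{
    static const uint8_t raw[3] = {0xAA, 0xBB, 0xCC};  /* unsigned image */
    uint8_t buf[64];
    size_t n = build_demo_capsule(buf, sizeof buf);
    const uint64_t req = IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
    switch (c) {
    case DEMO_SIGNED_REQUIRED:    return capsule_image_offset(buf, n, req);
    case DEMO_UNSIGNED_REQUIRED:  return capsule_image_offset(raw, sizeof raw, req);
    case DEMO_UNSIGNED_CLEARED:   return capsule_image_offset(raw, sizeof raw, IMAGE_ATTRIBUTE_IMAGE_UPDATABLE);
    case DEMO_TRUNCATED_REQUIRED: return capsule_image_offset(buf, 35, req);   /* dwLength overruns */
    case DEMO_BAD_GUID_REQUIRED:  buf[16] ^= 0xFF; return capsule_image_offset(buf, n, req);
    }
    return -1;
}

int main(void)
{
    printf("signed+required   -> %ld\n", demo_capsule(DEMO_SIGNED_REQUIRED));
    printf("unsigned+required -> %ld\n", demo_capsule(DEMO_UNSIGNED_REQUIRED));
    printf("unsigned+cleared  -> %ld (accepted without any check)\n", demo_capsule(DEMO_UNSIGNED_CLEARED));
    return 0;
}
```

The "unsigned+cleared" line is the configuration the summary argues against: the image is updatable, authentication is nominally supported, but nothing stops an unsigned capsule from being flashed. Tying the setting to the build, as fmp_attributes_setting() does, removes that state.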