[PATCH] boot: don't enable booti/bootz by default if FIT_SIGNATURE is set
Rover Mo
myzmzz at 126.com
Thu Nov 4 04:11:17 CET 2021
Dear Heinrich,
Thank for your comments.
>How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default?
I think yes.
I will update the relation to "default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT",
and add "!EFI_SECURE_BOOT" into LEGACY_IMAGE_FORMAT.
>> + It is enabled by default for backward compatibility, unless
>
>Backwards relative to UEFI?
No.
This description is from CONFIG_LEGACY_IMAGE_FORMAT.
```
config LEGACY_IMAGE_FORMAT
bool "Enable support for the legacy image format"
default y if !FIT_SIGNATURE
help
This option enables the legacy image format. It is enabled by
default for backward compatibility, unless FIT_SIGNATURE is
set where it is disabled so that unsigned images cannot be
loaded. If a board needs the legacy image format support in this
case, enable it here.
```
In my understand, this backward compatibility is to support both secure boot and non-secure boot when necessary.
>This focuses very much on default values. How about:
>
>"The booti command is used for launching unsigned AArch64 and RISC-V
>Linux kernel images. If you want to have secure boot either via signed
>FIT images or via signed UEFI images, this option should be disabled."
I agree, this description is more comprehensive.
So that I want to update the commit title to "boot: don't enable the non-secure boot commands by default if secure boot enabled"
>Why AArch64 and not RISC-V?
The help information of CMD_BOOTI only mentions AArch64, so I followed it.
Should I update as following?
```diff
- Boot an AArch64 Linux Kernel image from memory.
+ Boot an AArch64/RISC-V Linux Kernel image from memory.
```
Best regards,
Rover
At 2021-11-04 02:24:34, "Heinrich Schuchardt" <xypron.glpk at gmx.de> wrote:
>On 11/3/21 08:44, Rover Mo wrote:
>> To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT,
>
>nits:
>%s/boot/booting/
>
>> don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if
>> CONFIG_FIT_SIGNATURE is enabled.
>
>Disabling the booti and the bootz command does not stop you from booting
>unsigned images, e.g. using the bootefi command.
>
>>
>> Signed-off-by: Yuezhang.Mo <myzmzz at 126.com>
>> ---
>> cmd/Kconfig | 11 ++++++++++-
>> 1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/cmd/Kconfig b/cmd/Kconfig
>> index 5b30b13e43..5f9dd91928 100644
>> --- a/cmd/Kconfig
>> +++ b/cmd/Kconfig
>> @@ -203,15 +203,24 @@ config BOOTM_EFI
>>
>> config CMD_BOOTZ
>> bool "bootz"
>> + default y if !FIT_SIGNATURE
>> help
>> Boot the Linux zImage
>> + It is enabled by default for backward compatibility, unless
>> + FIT_SIGNATURE is set where it is disabled so that unsigned images
>> + cannot be loaded. If a board needs to boot a Linux zImage in this
>> + case, enable it here.
>>
>> config CMD_BOOTI
>> bool "booti"
>> depends on ARM64 || RISCV
>> - default y
>> + default y if !FIT_SIGNATURE
>
>How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default?
>
>> help
>> Boot an AArch64 Linux Kernel image from memory.
>> + It is enabled by default for backward compatibility, unless
>
>Backwards relative to UEFI?
>
>This focuses very much on default values. How about:
>
>"The booti command is used for launching unsigned AArch64 and RISC-V
>Linux kernel images. If you want to have secure boot either via signed
>FIT images or via signed UEFI images, this option should be disabled."
>
>> + FIT_SIGNATURE is set where it is disabled so that unsigned images
>> + cannot be loaded. If a board needs to boot an AArch64 Linux Kernel
>
>Why AArch64 and not RISC-V?
>
>Who needs all those lines.
>
>Best regards
>
>Heinrich
>
>> + image in this case, enable it here.
>>
>> config BOOTM_LINUX
>> bool "Support booting Linux OS images"
>>
More information about the U-Boot
mailing list