[PATCH] boot: don't enable booti/bootz by default if FIT_SIGNATURE is set

Simon Glass sjg at chromium.org
Thu Nov 4 16:11:54 CET 2021 

Hi,

On Thu, 4 Nov 2021 at 05:23, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
>
>
> On 11/4/21 04:11, Rover Mo wrote:
> > Dear Heinrich,
> >
> >
> > Thank for your comments.
> >
> >
> >  >How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default?
> >
> > I think yes.
> > I will update the relation to "default y if !FIT_SIGNATURE &&
> > !EFI_SECURE_BOOT",
> > and add "!EFI_SECURE_BOOT" into LEGACY_IMAGE_FORMAT.
> >
> >>> +     It is enabled by default for backward compatibility, unless
> >>
> >>Backwards relative to UEFI?
> >
> > No.
> >
> > This description is from CONFIG_LEGACY_IMAGE_FORMAT.
> >
> > ```
> > config LEGACY_IMAGE_FORMAT
> >          bool "Enable support for the legacy image format"
> >          default y if !FIT_SIGNATURE
> >          help
> >            This option enables the legacy image format. It is enabled by
> >            default for backward compatibility, unless FIT_SIGNATURE is
> >            set where it is disabled so that unsigned images cannot be
> >            loaded. If a board needs the legacy image format support in this
> >            case, enable it here.
> > ```
> >
> > In my understand,this backward compatibility is to support both secure boot and
> > non-secure boot when necessary.
> >
> >>This focuses very much on default values. How about:
> >>
> >>"The booti command is used for launching unsigned AArch64 and RISC-V
> >>Linux kernel images. If you want to have secure boot either via signed
> >>FIT images or via signed UEFI images, this option should be disabled."
> >
> > I agree, this description is more comprehensive.
> >
> > So that I want to update the commit title to "boot: don't enable thenon-secure boot commands  by default ifsecure boot enabled"
> >
> >>Why AArch64 and not RISC-V?
> >
> > The help information of CMD_BOOTI only mentions AArch64, so I followed it.
> >
> > Should I update as following?
> > ```diff
> > -          Boot an AArch64 Linux Kernel image from memory.
> > +         Boot an AArch64/RISC-V Linux Kernel image from memory.
>
> Yes, please.

Also please do check tests (make qcheck) since sandbox enables more
options than most boards.


- Simon

>
> Best regards
>
> Heinrich
>
> > ```
> >
> > Best regards,
> > Rover
> >
> > At 2021-11-04 02:24:34, "Heinrich Schuchardt" <xypron.glpk at gmx.de> wrote:
> >>On 11/3/21 08:44, Rover Mo wrote:
> >>> To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT,
> >>
> >>nits:
> >>%s/boot/booting/
> >>
> >>> don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if
> >>> CONFIG_FIT_SIGNATURE is enabled.
> >>
> >>Disabling the booti and the bootz command does not stop you from booting
> >>unsigned images, e.g. using the bootefi command.
> >>
> >>>
> >>> Signed-off-by: Yuezhang.Mo <myzmzz at 126.com>
> >>> ---
> >>>   cmd/Kconfig | 11 ++++++++++-
> >>>   1 file changed, 10 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/cmd/Kconfig b/cmd/Kconfig
> >>> index 5b30b13e43..5f9dd91928 100644
> >>> --- a/cmd/Kconfig
> >>> +++ b/cmd/Kconfig
> >>> @@ -203,15 +203,24 @@ config BOOTM_EFI
> >>>
> >>>   config CMD_BOOTZ
> >>>     bool "bootz"
> >>> +   default y if !FIT_SIGNATURE
> >>>     help
> >>>       Boot the Linux zImage
> >>> +     It is enabled by default for backward compatibility, unless
> >>> +     FIT_SIGNATURE is set where it is disabled so that unsigned images
> >>> +     cannot be loaded. If a board needs to  boot a Linux zImage in this
> >>> +     case, enable it here.
> >>>
> >>>   config CMD_BOOTI
> >>>     bool "booti"
> >>>     depends on ARM64 || RISCV
> >>> -   default y
> >>> +   default y if !FIT_SIGNATURE
> >>
> >>How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default?
> >>
> >>>     help
> >>>       Boot an AArch64 Linux Kernel image from memory.
> >>> +     It is enabled by default for backward compatibility, unless
> >>
> >>Backwards relative to UEFI?
> >>
> >>This focuses very much on default values. How about:
> >>
> >>"The booti command is used for launching unsigned AArch64 and RISC-V
> >>Linux kernel images. If you want to have secure boot either via signed
> >>FIT images or via signed UEFI images, this option should be disabled."
> >>
> >>> +     FIT_SIGNATURE is set where it is disabled so that unsigned images
> >>> +     cannot be loaded. If a board needs to boot an AArch64 Linux Kernel
> >>
> >>Why AArch64 and not RISC-V?
> >>
> >>Who needs all those lines.
> >>
> >>Best regards
> >>
> >>Heinrich
> >>
> >>> +     image in this case, enable it here.
> >>>
> >>>   config BOOTM_LINUX
> >>>     bool "Support booting Linux OS images"
> >>>
> >
> >
> >

More information about the U-Boot mailing list