[PATCH v3 0/3] efi_loader: secure boot using preseed cert db

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Thu Sep 2 11:35:28 CEST 2021


When implementing secure boot the database with the certificates must be
stored in tamper-resistant storage. This implies it cannot be read from
a file on the EFI system partition.

We already have the possibility to provide UEFI variables built into
U-Boot via CONFIG_EFI_VAR_SEED_FILE. If TF-A validates BL33 alias U-Boot,
this seems adequate for secure boot.

With the patch series reading or changing the certificate database is
disabled. Furthermore the variable AuditMode and DeployedMode cannot be
read from file.

The series has been split of
[PATCH v2 0/6] efi_loader: fix secure boot mode transitions
https://lists.denx.de/pipermail/u-boot/2021-August/459054.html
because the implementation of Secure Boot mode transitions need more
thought.

Heinrich Schuchardt (3):
  efi_loader: don't load signature database from file
  efi_loader: efi_auth_var_type for AuditMode, DeployedMode
  efi_loader: correct determination of secure boot state

 include/efi_variable.h          |  6 ++++-
 lib/efi_loader/efi_var_common.c | 43 +++++++++++++++++++++++++--------
 lib/efi_loader/efi_var_file.c   | 41 +++++++++++++++++++------------
 lib/efi_loader/efi_variable.c   |  6 ++---
 4 files changed, 66 insertions(+), 30 deletions(-)

-- 
2.32.0



More information about the U-Boot mailing list