Re: [PATCH v3 1/2] boot: don't enable the non-secure boot commands by default if secure boot enabled
Heinrich Schuchardt
xypron.glpk at gmx.de
Fri May 20 08:34:18 CEST 2022
On 20 May 2022 04:58:46 CEST, Rover Mo <myzmzz at 126.com> wrote:
>To prevent booting unsigned images, don't enable the non-secure boot
>commands (booti, bootz, etc.) by default if secure boot is enabled.
>
>Signed-off-by: Rover Mo <myzmzz at 126.com>
>---
> boot/Kconfig | 2 +-
> cmd/Kconfig | 11 +++++++++--
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
>diff --git a/boot/Kconfig b/boot/Kconfig
>index dff4d23b88..cebe4e24fe 100644
>--- a/boot/Kconfig
>+++ b/boot/Kconfig
>@@ -407,7 +407,7 @@ endif
>
> config LEGACY_IMAGE_FORMAT
> bool "Enable support for the legacy image format"
>- default y if !FIT_SIGNATURE && !TI_SECURE_DEVICE
>+ default y if !FIT_SIGNATURE && !TI_SECURE_DEVICE && !EFI_SECURE_BOOT
Having EFI_SECURE_BOOT=y is not enough to use secure boot. You must also supply variables PK, KEK, db, dbx.
Furthermore you would have to disable a whole lot more commands to secure the device.
Currently we have patches in review to provide a bootmenu with optionally no access to the console. This is a better approach.
Best regards
Heinrich
> help
> This option enables the legacy image format. It is enabled by
> default for backward compatibility, unless FIT_SIGNATURE is
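Review bot: the help text for LEGACY_IMAGE_FORMAT is not updated in this hunk. The visible part ("It is enabled by default for backward compatibility, unless FIT_SIGNATURE is") still documents only the FIT_SIGNATURE condition, while the new default line also excludes EFI_SECURE_BOOT; extend the help text so the documented behaviour matches the Kconfig expression. As the reply above notes, EFI_SECURE_BOOT=y alone does not enforce secure boot, so the help text should also be clear that this only changes the default and does not by itself prevent loading unsigned legacy images.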
>diff --git a/cmd/Kconfig b/cmd/Kconfig
>index 69c1814d24..6baa85bfdd 100644
>--- a/cmd/Kconfig
>+++ b/cmd/Kconfig
>@@ -259,15 +259,22 @@ config BOOTM_EFI
>
> config CMD_BOOTZ
> bool "bootz"
>+ default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT
> help
> Boot the Linux zImage
>+ The booti command is used for launching unsigned Linux zImage.
>+ If you want to have secure boot either via signed FIT images or via
>+ signed UEFI images, this option should be disabled.
>
> config CMD_BOOTI
> bool "booti"
> depends on ARM64 || RISCV
>- default y
>+ default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT
> help
>- Boot an AArch64 Linux Kernel image from memory.
>+ Boot an AArch64/RISC-V Linux Kernel image from memory.
>+ The booti command is used for launching unsigned AArch64 and RISC-V
>+ Linux kernel images. If you want to have secure boot either via signed
>+ FIT images or via signed UEFI images, this option should be disabled.
>
> config BOOTM_LINUX
> bool "Support booting Linux OS images"
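Review bot: the help text added under CMD_BOOTZ names the wrong command: "The booti command is used for launching unsigned Linux zImage." should read "The bootz command is used for launching an unsigned Linux zImage." Separately, CMD_BOOTZ had no default line before this hunk (no "- default" line is removed, unlike CMD_BOOTI), so adding "default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT" newly enables bootz by default on every configuration without FIT_SIGNATURE or EFI_SECURE_BOOT, which the commit message ("don't enable ... by default") does not mention; either drop the new default for CMD_BOOTZ or describe the enablement in the commit message.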
>--
>2.25.1