[PATCH v3] doc: uefi: enhance anti-rollback documentation
Masahisa Kojima
masahisa.kojima at linaro.org
Thu Jun 22 10:06:29 CEST 2023
To enforce anti-rollback to any older version, the dtb must
always be updated manually. This should be described in the
documentation.
This commit also adds the recommendation that a secure system should not
enable the fdt command, because the lowest-supported-version
property in the device tree can be changed by the fdt command.
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
---
changes in v3:
- fix typo
changes in v2:
- add recommendation not to enable fdt command
doc/develop/uefi/uefi.rst | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index ffd13cebe9..9b7c9f19a9 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail.
When the --fw-version in the capsule file is updated, lowest-supported-version
in the dtb might be updated accordingly.
+If user needs to enforce anti-rollback to any older version,
+the lowest-supported-version property in dtb must be always updated manually.
+
+Note that the lowest-supported-version property specified in U-Boot's control
+device tree can be changed by U-Boot fdt command.
+Secure systems should not enable this command.
+
To insert the lowest supported version into a dtb
.. code-block:: console
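Review bot: the wording in the added paragraphs needs tightening: "If user needs to enforce" should read "If a user needs to enforce", "must be always updated manually" should read "must always be updated manually", and "by U-Boot fdt command" should read "by the U-Boot fdt command". It would also help readers if the last sentence ("Secure systems should not enable this command.") pointed at the build-time option that controls whether the fdt command is compiled in, so that the recommendation is actionable rather than only a statement of intent; and since the preceding context says the dtb "might be updated accordingly" while the new text says it "must be always updated manually", consider making explicit that the capsule update itself never rewrites the property, which is why the manual step is required.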
--
2.34.1