[PATCH v2] doc: uefi: enhance anti-rollback documentation
Ilias Apalodimas
ilias.apalodimas at linaro.org
Thu Jun 22 09:20:57 CEST 2023
Hi Kojima-san
On Thu, 22 Jun 2023 at 08:51, Masahisa Kojima
<masahisa.kojima at linaro.org> wrote:
>
> To enforce anti-rollback to any older version, dtb must be
> always updated manually. This should be described in the
> documentation.
>
> This commit also adds the recommendation that secure systems should not
> enable the fdt command because lowest-supported-version
> property in device tree can be changed by fdt command.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> ---
> doc/develop/uefi/uefi.rst | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> index ffd13cebe9..7407f178f5 100644
> --- a/doc/develop/uefi/uefi.rst
> +++ b/doc/develop/uefi/uefi.rst
> @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail.
> When the --fw-version in the capsule file is updated, lowest-supported-version
> in the dtb might be updated accordingly.
>
> +If user needs to enroce anti-rollback to any older version,
enforce*
> +the lowest-supported-version property in dtb must be always updated manually.
> +
> +Note that the lowest-supported-version property specified in U-Boot's control
> +device tree can be changed by U-Boot fdt command.
> +Secure systems should not enable this command.
> +
Other than that
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> To insert the lowest supported version into a dtb
>
> .. code-block:: console
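Review bot: the last added paragraph says "Secure systems should not enable this command" without telling the reader which build option that is; naming the Kconfig symbol for the fdt command (CONFIG_CMD_FDT) would make the recommendation actionable. In the first added sentence, besides the "enroce" typo already pointed out, "If user needs" wants an article ("If the user needs") and "must be always updated manually" reads better as "must always be updated manually". It would also help to say why the manual step is required, since the preceding context line only states that lowest-supported-version in the dtb "might be updated accordingly".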
> --
> 2.34.1
>