[PATCH 01/13] ti:keys Add EFI signature list

Andrew Davis afd at ti.com
Tue Apr 9 23:14:49 CEST 2024


On 4/9/24 2:26 PM, Heinrich Schuchardt wrote:
> On 4/9/24 14:14, Andrew Davis wrote:
>> On 4/8/24 10:34 PM, Heinrich Schuchardt wrote:
>>> On 4/8/24 23:33, Jonathan Humphreys wrote:
>>>> EFI signature list using TI dummy keys.
>>>
>>> Adding vendor public keys into the code base to lock down generated
>>> binaries to the vendor's unpublished private key does not match well with
>>> the intent of the GNU public license.
>>>
>>
>> The matching private keys are already published in this same
>> repo/directory (arch/arm/mach-k3/keys).
>>
>> Andrew
> 
> Why should we create signed capsules which are already compromised by
> publishing the private key?
> 

If you buy these devices you have two options: you can burn real
keys, or you can burn these dummy keys. If you burn dummy keys
then these images will boot, and so will any image you or anyone
else wants to boot on the device. (Since the keys are published,
anyone can make images for them; that is how we do GP (general
purpose) devices these days.)

If you burn your own keys, then you switch out these keys here
and your device will only boot images that you permit by signing
with your keys.

You'll find plenty of open source projects do the same and
give out example keys to show how to use real keys, even
official GNU projects.

https://github.com/gpg/gnupg/tree/master/tests/openpgp/samplekeys

Andrew

> Best regards
> 
> Heinrich
> 
>>
>>> Best regards
>>>
>>> Heinrich
>>>
>>>>
>>>> Signed-off-by: Jonathan Humphreys <j-humphreys at ti.com>
>>>> ---
>>>>   arch/arm/mach-k3/keys/custMpk.esl | Bin 0 -> 1523 bytes
>>>>   1 file changed, 0 insertions(+), 0 deletions(-)
>>>>   create mode 100644 arch/arm/mach-k3/keys/custMpk.esl
>>>>
>>>> diff --git a/arch/arm/mach-k3/keys/custMpk.esl
>>>> b/arch/arm/mach-k3/keys/custMpk.esl
>>>> new file mode 100644
>>>> index
>>>> 0000000000000000000000000000000000000000..2feb704e0a5fd126410de451d3c0fa4d3edccc52
>>>> GIT binary patch
>>>> literal 1523
>>>> zcmZ1&d0^?2Da*aux2_hA(f&~MnUw(yu0v at E4?-F=u^u*PVqVQ8QZ((-^A*$m*Kg7c
>>>> z&78AJODc2mtxpELY at Awc9&O)w85y}*84Mcd8gd(OvN4CUun9AT2E#ZUJWL at GhWtR)
>>>> zKpA!(HkZVloWx>7bput902hy3NNPo5v4Uq_aY<2WZfaf$h at G5YRFGekSdyAzC~P1I
>>>> zQpnB26;PC)oLXF*UsMbeWai-t at l*&dEdVMmF_blshP#N9QH-w`BJNO<sh6CeYal1i
>>>> zYh-L-W?*PwYGi0=7A4MWYz$;tLb-$9{Y^|t$U)A?%D~*j#Lr;R#Kgta#Kg$3Uu2!<
>>>> zjryX?*~({Md+?>+QS$x7=il`0?bc6sZ`Vxxl^6N{>i2E;SY*4-T$+0G;)5dxe+2CR
>>>> z at 4+)sDPWdQb@%6KTpDVdm)v}?GSpG(w_UV)&i+#e3fJowDZO)JR83lIcbw(hMu}}Y
>>>> z2ZZwYAI-LVx@^G;HdkgxaX&Hnl_l3&{H|3l7uX at Vl5di{>fQQ{pDynFlySp2(z~g)
>>>> z{LIBUzm&K9j_CMw_SIFfPdcT#zmg6g<ji}(R`6geJLk-#o7bK^&&fT}#2zsD`=c9g
>>>> zFUCK<Fz@{2kel&$W6zl<d|WNk#ZsNRd{_N_SJxWvh0*K$j!m)c at oT>{#b(Lp`M3Uj
>>>> zGOKycyEe+n{G(Rmg}jB!)0ySk-!kkj_R7#OT+}pcG0VXh?f+ftRvnyw#hUea^Iyfn
>>>> ze|zgKPKrqe at jYWU?v<50X(n^lZ*G%j$JyCh`*Px|H*K=2WXP)hx>jng+}Q}N^KoDN
>>>> z8dh8T-~Dmrp2?yk3O6Gqbz7O@<TEz<^zIa7d#PKtHKHeAg?V0DMSin^o3F|IEfQWk
>>>> zcmJwBy6&2hKub%G{j3IK(?7m at uI43#1e~wSZJ5sTtDjrp at 7@{O3(faN{`Gp}x{$M5
>>>> z{A7`c at pjfYq1Z=JvgZ^-zCC<(HFTBwYhTX$k`7IJX`SM!H}f`Mv+(Op6uVY(<(^o4
>>>> zpyXAj9nF_c-1A<UIel9%6Eh<NBXSA>W=dcRVPvS;*B%(4`P|iK>Vg$XDgN9sr}Df{
>>>> z7X0es=RPHr8RB+*)}q}h%gn?x9PO4y*Qog};x<<LS+lxk$@$kYlG_hXu6p%jvB<%l
>>>> zmcsdI9w!^rFPt^&c~{1?L~DJ4TRPv>t%rn8xi;KBE9A!Dppb9yru|>RCb9PcXWpE>
>>>> zKlQ}fzw*izXI|}|r!O*nb&cP9#VhHRn;B<SRflN2Jl(*;W4e0LD$ORRIdjjhURZH+
>>>> zXWR0Vllb2@>`1LC^xvIctvLCYhRA_6yCS~2&!0SH1xwv(O~<l(HQxHJxzF!T_>+5t
>>>> z^|E$S{MM^8j9J5`sQ6pud{2Lz?k`zncbjvHj%eutjusUol}8;%cbPLCO|e;ZJ^tXe
>>>> z_N{pmM}uCi3UWO3=hMc<s}m1Jx4GS4F(<_N`R|o+)eAK3Yx{o$ygRe!;<_EoF&UhP
>>>> zrslJ=2XA9^$j#UDYwo;ZvZwb!|L%YP%v|ie|7-1PP+q3DZ&vEWgHHrjHv|NzEVjO?
>>>> zKFeRbXv>iTPl?N16Xv at buq_d@TU<MB;uD_jX^$J`&*C>`uX0_s&g9M2C6cKx4E;{?
>>>> zt`1&)Tk-yb?sKMPI~!}xt*d*!tMat!r1`}jul#i at lDB8rnu>ba_-^4!iQ5{|tb3TX
>>>> z>fTMIw2!Me3{Dw*WZotC<4 at h<H`zaL+~Es<{Ccj5yS7zyNU!YsTG`^JqA6NkU%vnV
>>>> D66<<J
>>>>
>>>> literal 0
>>>> HcmV?d00001
>>>>
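Review bot: the commit message for custMpk.esl says only "EFI signature list using TI dummy keys"; it does not name the certificate the list wraps, the signature type or owner GUID used, or the tool invocation that produced the 1523-byte blob, so a reviewer cannot regenerate the binary and confirm it matches anything. Since the matching private key is, per the reply above, already published in arch/arm/mach-k3/keys, please add the generation steps (source certificate in that directory plus the exact command) to the commit message or a README beside the file, and state there that this is a dummy key whose private half is public, so nobody mistakes it for a production key when switching to their own.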
>>>
> 

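The file under discussion is an EFI_SIGNATURE_LIST as laid out in the UEFI specification, and the practical question behind Heinrich's objection is whether a device's db contains a certificate whose private key is public. The following added example (not code from the patch, U-Boot or TI) parses a db blob made of one or more such lists and checks whether a given certificate blob is present. The owner GUID, the "certificate" bytes and the sample db are constructed here; the certificate is a placeholder, not real DER.

```python
"""Parse an EFI signature list (.esl / db blob) and check what it trusts.

Added example for this thread; not code from the patch, U-Boot or TI.
Struct layouts follow EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA in the UEFI
specification. The owner GUID, "certificate" bytes and db below are
constructed here (the cert is a placeholder, not real DER) so it runs offline.
"""
import hashlib
import struct
import uuid

# SignatureType GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGNATURE_TYPES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
HEADER_FMT = "<16sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes
GUID_LEN = 16                             # EFI_SIGNATURE_DATA.SignatureOwner


class EslError(ValueError):
    """Raised when the blob is truncated or its size fields disagree."""


def parse_esl(data):
    """Return [(type_name, [(owner_guid, signature_data), ...]), ...].

    A db variable is a concatenation of EFI_SIGNATURE_LISTs, so loop until
    the buffer is consumed and reject anything whose sizes do not add up.
    """
    lists = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise EslError("truncated list header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, data, off)
        if list_size < HEADER_LEN or off + list_size > len(data):
            raise EslError("SignatureListSize %d does not fit at offset %d" % (list_size, off))
        body = list_size - HEADER_LEN - hdr_size
        if hdr_size > list_size - HEADER_LEN or sig_size <= GUID_LEN or body % sig_size:
            raise EslError("inconsistent size fields at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        entries = []
        pos = off + HEADER_LEN + hdr_size
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=bytes(data[pos:pos + GUID_LEN]))
            entries.append((owner, bytes(data[pos + GUID_LEN:pos + sig_size])))
            pos += sig_size
        lists.append((SIGNATURE_TYPES.get(sig_type, str(sig_type)), entries))
        off = end
    return lists


def contains_signature(lists, blob):
    """True if any entry's SignatureData equals blob, e.g. a published dummy cert."""
    return any(sig == blob for _, entries in lists for _, sig in entries)


def build_esl(sig_type, entries):
    """Serialize one EFI_SIGNATURE_LIST with no SignatureHeader.

    All SignatureData in one list must share a length, since SignatureSize
    is a single per-list field.
    """
    sizes = {len(payload) for _, payload in entries}
    if len(sizes) != 1:
        raise ValueError("all SignatureData in one list must have the same size")
    sig_size = GUID_LEN + sizes.pop()
    out = struct.pack(HEADER_FMT, sig_type.bytes_le,
                      HEADER_LEN + sig_size * len(entries), 0, sig_size)
    for owner, payload in entries:
        out += owner.bytes_le + payload
    return out


# Constructed sample db: one X.509 list plus one SHA-256 hash list.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # made-up owner GUID
SAMPLE_CERT = b"CONSTRUCTED-NOT-A-REAL-DER-CERT"                    # placeholder, not DER
SAMPLE_DB = build_esl(EFI_CERT_X509_GUID, [(SAMPLE_OWNER, SAMPLE_CERT)]) + build_esl(
    EFI_CERT_SHA256_GUID,
    [(SAMPLE_OWNER, hashlib.sha256(b"image-a").digest()),
     (SAMPLE_OWNER, hashlib.sha256(b"image-b").digest())])


if __name__ == "__main__":
    import sys
    # Pass a real .esl path to inspect it; with no argument the sample db is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    parsed = parse_esl(data)
    for kind, entries in parsed:
        for owner, sig in entries:
            print(kind, "owner", owner, "len", len(sig),
                  "sha256", hashlib.sha256(sig).hexdigest()[:16])
    print("sample placeholder cert present:", contains_signature(parsed, SAMPLE_CERT))
```

Against a real device, the check that matters is feeding `contains_signature` the DER bytes of the published dummy certificate and the db read back from the board: a True result means anyone with the published private key can sign images that board will boot, which is exactly the state Andrew describes for GP devices and exactly what a product burning its own keys must avoid.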
