[PATCH 01/13] ti:keys Add EFI signature list
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Apr 10 11:38:49 CEST 2024
On Tue, 9 Apr 2024 at 23:14, Andrew Davis <afd at ti.com> wrote:
>
> On 4/9/24 2:26 PM, Heinrich Schuchardt wrote:
> > On 4/9/24 14:14, Andrew Davis wrote:
> >> On 4/8/24 10:34 PM, Heinrich Schuchardt wrote:
> >>> On 4/8/24 23:33, Jonathan Humphreys wrote:
> >>>> EFI signature list using TI dummy keys.
> >>>
> >>> Adding vendor public keys into the code base to lock down generated
> >>> binaries to the vendors unpublished private key does not match well with
> >>> the intent of the GNU public license.
> >>>
> >>
> >> The matching private keys are already published in this same
> >> repo/directory (arch/arm/mach-k3/keys).
> >>
> >> Andrew
> >
> > Why should we create signed capsules which are already compromised by
> > publishing the private key?
> >
>
> If you buy these devices you have two options, you can burn real
> keys, or you can burn these dummy keys. If you burn dummy keys
> then these images will boot and so will any image you or anyone
> else wants to boot on the device. (since the keys are published
> anyone can make images for them, that is how we do GP (general
> purpose) devices these days)
>
> If you burn your own keys, then you switch out these keys here
> and your device will only boot images that you permit by signing
> with your keys.
I am not sure I am following you here. We don't burn anything in the
case of EFI keys. They are placed in an elf section and we assume the
device will have a chain of trust enabled, naturally verifying those
keys along with the u-boot binary.
>
> You'll find plenty of open source projects do the same and
> give out example keys to show how to use real keys, even
> official GNU projects.
Yes, but the keys defined here are useless unless you have a default
defconfig that uses them and embeds them in the binary. I am not cc'ed
in all the patches of the series, is that added somewhere? And if you
unconditionally enable secure boot It would be far more interesting to
embed the MS SHIM key along with that special key you are trying to
define, so that firmware can boot COTS distros as well
Thanks
/Ilias
>
> https://github.com/gpg/gnupg/tree/master/tests/openpgp/samplekeys
>
> Andrew
>
> > Best regards
> >
> > Heinrich
> >
> >>
> >>> Best regards
> >>>
> >>> Heinrich
> >>>
> >>>>
> >>>> Signed-off-by: Jonathan Humphreys <j-humphreys at ti.com>
> >>>> ---
> >>>> arch/arm/mach-k3/keys/custMpk.esl | Bin 0 -> 1523 bytes
> >>>> 1 file changed, 0 insertions(+), 0 deletions(-)
> >>>> create mode 100644 arch/arm/mach-k3/keys/custMpk.esl
> >>>>
> >>>> diff --git a/arch/arm/mach-k3/keys/custMpk.esl
> >>>> b/arch/arm/mach-k3/keys/custMpk.esl
> >>>> new file mode 100644
> >>>> index
> >>>> 0000000000000000000000000000000000000000..2feb704e0a5fd126410de451d3c0fa4d3edccc52
> >>>> GIT binary patch
> >>>> literal 1523
> >>>> zcmZ1&d0^?2Da*aux2_hA(f&~MnUw(yu0v at E4?-F=u^u*PVqVQ8QZ((-^A*$m*Kg7c
> >>>> z&78AJODc2mtxpELY at Awc9&O)w85y}*84Mcd8gd(OvN4CUun9AT2E#ZUJWL at GhWtR)
> >>>> zKpA!(HkZVloWx>7bput902hy3NNPo5v4Uq_aY<2WZfaf$h at G5YRFGekSdyAzC~P1I
> >>>> zQpnB26;PC)oLXF*UsMbeWai-t at l*&dEdVMmF_blshP#N9QH-w`BJNO<sh6CeYal1i
> >>>> zYh-L-W?*PwYGi0=7A4MWYz$;tLb-$9{Y^|t$U)A?%D~*j#Lr;R#Kgta#Kg$3Uu2!<
> >>>> zjryX?*~({Md+?>+QS$x7=il`0?bc6sZ`Vxxl^6N{>i2E;SY*4-T$+0G;)5dxe+2CR
> >>>> z at 4+)sDPWdQb@%6KTpDVdm)v}?GSpG(w_UV)&i+#e3fJowDZO)JR83lIcbw(hMu}}Y
> >>>> z2ZZwYAI-LVx@^G;HdkgxaX&Hnl_l3&{H|3l7uX at Vl5di{>fQQ{pDynFlySp2(z~g)
> >>>> z{LIBUzm&K9j_CMw_SIFfPdcT#zmg6g<ji}(R`6geJLk-#o7bK^&&fT}#2zsD`=c9g
> >>>> zFUCK<Fz@{2kel&$W6zl<d|WNk#ZsNRd{_N_SJxWvh0*K$j!m)c at oT>{#b(Lp`M3Uj
> >>>> zGOKycyEe+n{G(Rmg}jB!)0ySk-!kkj_R7#OT+}pcG0VXh?f+ftRvnyw#hUea^Iyfn
> >>>> ze|zgKPKrqe at jYWU?v<50X(n^lZ*G%j$JyCh`*Px|H*K=2WXP)hx>jng+}Q}N^KoDN
> >>>> z8dh8T-~Dmrp2?yk3O6Gqbz7O@<TEz<^zIa7d#PKtHKHeAg?V0DMSin^o3F|IEfQWk
> >>>> zcmJwBy6&2hKub%G{j3IK(?7m at uI43#1e~wSZJ5sTtDjrp at 7@{O3(faN{`Gp}x{$M5
> >>>> z{A7`c at pjfYq1Z=JvgZ^-zCC<(HFTBwYhTX$k`7IJX`SM!H}f`Mv+(Op6uVY(<(^o4
> >>>> zpyXAj9nF_c-1A<UIel9%6Eh<NBXSA>W=dcRVPvS;*B%(4`P|iK>Vg$XDgN9sr}Df{
> >>>> z7X0es=RPHr8RB+*)}q}h%gn?x9PO4y*Qog};x<<LS+lxk$@$kYlG_hXu6p%jvB<%l
> >>>> zmcsdI9w!^rFPt^&c~{1?L~DJ4TRPv>t%rn8xi;KBE9A!Dppb9yru|>RCb9PcXWpE>
> >>>> zKlQ}fzw*izXI|}|r!O*nb&cP9#VhHRn;B<SRflN2Jl(*;W4e0LD$ORRIdjjhURZH+
> >>>> zXWR0Vllb2@>`1LC^xvIctvLCYhRA_6yCS~2&!0SH1xwv(O~<l(HQxHJxzF!T_>+5t
> >>>> z^|E$S{MM^8j9J5`sQ6pud{2Lz?k`zncbjvHj%eutjusUol}8;%cbPLCO|e;ZJ^tXe
> >>>> z_N{pmM}uCi3UWO3=hMc<s}m1Jx4GS4F(<_N`R|o+)eAK3Yx{o$ygRe!;<_EoF&UhP
> >>>> zrslJ=2XA9^$j#UDYwo;ZvZwb!|L%YP%v|ie|7-1PP+q3DZ&vEWgHHrjHv|NzEVjO?
> >>>> zKFeRbXv>iTPl?N16Xv at buq_d@TU<MB;uD_jX^$J`&*C>`uX0_s&g9M2C6cKx4E;{?
> >>>> zt`1&)Tk-yb?sKMPI~!}xt*d*!tMat!r1`}jul#i at lDB8rnu>ba_-^4!iQ5{|tb3TX
> >>>> z>fTMIw2!Me3{Dw*WZotC<4 at h<H`zaL+~Es<{Ccj5yS7zyNU!YsTG`^JqA6NkU%vnV
> >>>> D66<<J
> >>>>
> >>>> literal 0
> >>>> HcmV?d00001
> >>>>
> >>>
> >
More information about the U-Boot
mailing list