[PATCH 01/13] ti:keys Add EFI signature list

Wed Apr 10 20:34:57 CEST 2024

Ilias Apalodimas <ilias.apalodimas at linaro.org> writes:

> On Tue, 9 Apr 2024 at 23:14, Andrew Davis <afd at ti.com> wrote:
>>
>> On 4/9/24 2:26 PM, Heinrich Schuchardt wrote:
>> > On 4/9/24 14:14, Andrew Davis wrote:
>> >> On 4/8/24 10:34 PM, Heinrich Schuchardt wrote:
>> >>> On 4/8/24 23:33, Jonathan Humphreys wrote:
>> >>>> EFI signature list using TI dummy keys.
>> >>>
>> >>> Adding vendor public keys into the code base to lock down generated
>> >>> binaries to the vendors unpublished private key does not match well with
>> >>> the intent of the GNU public license.
>> >>>
>> >>
>> >> The matching private keys are already published in this same
>> >> repo/directory (arch/arm/mach-k3/keys).
>> >>
>> >> Andrew
>> >
>> > Why should we create signed capsules which are already compromised by
>> > publishing the private key?
>> >
>>
>> If you buy these devices you have two options, you can burn real
>> keys, or you can burn these dummy keys. If you burn dummy keys
>> then these images will boot and so will any image you or anyone
>> else wants to boot on the device. (since the keys are published
>> anyone can make images for them, that is how we do GP (general
>> purpose) devices these days)
>>
>> If you burn your own keys, then you switch out these keys here
>> and your device will only boot images that you permit by signing
>> with your keys.
>
> I am not sure I am following you here.  We don't burn anything in the
> case of EFI keys. They are placed in an elf section and we assume the
> device will have a chain of trust enabled, naturally verifying those
> keys along with the u-boot binary.
>
>>
>> You'll find plenty of open source projects do the same and
>> give out example keys to show how to use real keys, even
>> official GNU projects.
>
> Yes, but the keys defined here are useless unless you have a default
> defconfig that uses them and embeds them in the binary. I am not cc'ed
> in all the patches of the series, is that added somewhere? And if you

Yes, they are part of this series
https://lore.kernel.org/r/20240408213349.96610-1-j-humphreys@ti.com.
Thanks for the reviews.

> unconditionally enable secure boot It would be far more interesting to
> embed the MS SHIM key along with that special key you are trying to
> define, so that firmware can boot COTS distros as well

Yes, we should consider.  But since that is outside of the EFI capsule
use case, I would rather take it up in a separate patch.

>
> Thanks
> /Ilias
>
>
>>
>> https://github.com/gpg/gnupg/tree/master/tests/openpgp/samplekeys
>>
>> Andrew
>>
>> > Best regards
>> >
>> > Heinrich
>> >
>> >>
>> >>> Best regards
>> >>>
>> >>> Heinrich
>> >>>
>> >>>>
>> >>>> Signed-off-by: Jonathan Humphreys <j-humphreys at ti.com>
>> >>>> ---
>> >>>>   arch/arm/mach-k3/keys/custMpk.esl | Bin 0 -> 1523 bytes
>> >>>>   1 file changed, 0 insertions(+), 0 deletions(-)
>> >>>>   create mode 100644 arch/arm/mach-k3/keys/custMpk.esl
>> >>>>
>> >>>> diff --git a/arch/arm/mach-k3/keys/custMpk.esl
>> >>>> b/arch/arm/mach-k3/keys/custMpk.esl
>> >>>> new file mode 100644
>> >>>> index
>> >>>> 0000000000000000000000000000000000000000..2feb704e0a5fd126410de451d3c0fa4d3edccc52
>> >>>> GIT binary patch
>> >>>> literal 1523
>> >>>> zcmZ1&d0^?2Da*aux2_hA(f&~MnUw(yu0v at E4?-F=u^u*PVqVQ8QZ((-^A*$m*Kg7c
>> >>>> z&78AJODc2mtxpELY at Awc9&O)w85y}*84Mcd8gd(OvN4CUun9AT2E#ZUJWL at GhWtR)
>> >>>> zKpA!(HkZVloWx>7bput902hy3NNPo5v4Uq_aY<2WZfaf$h at G5YRFGekSdyAzC~P1I
>> >>>> zQpnB26;PC)oLXF*UsMbeWai-t at l*&dEdVMmF_blshP#N9QH-w`BJNO<sh6CeYal1i
>> >>>> zYh-L-W?*PwYGi0=7A4MWYz$;tLb-$9{Y^|t$U)A?%D~*j#Lr;R#Kgta#Kg$3Uu2!<
>> >>>> zjryX?*~({Md+?>+QS$x7=il`0?bc6sZ`Vxxl^6N{>i2E;SY*4-T$+0G;)5dxe+2CR
>> >>>> z at 4+)sDPWdQb@%6KTpDVdm)v}?GSpG(w_UV)&i+#e3fJowDZO)JR83lIcbw(hMu}}Y
>> >>>> z2ZZwYAI-LVx@^G;HdkgxaX&Hnl_l3&{H|3l7uX at Vl5di{>fQQ{pDynFlySp2(z~g)
>> >>>> z{LIBUzm&K9j_CMw_SIFfPdcT#zmg6g<ji}(R`6geJLk-#o7bK^&&fT}#2zsD`=c9g
>> >>>> zFUCK<Fz@{2kel&$W6zl<d|WNk#ZsNRd{_N_SJxWvh0*K$j!m)c at oT>{#b(Lp`M3Uj
>> >>>> zGOKycyEe+n{G(Rmg}jB!)0ySk-!kkj_R7#OT+}pcG0VXh?f+ftRvnyw#hUea^Iyfn
>> >>>> ze|zgKPKrqe at jYWU?v<50X(n^lZ*G%j$JyCh`*Px|H*K=2WXP)hx>jng+}Q}N^KoDN
>> >>>> z8dh8T-~Dmrp2?yk3O6Gqbz7O@<TEz<^zIa7d#PKtHKHeAg?V0DMSin^o3F|IEfQWk
>> >>>> zcmJwBy6&2hKub%G{j3IK(?7m at uI43#1e~wSZJ5sTtDjrp at 7@{O3(faN{`Gp}x{$M5
>> >>>> z{A7`c at pjfYq1Z=JvgZ^-zCC<(HFTBwYhTX$k`7IJX`SM!H}f`Mv+(Op6uVY(<(^o4
>> >>>> zpyXAj9nF_c-1A<UIel9%6Eh<NBXSA>W=dcRVPvS;*B%(4`P|iK>Vg$XDgN9sr}Df{
>> >>>> z7X0es=RPHr8RB+*)}q}h%gn?x9PO4y*Qog};x<<LS+lxk$@$kYlG_hXu6p%jvB<%l
>> >>>> zmcsdI9w!^rFPt^&c~{1?L~DJ4TRPv>t%rn8xi;KBE9A!Dppb9yru|>RCb9PcXWpE>
>> >>>> zKlQ}fzw*izXI|}|r!O*nb&cP9#VhHRn;B<SRflN2Jl(*;W4e0LD$ORRIdjjhURZH+
>> >>>> zXWR0Vllb2@>`1LC^xvIctvLCYhRA_6yCS~2&!0SH1xwv(O~<l(HQxHJxzF!T_>+5t
>> >>>> z^|E$S{MM^8j9J5`sQ6pud{2Lz?k`zncbjvHj%eutjusUol}8;%cbPLCO|e;ZJ^tXe
>> >>>> z_N{pmM}uCi3UWO3=hMc<s}m1Jx4GS4F(<_N`R|o+)eAK3Yx{o$ygRe!;<_EoF&UhP
>> >>>> zrslJ=2XA9^$j#UDYwo;ZvZwb!|L%YP%v|ie|7-1PP+q3DZ&vEWgHHrjHv|NzEVjO?
>> >>>> zKFeRbXv>iTPl?N16Xv at buq_d@TU<MB;uD_jX^$J`&*C>`uX0_s&g9M2C6cKx4E;{?
>> >>>> zt`1&)Tk-yb?sKMPI~!}xt*d*!tMat!r1`}jul#i at lDB8rnu>ba_-^4!iQ5{|tb3TX
>> >>>> z>fTMIw2!Me3{Dw*WZotC<4 at h<H`zaL+~Es<{Ccj5yS7zyNU!YsTG`^JqA6NkU%vnV
>> >>>> D66<<J
>> >>>>
>> >>>> literal 0
>> >>>> HcmV?d00001
>> >>>>
>> >>>
>> >