[PATCH 01/13] ti:keys Add EFI signature list
Ilias Apalodimas
ilias.apalodimas at linaro.org
Fri Apr 12 11:55:30 CEST 2024
Hi Jon,
On Wed, 10 Apr 2024 at 20:35, Jon Humphreys <j-humphreys at ti.com> wrote:
>
> Ilias Apalodimas <ilias.apalodimas at linaro.org> writes:
>
> > On Tue, 9 Apr 2024 at 23:14, Andrew Davis <afd at ti.com> wrote:
> >>
> >> On 4/9/24 2:26 PM, Heinrich Schuchardt wrote:
> >> > On 4/9/24 14:14, Andrew Davis wrote:
> >> >> On 4/8/24 10:34 PM, Heinrich Schuchardt wrote:
> >> >>> On 4/8/24 23:33, Jonathan Humphreys wrote:
> >> >>>> EFI signature list using TI dummy keys.
> >> >>>
> >> >>> Adding vendor public keys into the code base to lock down generated
> >> >>> binaries to the vendor's unpublished private key does not match well with
> >> >>> the intent of the GNU public license.
> >> >>>
> >> >>
> >> >> The matching private keys are already published in this same
> >> >> repo/directory (arch/arm/mach-k3/keys).
> >> >>
> >> >> Andrew
> >> >
> >> > Why should we create signed capsules which are already compromised by
> >> > publishing the private key?
> >> >
> >>
> >> If you buy these devices you have two options, you can burn real
> >> keys, or you can burn these dummy keys. If you burn dummy keys
> >> then these images will boot and so will any image you or anyone
> >> else wants to boot on the device. (since the keys are published
> >> anyone can make images for them, that is how we do GP (general
> >> purpose) devices these days)
> >>
> >> If you burn your own keys, then you switch out these keys here
> >> and your device will only boot images that you permit by signing
> >> with your keys.
> >
> > I am not sure I am following you here. We don't burn anything in the
> > case of EFI keys. They are placed in an elf section and we assume the
> > device will have a chain of trust enabled, naturally verifying those
> > keys along with the u-boot binary.
> >
> >>
> >> You'll find plenty of open source projects do the same and
> >> give out example keys to show how to use real keys, even
> >> official GNU projects.
> >
> > Yes, but the keys defined here are useless unless you have a default
> > defconfig that uses them and embeds them in the binary. I am not cc'ed
> > in all the patches of the series, is that added somewhere? And if you
>
> Yes, they are part of this series
> https://lore.kernel.org/r/20240408213349.96610-1-j-humphreys@ti.com.
> Thanks for the reviews.
>
> > unconditionally enable secure boot, it would be far more interesting to
> > embed the MS SHIM key along with that special key you are trying to
> > define, so that firmware can boot COTS distros as well.
>
> Yes, we should consider. But since that is outside of the EFI capsule
> use case, I would rather take it up in a separate patch.
Ok, the commit message wasn't clear, and based on Andrew's initial
response I thought you wanted to use those for UEFI secure boot, not
capsule updates.
Those are your boards so I won't NAK this, but I'd strongly advise
*not* to add this. I assume you want capsule auth by default because
SystemReady-IR >=2.0 mandates it?
In that case, it would be a far better idea to document the process of
creating signed capsules clearly either in U-Boot's EFI docs and/or
your board docs.
I am pretty confident that if we merge this now we will have future
products using the keys above.
Thanks
/Ilias
>
> >
> > Thanks
> > /Ilias
> >
> >
> >>
> >> https://github.com/gpg/gnupg/tree/master/tests/openpgp/samplekeys
> >>
> >> Andrew
> >>
> >> > Best regards
> >> >
> >> > Heinrich
> >> >
> >> >>
> >> >>> Best regards
> >> >>>
> >> >>> Heinrich
> >> >>>
> >> >>>>
> >> >>>> Signed-off-by: Jonathan Humphreys <j-humphreys at ti.com>
> >> >>>> ---
> >> >>>> arch/arm/mach-k3/keys/custMpk.esl | Bin 0 -> 1523 bytes
> >> >>>> 1 file changed, 0 insertions(+), 0 deletions(-)
> >> >>>> create mode 100644 arch/arm/mach-k3/keys/custMpk.esl
> >> >>>>
> >> >>>> diff --git a/arch/arm/mach-k3/keys/custMpk.esl
> >> >>>> b/arch/arm/mach-k3/keys/custMpk.esl
> >> >>>> new file mode 100644
> >> >>>> index
> >> >>>> 0000000000000000000000000000000000000000..2feb704e0a5fd126410de451d3c0fa4d3edccc52
> >> >>>> GIT binary patch
> >> >>>> literal 1523
> >> >>>>
> >> >>>> literal 0
> >> >>>> HcmV?d00001
> >> >>>>
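Review bot: custMpk.esl is added as an opaque 1523-byte binary with no record of how it was produced, and the commit message ("EFI signature list using TI dummy keys.") does not say what the list is meant to authenticate. Please state in the commit message that the list is for EFI capsule authentication, say which key in arch/arm/mach-k3/keys it corresponds to and how the .esl was generated, so the file can be regenerated and compared; generating it from that key at build time instead of committing the binary would avoid the two drifting apart. Because the matching private keys are published in the same directory, a short note there saying these are dummy keys that must be replaced for products would address the concern that they end up in shipped firmware.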
> >> >>>
> >> >