From: Simon Glass
Date: Tue, 20 Jul 2021 12:33:07 -0600
Subject: Re: [PATCH 2/3] mkeficapsule: Remove dtb related options
To: Ilias Apalodimas
Cc: Heinrich Schuchardt, Masami Hiramatsu, AKASHI Takahiro, Alexander Graf, Sughosh Ganu, U-Boot Mailing List
References: <20210715170030.97758-1-ilias.apalodimas@linaro.org> <20210715170030.97758-2-ilias.apalodimas@linaro.org>

Hi Ilias,

On Sat, 17 Jul 2021 at 01:24, Ilias Apalodimas wrote:
>
> On Fri, Jul 16, 2021 at 08:03:23AM -0600, Simon Glass wrote:
> > Hi Ilias,
> >
> > On Thu, 15 Jul 2021 at 11:00, Ilias Apalodimas wrote:
> > >
> > > commit 322c813f4bec ("mkeficapsule: Add support for embedding public key in a dtb")
> > > added a bunch of options enabling the addition of the capsule public key
> > > in a dtb. Since now we embed the key in U-Boot's .rodata we don't need
> > > this functionality anymore
> > >
> > > Signed-off-by: Ilias Apalodimas
> > > ---
> > >  tools/mkeficapsule.c | 226 ++----------------------------------------
> > >  1 file changed, 7 insertions(+), 219 deletions(-)
> >
> > Here again I see EFI diverging from the impl in U-Boot. With U-Boot
> > you can add the public key after the build step, e.g. in a key-signing
> > server. With EFI and this change you will have to rebuild U-Boot (from
> > source) every time you sign something. Seems like a pain.
>
> I don't see why either of these is a problem. You need the public key to
> update the binary itself, so rebuilding from source is a prerequisite.

Please can you have a look at binman and the concept of packaging
separate from building? Rebuilding from source is definitely not needed
to update a binary.

> Apart from a signing server, you can also have special hardware that provides
> the public key you need (which is not implemented yet). So this is the bare
> minimum functionality you need for authenticated capsule updates.

As discussed on the mailing list you have not included the motivation for
this. Now that I understand the motivation, which is to avoid someone
changing the key at runtime, I believe that this change does not actually
help... I've replied separately on the mailing list.

Regards,
Simon