From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ilias Apalodimas Date: Thu, 9 Jan 2020 10:02:11 +0200 Subject: [PATCH v4 00/16] efi_loader: add secure boot support In-Reply-To: References: <20191218004512.24939-1-takahiro.akashi@linaro.org> Message-ID: <20200109080211.GA33620@apalos.home> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On Thu, Jan 09, 2020 at 01:08:35AM +0100, Heinrich Schuchardt wrote: > On 12/18/19 1:44 AM, AKASHI Takahiro wrote: > > One of major missing features in current UEFI implementation is "secure boot." > > The ultimate goal of my attempt is to implement image authentication based > > on signature and provide UEFI secure boot support which would be fully > > compliant with UEFI specification, section 32[1]. > > (The code was originally developed by Patrick Wildt.) > > > > Please note, however, this patch doesn't work on its own; there are > > a couple of functional dependencies[2] and [3], that I have submitted > > before. For complete workable patch set, see my repository[4], > > which also contains experimental timestamp-based revocation suuport. > > > > My "non-volatile" support[5], which is under discussion, is not mandatory > > and so not included here, but this inevitably implies that, for example, > > signature database variables, like db and dbx, won't be persistent unless you > > explicitly run "env save" command and that UEFI variables are not separated > > from U-Boot environment. Anyhow, Linaro is also working on implementing > > real "secure storage" solution based on TF-A and OP-TEE. > > > > Device trees can be used for denial of service or to destroy hardware. > > How will you address the validation of device trees? Although this is really simple to solve, factoring in the different vendor needs makes it quite complex. There's a couple of options we can consider and not all of them are sane. 1. U-Boot embeds the DTB. This is straightforward. On Arm devices TF-A verifies U-boot so you natively end up with a verified DTB. If U-Boot does not include the proper DTB (as is the case for several devices), one can always complite the correct DTB and compile with EXT_DTB. 2. Use https://github.com/jiazhang0/SELoader which verifies non-PE files 3. Add some custom code and use UEFI keyring to verify non PE files. This is a bad idea though since you'll 'polute' the UEFI keyring. 4. FIT for DTB (??) In any case UEFI job is to verify PE/COFF executables and that's what this patch provides. DTB verification is beyond UEFI secure boot patches imho. Regards /Ilias > > Best regards > > Heinrich