From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [RFC] efi_loader: improve firmware capsule authentication
Date: Fri, 23 Apr 2021 16:00:36 +0900 [thread overview]
Message-ID: <20210423070036.GB23309@laputa> (raw)
In-Reply-To: <CADg8p95tR25-uCumUbuyNrF0tk_e21Qg=P6_+xBykKcWRs2b_A@mail.gmail.com>
Sughosh,
On Fri, Apr 23, 2021 at 11:55:04AM +0530, Sughosh Ganu wrote:
> Takahiro,
>
> On Fri, 23 Apr 2021 at 11:17, AKASHI Takahiro <takahiro.akashi@linaro.org>
> wrote:
>
> > Heinrich,
> >
> > I'm currently thinking of improving capsule authentication
> > that Sughosh has made, particularly around mkeficapsule command:
> >
> > 1) Add a signing feature to the command
> > This will allow us to create a *signed* capsule file solely
> > with mkeficapsule. We will no longer rely on EDK2's script.
> > 2) Delete "-K" and "-D" option
> > Specifically, revert 322c813f4bec ("mkeficapsule: Add support
> > for embedding public key in a dtb")
> > As I said, this feature doesn't have anything to do with
> > creating a capsule file. Above all, we can do the same thing
> > with the existing commands (dtc and fdtoverlay).
> >
>
> I would vote against this particular revert that you are suggesting. I have
> already submitted a patchset which is under review[1], which is adding
> support for embedding the key in the platform's dtb, using the above
> functionality in mkeficapsule.
That is why I insisted "(2) should be done in 2021.04"
as we should stop it being merged immediately.
> I don't see any reason why we should be
> adding this logic in another utility,
?
I never tried to add anything about this issue. Just remove.
FYI, we can get the exact same result with:
=== pubkey.dts ===
/dts-v1/;
/plugin/;
&{/} {
signature {
capsule-key = /incbin/("CRT.esl");
};
};
===
$ dtc -@ -I dts -O dtb -o pubkey.dtbo pubkey.dts
$ fdtoverlay -i test.dtb -o test_pubkey.dtb -v pubkey.dtbo
No "C" code needed here. You also re-invented the almost same function
as fdt_overlay_apply() in mkeficapsule, and yet your function is
incompatible with dtc/fdtoverlay commands in terms of overlay syntax.
I have already confirmed the capsule file signed by my mkeficapsule
+ above dtb work perfectly with efi_capsule_authenticate()
in my pytest with sandbox.
And again, the feature has nothing to do with generating a capsule file.
It is simply to perform fdt overlay which is already supported by standard
commands.
Those are the reasons why we should revert the patch.
> and cannot use the mkeficapsule
> utility for embedding the public key in the platform's dtb.
?
No need to use mkeficapsule any more.
-Takahiro Akashi
> The
> mkeficapsule utility can be extended to add the authentication information
> that you plan to submit.
>
> -sughosh
>
> [1] - https://lists.denx.de/pipermail/u-boot/2021-April/447183.html
>
>
> > 3) Add pytest for capsule authentication with sandbox
> >
> > Now I have done all of them above although some cleanup work is
> > still needed. I think that (2) should be done in 2021.04.
> >
> > I plan to send patches for 1-3 (and maybe 5 and 7 below) if you agree.
> >
> > Other concerns:
> > 4) Documentation
> > Currently, "doc/board/emulation/qemu_capsule_update.rst" is
> > the only document about the usage of UEFI capsule on U-Boot.
> > Unfortunately, it contains some errors and more importantly,
> > most of the content are generic, not qemu-specific.
> >
> > 5) Certificate (public key) in dtb
> > That's fine, but again "board/emulation/common/qemu_capsule.c"
> > is naturally generic. It should be available for other platforms
> > with a new Kconfig option.
> >
> > # IMHO, I don't understand why the data in dtb needs be in
> > efi-signature-list structure. A single key (cert) would be enough.
> >
> > 6) "capsule_authentication_enabled"
> > I think that we have agreed with deleting this variable.
> > But I don't see any patch.
> > Moreover, capsule authentication must be enforced only
> > if the attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED,
> > is set. But there is no code to check the flag.
> >
> > 7) Pytest is broken
> > Due to your and Ilias' recent patches, existing pytests for
> > secure boot as well as capsule update are now broken.
> > I'm not sure why you have not yet noticed.
> > Presumably, Travis CI now skips those tests?
> >
> > If I have some time in the future, I will address them.
> > But Sughosh can do as well.
> >
> > -Takahiro Akashi
> >
next prev parent reply other threads:[~2021-04-23 7:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-23 5:47 [RFC] efi_loader: improve firmware capsule authentication AKASHI Takahiro
2021-04-23 6:25 ` Sughosh Ganu
2021-04-23 7:00 ` AKASHI Takahiro [this message]
2021-04-23 9:08 ` Sughosh Ganu
2021-04-26 2:44 ` AKASHI Takahiro
2021-05-07 4:29 ` AKASHI Takahiro
2021-05-07 18:47 ` Heinrich Schuchardt
2021-05-10 0:31 ` AKASHI Takahiro
2021-04-23 7:21 ` Ilias Apalodimas
2021-04-23 7:50 ` AKASHI Takahiro
2021-04-23 8:03 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210423070036.GB23309@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.