From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH 2/4] tools: mkeficapsule: remove device-tree related operationy
Date: Fri, 14 May 2021 11:21:10 +0900 [thread overview]
Message-ID: <20210514022110.GA15502@laputa> (raw)
In-Reply-To: <755f30f4-f0f2-5c40-751f-fd393c6e2671@gmx.de>
Heinrich,
You are discussing two different issues:
1. if we should remove "-K/-D" options from mkeficapsule
2. if it is safe or not to store a key in device tree
It makes the discussion in this thread confusing.
On Thu, May 13, 2021 at 07:42:23PM +0200, Heinrich Schuchardt wrote:
> On 5/13/21 9:13 AM, AKASHI Takahiro wrote:
> > On Thu, May 13, 2021 at 07:08:12AM +0200, Heinrich Schuchardt wrote:
> > > On 5/13/21 4:33 AM, AKASHI Takahiro wrote:
> > > > On Wed, May 12, 2021 at 12:01:32PM +0200, Heinrich Schuchardt wrote:
> > > > > On 12.05.21 10:01, Ilias Apalodimas wrote:
> > > > > > On Wed, May 12, 2021 at 04:49:02PM +0900, Masami Hiramatsu wrote:
> > > > > > > Hi Ilias,
> > > > > > >
> > > > > > > 2021?5?12?(?) 16:21 Ilias Apalodimas <ilias.apalodimas@linaro.org>:
> > > > > > > >
> > > > > > > > Akashi-san,
> > > > > > > >
> > > > > > > > On Wed, May 12, 2021 at 01:57:51PM +0900, AKASHI Takahiro wrote:
> > > > > > > > > As we discussed, "-K" and "-D" options have nothing to do with
> > > > > > > > > creating a capsule file. The same result can be obtained by
> > > > > > > > > using standard commands like:
> > > > > > > > > === signature.dts ===
> > > > > > > > > /dts-v1/;
> > > > > > > > > /plugin/;
> > > > > > > > >
> > > > > > > > > &{/} {
> > > > > > > > > signature {
> > > > > > > > > capsule-key = /incbin/("SIGNER.esl");
> > > > > > > > > };
> > > > > > > > > };
> > > > > > > > > ===
> > > > > > > > > $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
> > > > > > > > > $ fdtoverlay -i test.dtb -o test_sig.dtb -v signature.dtbo
> > > > > > > > >
> > > > > > > > > So just remove this feature.
> > > > > > > > > (Effectively revert the commit 322c813f4bec ("mkeficapsule: Add support
> > > > > > > > > for embedding public key in a dtb").)
> > > > > > > > >
> > > > > > > > > The same feature is implemented by a shell script (tools/fdtsig.sh).
> > > > > > > >
> > > > > > > >
> > > > > > > > The only reason I can see to keep this, is if mkeficapsule gets included
> > > > > > > > intro distro packages in the future. That would make end users life a bit
> > > > > > > > easier, since they would need a single binary to create the whole
> > > > > > > > CapsuleUpdate sequence.
> > > > > > >
> > > > > > > Hmm, I think it is better to write a manpage of mkeficapsule which
> > > > > > > also describes
> > > > > > > how to embed the key into dtb as in the above example if it is so short.
> > > > > > > Or, distros can package the above shell script with mkeficapsule.
> > > > > > >
> > > > > > > Embedding a key and signing a capsule are different operations but
> > > > > > > using the same tool may confuse users (at least me).
> > > > > >
> > > > > > Sure fair enough. I am merely pointing out we need a way to explain all of
> > > > > > those to users.
> > > > >
> > > > > This is currently our only documentation:
> > > > >
> > > > > https://u-boot.readthedocs.io/en/latest/board/emulation/qemu_capsule_update.html?highlight=mkeficapsule
> > > >
> > > > As I mentioned several times (and TODO in the cover letter),
> > > > this text must be reviewed, revised and generalized
> > > > as a platform-independent document.
> > > > It contains a couple of errors.
> > > >
> > > > > For mkimage we have a man-page ./doc/mkimage.1 that is packaged with
> > > > > Debians u-boot-tools package. Please, provide a similar man-page as
> > > > > ./doc/mkeficapsule.1.
> > > >
> > > > So after all do you agree to removing "-K/-D"?
Regarding (1), you should clarify your opinion here first.
> > > I see no need to replicate in U-Boot what is already in the device tree
> > > compiler package.
> >
> > This is another reason that we should remove Sughosh's change.
Hereafter, you are talking about (2).
> > > In the current workflow the fdt command is used to load the public key.
> > > This is insecure and not usable for production.
> >
> > I totally disagree.
> > Why is using fdt command (what do you mean by fdt command, dtc/fdtoverlay?)
> > insecure?
>
> A user can load an insecure capsule.
>
> The fdt command is in /cmd/fdt.c and you are referring to it in
> board/emulation/qemu_capsule_update.rst.
OK, you meant U-Boot's fdt command.
> >
> > > The public key used to verify the capsule must be built into the U-Boot
> > > binary. This will supplant the -K and -D options.
> >
> > I don't get your point. You don't understand my code.
> >
> > Even with Sughosh's original patch, the public key (as I said,
> > it is not a public key but a X509 certificate in ESL format) is
> > embedded in the U-Boot's "control device tree".
>
> No, the ESL file it is not built into U-Boot's control device tree.
What I meant by "control device tree" is the feature
provided by OF_CONTROL+OF_EMBED with Sughosh's patch[1]
which is also a prerequisite for my patch series.
!config OF_EMBED
! bool "Embedded DTB for DT control"
! help
! If this option is enabled, the device tree will be picked up and
! built into the U-Boot image.
> A user is loading it and updating the control device tree.
>
> You shouldn't trust anything a user has loaded. You need at least the
> public key of the root CA built somewhere into U-Boot.
>
> The 'fdt resize' command may overwrite code. This is not what you want
> to do with the control device tree.
>
> If CONFIG_OF_LIVE=y, the active device tree is not at $fdtcontroladdr
> but in a hierarchical structure. You cannot update it via the fdt command.
>
> >
> > Even after applying my patch, this is true.
> >
> > Or are you insisting that the key should not be in the device tree?
>
> The public key of the root CA must not be in a place where it can be
> changed by a user while the device is in deployed mode.
UEFI secure boot and capsule update are totally independent concepts
as we discussed a long time ago. The notion of "deployed mode" is
only valid for secure boot.
> The device-tree based design is a good feasibility study but not
> suitable for production.
Nevertheless,
I agree, even I have already mentioned the similar concern in [2],
additionally saying we should turn off "fdt" command.
[1] https://lists.denx.de/pipermail/u-boot/2021-April/447183.html
[2] (oops, my message seems to have been lost.)
-Takahiro Akashi
> Best regards
>
> Heinrich
next prev parent reply other threads:[~2021-05-14 2:21 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-12 4:57 [PATCH 0/4] efi_loader: capsule: improve capsule authentication support AKASHI Takahiro
2021-05-12 4:57 ` [PATCH 1/4] tools: mkeficapsule: add firmwware image signing AKASHI Takahiro
2021-05-12 8:56 ` Heinrich Schuchardt
2021-05-13 3:08 ` AKASHI Takahiro
2021-05-13 4:22 ` Heinrich Schuchardt
2021-05-13 5:00 ` AKASHI Takahiro
2021-05-13 5:35 ` Heinrich Schuchardt
2021-05-13 6:36 ` AKASHI Takahiro
2021-05-13 6:45 ` Heinrich Schuchardt
2021-05-13 7:45 ` AKASHI Takahiro
2021-05-13 5:12 ` Masami Hiramatsu
2021-05-13 5:50 ` Heinrich Schuchardt
2021-05-13 6:44 ` Masami Hiramatsu
2021-05-13 6:52 ` Heinrich Schuchardt
2021-05-13 7:38 ` AKASHI Takahiro
2021-05-13 6:50 ` AKASHI Takahiro
2021-05-13 6:55 ` Heinrich Schuchardt
2021-05-13 7:23 ` AKASHI Takahiro
2021-05-13 8:18 ` Masami Hiramatsu
2021-05-13 8:38 ` AKASHI Takahiro
2021-05-13 10:27 ` Ilias Apalodimas
2021-05-13 16:12 ` Masami Hiramatsu
2021-05-13 16:32 ` Heinrich Schuchardt
2021-05-13 16:42 ` Ilias Apalodimas
2021-05-14 4:50 ` AKASHI Takahiro
2021-05-14 7:56 ` Ilias Apalodimas
2021-05-14 4:13 ` AKASHI Takahiro
2021-05-13 10:40 ` Heinrich Schuchardt
2021-05-13 18:25 ` Heinrich Schuchardt
2021-05-14 6:19 ` AKASHI Takahiro
2021-05-14 6:59 ` Heinrich Schuchardt
2021-05-14 7:13 ` AKASHI Takahiro
2021-05-14 8:45 ` Heinrich Schuchardt
2021-05-14 9:51 ` AKASHI Takahiro
2021-05-14 10:08 ` Heinrich Schuchardt
2021-05-14 13:09 ` Masami Hiramatsu
2021-05-14 13:39 ` Ilias Apalodimas
2021-05-15 2:03 ` Heinrich Schuchardt
2021-05-15 2:14 ` Masami Hiramatsu
2021-05-12 4:57 ` [PATCH 2/4] tools: mkeficapsule: remove device-tree related operation AKASHI Takahiro
2021-05-12 7:20 ` Ilias Apalodimas
2021-05-12 7:49 ` Masami Hiramatsu
2021-05-12 8:01 ` Ilias Apalodimas
2021-05-12 10:01 ` Heinrich Schuchardt
2021-05-13 2:33 ` AKASHI Takahiro
2021-05-13 5:08 ` Heinrich Schuchardt
2021-05-13 7:13 ` AKASHI Takahiro
2021-05-13 17:42 ` Heinrich Schuchardt
2021-05-14 2:21 ` AKASHI Takahiro [this message]
2021-05-14 2:23 ` Masami Hiramatsu
2021-05-12 4:57 ` [PATCH 3/4] tools: add fdtsig command AKASHI Takahiro
2021-05-13 5:23 ` Heinrich Schuchardt
2021-05-13 7:03 ` AKASHI Takahiro
2021-05-12 4:57 ` [PATCH 4/4] test/py: efi_capsule: add image authentication test AKASHI Takahiro
2021-05-12 5:04 ` [PATCH 0/4] efi_loader: capsule: improve capsule authentication support Heinrich Schuchardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210514022110.GA15502@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.