From mboxrd@z Thu Jan 1 00:00:00 1970
From: AKASHI Takahiro
Date: Fri, 14 May 2021 18:51:38 +0900
Subject: [PATCH 1/4] tools: mkeficapsule: add firmware image signing
In-Reply-To: <054f760d-6b03-534c-1b05-0537f5d7a5be@gmx.de>
References: <20210513065054.GF16848@laputa>
 <0686AB79-8431-43A2-8EF6-7853DD29524B@gmx.de>
 <20210513072359.GI16848@laputa>
 <9d698932-ede5-eeea-b3d4-d2342675ac04@gmx.de>
 <20210514061949.GE15502@laputa>
 <75d6f7c5-5300-4abc-3c78-02dc062f094c@gmx.de>
 <20210514071356.GA28950@laputa>
 <054f760d-6b03-534c-1b05-0537f5d7a5be@gmx.de>
Message-ID: <20210514095138.GB28950@laputa>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Heinrich,

Can you please reply to each of my replies?
Otherwise, I don't know which one of my comments/opinions you agree to
and which one not.

On Fri, May 14, 2021 at 10:45:48AM +0200, Heinrich Schuchardt wrote:
> On 5/14/21 9:13 AM, AKASHI Takahiro wrote:
> > > E.g. for IMAGE_ATTRIBUTE_IN_USE
> > >
> > > AttributesSupported | AttributesSetting | Meaning
> > > --------------------+-------------------+--------------------
> > > 0                   | 0                 | state is unknown
> > > 0                   | 1                 | state is unknown
> > > 1                   | 0                 | image is not in use
> > > 1                   | 1                 | image is in use
> > We are discussing *_REQUIRED.
> > Can you give me the same table for *_REQUIRED?
> >
> > -Takahiro Akashi
> >
> >
>
> IMAGE_ATTRIBUTE_RESET_REQUIRED
>
> AttributesSupported | AttributesSetting | Meaning
> --------------------+-------------------+--------------------
> 0                   | 0                 | state is unknown
> 0                   | 1                 | state is unknown
> 1                   | 0                 | reset is not needed
>                     |                   | to complete upgrade
> 1                   | 1                 | reset is needed
>                     |                   | to complete upgrade
>
>
> IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED
>
> AttributesSupported | AttributesSetting | Meaning
> --------------------+-------------------+--------------------
> 0                   | 0                 | state is unknown
> 0                   | 1                 | state is unknown
> 1                   | 0                 | signed and unsigned
>                     |                   | capsules are accepted
> 1                   | 1                 | capsules are only
>                     |                   | accepted after
>                     |                   | checking the signature

So what?
This table shows there is a case where the authentication will be
skipped even if CONFIG_EFI_CAPSULE_AUTHENTICATE is on and it is completely
compliant with UEFI specification.
That is what I and Masami were discussing.

> > > > > But as I mentioned in my comment against Sughosh's patch,
> > > > > the authentication process will be enforced only if the capsule has
> > > > > an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
> > > > >
> > > >
> > > > That would be a security disaster.

So I said that you should discuss the topic in UEFI forum first
if you think so.

-Takahiro Akashi

> For both bits AttributesSupported=0 does not make much sense.
>
> IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is a property of the current
> image and should only be deleted by installing a new capsule.
>
> A vendor might send you a special firmware image for unlocking your
> device after registering as a developer. Xiaomi handled it like this for
> one of my routers.
>
> Best regards
>
> Heinrich
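
The attribute tables in this mail, written out as code. This is an added example, not part of the original mail and not U-Boot code: the bit values are those of the UEFI specification, while `decode_attr`, `verify_per_attribute`, `verify_fail_closed` and the `build_auth` flag are hypothetical names that put the two positions argued in the thread side by side.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit values from the UEFI specification's firmware image descriptor. */
#define IMAGE_ATTRIBUTE_RESET_REQUIRED          0x2ULL
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x4ULL
#define IMAGE_ATTRIBUTE_IN_USE                  0x8ULL

enum attr_state { ATTR_UNKNOWN, ATTR_CLEAR, ATTR_SET };

/* A bit in AttributesSetting means something only if the same bit is
 * set in AttributesSupported; otherwise the state is unknown. */
enum attr_state decode_attr(uint64_t supported, uint64_t setting, uint64_t bit)
{
	if (!(supported & bit))
		return ATTR_UNKNOWN;
	return (setting & bit) ? ATTR_SET : ATTR_CLEAR;
}

/* Hypothetical policy A: the image attribute alone decides. */
bool verify_per_attribute(uint64_t supported, uint64_t setting)
{
	return decode_attr(supported, setting,
			   IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) == ATTR_SET;
}

/* Hypothetical policy B: a build-time switch (assumed flag, standing in
 * for a config option) forces verification whatever the attribute says. */
bool verify_fail_closed(uint64_t supported, uint64_t setting, bool build_auth)
{
	return build_auth || verify_per_attribute(supported, setting);
}

int main(void)
{
	static const char *const name[] = { "unknown", "clear", "set" };
	const uint64_t bit = IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;

	/* Constructed inputs: the four rows of the table, in order. */
	for (int row = 0; row < 4; row++) {
		uint64_t sup = (row & 2) ? bit : 0, set = (row & 1) ? bit : 0;
		printf("supported=%d setting=%d state=%-7s A=%d B=%d\n",
		       !!sup, !!set, name[decode_attr(sup, set, bit)],
		       verify_per_attribute(sup, set),
		       verify_fail_closed(sup, set, true));
	}
	return 0;
}
```

Under policy A only the last table row leads to a signature check; under policy B with the switch on, all four rows do.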