From mboxrd@z Thu Jan 1 00:00:00 1970 From: Heinrich Schuchardt Date: Sat, 15 May 2021 04:03:46 +0200 Subject: [PATCH 1/4] tools: mkeficapsule: add firmwware image signing In-Reply-To: References: <20210513065054.GF16848@laputa> <0686AB79-8431-43A2-8EF6-7853DD29524B@gmx.de> <20210513072359.GI16848@laputa> <9d698932-ede5-eeea-b3d4-d2342675ac04@gmx.de> <20210514061949.GE15502@laputa> <75d6f7c5-5300-4abc-3c78-02dc062f094c@gmx.de> <20210514071356.GA28950@laputa> <054f760d-6b03-534c-1b05-0537f5d7a5be@gmx.de> <20210514095138.GB28950@laputa> Message-ID: <3f79872b-fe1b-2b87-bcdd-9dec5ebe5f2a@gmx.de> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On 5/14/21 3:09 PM, Masami Hiramatsu wrote: > Hi all, > > I think it's time to summarize the topics on this thread. > > 1. tools/mkeficapsule, config options dependency > - The tools, especially useful and distributable tools like > mkeficapsule should not be changed by the target board configuration. > - Since there are target boards which don't need capsule > authentication, it should be configurable. That also can optimize the > library dependency. Thank you for providing this summary. You described that the tool shall not depend on the target board configuration. Your sentence starting with "Since" contradicts this. As Ilias pointed out all Linux distributions come with an OpenSSL package. The library dependency is nothing to worry about. Capsule updates without authentication don't not make much sense in a world full of attacks. Hence, a configuration switch for the tool is not needed. Best regards Heinrich > > 2. tools/mkeficapsule, revert -K/-D options > - Since these options are for embedding a public key in the > devicetree, that is not related to the capsule file. Also, the same > feature can be provided by a simple shell script. > > 3. capsule authentication, key embedding method > - Embedding key in the devicetree is too fragile, especially, the > document says overwriting new device tree including key with fdt > command. That is not for the product, only for proof of concept. > - Such a key should be embedded in the U-Boot, or hardware secure > storage so that the user can not change it. > (BTW, I think there are more options, like embedding keys in SCP > firmware, TF-A, or OP-TEE, outside of U-Boot) > > 4. capsule authentication, authentication enablement > - The UEFI spec said IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED can be > supported but cleared (for the current running firmware). This means > it is possible that the authentication feature is supported, but not > enabled. > - For ensuring security, if U-Boot is compiled with > CONFIG_EFI_CAPSULE_AUTHETICATE=y, > IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED must always be set. > > Are there any other topics on this thread? and any other comments on > these topics? > > Thank you,