From: François Ozog
Date: Wed, 20 Oct 2021 11:08:29 +0200
Subject: Re: [PATCH v4 03/11] efi_loader: capsule: add back efi_get_public_key_data()
To: Masami Hiramatsu
Cc: AKASHI Takahiro, Alex Graf, Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Sughosh Ganu, U-Boot Mailing List

On Wed, 20 Oct 2021 at 10:18, Masami Hiramatsu wrote:
> Hi Simon,
>
> On Fri, 15 Oct 2021 at 9:40, Simon Glass wrote:
> >
> > Hi Takahiro,
> >
> > On Thu, 7 Oct 2021 at 00:25, AKASHI Takahiro wrote:
> > >
> > > The commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to
> > > .rodata"") failed to revert the removal of efi_get_public_key_data().
> > >
> > > Add back this function and move it under lib/efi_loader so that other
> > > platforms can utilize it. It is now declared as a weak function so that
> > > it can be replaced with a platform-specific implementation.
> > >
> > > Fixes: 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to
> > > .rodata"")
> > > Signed-off-by: AKASHI Takahiro
> > > --- > > > lib/efi_loader/efi_capsule.c | 36 ++++++++++++++++++++++++++++++++++= ++ > > > 1 file changed, 36 insertions(+) > > > > > > diff --git a/lib/efi_loader/efi_capsule.c > b/lib/efi_loader/efi_capsule.c > > > index b75e4bcba1a9..44f5da61a9be 100644 > > > --- a/lib/efi_loader/efi_capsule.c > > > +++ b/lib/efi_loader/efi_capsule.c
> > > @@ -11,15 +11,20 @@ > > > #include > > > #include > > > #include > > > +#include > > > +#include > > > #include > > > #include > > > #include > > > #include > > > +#include > > > > > > #include > > > #include > > > #include > > > > > > +DECLARE_GLOBAL_DATA_PTR; > > > + > > > const efi_guid_t efi_guid_capsule_report =3D EFI_CAPSULE_REPORT_GUID= ; > > > static const efi_guid_t efi_guid_firmware_management_capsule_id =3D > > > EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
> > > @@ -251,6 +256,37 @@ out: > > > } > > > > > > #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) > > > +int __weak efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_le= n)
> >
> > I don't think this should be weak. What other way is there of handling
> > this and why would it be platform-specific?
>
> I have a question about the current design of the capsule auth key.
> If the platform has its own key-storage, how can the platform use the
> platform specific storage? Does such platform load the key from the storage
> and generate the dtb node in the platform initialization code? (or
> device driver?)

It depends on what the capsule contains.
If the capsule contains SCP firmware or secure firmware or TAs, U-Boot may not even be allowed to see the key.
If the capsule contains U-Boot itself, it may again be outside the scope of U-Boot because that may be secure firmware that verifies the signature. We may allow U-Boot to update itself but the final say is the secure firmware that may prevent the boot.
If the capsule contains device firmware then it may depend on the device: secure device U-Boot can do anything, otherwise it is to be decided by U-Boot.
> > Thank you, > > > > > > > +{ > > > + const void *fdt_blob =3D gd->fdt_blob; > > > + const void *blob; > > > + const char *cnode_name =3D "capsule-key"; > > > + const char *snode_name =3D "signature"; > > > + int sig_node; > > > + int len; > > > + > > > + sig_node =3D fdt_subnode_offset(fdt_blob, 0, snode_name); > > > + if (sig_node < 0) { > > > + log_err("Unable to get signature node offset\n"); > > > + > > > + return -FDT_ERR_NOTFOUND; > > > + } > > > + > > > + blob =3D fdt_getprop(fdt_blob, sig_node, cnode_name, &len); > > > + > > > + if (!blob || len < 0) { > > > + log_err("Unable to get capsule-key value\n"); > > > + *pkey =3D NULL; > > > + *pkey_len =3D 0; > > > + > > > + return -FDT_ERR_NOTFOUND; > > > + } > > > + > > > + *pkey =3D (void *)blob; > > > + *pkey_len =3D len; > > > + > > > + return 0; > > > +} > > > > > > efi_status_t efi_capsule_authenticate(const void *capsule, > efi_uintn_t capsule_size, > > > void **image, efi_uintn_t > *image_size) > > > -- > > > 2.33.0 > > > > > > > Regards, > > Simon > > > > -- > Masami Hiramatsu >
-- 
François-Frédéric Ozog | *Director Business Development* T: +33.67221.6485 francois.ozog@linaro.org | Skype: ffozog
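
Review bot: In efi_get_public_key_data() the first error path (`if (sig_node < 0)`) returns without writing `*pkey` and `*pkey_len`, while the second error path sets them to NULL and 0, so a caller that does not check the return value is left with uninitialised outputs in one of the two failure cases; set both outputs at the top of the function so every exit is consistent. The check `if (!blob || len < 0)` also accepts a `capsule-key` property that is present but empty, since fdt_getprop() then returns a non-NULL pointer with `len == 0`, and the function reports success with a zero-length key; `len <= 0` would reject it here. Separately, `*pkey = (void *)blob;` casts away const on a pointer into `gd->fdt_blob`; a `const void **` out-parameter would keep callers from writing into the device tree through it. The return value is a libfdt code (`-FDT_ERR_NOTFOUND`) that also discards the actual error in `sig_node`, which deserves a line of documentation for whoever overrides the weak symbol.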