On Thu, 13 May 2021 at 16:24, AKASHI Takahiro <takahiro.aka...@linaro.org> wrote:
> > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
> > >> > it should skip authentication too.
> > >>
> > >> In this case the capsule should be rejected (if
> > >> CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
> > >
> > > That's basically right.
> > > But as I mentioned in my comment against Sughosh's patch,
> > > the authentication process will be enforced only if the capsule has
> > > an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
> > >
> >
> > That would be a security disaster.
>
> The requirement that I mentioned above is clearly described
> in UEFI specification.
> If you think that it is a disaster, please discuss the topic
> in UEFI Forum first.

I confirmed UEFI specification, version 2.7, Section 23.1, the last of
EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo():

-----------------
If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
authentication is not required to perform the firmware image operations.
-----------------

Oh, this is really crazy, because deciding whether to authenticate the
suspicious package or not depends on whether the package said "please
authenticate me" or not. :D

Anyway, since this behavior follows the specification, it should be kept
by default, but also IMHO, there should be a CONFIG option to enforce
capsule authentication always.

Thank you,

-- 
Masami Hiramatsu
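The policy decision the thread argues about, written out as an added example (not U-Boot code and not from the mail): the spec rule from GetImageInfo(), the "enforce always" knob Masami proposes, and the "missing ESL means reject, not skip" point from the quoted reply. `capsule_auth_policy`, `enforce_always` and the verdict enum are hypothetical names; the attribute bit value is the one defined in the UEFI specification.

```c
#include <stdbool.h>
#include <stdint.h>

/* Attribute bit reported by EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
 * (value as defined in the UEFI specification). */
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x0000000000000004ULL

enum capsule_verdict {
	CAPSULE_ACCEPT_UNAUTHENTICATED, /* spec allows skipping the check */
	CAPSULE_VERIFY_SIGNATURE,       /* a signature must be present and verified */
	CAPSULE_REJECT,                 /* authentication required but impossible */
};

/*
 * Hypothetical policy helper. attrs_supported / attrs_setting mirror the
 * AttributesSupported / AttributesSetting fields of GetImageInfo().
 * enforce_always models the proposed CONFIG option that ignores the
 * attribute and always demands authentication. have_signature says whether
 * the capsule carries an authentication header; cert_present says whether a
 * trust anchor (e.g. an ESL in the device tree) was found.
 */
enum capsule_verdict capsule_auth_policy(uint64_t attrs_supported,
					 uint64_t attrs_setting,
					 bool enforce_always,
					 bool have_signature,
					 bool cert_present)
{
	bool attr_supported = attrs_supported & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
	bool attr_set = attrs_setting & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;

	/* UEFI 2.7, 23.1: "supported and clear" means authentication is not
	 * required. Any other combination is treated conservatively here as
	 * requiring it (an assumption of this example, not spec text). */
	bool spec_requires_auth = !(attr_supported && !attr_set);
	bool must_auth = spec_requires_auth || enforce_always;

	if (!must_auth)
		return CAPSULE_ACCEPT_UNAUTHENTICATED;

	/* Once authentication is required, a missing trust anchor or a
	 * missing signature is a rejection, never a silent skip. */
	if (!cert_present || !have_signature)
		return CAPSULE_REJECT;

	return CAPSULE_VERIFY_SIGNATURE;
}
```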
> > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree, > > >> > it should skip authentication too. > > >> > > >> In this case the capsule should be rejected (if > > >> CONFIG_EFI_CAPSULE_AUTHENTICATE=y). > > > > > >That's basically right. > > >But as I mentioned in my comment against Sughosh's patch, > > >the authentication process will be enforced only if the capsule has > > >an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED. > > > > > > > That would be a security desaster. > > The requirement that I mentioned above is clearly described > in UEFI specification. > If you think that it is a disaster, please discuss the topic > in UEFI Forum first. I confirmed UEFI specification, version 2.7, Section.23.1 the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() ----------------- If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then authentication is not required to perform the firmware image operations. ----------------- Oh, this is really crazy because deciding whether to authenticate the suspicious package or not, depends on whether the package said "please authenticate me" or not. :D Anyway, since this behavior follows the specification, it should be kept by default, but also IMHO, there should be a CONFIG option to enforce capsule authentication always. Thank you, -- Masami Hiramatsu