On 5/13/21 10:18 AM, Masami Hiramatsu wrote:
2021年5月13日(木) 16:24 AKASHI Takahiro <takahiro.aka...@linaro.org>:
BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
it should skip authentication too.
In this case the capsule should be rejected (if
CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
That's basically right.
But as I mentioned in my comment against Sughosh's patch,
the authentication process will be enforced only if the capsule has
an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
That would be a security desaster.
The requirement that I mentioned above is clearly described
in UEFI specification.
If you think that it is a disaster, please discuss the topic
in UEFI Forum first.
I confirmed UEFI specification, version 2.7, Section.23.1
the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
-----------------
If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then
authentication is not required to perform the firmware image operations.
-----------------
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED bit is a property of the FMP driver.
Best regards
Heinrich
Oh, this is really crazy because deciding whether to authenticate the
suspicious
package or not, depends on whether the package said "please
authenticate me" or not. :D
Anyway, since this behavior follows the specification, it should be
kept by default,
but also IMHO, there should be a CONFIG option to enforce capsule
authentication always.
Thank you,
