On 5/14/21 11:51 AM, AKASHI Takahiro wrote:
Heinrich,
Can you please reply to each of my replies?
Otherwise, I don't know which one of my comments/opinions you agree with
and which one not.
On Fri, May 14, 2021 at 10:45:48AM +0200, Heinrich Schuchardt wrote:
On 5/14/21 9:13 AM, AKASHI Takahiro wrote:
E.g. for IMAGE_ATTRIBUTE_IN_USE
AttributesSupported | AttributesSetting | Meaning
--------------------+-------------------+--------------------
0                   | 0                 | state is unknown
0                   | 1                 | state is unknown
1                   | 0                 | image is not in use
1                   | 1                 | image is in use
We are discussing *_REQUIRED.
Can you give me the same table for *_REQUIRED?
-Takahiro Akashi
IMAGE_ATTRIBUTE_RESET_REQUIRED
AttributesSupported | AttributesSetting | Meaning
--------------------+-------------------+--------------------
0                   | 0                 | state is unknown
0                   | 1                 | state is unknown
1                   | 0                 | reset is not needed
                    |                   | to complete upgrade
1                   | 1                 | reset is needed
                    |                   | to complete upgrade
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED
AttributesSupported | AttributesSetting | Meaning
--------------------+-------------------+--------------------
0                   | 0                 | state is unknown
0                   | 1                 | state is unknown
1                   | 0                 | signed and unsigned
                    |                   | capsules are accepted
1                   | 1                 | capsules are only
                    |                   | accepted after
                    |                   | checking the signature
So what?
This table shows there is a case where the authentication will be
skipped even if CONFIG_EFI_CAPSULE_AUTHENTICATE is on and
it is completely compliant with the UEFI specification.
No. You have to set IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED=1 if
CONFIG_EFI_CAPSULE_AUTHENTICATE=y.
Best regards
Heinrich
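
The tri-state reading of the tables above and the rule stated in the last reply, as an added example (not code from this thread or from U-Boot). The bit values are those of the UEFI specification's firmware image descriptor; attr_decode(), descriptor_auth_consistent() and the auth_built_in flag standing in for CONFIG_EFI_CAPSULE_AUTHENTICATE=y are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute bits of EFI_FIRMWARE_IMAGE_DESCRIPTOR (UEFI specification). */
#define IMAGE_ATTRIBUTE_RESET_REQUIRED          0x2ULL
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x4ULL
#define IMAGE_ATTRIBUTE_IN_USE                  0x8ULL

enum attr_state { ATTR_UNKNOWN, ATTR_CLEAR, ATTR_SET };

/* A bit in AttributesSetting only carries meaning when the same bit is
 * set in AttributesSupported; otherwise the state is unknown. */
enum attr_state attr_decode(uint64_t supported, uint64_t setting, uint64_t bit)
{
	if (!(supported & bit))
		return ATTR_UNKNOWN;
	return (setting & bit) ? ATTR_SET : ATTR_CLEAR;
}

/* Hypothetical audit helper. auth_built_in models a build with
 * CONFIG_EFI_CAPSULE_AUTHENTICATE=y; such a build must report
 * AUTHENTICATION_REQUIRED as both supported and set. */
bool descriptor_auth_consistent(bool auth_built_in, uint64_t supported,
				uint64_t setting)
{
	if (!auth_built_in)
		return true; /* the rule only constrains authenticating builds */
	return attr_decode(supported, setting,
			   IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) == ATTR_SET;
}

int main(void)
{
	/* Constructed (supported, setting) pairs, not taken from real firmware. */
	static const uint64_t samples[][2] = {
		{ 0x0, 0x4 }, /* setting bit alone: state is unknown */
		{ 0x4, 0x0 }, /* supported, clear: unsigned capsules accepted */
		{ 0x4, 0x4 }, /* supported, set: signature is checked */
	};
	static const char *names[] = { "unknown", "not required", "required" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t sup = samples[i][0], set = samples[i][1];
		printf("supported=%#llx setting=%#llx auth=%s consistent=%d\n",
		       (unsigned long long)sup, (unsigned long long)set,
		       names[attr_decode(sup, set, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED)],
		       descriptor_auth_consistent(true, sup, set));
	}
	return 0;
}
```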