Hi Heinrich,

On Sat, 15 May 2021 at 11:03, Heinrich Schuchardt <xypron.g...@gmx.de> wrote:
>
> On 5/14/21 3:09 PM, Masami Hiramatsu wrote:
> > Hi all,
> >
> > I think it's time to summarize the topics on this thread.
> >
> > 1. tools/mkeficapsule, config options dependency
> >  - The tools, especially useful and distributable tools like
> > mkeficapsule, should not be changed by the target board configuration.
> >  - Since there are target boards which don't need capsule
> > authentication, it should be configurable. That can also optimize the
> > library dependency.
>
> Thank you for providing this summary.
>
> You described that the tool shall not depend on the target board
> configuration. Your sentence starting with "Since" contradicts this.
Ah, sorry for the confusion. Each bullet shows a different opinion on the topic.

> As Ilias pointed out, all Linux distributions come with an OpenSSL
> package. The library dependency is nothing to worry about.

OK, so this is for topic #1.

> Capsule updates without authentication do not make much sense in a
> world full of attacks.

And this is for topic #1 and maybe related to #4?

> Hence, a configuration switch for the tool is not needed.

Thanks for clarifying your opinion!

> Best regards
>
> Heinrich
>
> >
> > 2. tools/mkeficapsule, revert -K/-D options
> >  - Since these options are for embedding a public key in the
> > devicetree, that is not related to the capsule file. Also, the same
> > feature can be provided by a simple shell script.
> >
> > 3. capsule authentication, key embedding method
> >  - Embedding the key in the devicetree is too fragile; especially, the
> > document says to overwrite a new device tree including the key with the fdt
> > command. That is not for a product, only for a proof of concept.
> >  - Such a key should be embedded in U-Boot, or in hardware secure
> > storage, so that the user can not change it.
> > (BTW, I think there are more options, like embedding keys in SCP
> > firmware, TF-A, or OP-TEE, outside of U-Boot)
> >
> > 4. capsule authentication, authentication enablement
> >  - The UEFI spec says IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED can be
> > supported but cleared (for the currently running firmware). This means
> > it is possible that the authentication feature is supported, but not
> > enabled.
> >  - For ensuring security, if U-Boot is compiled with
> > CONFIG_EFI_CAPSULE_AUTHENTICATE=y,
> > IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED must always be set.
> >
> > Are there any other topics on this thread? And any other comments on
> > these topics?
> >
> > Thank you,

-- 
Masami Hiramatsu
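An added illustration of topic 4 above (this is not code from the thread or from U-Boot): the UEFI Firmware Management Protocol reports two attribute words per image, AttributesSupported and AttributesSetting, and IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED (bit value 0x4 in the spec) may be set in the first but cleared in the second. The model below shows why that state is the weak one and what "always set when built with authentication" looks like as a check. The struct name image_attrs and the functions fw_image_attrs, sample_weak_attrs, auth_supported_but_cleared and capsule_update_allowed are hypothetical names chosen for this example; the sample descriptors are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute bits of EFI_FIRMWARE_IMAGE_DESCRIPTOR (UEFI spec, Firmware
 * Management Protocol). The bit values are the spec's. */
#define IMAGE_ATTRIBUTE_IMAGE_UPDATABLE         0x1ULL
#define IMAGE_ATTRIBUTE_RESET_REQUIRED          0x2ULL
#define IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED 0x4ULL

/* The two attribute words GetImageInfo() reports for one image
 * (hypothetical minimal model for this example, not U-Boot's struct). */
struct image_attrs {
    uint64_t supported;  /* AttributesSupported */
    uint64_t setting;    /* AttributesSetting */
};

/* Hypothetical helper: derive the running firmware's attribute words from
 * the build-time switch. When built with capsule authentication, the
 * AUTHENTICATION_REQUIRED bit is set in BOTH words, so the firmware never
 * advertises "supported but cleared". */
struct image_attrs fw_image_attrs(bool built_with_auth)
{
    struct image_attrs a = {
        .supported = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | IMAGE_ATTRIBUTE_RESET_REQUIRED,
        .setting   = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | IMAGE_ATTRIBUTE_RESET_REQUIRED,
    };
    if (built_with_auth) {
        a.supported |= IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
        a.setting   |= IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
    }
    return a;
}

/* Constructed descriptor in the state the spec permits but the thread
 * argues against: authentication supported, yet not enabled. */
struct image_attrs sample_weak_attrs(void)
{
    struct image_attrs a = {
        .supported = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | IMAGE_ATTRIBUTE_RESET_REQUIRED
                   | IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED,
        .setting   = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | IMAGE_ATTRIBUTE_RESET_REQUIRED,
    };
    return a;
}

/* Consistency check that a unit test or the firmware's own init could run:
 * true when authentication is advertised as supported but reported disabled. */
bool auth_supported_but_cleared(struct image_attrs a)
{
    bool supported = (a.supported & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) != 0;
    bool enabled   = (a.setting   & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED) != 0;
    return supported && !enabled;
}

/* Hypothetical gate on the capsule update path. Only the SETTING word is
 * consulted, which is why "supported but cleared" matters: it lets an
 * unsigned capsule through even though the code to verify it is present. */
bool capsule_update_allowed(struct image_attrs a, bool signature_verified)
{
    if (a.setting & IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED)
        return signature_verified;
    return true;  /* no authentication demanded: unsigned capsule accepted */
}

int main(void)
{
    struct image_attrs strict = fw_image_attrs(true);
    struct image_attrs weak   = sample_weak_attrs();

    printf("built with auth:       inconsistent=%d unsigned capsule accepted=%d\n",
           auth_supported_but_cleared(strict), capsule_update_allowed(strict, false));
    printf("supported but cleared: inconsistent=%d unsigned capsule accepted=%d\n",
           auth_supported_but_cleared(weak), capsule_update_allowed(weak, false));
    return 0;
}
```

The first line of output shows the state Masami asks for (built with authentication, bit set in both words, unsigned capsule rejected); the second shows the state the spec tolerates, where the check flags the descriptor as inconsistent and the update gate accepts an unsigned capsule.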