On Thu, May 13, 2021 at 05:18:36PM +0900, Masami Hiramatsu wrote: > 2021年5月13日(木) 16:24 AKASHI Takahiro <[email protected]>: > > > > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree, > > > >> > it should skip authentication too. > > > >> > > > >> In this case the capsule should be rejected (if > > > >> CONFIG_EFI_CAPSULE_AUTHENTICATE=y). > > > > > > > >That's basically right. > > > >But as I mentioned in my comment against Sughosh's patch, > > > >the authentication process will be enforced only if the capsule has > > > >an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED. > > > > > > > > > > That would be a security desaster. > > > > The requirement that I mentioned above is clearly described > > in UEFI specification. > > If you think that it is a disaster, please discuss the topic > > in UEFI Forum first. > > I confirmed UEFI specification, version 2.7, Section.23.1 > the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() > > ----------------- > If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then > authentication is not required to perform the firmware image operations. > -----------------
Thank you for citing this. > Oh, this is really crazy because deciding whether to authenticate the > suspicious > package or not, depends on whether the package said "please > authenticate me" or not. :D Well, the attributes can been fetched with GetInfo API, but how it is managed depends on the implementation of FMP drivers. As I proposed somewhere else, those attributes should be maintained in a separate place (maybe as part of system's policy), presumably ESRT or platform-specific internal database? -Takahiro Akashi > Anyway, since this behavior follows the specification, it should be > kept by default, > but also IMHO, there should be a CONFIG option to enforce capsule > authentication always. > > Thank you, > > > > -- > Masami Hiramatsu
