On Thu, May 13, 2021 at 05:38:51PM +0900, AKASHI Takahiro wrote: > On Thu, May 13, 2021 at 05:18:36PM +0900, Masami Hiramatsu wrote: > > 2021年5月13日(木) 16:24 AKASHI Takahiro <[email protected]>: > > > > > > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree, > > > > >> > it should skip authentication too. > > > > >> > > > > >> In this case the capsule should be rejected (if > > > > >> CONFIG_EFI_CAPSULE_AUTHENTICATE=y). > > > > > > > > > >That's basically right. > > > > >But as I mentioned in my comment against Sughosh's patch, > > > > >the authentication process will be enforced only if the capsule has > > > > >an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED. > > > > > > > > > > > > > That would be a security desaster. > > > > > > The requirement that I mentioned above is clearly described > > > in UEFI specification. > > > If you think that it is a disaster, please discuss the topic > > > in UEFI Forum first. > > > > I confirmed UEFI specification, version 2.7, Section.23.1 > > the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() > > > > ----------------- > > If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then > > authentication is not required to perform the firmware image operations. > > ----------------- > > Thank you for citing this. > > > Oh, this is really crazy because deciding whether to authenticate the > > suspicious > > package or not, depends on whether the package said "please > > authenticate me" or not. :D > > Well, the attributes can been fetched with GetInfo API, but > how it is managed depends on the implementation of FMP drivers. > > As I proposed somewhere else, those attributes should be > maintained in a separate place (maybe as part of system's policy), > presumably ESRT or platform-specific internal database?
FWIW I personally don't think we should even have a config option. But even if we did it certainly must not be dictated by a hardware config. When you install distro packages you accept whatever dependencies the package has. mkeficapsule is a capsule creation and signing tool. I don't see any reason for keeping the creation and signing apart. Regards /Ilias > > -Takahiro Akashi > > > > Anyway, since this behavior follows the specification, it should be > > kept by default, > > but also IMHO, there should be a CONFIG option to enforce capsule > > authentication always. > > > > Thank you, > > > > > > > > -- > > Masami Hiramatsu
