On Thu, 22 Jun 2023 at 16:21, Ilias Apalodimas <ilias.apalodi...@linaro.org> wrote: > > Hi Kojima-san > > On Thu, 22 Jun 2023 at 08:51, Masahisa Kojima > <masahisa.koj...@linaro.org> wrote: > > > > To enforce anti-rollback to any older version, dtb must be > > always update manually. This should be described in the > > documentation. > > > > This commit also adds the recommendation that secure system should not > > enable the fdt command because lowest-supported-version > > property in device tree can be changed by fdt command. > > > > Signed-off-by: Masahisa Kojima <masahisa.koj...@linaro.org> > > --- > > doc/develop/uefi/uefi.rst | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > index ffd13cebe9..7407f178f5 100644 > > --- a/doc/develop/uefi/uefi.rst > > +++ b/doc/develop/uefi/uefi.rst > > @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, > > the update will fail. > > When the --fw-version in the capsule file is updated, > > lowest-supported-version > > in the dtb might be updated accordingly. > > > > +If user needs to enroce anti-rollback to any older version, > > enforce* > > > +the lowest-supported-version property in dtb must be always updated > > manually. > > + > > +Note that the lowest-supported-version property specified in U-Boot's > > control > > +device tree can be changed by U-Boot fdt command. > > +Secure systems should not enable this command. > > + > > Other than than > Reviewed-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
Thank you for pointing out the typo. I will fix and send v3 soon. Thanks, Masahisa Kojima > > > To insert the lowest supported version into a dtb > > > > .. code-block:: console > > -- > > 2.34.1 > >
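Review bot: In the added uefi.rst paragraph, "Secure systems should not enable this command" leaves the reader to work out which build option is meant; name the configuration option that enables the fdt command so the advice can be applied directly. The sentence before it would read better as "If the user needs to enforce anti-rollback to any older version, the lowest-supported-version property in the dtb must always be updated manually". The unchanged context line above says the property "might be updated accordingly", so if the intent is that a capsule update never changes the property by itself, the new text should say so explicitly rather than leave the two sentences to be reconciled by the reader.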