Hi Kojima-san On Thu, 22 Jun 2023 at 08:51, Masahisa Kojima <[email protected]> wrote: > > To enforce anti-rollback to any older version, dtb must be > always update manually. This should be described in the > documentation. > > This commit also adds the recommendation that secure system should not > enable the fdt command because lowest-supported-version > property in device tree can be changed by fdt command. > > Signed-off-by: Masahisa Kojima <[email protected]> > --- > doc/develop/uefi/uefi.rst | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > index ffd13cebe9..7407f178f5 100644 > --- a/doc/develop/uefi/uefi.rst > +++ b/doc/develop/uefi/uefi.rst > @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the > update will fail. > When the --fw-version in the capsule file is updated, > lowest-supported-version > in the dtb might be updated accordingly. > > +If user needs to enroce anti-rollback to any older version,
enforce* > +the lowest-supported-version property in dtb must be always updated manually. > + > +Note that the lowest-supported-version property specified in U-Boot's control > +device tree can be changed by U-Boot fdt command. > +Secure systems should not enable this command. > + Other than that, Reviewed-by: Ilias Apalodimas <[email protected]> > To insert the lowest supported version into a dtb > > .. code-block:: console > -- > 2.34.1 >
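Review bot: The added paragraph tells readers to disable "this command" but never names what to turn off, and it does not say why the fdt command matters for anti-rollback; the last two added lines should state both. Suggested wording: "Note that the lowest-supported-version property in U-Boot's control device tree can be rewritten at the U-Boot prompt with the fdt command, which lets anyone with console access lower the threshold and defeat the anti-rollback check. Secure systems should therefore build without the fdt command (CONFIG_CMD_FDT)." Minor grammar in the same hunk: "If user needs to enroce" should read "If the user needs to enforce", and "must be always updated manually" reads better as "must always be updated manually".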

