>> Please can someone describe the format of the file needed for the default /
>> built-in EFI secure boot keys (ubootefi.var)
>>
>> The only docs I have found suggest its best to enroll the keys from within
>> u-boot onto some removable media, then copy this off and use this as the
>> default, this is not very helpful and doesn't work for me:
>>
>> => fatload mmc 0:1 ${loadaddr} PK.aut
>> 2053 bytes read in 18 ms (111.3 KiB/s)
>> => setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK
>> setenv - set environment variables
>>
>> Usage:
>> setenv setenv [-f] name value ...
>> - [forcibly] set environment variable 'name' to 'value ...'
>> setenv [-f] name
>> - [forcibly] delete environment variable 'name'
>>
>> my setenv doesn't support all the extra switches ? This is with 2022.04, all
>> other EFI options seem to be in this release and I can boot unsigned EFI
>> images ok.
>
>Please turn on CONFIG_CMD_NVEDIT_EFI when building your U-Boot.
>
>This option was disabled by the commit:
> commit 3b728f8728fa (tag: efi-2020-01-rc1)
> Author: Heinrich Schuchardt <xypron.g...@gmx.de>
> Date: Sun Oct 6 15:44:22 2019 +0200
>
> cmd: disable CMD_NVEDIT_EFI by default
>
>The binary size of efi has grown much since in the past, though.
>
>-Takahiro Akashi
Thanks, I have secure boot working now. A tool to generate the ubootefi.var
offline or even just a description of the file format would be very useful. I
have noticed one issue when using ubootefi.var on mmc, when I switch boot order
it wipes out the keys and I have to re-enrol them:
=> fatls mmc 0:1
3040 ubootefi.var
1 file(s), 0 dir(s)
=> efidebug boot order 2 1
=> fatls mmc 0:1
440 ubootefi.var
(Size drops from 3040 to 440 bytes and keys have gone)
________________________________
From: AKASHI Takahiro <takahiro.aka...@linaro.org>
Sent: 29 June 2023 02:01
To: Neil Jones <neil.jo...@blaize.com>
Cc: u-boot@lists.denx.de <u-boot@lists.denx.de>
Subject: Re: EFI Secure boot default keys
On Wed, Jun 28, 2023 at 04:26:58PM +0000, Neil Jones wrote:
> Please can someone describe the format of the file needed for the default /
> built-in EFI secure boot keys (ubootefi.var)
>
> The only docs I have found suggest its best to enroll the keys from within
> u-boot onto some removable media, then copy this off and use this as the
> default, this is not very helpful and doesn't work for me:
>
> => fatload mmc 0:1 ${loadaddr} PK.aut
> 2053 bytes read in 18 ms (111.3 KiB/s)
> => setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK
> setenv - set environment variables
>
> Usage:
> setenv setenv [-f] name value ...
> - [forcibly] set environment variable 'name' to 'value ...'
> setenv [-f] name
> - [forcibly] delete environment variable 'name'
>
> my setenv doesn't support all the extra switches ? This is with 2022.04, all
> other EFI options seem to be in this release and I can boot unsigned EFI
> images ok.
Please turn on CONFIG_CMD_NVEDIT_EFI when building your U-Boot.
This option was disabled by the commit:
commit 3b728f8728fa (tag: efi-2020-01-rc1)
Author: Heinrich Schuchardt <xypron.g...@gmx.de>
Date: Sun Oct 6 15:44:22 2019 +0200
cmd: disable CMD_NVEDIT_EFI by default
The binary size of efi has grown much since in the past, though.
-Takahiro Akashi
> Cheers,
>
> Neil
>
>
>
