>> Please can someone describe the format of the file needed for the default / >> built-in EFI secure boot keys (ubootefi.var) >> >> The only docs I have found suggest its best to enroll the keys from within >> u-boot onto some removable media, then copy this off and use this as the >> default, this is not very helpful and doesn't work for me: >> >> => fatload mmc 0:1 ${loadaddr} PK.aut >> 2053 bytes read in 18 ms (111.3 KiB/s) >> => setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK >> setenv - set environment variables >> >> Usage: >> setenv setenv [-f] name value ... >> - [forcibly] set environment variable 'name' to 'value ...' >> setenv [-f] name >> - [forcibly] delete environment variable 'name' >> >> my setenv doesn't support all the extra switches ? This is with 2022.04, all >> other EFI options seem to be in this release and I can boot unsigned EFI >> images ok. > >Please turn on CONFIG_CMD_NVEDIT_EFI when building your U-Boot. > >This option was disabled by the commit: > commit 3b728f8728fa (tag: efi-2020-01-rc1) > Author: Heinrich Schuchardt <xypron.g...@gmx.de> > Date: Sun Oct 6 15:44:22 2019 +0200 > > cmd: disable CMD_NVEDIT_EFI by default > >The binary size of efi has grown much since in the past, though. > >-Takahiro Akashi
Thanks, I have secure boot working now. A tool to generate the ubootefi.var offline or even just a description of the file format would be very useful. I have noticed one issue when using ubootefi.var on mmc, when I switch boot order it wipes out the keys and I have to re-enrol them: => fatls mmc 0:1 3040 ubootefi.var 1 file(s), 0 dir(s) => efidebug boot order 2 1 => fatls mmc 0:1 440 ubootefi.var (Size drops from 3040 to 440 bytes and keys have gone) ________________________________ From: AKASHI Takahiro <takahiro.aka...@linaro.org> Sent: 29 June 2023 02:01 To: Neil Jones <neil.jo...@blaize.com> Cc: u-boot@lists.denx.de <u-boot@lists.denx.de> Subject: Re: EFI Secure boot default keys On Wed, Jun 28, 2023 at 04:26:58PM +0000, Neil Jones wrote: > Please can someone describe the format of the file needed for the default / > built-in EFI secure boot keys (ubootefi.var) > > The only docs I have found suggest its best to enroll the keys from within > u-boot onto some removable media, then copy this off and use this as the > default, this is not very helpful and doesn't work for me: > > => fatload mmc 0:1 ${loadaddr} PK.aut > 2053 bytes read in 18 ms (111.3 KiB/s) > => setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK > setenv - set environment variables > > Usage: > setenv setenv [-f] name value ... > - [forcibly] set environment variable 'name' to 'value ...' > setenv [-f] name > - [forcibly] delete environment variable 'name' > > my setenv doesn't support all the extra switches ? This is with 2022.04, all > other EFI options seem to be in this release and I can boot unsigned EFI > images ok. Please turn on CONFIG_CMD_NVEDIT_EFI when building your U-Boot. This option was disabled by the commit: commit 3b728f8728fa (tag: efi-2020-01-rc1) Author: Heinrich Schuchardt <xypron.g...@gmx.de> Date: Sun Oct 6 15:44:22 2019 +0200 cmd: disable CMD_NVEDIT_EFI by default The binary size of efi has grown much since in the past, though. -Takahiro Akashi > Cheers, > > Neil > > >