Hi Ilias,
On Fri, 2 Dec 2022 at 16:17, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
On Fri, Dec 02, 2022 at 01:59:37PM +0900, Masahisa Kojima wrote:
This commits add the description for the UEFI Secure Boot Configuration through the eficonfig menu.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
No update since v2
Newly created in v2
doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)
diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst index 340ebc80db..67c859964f 100644 --- a/doc/usage/cmd/eficonfig.rst +++ b/doc/usage/cmd/eficonfig.rst @@ -31,6 +31,9 @@ Change Boot Order Delete Boot Option Delete the UEFI Boot Option
+Secure Boot Configuration
- Edit UEFI Secure Boot Configuration
Configuration
@@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: CONFIG_USE_PREBOOT=y CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig"
+UEFI specification requires that UEFI Secure Boot Configuration (especially +for PK and KEK) is stored in non-volatile storage which is tamper resident.
s/resident/resistant
Thank you for pointing out the typo.
+CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot.
Can we be a bit more clear here. Something along the lines of "The only way U-Boot can currently store EFI variables on a tamper resistant medium is via OP-TEE. The Kconfig option that enables that is CONFIG_EFI_MM_COMM_TEE and ends up storing EFI variables on an RPMB partition of an eMMC"
OK, it is clearer.
+UEFI Secure Boot Configuration menu entry is enabled when the following +options are enabled::
- CONFIG_EFI_SECURE_BOOT=y
- CONFIG_EFI_MM_COMM_TEE=y
How to boot the system with newly added UEFI Boot Option ''''''''''''''''''''''''''''''''''''''''''''''''''''''''
@@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry::
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"+UEFI Secure Boot Configuration +''''''''''''''''''''''''''''''
+User can enroll PK, KEK, db and dbx by selecting file.
selecting a file
OK.
Thanks, Masahisa Kojima
+"eficonfig" command only accepts the signed EFI Signature List(s) +with an authenticated header, typically ".auth" file. +To clear the PK, KEK, db and dbx, user needs to enroll the null key +signed by PK or KEK.
See also
- :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with different boot items
-- 2.17.1
Thanks /Ilias