On Thu, May 13, 2021 at 08:25:56PM +0200, Heinrich Schuchardt wrote:
On 5/13/21 10:18 AM, Masami Hiramatsu wrote:
2021年5月13日(木) 16:24 AKASHI Takahiro takahiro.akashi@linaro.org:
> BTW, IMHO, if u-boot.bin can not find the ESL in the device tree, > it should skip authentication too.
In this case the capsule should be rejected (if CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
That's basically right. But as I mentioned in my comment against Sughosh's patch, the authentication process will be enforced only if the capsule has an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
That would be a security desaster.
The requirement that I mentioned above is clearly described in UEFI specification. If you think that it is a disaster, please discuss the topic in UEFI Forum first.
I confirmed UEFI specification, version 2.7, Section.23.1 the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then authentication is not required to perform the firmware image operations.
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED bit is a property of the FMP driver.
Yes, it is. But if the attribute is not changeable at all, why do we need this flag? Why does a "firmware image descriptor" hold two distinct member fields, "AttributesSupported" and "AttributesSetting"? What does "Setting" mean? Who sets what, and when?
-Takahiro Akashi
Best regards
Heinrich
Oh, this is really crazy because deciding whether to authenticate the suspicious package or not, depends on whether the package said "please authenticate me" or not. :D
Anyway, since this behavior follows the specification, it should be kept by default, but also IMHO, there should be a CONFIG option to enforce capsule authentication always.
Thank you,