
On 11/4/21 04:11, Rover Mo wrote:
> Dear Heinrich,
>
> Thanks for your comments.
>
>> How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default?
>
> I think yes. I will update the relation to
> "default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT", and add
> "!EFI_SECURE_BOOT" into LEGACY_IMAGE_FORMAT.
>
>>> It is enabled by default for backward compatibility, unless
>>
>> Backwards relative to UEFI?
>
> No.
> This description is from CONFIG_LEGACY_IMAGE_FORMAT.
>
>     config LEGACY_IMAGE_FORMAT
>         bool "Enable support for the legacy image format"
>         default y if !FIT_SIGNATURE
>         help
>           This option enables the legacy image format. It is enabled by
>           default for backward compatibility, unless FIT_SIGNATURE is set
>           where it is disabled so that unsigned images cannot be loaded.
>           If a board needs the legacy image format support in this case,
>           enable it here.
>
> In my understanding, this backward compatibility is to support both
> secure boot and non-secure boot when necessary.
>
>> This focuses very much on default values. How about:
>>
>> "The booti command is used for launching unsigned AArch64 and RISC-V
>> Linux kernel images. If you want to have secure boot either via signed
>> FIT images or via signed UEFI images, this option should be disabled."
>
> I agree, this description is more comprehensive.
> So I want to update the commit title to "boot: don't enable the
> non-secure boot commands by default if secure boot enabled".
>
>> Why AArch64 and not RISC-V?
>
> The help information of CMD_BOOTI only mentions AArch64, so I followed it.
> Should I update it as follows?
>
> - Boot an AArch64 Linux Kernel image from memory.
> + Boot an AArch64/RISC-V Linux Kernel image from memory.

Yes, please.

Best regards

Heinrich
Best regards, Rover At 2021-11-04 02:24:34, "Heinrich Schuchardt" <xypron.glpk@gmx.de> wrote: >On 11/3/21 08:44, Rover Mo wrote: >> To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT, > >nits: >%s/boot/booting/ > >> don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if >> CONFIG_FIT_SIGNATURE is enabled. > >Disabling the booti and the bootz command does not stop you from booting >unsigned images, e.g. using the bootefi command. > >> >> Signed-off-by: Yuezhang.Mo <myzmzz@126.com> >> --- >> cmd/Kconfig | 11 ++++++++++- >> 1 file changed, 10 insertions(+), 1 deletion(-) >> >> diff --git a/cmd/Kconfig b/cmd/Kconfig >> index 5b30b13e43..5f9dd91928 100644 >> --- a/cmd/Kconfig >> +++ b/cmd/Kconfig 
>> @@ -203,15 +203,24 @@ config BOOTM_EFI >> >> config CMD_BOOTZ >> bool "bootz" >> + default y if !FIT_SIGNATURE >> help >> Boot the Linux zImage >> + It is enabled by default for backward compatibility, unless >> + FIT_SIGNATURE is set where it is disabled so that unsigned images >> + cannot be loaded. If a board needs to boot a Linux zImage in this >> + case, enable it here. >> >> config CMD_BOOTI >> bool "booti" >> depends on ARM64 || RISCV >> - default y >> + default y if !FIT_SIGNATURE > >How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default? > >> help >> Boot an AArch64 Linux Kernel image from memory. >> + It is enabled by default for backward compatibility, unless > >Backwards relative to UEFI? > >This focuses very much on default values. How about: > >"The booti command is used for launching unsigned AArch64 and RISC-V >Linux kernel images. If you want to have secure boot either via signed >FIT images or via signed UEFI images, this option should be disabled." > >> + FIT_SIGNATURE is set where it is disabled so that unsigned images >> + cannot be loaded. If a board needs to boot an AArch64 Linux Kernel > >Why AArch64 and not RISC-V? > >Who needs all those lines. > >Best regards > >Heinrich > >> + image in this case, enable it here. >> >> config BOOTM_LINUX >> bool "Support booting Linux OS images" >>
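Review bot: the `+ default y if !FIT_SIGNATURE` line under CMD_BOOTZ has no matching `-` line, so bootz goes from default-off to default-on for every configuration without FIT_SIGNATURE; that is the opposite of what the commit title ("don't enable ... by default") describes, and the title also names CONFIG_CMD_BOOTI twice where the second should read CONFIG_CMD_BOOTZ. Either drop the added default for CMD_BOOTZ, so the change only restricts the existing `default y` of CMD_BOOTI as the booti part of the hunk does, or state in the commit message that bootz is now enabled by default. The added help text for both options also ties the default only to FIT_SIGNATURE; as the reply notes, bootefi still launches unsigned images unless EFI_SECURE_BOOT is set, so the condition should cover `!EFI_SECURE_BOOT` as well and the help text should say so.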
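A consistency check for a built `.config`, added here as an example and not code from the thread or from U-Boot: it flags the combinations the discussion warns about, namely an image-signing option (CONFIG_FIT_SIGNATURE or CONFIG_EFI_SECURE_BOOT) enabled alongside the unsigned-image paths (CONFIG_LEGACY_IMAGE_FORMAT, CONFIG_CMD_BOOTZ, CONFIG_CMD_BOOTI), and CONFIG_CMD_BOOTEFI enabled without CONFIG_EFI_SECURE_BOOT while FIT signing is on. The symbol names are U-Boot's; which combinations count as findings, and the function names, are this example's own assumptions. Kconfig defaults only set the starting value and a board's defconfig can re-enable these commands, which is why the script checks the final `.config` rather than the Kconfig text.

```shell
#!/bin/sh
# Added example, not from the thread or the U-Boot tree: audit a built
# U-Boot .config for boot paths that accept unsigned images while a
# signature mechanism is enabled. Symbol names are U-Boot's; which
# combinations count as findings is this script's own assumption.

# is_set FILE SYMBOL: true if the line "CONFIG_SYMBOL=y" is in FILE.
is_set() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# check_uboot_config FILE
# Prints one line per finding, stores the count in UBOOT_CHECK_FINDINGS,
# and returns 0 when the configuration is consistent, 1 otherwise.
check_uboot_config() {
    cfg=$1
    UBOOT_CHECK_FINDINGS=0

    # Nothing to enforce unless some signature mechanism is on.
    if ! is_set "$cfg" FIT_SIGNATURE && ! is_set "$cfg" EFI_SECURE_BOOT; then
        return 0
    fi

    # Legacy uImage support and the bootz/booti commands load images that
    # no signature covers, so they undermine FIT or UEFI secure boot.
    for sym in LEGACY_IMAGE_FORMAT CMD_BOOTZ CMD_BOOTI; do
        if is_set "$cfg" "$sym"; then
            echo "$cfg: CONFIG_$sym=y while image signing is enabled (unsigned image path)"
            UBOOT_CHECK_FINDINGS=$((UBOOT_CHECK_FINDINGS + 1))
        fi
    done

    # Disabling booti/bootz does not cover bootefi: with FIT signing on but
    # EFI_SECURE_BOOT off, the UEFI path still launches unverified images.
    if is_set "$cfg" CMD_BOOTEFI && ! is_set "$cfg" EFI_SECURE_BOOT; then
        echo "$cfg: CONFIG_CMD_BOOTEFI=y without CONFIG_EFI_SECURE_BOOT (bootefi bypasses FIT signing)"
        UBOOT_CHECK_FINDINGS=$((UBOOT_CHECK_FINDINGS + 1))
    fi

    [ "$UBOOT_CHECK_FINDINGS" -eq 0 ]
}

# Run directly as: sh check_uboot_config.sh path/to/.config
if [ "$#" -eq 1 ]; then
    check_uboot_config "$1"
fi
```

The exit status makes the script usable as a CI gate on a board build: a non-zero return means at least one unsigned-image path is still reachable on a configuration that claims to enforce signatures.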