When implementing secure boot the database with the certificates must be stored in tamper-resistant storage. This implies it cannot be read from a file on the EFI system partition.
We already have the possibility to provide UEFI variables built into U-Boot via CONFIG_EFI_VAR_SEED_FILE. If TF-A validates BL33 alias U-Boot, this seems adequate for secure boot.
With the patch series reading or changing the certificate database is disabled. Furthermore the variable AuditMode and DeployedMode cannot be read from file.
The series has been split of [PATCH v2 0/6] efi_loader: fix secure boot mode transitions https://lists.denx.de/pipermail/u-boot/2021-August/459054.html because the implementation of Secure Boot mode transitions need more thought.
Heinrich Schuchardt (3): efi_loader: don't load signature database from file efi_loader: efi_auth_var_type for AuditMode, DeployedMode efi_loader: correct determination of secure boot state
include/efi_variable.h | 6 ++++- lib/efi_loader/efi_var_common.c | 43 +++++++++++++++++++++++++-------- lib/efi_loader/efi_var_file.c | 41 +++++++++++++++++++------------ lib/efi_loader/efi_variable.c | 6 ++--- 4 files changed, 66 insertions(+), 30 deletions(-)