Re: [PATCH v2 1/4] efi_loader: capsule: Remove the check for capsule_authentication_enabled environment variable

On 4/12/21 5:05 PM, Sughosh Ganu wrote:

The current capsule authentication code checks if the environment variable capsule_authentication_enabled is set, for authenticating the capsule. This is in addition to the check for the config symbol CONFIG_EFI_CAPSULE_AUTHENTICATE. Remove the check for the environment variable. The capsule will now be authenticated if the config symbol is set.

Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org

doc/board/emulation/qemu_capsule_update.rst mentions the environment variable. So this file needs to be updated too.

Will you provide an extra patch or update this one?

Best regards

Heinrich

---

Changes since V1:

• As pointed out by Heinrich in the review, remove the extra check of the env variable 'capsule_authentication_enabled'for authenticating the capsule. The capsule authentication will now be done based on whether the corresponding config symbol is enabled.

  board/emulation/common/qemu_capsule.c | 6 ------ lib/efi_loader/efi_firmware.c | 5 ++--- 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c index 5cb461d52b..6b8a87022a 100644 --- a/board/emulation/common/qemu_capsule.c +++ b/board/emulation/common/qemu_capsule.c @@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)

return 0; }

-bool efi_capsule_auth_enabled(void) -{

• return env_get("capsule_authentication_enabled") != NULL ?

• true : false;
  

-} diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 7a3cca2793..a1b88dbfc2 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c @@ -190,7 +190,7 @@ static efi_status_t efi_get_dfu_info( IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;

/* Check if the capsule authentication is enabled */

• if (env_get("capsule_authentication_enabled"))
  

• if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE))
  image_info[0].attributes_setting |=
  	IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
  
  

@@ -421,8 +421,7 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( return EFI_EXIT(EFI_INVALID_PARAMETER);

/* Authenticate the capsule if authentication enabled */

• if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&

•    env_get("capsule_authentication_enabled")) {
  

• if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) { capsule_payload = NULL; capsule_payload_size = 0; status = efi_capsule_authenticate(image, image_size,