Heinrich,
Can you please reply to each of my replies? Otherwise, I don't know which one of my comments/opinions you agree to and which one not.
On Fri, May 14, 2021 at 10:45:48AM +0200, Heinrich Schuchardt wrote:
On 5/14/21 9:13 AM, AKASHI Takahiro wrote:
E.g for IMAGE_ATTRIBUTE_IN_USE
AttributesSupported | AttributesSetting | Meaning --------------------+-------------------+-------------------- 0 | 0 | state is unknown 0 | 1 | state is unknown 1 | 0 | image is not in use 1 | 1 | image is in use
We are discussing *_REQUIRED. Can you give me the same table for *_REQUIRED?
-Takahiro Akashi
IMAGE_ATTRIBUTE_RESET_REQUIRED
AttributesSupported | AttributesSetting | Meaning --------------------+-------------------+-------------------- 0 | 0 | state is unknown 0 | 1 | state is unknown 1 | 0 | reset is not needed | | to complete upgrade 1 | 1 | reset is needed | | to complete upgrade
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED
AttributesSupported | AttributesSetting | Meaning --------------------+-------------------+-------------------- 0 | 0 | state is unknown 0 | 1 | state is unknown 1 | 0 | signed and unsigned | | capsules are accepted 1 | 1 | capsules are only | | accepted after | | checking the signature
So what? This table shows there is a case where the authentication will be skipped even if CONFIG_EFI_CAPSULE_AUTHETICATE is on and it is completely compliant with UEFI specification.
That is what I and Masami was discussing.
But as I mentioned in my comment against Sughosh's patch, the authentication process will be enforced only if the capsule has an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
That would be a security desaster.
So I said that you should discuss the topic in UEFI forum first if you think so.
-Takahiro Akashi
For both bits AttributesSupported=0 does not make much sense.
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is a property of the current image and should only be deleted by installing a new capsule.
A vendor might send you a special firmware image for unlocking your device after registering as a developer. Xiaomi handled it like this for one of my routers.
Best regards
Heinrich