2021年5月13日(木) 16:24 AKASHI Takahiro takahiro.akashi@linaro.org:
BTW, IMHO, if u-boot.bin can not find the ESL in the device tree, it should skip authentication too.
In this case the capsule should be rejected (if CONFIG_EFI_CAPSULE_AUTHENTICATE=y).
That's basically right. But as I mentioned in my comment against Sughosh's patch, the authentication process will be enforced only if the capsule has an attribute, IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED.
That would be a security desaster.
The requirement that I mentioned above is clearly described in UEFI specification. If you think that it is a disaster, please discuss the topic in UEFI Forum first.
I confirmed UEFI specification, version 2.7, Section.23.1 the last of EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo()
----------------- If IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED is supported and clear, then authentication is not required to perform the firmware image operations. -----------------
Oh, this is really crazy because deciding whether to authenticate the suspicious package or not, depends on whether the package said "please authenticate me" or not. :D
Anyway, since this behavior follows the specification, it should be kept by default, but also IMHO, there should be a CONFIG option to enforce capsule authentication always.
Thank you,