On Tue, 15 Feb 2022, at 13:42, Dhananjay Phadke wrote:
On 2/14/2022 3:13 PM, Patrick Williams wrote:
On Mon, Feb 14, 2022 at 11:14:53AM -0800, Dhananjay Phadke wrote:
There's a key-requirement policy already implemented [1].
[1] https://lore.kernel.org/u-boot/cover.1597643014.git.thiruan@linux.microsoft....
Board code can patch "required-policy" = none at runtime based appropriate logic.
[...]
Isn't this jumper proposal just like the TCG Physical Presence requirements? This is a software implementation and requires a particular hardware design for it to be done right, but it seems to be along the same lines.
I'm supporting idea of having control on FIT verification, just pointed that it maybe done by board code by just patching U-Boot control FDT, either the "required-policy" property at /signature or "required" property in individual key nodes.
This might separate the logic out in a way that's acceptable to Alex.
Let me poke at it.
Thanks,
Andrew