[PATCH v2] doc: uefi: enhance anti-rollback documentation

To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
This commit also adds the recommendation that secure systems should not enable the fdt command, because the lowest-supported-version property in the device tree can be changed by the fdt command.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
---
 doc/develop/uefi/uefi.rst | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..7407f178f5 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually. + +Note that the lowest-supported-version property specified in U-Boot's control +device tree can be changed by U-Boot fdt command. +Secure systems should not enable this command. + To insert the lowest supported version into a dtb
.. code-block:: console

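As an added illustration that is not part of this patch or of U-Boot's own code, the following Python script models the acceptance rule described in the hunk's context (a capsule whose --fw-version is below lowest-supported-version fails) and makes the point of the first added paragraph concrete: after a successful update the dtb property is not bumped for you, so every version between the stale floor and the installed one remains installable until the dtb is edited by hand. It also includes the audit check suggested by the second paragraph, a scan of a .config for CONFIG_CMD_FDT=y. The data model, function names and the .config fragments are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class FirmwareSlot:
    """Constructed model of one updatable firmware image.

    installed_version models the version currently running;
    lowest_supported_version models the dtb property of that name, which,
    as the patch states, nothing updates automatically.
    """
    installed_version: int
    lowest_supported_version: int


class UpdateRejected(Exception):
    """Raised when a capsule's --fw-version is below lowest-supported-version."""


def apply_capsule(slot: FirmwareSlot, capsule_fw_version: int) -> FirmwareSlot:
    """Model of the rule in the doc context: a capsule whose --fw-version is
    below lowest-supported-version fails; otherwise it is installed.
    The dtb property is deliberately left untouched by this step."""
    if capsule_fw_version < slot.lowest_supported_version:
        raise UpdateRejected(
            f"fw-version {capsule_fw_version} < lowest-supported-version "
            f"{slot.lowest_supported_version}")
    slot.installed_version = capsule_fw_version
    return slot


def set_lowest_supported_version(slot: FirmwareSlot, version: int) -> FirmwareSlot:
    """The manual dtb edit the patch requires. Refuse to lower the value:
    a lower floor widens the rollback window instead of closing it."""
    if version < slot.lowest_supported_version:
        raise ValueError("lowest-supported-version must never decrease")
    slot.lowest_supported_version = version
    return slot


def rollback_window(slot: FirmwareSlot) -> list[int]:
    """Versions older than the installed one that a capsule would still be
    accepted for, i.e. the rollback exposure left by a stale dtb property."""
    return list(range(slot.lowest_supported_version, slot.installed_version))


def fdt_command_enabled(dot_config: str) -> bool:
    """True if a U-Boot .config enables the fdt command (CONFIG_CMD_FDT=y),
    which the patch says secure systems should leave disabled."""
    return re.search(r"^CONFIG_CMD_FDT=y$", dot_config, re.MULTILINE) is not None


def demo() -> tuple[list[int], list[int]]:
    # Constructed starting state: version 7 is running and the dtb says 7 is the floor.
    slot = FirmwareSlot(installed_version=7, lowest_supported_version=7)
    apply_capsule(slot, 10)          # update to 10 succeeds
    before = rollback_window(slot)   # [7, 8, 9]: older capsules still accepted
    set_lowest_supported_version(slot, slot.installed_version)  # manual dtb bump
    after = rollback_window(slot)    # []: rollback to any older version now refused
    return before, after


# Constructed .config fragments for the audit check (not real build output).
SECURE_CONFIG = "CONFIG_EFI_CAPSULE_ON_DISK=y\n# CONFIG_CMD_FDT is not set\n"
DEBUG_CONFIG = "CONFIG_EFI_CAPSULE_ON_DISK=y\nCONFIG_CMD_FDT=y\n"

if __name__ == "__main__":
    print(demo())
    print(fdt_command_enabled(SECURE_CONFIG), fdt_command_enabled(DEBUG_CONFIG))
```

The window returned by demo() before the manual bump is the gap the patch is documenting: the update itself succeeds, but nothing in that path raises the floor, so closing the window is a separate, deliberate step on the dtb.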
Hi Kojima-san
On Thu, 22 Jun 2023 at 08:51, Masahisa Kojima masahisa.kojima@linaro.org wrote:
To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
This commit also adds the recommendation that secure systems should not enable the fdt command, because the lowest-supported-version property in the device tree can be changed by the fdt command.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
doc/develop/uefi/uefi.rst | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..7407f178f5 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version,
enforce*
+the lowest-supported-version property in dtb must be always updated manually.
+Note that the lowest-supported-version property specified in U-Boot's control +device tree can be changed by U-Boot fdt command. +Secure systems should not enable this command.
Other than that, Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org
To insert the lowest supported version into a dtb
.. code-block:: console
2.34.1

On Thu, 22 Jun 2023 at 16:21, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Kojima-san
On Thu, 22 Jun 2023 at 08:51, Masahisa Kojima masahisa.kojima@linaro.org wrote:
To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
This commit also adds the recommendation that secure systems should not enable the fdt command, because the lowest-supported-version property in the device tree can be changed by the fdt command.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
doc/develop/uefi/uefi.rst | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..7407f178f5 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version,
enforce*
+the lowest-supported-version property in dtb must be always updated manually.
+Note that the lowest-supported-version property specified in U-Boot's control +device tree can be changed by U-Boot fdt command. +Secure systems should not enable this command.
Other than that, Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org
Thank you for pointing out the typo. I will fix and send v3 soon.
Thanks, Masahisa Kojima
To insert the lowest supported version into a dtb
.. code-block:: console
2.34.1