[PATCH] doc: uefi: explicitly describe manual dtb update is required

To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
---
 doc/develop/uefi/uefi.rst | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..d5f8c5f236 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,9 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually. + To insert the lowest supported version into a dtb
.. code-block:: console
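Review bot: the new sentence in this hunk misspells "enforce" as "enroce" and the wording is awkward; suggest "If a user needs to enforce anti-rollback against any older version, the lowest-supported-version property in the dtb must always be updated manually." Since the paragraph sits directly before the console example that inserts the property, it would also help to say why the manual step matters for security: the property lives in U-Boot's control device tree and can be rewritten from the console with the fdt command, so a secure configuration should not enable that command.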
base-commit: e350d0c60d413d441cbdfa9432ebadb56f625903
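As an added illustration of the point this patch documents (example code, not U-Boot's own): a toy model of the capsule version gate in which the dtb floor is never raised by the update itself, so a capsule older than the running firmware but at or above the floor still installs unless the operator raises the property by hand. The device model and version numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """Constructed stand-in for a board (not U-Boot code): the dtb property
    plus the firmware version currently installed."""
    lowest_supported_version: int   # lowest-supported-version in the control dtb
    fw_version: int                 # version of the firmware now running
    log: list = field(default_factory=list)


def capsule_update(dev: Device, capsule_fw_version: int) -> bool:
    """Apply a capsule built with --fw-version=capsule_fw_version.

    Mirrors the rule in uefi.rst: a capsule below lowest-supported-version
    fails; anything at or above the floor is installed, even when it is older
    than the firmware currently running. The floor itself is never touched by
    the update, which is why the patch says it must be updated manually.
    """
    if capsule_fw_version < dev.lowest_supported_version:
        dev.log.append(f"rejected {capsule_fw_version}: below floor "
                       f"{dev.lowest_supported_version}")
        return False
    dev.fw_version = capsule_fw_version
    dev.log.append(f"installed {capsule_fw_version}")
    return True


def raise_floor(dev: Device, version: int) -> None:
    """The manual step: rewrite lowest-supported-version in the dtb, done outside
    the capsule flow (in U-Boot by regenerating the dtb, as the doc describes)."""
    dev.lowest_supported_version = version


def rollback_possible(manual_floor_update: bool) -> bool:
    """Constructed scenario: floor 2, firmware 2; install 5; then offer a
    version-3 capsule. Returns True if the older capsule was accepted."""
    dev = Device(lowest_supported_version=2, fw_version=2)
    if not capsule_update(dev, 5):
        raise RuntimeError("first update unexpectedly rejected")
    if manual_floor_update:
        raise_floor(dev, 5)          # operator raised the floor after the update
    return capsule_update(dev, 3)


if __name__ == "__main__":
    print("rollback to 3 without manual floor update:", rollback_possible(False))
    print("rollback to 3 with manual floor update:   ", rollback_possible(True))
```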

On 6/15/23 10:03, Masahisa Kojima wrote:
To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
 doc/develop/uefi/uefi.rst | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..d5f8c5f236 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,9 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually.
Thank you for updating the documentation.
Allowing to circumvent the rollback protection is a security issue. On a secure system you would probably want to disable console commands like mc and fdt. Shouldn't we provide advice on safe settings?
E.g.
"If a user wanted to enable a rollback to a version forbidden by the lowest-supported-version property specified in U-Boot's control device-tree, they could change this property using the fdt command. Secure systems should not enable this command."
Best regards
Heinrich

On Sat, Jun 17, 2023 at 09:58:13PM +0200, Heinrich Schuchardt wrote:
On 6/15/23 10:03, Masahisa Kojima wrote:
To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
 doc/develop/uefi/uefi.rst | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..d5f8c5f236 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,9 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually.
Thank you for updating the documentation.
Allowing to circumvent the rollback protection is a security issue. On a secure system you would probably want to disable console commands like mc and fdt. Shouldn't we provide advice on safe settings?
Is there any case where a user wants to use fdt for some reason, for example, in CONFIG_PREBOOT or CONFIG_BOOTCOMMAND?
-Takahiro Akashi

Am 19. Juni 2023 02:49:54 MESZ schrieb Takahiro Akashi takahiro.akashi@linaro.org:
On Sat, Jun 17, 2023 at 09:58:13PM +0200, Heinrich Schuchardt wrote:
On 6/15/23 10:03, Masahisa Kojima wrote:
To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
 doc/develop/uefi/uefi.rst | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..d5f8c5f236 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,9 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually.
Thank you for updating the documentation.
Allowing to circumvent the rollback protection is a security issue. On a secure system you would probably want to disable console commands like mc and fdt. Shouldn't we provide advice on safe settings?
Is there any case where a user wants to use fdt for some reason, for example, in CONFIG_PREBOOT or CONFIG_BOOTCOMMAND?
-Takahiro Akashi
Dtb overlays can be applied via the fdt command.
Best regards
Heinrich

Hi Heinrich,
On Mon, Jun 19, 2023 at 06:37:14AM +0200, Heinrich Schuchardt wrote:
Am 19. Juni 2023 02:49:54 MESZ schrieb Takahiro Akashi takahiro.akashi@linaro.org:
On Sat, Jun 17, 2023 at 09:58:13PM +0200, Heinrich Schuchardt wrote:
On 6/15/23 10:03, Masahisa Kojima wrote:
To enforce anti-rollback to any older version, the dtb must always be updated manually. This should be described in the documentation.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
 doc/develop/uefi/uefi.rst | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index ffd13cebe9..d5f8c5f236 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,9 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly.
+If user needs to enroce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually.
Thank you for updating the documentation.
Allowing to circumvent the rollback protection is a security issue. On a secure system you would probably want to disable console commands like mc and fdt. Shouldn't we provide advice on safe settings?
Is there any case where a user wants to use fdt for some reason, for example, in CONFIG_PREBOOT or CONFIG_BOOTCOMMAND?
-Takahiro Akashi
Dtb overlays can be applied via the fdt command.
What I meant to say was that, if there is a useful use case for the fdt command, it would be too restrictive to recommend disabling the command. (Questioning if a device tree is the right place to put the data.)
-Takahiro Akashi
Best regards
Heinrich
participants (3)
- Heinrich Schuchardt
- Masahisa Kojima
- Takahiro Akashi