From patchwork Mon Nov 28 12:45:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 628987 Delivered-To: patch@linaro.org Received: by 2002:a17:522:c983:b0:460:3032:e3c4 with SMTP id kr3csp2913299pvb; Mon, 28 Nov 2022 04:46:21 -0800 (PST) X-Google-Smtp-Source: AA0mqf7/1tu17iBLzik9boJy8fx5iP2VMMzKJ/ApojQLynoXOdvhLOyN8L/PahRAJBf5Hc/LL2aH X-Received: by 2002:a05:6e02:50e:b0:303:d01:eb31 with SMTP id d14-20020a056e02050e00b003030d01eb31mr2708591ils.188.1669639581100; Mon, 28 Nov 2022 04:46:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669639581; cv=none; d=google.com; s=arc-20160816; b=GJG7/jPwr6+BOXRJUWloas2xZjz089dNAubIYa5vX91+05Mpgv01OaAZlV3dTPoEeA Opv7/8MUVa08nUDpl2VugmWGBke3sNmxxfEghKiiW7vnyUaZ3+pc0qBjFkT1xJkb39Un m3gFssMrQhZTeRe1kJUWVuFfD7EQ0Fhonzxb3uVdY9XK7oYjm1GcHwLP4+M1O2MUqZMO lUy6XjhmP1YaJApxtlRJziEY1OmWqqkhlssutiWozf0AC1rw0SQF544vZ7KqxA91fxSI vUwDFUvekQHaVn66l/PrscvqUBdLJdRTYo0zkeMm3A2Zt23ZtmZLOJ+7yrPQbpFvWaOM xn1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=eG65erNUMV3tR1yBaVwihzSzeab2+GnhuxTVCJA3EMM=; b=MeMC53R+nznmtTupPbKZbvI2bBJi7i8KK1cap91AOUJtK30JRkWgYvEwl2P/4dJv4u tmQX2wBpXmdowJgspfkPckDmr8ZxeSPBZP+5rgNImys68Tn4iBD0LgF+ZDarQRHt0AGm qVM1CAyLnSBQXGFvfS6WpBRSAv4rtZzaAw7pReZKYQ56EYT2dhu7TknCAHl5+Oz7FOt4 n6iSyTa4YNqYq2NJG2+72/n0QmBeO0is13ElhtEtsW9h4LeZW1kF+SsQ0YKaE0t/y+6G kB6n5BGK51hs2yR8u0C7/wgt0ATWA6ZeXBa1GnLijkxIVXQroQiIlj09jk2nx9x79pbv c7aw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=dsRz1ay9; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id h10-20020a92c26a000000b002f6ab84e5d9si9640723ild.65.2022.11.28.04.46.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Nov 2022 04:46:21 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=dsRz1ay9; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 1F41C8524F; Mon, 28 Nov 2022 13:45:40 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="dsRz1ay9"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id BD8888527D; Mon, 28 Nov 2022 13:45:27 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B1F5E8525A for ; Mon, 28 Nov 2022 13:45:17 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pf1-x42e.google.com with SMTP id c15so1034832pfb.13 for ; Mon, 28 Nov 2022 04:45:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date:message-id:reply-to; bh=eG65erNUMV3tR1yBaVwihzSzeab2+GnhuxTVCJA3EMM=; b=dsRz1ay9aMSN0LqE4XrY3qNBLP1yCAaDzD+REOtw3bG2zkMGmQyKVnxFL+a+vqeRHV W3dVvNKCHgDfT1bho8bao0Sx3AFWCnq/zEtkOgqfVKwTrB2TGoy9uvJPt3xQxtE9MhtE KdtwyxbalSIsIaXJN6ffFZ6OGOEqjkdqQwbCYACdYglQEn4B1CkHpWrSCAPHp1RSLs7+ pucfOiZUjsbUr7uuIHg7WALoqIaWD2vTD7yr+86TOkQStMtWCBKAdbeGf/vK6c/eMzbF orypV3EGI27bzWawsLdxtuEdLoWucpij8PbNQG92SAJEu+T6dfZLTsv5bPMtbmzuLthY wQLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=eG65erNUMV3tR1yBaVwihzSzeab2+GnhuxTVCJA3EMM=; b=Kub+bLtTI0X6jojjrLg9ullixFP2uZHlFk/i1Dci+O6UuBOk1BOxGJMbB8ts0kGQ/P 6jMjF4rQbelUzCSLvnIQLY4KTQ1LZGNSQj1ycWHF1+a4whP05WYoNx5NRQ+O8sAAuBGe +pnKZuiILz6bRYqwZU7fBRuPo9W5fQ4a81xjiZzZTyljT8sinekXjWkFsDJfvtt6227h cA0z5Ye6RdbU76UbiNjluCcjMQbU0DoeYqTT85k9H2R2U90xbqx7In+WxDNqx2i1/pak EI2XJJkLmDLQLRwQpY4gGeD62Uh1+xFZh/vxtMX78J+sCKld5mKxUYSqkmv7HQ00dRUW bQ2A== X-Gm-Message-State: ANoB5pmjY8V3kOiWHiEnwDSS0BY0ddMhfSfi+RY78+TKnb0tjka5eIAG cvFf7Ua/sWaxzwXSs69doHF0TalByhquag== X-Received: by 2002:aa7:91d6:0:b0:574:c543:f804 with SMTP id z22-20020aa791d6000000b00574c543f804mr15077819pfa.51.1669639514169; Mon, 28 Nov 2022 04:45:14 -0800 (PST) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id w27-20020a63475b000000b0047681fa88d1sm3925303pgk.53.2022.11.28.04.45.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Nov 2022 04:45:13 -0800 (PST) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Jerome Forissier , Masahisa Kojima Subject: [PATCH v2 5/5] doc:eficonfig: add description for UEFI Secure Boot Configuration Date: Mon, 28 Nov 2022 21:45:09 +0900 Message-Id: <20221128124509.6939-6-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221128124509.6939-1-masahisa.kojima@linaro.org> References: <20221128124509.6939-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean This commits add the description for the UEFI Secure Boot Configuration through the eficonfig menu. Signed-off-by: Masahisa Kojima --- Newly created in v2 doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst index 340ebc80db..67c859964f 100644 --- a/doc/usage/cmd/eficonfig.rst +++ b/doc/usage/cmd/eficonfig.rst @@ -31,6 +31,9 @@ Change Boot Order Delete Boot Option Delete the UEFI Boot Option +Secure Boot Configuration + Edit UEFI Secure Boot Configuration + Configuration ------------- @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: CONFIG_USE_PREBOOT=y CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig" +UEFI specification requires that UEFI Secure Boot Configuration (especially +for PK and KEK) is stored in non-volatile storage which is tamper resident. +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot. +UEFI Secure Boot Configuration menu entry is enabled when the following +options are enabled:: + + CONFIG_EFI_SECURE_BOOT=y + CONFIG_EFI_MM_COMM_TEE=y + + How to boot the system with newly added UEFI Boot Option '''''''''''''''''''''''''''''''''''''''''''''''''''''''' @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry:: CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +UEFI Secure Boot Configuration +'''''''''''''''''''''''''''''' + +User can enroll PK, KEK, db and dbx by selecting file. +"eficonfig" command only accepts the signed EFI Signature List(s) +with an authenticated header, typically ".auth" file. +To clear the PK, KEK, db and dbx, user needs to enroll the null key +signed by PK or KEK. + See also -------- * :doc:`bootmenu` provides a simple mechanism for creating menus with different boot items