| Message ID | 20221202045937.7846-6-masahisa.kojima@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | miscellaneous fixes of eficonfig | expand |
On Fri, Dec 02, 2022 at 01:59:37PM +0900, Masahisa Kojima wrote: > This commits add the description for the UEFI Secure Boot > Configuration through the eficonfig menu. > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > --- > No update since v2 > > Newly created in v2 > > doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst > index 340ebc80db..67c859964f 100644 > --- a/doc/usage/cmd/eficonfig.rst > +++ b/doc/usage/cmd/eficonfig.rst > @@ -31,6 +31,9 @@ Change Boot Order > Delete Boot Option > Delete the UEFI Boot Option > > +Secure Boot Configuration > + Edit UEFI Secure Boot Configuration > + > Configuration > ------------- > > @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: > CONFIG_USE_PREBOOT=y > CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig" > > +UEFI specification requires that UEFI Secure Boot Configuration (especially > +for PK and KEK) is stored in non-volatile storage which is tamper resident. s/resident/resistant > +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot. Can we be a bit more clear here. Something along the lines of "The only way U-Boot can currently store EFI variables on a tamper resistant medium is via OP-TEE. The Kconfig option that enables that is CONFIG_EFI_MM_COMM_TEE and ends up storing EFI variables on an RPMB partition of an eMMC" > +UEFI Secure Boot Configuration menu entry is enabled when the following > +options are enabled:: > + > + CONFIG_EFI_SECURE_BOOT=y > + CONFIG_EFI_MM_COMM_TEE=y > + > + > How to boot the system with newly added UEFI Boot Option > '''''''''''''''''''''''''''''''''''''''''''''''''''''''' > > @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry:: > > CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" > > +UEFI Secure Boot Configuration > +'''''''''''''''''''''''''''''' > + > +User can enroll PK, KEK, db and dbx by selecting file. selecting a file > +"eficonfig" command only accepts the signed EFI Signature List(s) > +with an authenticated header, typically ".auth" file. > +To clear the PK, KEK, db and dbx, user needs to enroll the null key > +signed by PK or KEK. > + > See also > -------- > * :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with different boot items > -- > 2.17.1 > Thanks /Ilias
Hi Ilias, On Fri, 2 Dec 2022 at 16:17, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > > On Fri, Dec 02, 2022 at 01:59:37PM +0900, Masahisa Kojima wrote: > > This commits add the description for the UEFI Secure Boot > > Configuration through the eficonfig menu. > > > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > > --- > > No update since v2 > > > > Newly created in v2 > > > > doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++ > > 1 file changed, 22 insertions(+) > > > > diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst > > index 340ebc80db..67c859964f 100644 > > --- a/doc/usage/cmd/eficonfig.rst > > +++ b/doc/usage/cmd/eficonfig.rst > > @@ -31,6 +31,9 @@ Change Boot Order > > Delete Boot Option > > Delete the UEFI Boot Option > > > > +Secure Boot Configuration > > + Edit UEFI Secure Boot Configuration > > + > > Configuration > > ------------- > > > > @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: > > CONFIG_USE_PREBOOT=y > > CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig" > > > > +UEFI specification requires that UEFI Secure Boot Configuration (especially > > +for PK and KEK) is stored in non-volatile storage which is tamper resident. > > s/resident/resistant Thank you for pointing out the typo. > > > +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot. > > Can we be a bit more clear here. Something along the lines of > "The only way U-Boot can currently store EFI variables on a tamper > resistant medium is via OP-TEE. The Kconfig option that enables that is > CONFIG_EFI_MM_COMM_TEE and ends up storing EFI variables on an RPMB > partition of an eMMC" OK, it is clearer. > > > +UEFI Secure Boot Configuration menu entry is enabled when the following > > +options are enabled:: > > + > > + CONFIG_EFI_SECURE_BOOT=y > > + CONFIG_EFI_MM_COMM_TEE=y > > + > > + > > How to boot the system with newly added UEFI Boot Option > > '''''''''''''''''''''''''''''''''''''''''''''''''''''''' > > > > @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry:: > > > > CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" > > > > +UEFI Secure Boot Configuration > > +'''''''''''''''''''''''''''''' > > + > > +User can enroll PK, KEK, db and dbx by selecting file. > > selecting a file OK. Thanks, Masahisa Kojima > > > +"eficonfig" command only accepts the signed EFI Signature List(s) > > +with an authenticated header, typically ".auth" file. > > +To clear the PK, KEK, db and dbx, user needs to enroll the null key > > +signed by PK or KEK. > > + > > See also > > -------- > > * :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with different boot items > > -- > > 2.17.1 > > > > Thanks > /Ilias
diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst index 340ebc80db..67c859964f 100644 --- a/doc/usage/cmd/eficonfig.rst +++ b/doc/usage/cmd/eficonfig.rst @@ -31,6 +31,9 @@ Change Boot Order Delete Boot Option Delete the UEFI Boot Option +Secure Boot Configuration + Edit UEFI Secure Boot Configuration + Configuration ------------- @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: CONFIG_USE_PREBOOT=y CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig" +UEFI specification requires that UEFI Secure Boot Configuration (especially +for PK and KEK) is stored in non-volatile storage which is tamper resident. +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot. +UEFI Secure Boot Configuration menu entry is enabled when the following +options are enabled:: + + CONFIG_EFI_SECURE_BOOT=y + CONFIG_EFI_MM_COMM_TEE=y + + How to boot the system with newly added UEFI Boot Option '''''''''''''''''''''''''''''''''''''''''''''''''''''''' @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry:: CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +UEFI Secure Boot Configuration +'''''''''''''''''''''''''''''' + +User can enroll PK, KEK, db and dbx by selecting file. +"eficonfig" command only accepts the signed EFI Signature List(s) +with an authenticated header, typically ".auth" file. +To clear the PK, KEK, db and dbx, user needs to enroll the null key +signed by PK or KEK. + See also -------- * :doc:`bootmenu<bootmenu>` provides a simple mechanism for creating menus with different boot items
This commits add the description for the UEFI Secure Boot Configuration through the eficonfig menu. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> --- No update since v2 Newly created in v2 doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)