From patchwork Fri Dec 2 04:59:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 630195 Delivered-To: patch@linaro.org Received: by 2002:a17:906:9c8c:b0:7c0:a5ce:226a with SMTP id fj12csp903710ejc; Thu, 1 Dec 2022 21:01:14 -0800 (PST) X-Google-Smtp-Source: AA0mqf7GJV0BOBQgBSv/bni07j2zbnrdsqn05LD1MUUcjzOGEnaUfm3sWI9hUnd7CRQxudSDV5wA X-Received: by 2002:a05:6e02:d94:b0:302:a008:83e5 with SMTP id i20-20020a056e020d9400b00302a00883e5mr22049794ilj.293.1669957274261; Thu, 01 Dec 2022 21:01:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669957274; cv=none; d=google.com; s=arc-20160816; b=W8UziSXe1KTtSfMty+iOG3chdBfjJg60q0VrNIJ02CTLASODa589qcbdb2daXHjzj5 tsl6wzXcd2e/Uf8IXkgQJ1W9wn1o1y4VhyzfsBv7PQwwLiJpoR8kNnMuCWZ1o1qpkrzC zwyjP8oehjVOXZr6f2g0hMXPrE/B90VqH4TsKIaRPqQmyGuNs7Skv2PykA/fs3aKn7zM uhtBSjT3QkWX4TXCqD+wr3tehKTRe412a0lhoT8hx64juMP9y2/j78gy8It1frWKn0bt aSxKT33HBHI5bM0O5FAJoMkePyGb4sDdl8Q/UFCUSFTDGRCPvl2FFF7E8EmbtpMoTmXG sS9g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=O8mWAAwKdfybUlXpGFE+LMAc3b8fp6XdKJhw/TdjzEU=; b=en/lfKw6NlZv0CZK9gFP64CNB9LIT0y/7OIm6X1egjweI4fMQyUlf0CLfA4S9v5Kb9 bDuPtCS8fBT924L4QR3aV29ceUWtS4zsYcnE32f/8tSXy/U5mfY5yzRWQa+jbiEwkBrZ XU3uDlCtF9aNLdpl8T5TO0bl1CpYbr0iIczE6BDIx49K/oNoJUPSybHqNU+rrJZwIjxN 7u3giyPf5rUTJkbS2ggbGR1JDCIo0FpN9Mx4MJt0TX5a6xGAZVqyMUG4fsBhrCgiO21u lJrQWvM0oMT7SNVBn+hdnITZF6dTwhOpX5qKtWuBZpLpp1N8C1BZ78WdeP6OZLddxRCI MqJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=rwukqj0w; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id d14-20020a056e02214e00b00300033748b6si5137744ilv.44.2022.12.01.21.01.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 01 Dec 2022 21:01:14 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=rwukqj0w; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B80F88545F; Fri, 2 Dec 2022 06:00:41 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="rwukqj0w"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 1607B85466; Fri, 2 Dec 2022 06:00:33 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id DE47085452 for ; Fri, 2 Dec 2022 06:00:12 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x535.google.com with SMTP id 82so3534613pgc.0 for ; Thu, 01 Dec 2022 21:00:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date:message-id:reply-to; bh=O8mWAAwKdfybUlXpGFE+LMAc3b8fp6XdKJhw/TdjzEU=; b=rwukqj0wt7ulKBx2QPTOvw59CDcL+wH3+H7lpaf1gui0JW35oZFi0rJqwd19UPUC6j PDyG0OyFP4mggqOaWlIbWQrEPZsHw11nszSAH+Y8/5PrYRcFlD/caJ1v6u9NH+s0AbPs 2gB1rndorPWbOM60nx57dqEBUFVx3SAY9DHXeHqiddX2zdhlccAb42JryQAGU9KoSMT0 5ukSUG92jzQW2wXGzp0MjjjDLU34GIsepl41QzYR+FntszDtVflNtlaljw8wE+ArkNz9 oNsf9TGnLCsM+fH8+W0zS1cmSyBpnwsMT7QgTugEapMB1zNkxa4fxsRhRY2LE9xDd2LU Y+4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=O8mWAAwKdfybUlXpGFE+LMAc3b8fp6XdKJhw/TdjzEU=; b=kuqesq2Tagu6SGrBwY5/xwGynK+9foM4Yud8fQ6/K3R27t9r4ShMfUtYXs06/9oNxW hQ5xqNcNVBGGdG53n3EjVf6HuFTGw75ErujeXPtYNIkOCu7irqR2ShOvqEnyectLh6QW 3Si4wU2YfFpuNjs/Lt9hDYgP6AGvsm7hU932dKOsoMhlqtgm2miUm/LCvIG6G+hWH1sN Be2qN58fItYiEwuaXWOEXlNeem37CyHkx9XELsIAeQrdzSCNbe+lsXHmIgsirynDHFC4 rdcrTS4T/p4D44lu/EoWGwR5/PB14XbeQ1youzHU3YFFDXfhMPgcXwD4UY14g3KJNcf3 425Q== X-Gm-Message-State: ANoB5pmUXWGdp+L697hGqNRfGcLmRaFtvENj+QcPUO3m4e7ZQYARQC+l FMEjNgT6EhPni7kzCGe49OG6fhKFHAe7lCTy X-Received: by 2002:a62:ab18:0:b0:56b:9ae8:ca05 with SMTP id p24-20020a62ab18000000b0056b9ae8ca05mr50872380pff.59.1669957200544; Thu, 01 Dec 2022 21:00:00 -0800 (PST) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id z27-20020aa7949b000000b00575fbe1cf31sm3234456pfk.67.2022.12.01.20.59.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 01 Dec 2022 20:59:59 -0800 (PST) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Jerome Forissier , Masahisa Kojima Subject: [PATCH v3 5/5] doc:eficonfig: add description for UEFI Secure Boot Configuration Date: Fri, 2 Dec 2022 13:59:37 +0900 Message-Id: <20221202045937.7846-6-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221202045937.7846-1-masahisa.kojima@linaro.org> References: <20221202045937.7846-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean This commits add the description for the UEFI Secure Boot Configuration through the eficonfig menu. Signed-off-by: Masahisa Kojima --- No update since v2 Newly created in v2 doc/usage/cmd/eficonfig.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/usage/cmd/eficonfig.rst b/doc/usage/cmd/eficonfig.rst index 340ebc80db..67c859964f 100644 --- a/doc/usage/cmd/eficonfig.rst +++ b/doc/usage/cmd/eficonfig.rst @@ -31,6 +31,9 @@ Change Boot Order Delete Boot Option Delete the UEFI Boot Option +Secure Boot Configuration + Edit UEFI Secure Boot Configuration + Configuration ------------- @@ -44,6 +47,16 @@ U-Boot console. In this case, bootmenu can be used to invoke "eficonfig":: CONFIG_USE_PREBOOT=y CONFIG_PREBOOT="setenv bootmenu_0 UEFI Maintenance Menu=eficonfig" +UEFI specification requires that UEFI Secure Boot Configuration (especially +for PK and KEK) is stored in non-volatile storage which is tamper resident. +CONFIG_EFI_MM_COMM_TEE is mandatory to provide the secure storage in U-Boot. +UEFI Secure Boot Configuration menu entry is enabled when the following +options are enabled:: + + CONFIG_EFI_SECURE_BOOT=y + CONFIG_EFI_MM_COMM_TEE=y + + How to boot the system with newly added UEFI Boot Option '''''''''''''''''''''''''''''''''''''''''''''''''''''''' @@ -66,6 +79,15 @@ add "bootefi bootmgr" entry as a default or first bootmenu entry:: CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +UEFI Secure Boot Configuration +'''''''''''''''''''''''''''''' + +User can enroll PK, KEK, db and dbx by selecting file. +"eficonfig" command only accepts the signed EFI Signature List(s) +with an authenticated header, typically ".auth" file. +To clear the PK, KEK, db and dbx, user needs to enroll the null key +signed by PK or KEK. + See also -------- * :doc:`bootmenu` provides a simple mechanism for creating menus with different boot items