From patchwork Thu Jun 22 08:06:29 2023
X-Patchwork-Submitter: Masahisa Kojima
X-Patchwork-Id: 694890
From: Masahisa Kojima
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Takahiro Akashi, Masahisa Kojima
Subject: [PATCH v3] doc: uefi: enhance anti-rollback documentation
Date: Thu, 22 Jun 2023 17:06:29 +0900
Message-Id: <20230622080629.136938-1-masahisa.kojima@linaro.org>

To enforce anti-rollback to any older version, the dtb must always be updated
manually. This should be described in the documentation.

This commit also adds the recommendation that secure systems should not enable
the fdt command because the lowest-supported-version property in the device tree
can be changed by the fdt command.

Reviewed-by: Ilias Apalodimas
Signed-off-by: Masahisa Kojima
---
changes in v3:
- fix typo

changes in v2:
- add recommendation not to enable fdt command

 doc/develop/uefi/uefi.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index ffd13cebe9..9b7c9f19a9 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly. +If user needs to enforce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually. + +Note that the lowest-supported-version property specified in U-Boot's control +device tree can be changed by U-Boot fdt command. +Secure systems should not enable this command. + To insert the lowest supported version into a dtb .. code-block:: console
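Review bot: the first added sentence carries two grammar slips that will show up in the rendered documentation: "If user needs to enforce anti-rollback" should read "If a user needs to enforce anti-rollback", and "must be always updated manually" should read "must always be updated manually". In the second added paragraph, "Secure systems should not enable this command." would be more actionable if it named the Kconfig option that builds the fdt command (CMD_FDT), e.g. "Secure systems should not enable this command (CONFIG_CMD_FDT).", so a reader hardening a build knows exactly which symbol to leave disabled rather than having to look it up.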