Ilias Apalodimas <ilias.apalodi...@linaro.org> writes: > On Tue, 9 Apr 2024 at 23:14, Andrew Davis <a...@ti.com> wrote: >> >> On 4/9/24 2:26 PM, Heinrich Schuchardt wrote: >> > On 4/9/24 14:14, Andrew Davis wrote: >> >> On 4/8/24 10:34 PM, Heinrich Schuchardt wrote: >> >>> On 4/8/24 23:33, Jonathan Humphreys wrote: >> >>>> EFI signature list using TI dummy keys. >> >>> >> >>> Adding vendor public keys into the code base to lock down generated >> >>> binaries to the vendors unpublished private key does not match well with >> >>> the intent of the GNU public license. >> >>> >> >> >> >> The matching private keys are already published in this same >> >> repo/directory (arch/arm/mach-k3/keys). >> >> >> >> Andrew >> > >> > Why should we create signed capsules which are already compromised by >> > publishing the private key? >> > >> >> If you buy these devices you have two options, you can burn real >> keys, or you can burn these dummy keys. If you burn dummy keys >> then these images will boot and so will any image you or anyone >> else wants to boot on the device. (since the keys are published >> anyone can make images for them, that is how we do GP (general >> purpose) devices these days) >> >> If you burn your own keys, then you switch out these keys here >> and your device will only boot images that you permit by signing >> with your keys. > > I am not sure I am following you here. We don't burn anything in the > case of EFI keys. They are placed in an elf section and we assume the > device will have a chain of trust enabled, naturally verifying those > keys along with the u-boot binary. > >> >> You'll find plenty of open source projects do the same and >> give out example keys to show how to use real keys, even >> official GNU projects. > > Yes, but the keys defined here are useless unless you have a default > defconfig that uses them and embeds them in the binary. I am not cc'ed > in all the patches of the series, is that added somewhere? And if you
Yes, they are part of this series https://lore.kernel.org/r/20240408213349.96610-1-j-humphr...@ti.com. Thanks for the reviews. > unconditionally enable secure boot It would be far more interesting to > embed the MS SHIM key along with that special key you are trying to > define, so that firmware can boot COTS distros as well Yes, we should consider. But since that is outside of the EFI capsule use case, I would rather take it up in a separate patch. > > Thanks > /Ilias > > >> >> https://github.com/gpg/gnupg/tree/master/tests/openpgp/samplekeys >> >> Andrew >> >> > Best regards >> > >> > Heinrich >> > >> >> >> >>> Best regards >> >>> >> >>> Heinrich >> >>> >> >>>> >> >>>> Signed-off-by: Jonathan Humphreys <j-humphr...@ti.com> >> >>>> --- >> >>>> arch/arm/mach-k3/keys/custMpk.esl | Bin 0 -> 1523 bytes >> >>>> 1 file changed, 0 insertions(+), 0 deletions(-) >> >>>> create mode 100644 arch/arm/mach-k3/keys/custMpk.esl >> >>>> >> >>>> diff --git a/arch/arm/mach-k3/keys/custMpk.esl >> >>>> b/arch/arm/mach-k3/keys/custMpk.esl >> >>>> new file mode 100644 >> >>>> index >> >>>> 0000000000000000000000000000000000000000..2feb704e0a5fd126410de451d3c0fa4d3edccc52 >> >>>> GIT binary patch >> >>>> literal 1523 >> >>>> zcmZ1&d0^?2Da*aux2_hA(f&~MnUw(yu0v@E4?-F=u^u*PVqVQ8QZ((-^A*$m*Kg7c >> >>>> z&78AJODc2mtxpELY@Awc9&O)w85y}*84Mcd8gd(OvN4CUun9AT2E#ZUJWL@GhWtR) >> >>>> zKpA!(HkZVloWx>7bput902hy3NNPo5v4Uq_aY<2WZfaf$h@G5YRFGekSdyAzC~P1I >> >>>> zQpnB26;PC)oLXF*UsMbeWai-t@l*&dEdVMmF_blshP#N9QH-w`BJNO<sh6CeYal1i >> >>>> zYh-L-W?*PwYGi0=7A4MWYz$;tLb-$9{Y^|t$U)A?%D~*j#Lr;R#Kgta#Kg$3Uu2!< >> >>>> zjryX?*~({Md+?>+QS$x7=il`0?bc6sZ`Vxxl^6N{>i2E;SY*4-T$+0G;)5dxe+2CR >> >>>> z@4+)sDPWdQb@%6KTpDVdm)v}?GSpG(w_UV)&i+#e3fJowDZO)JR83lIcbw(hMu}}Y >> >>>> z2ZZwYAI-LVx@^G;HdkgxaX&Hnl_l3&{H|3l7uX@Vl5di{>fQQ{pDynFlySp2(z~g) >> >>>> z{LIBUzm&K9j_CMw_SIFfPdcT#zmg6g<ji}(R`6geJLk-#o7bK^&&fT}#2zsD`=c9g >> >>>> zFUCK<Fz@{2kel&$W6zl<d|WNk#ZsNRd{_N_SJxWvh0*K$j!m)c@oT>{#b(Lp`M3Uj >> >>>> zGOKycyEe+n{G(Rmg}jB!)0ySk-!kkj_R7#OT+}pcG0VXh?f+ftRvnyw#hUea^Iyfn >> >>>> ze|zgKPKrqe@jYWU?v<50X(n^lZ*G%j$JyCh`*Px|H*K=2WXP)hx>jng+}Q}N^KoDN >> >>>> z8dh8T-~Dmrp2?yk3O6Gqbz7O@<TEz<^zIa7d#PKtHKHeAg?V0DMSin^o3F|IEfQWk >> >>>> zcmJwBy6&2hKub%G{j3IK(?7m@uI43#1e~wSZJ5sTtDjrp@7@{O3(faN{`Gp}x{$M5 >> >>>> z{A7`c@pjfYq1Z=JvgZ^-zCC<(HFTBwYhTX$k`7IJX`SM!H}f`Mv+(Op6uVY(<(^o4 >> >>>> zpyXAj9nF_c-1A<UIel9%6Eh<NBXSA>W=dcRVPvS;*B%(4`P|iK>Vg$XDgN9sr}Df{ >> >>>> z7X0es=RPHr8RB+*)}q}h%gn?x9PO4y*Qog};x<<LS+lxk$@$kYlG_hXu6p%jvB<%l >> >>>> zmcsdI9w!^rFPt^&c~{1?L~DJ4TRPv>t%rn8xi;KBE9A!Dppb9yru|>RCb9PcXWpE> >> >>>> zKlQ}fzw*izXI|}|r!O*nb&cP9#VhHRn;B<SRflN2Jl(*;W4e0LD$ORRIdjjhURZH+ >> >>>> zXWR0Vllb2@>`1LC^xvIctvLCYhRA_6yCS~2&!0SH1xwv(O~<l(HQxHJxzF!T_>+5t >> >>>> z^|E$S{MM^8j9J5`sQ6pud{2Lz?k`zncbjvHj%eutjusUol}8;%cbPLCO|e;ZJ^tXe >> >>>> z_N{pmM}uCi3UWO3=hMc<s}m1Jx4GS4F(<_N`R|o+)eAK3Yx{o$ygRe!;<_EoF&UhP >> >>>> zrslJ=2XA9^$j#UDYwo;ZvZwb!|L%YP%v|ie|7-1PP+q3DZ&vEWgHHrjHv|NzEVjO? >> >>>> zKFeRbXv>iTPl?N16Xv@buq_d@TU<MB;uD_jX^$J`&*C>`uX0_s&g9M2C6cKx4E;{? >> >>>> zt`1&)Tk-yb?sKMPI~!}xt*d*!tMat!r1`}jul#i@lDB8rnu>ba_-^4!iQ5{|tb3TX >> >>>> z>fTMIw2!Me3{Dw*WZotC<4@h<H`zaL+~Es<{Ccj5yS7zyNU!YsTG`^JqA6NkU%vnV >> >>>> D66<<J >> >>>> >> >>>> literal 0 >> >>>> HcmV?d00001 >> >>>> >> >>> >> >
