| Message ID | 1cdb2c6b.3591.17ce4c1b569.Coremail.myzmzz@126.com |
|---|---|
| State | Superseded |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | boot: don't enable booti/bootz by default if FIT_SIGNATURE is set | expand |
Dear Heinrich, Thank for your comments. >How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default? I think yes. I will update the relation to "default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT", and add "!EFI_SECURE_BOOT" into LEGACY_IMAGE_FORMAT. >> + It is enabled by default for backward compatibility, unless > >Backwards relative to UEFI? No. This description is from CONFIG_LEGACY_IMAGE_FORMAT. ``` config LEGACY_IMAGE_FORMAT bool "Enable support for the legacy image format" default y if !FIT_SIGNATURE help This option enables the legacy image format. It is enabled by default for backward compatibility, unless FIT_SIGNATURE is set where it is disabled so that unsigned images cannot be loaded. If a board needs the legacy image format support in this case, enable it here. ``` In my understand, this backward compatibility is to support both secure boot and non-secure boot when necessary. >This focuses very much on default values. How about: > >"The booti command is used for launching unsigned AArch64 and RISC-V >Linux kernel images. If you want to have secure boot either via signed >FIT images or via signed UEFI images, this option should be disabled." I agree, this description is more comprehensive. So that I want to update the commit title to "boot: don't enable the non-secure boot commands by default if secure boot enabled" >Why AArch64 and not RISC-V? The help information of CMD_BOOTI only mentions AArch64, so I followed it. Should I update as following? ```diff - Boot an AArch64 Linux Kernel image from memory. + Boot an AArch64/RISC-V Linux Kernel image from memory. ``` Best regards, Rover At 2021-11-04 02:24:34, "Heinrich Schuchardt" <xypron.glpk@gmx.de> wrote: >On 11/3/21 08:44, Rover Mo wrote: >> To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT, > >nits: >%s/boot/booting/ > >> don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if >> CONFIG_FIT_SIGNATURE is enabled. > >Disabling the booti and the bootz command does not stop you from booting >unsigned images, e.g. using the bootefi command. > >> >> Signed-off-by: Yuezhang.Mo <myzmzz@126.com> >> --- >> cmd/Kconfig | 11 ++++++++++- >> 1 file changed, 10 insertions(+), 1 deletion(-) >> >> diff --git a/cmd/Kconfig b/cmd/Kconfig >> index 5b30b13e43..5f9dd91928 100644 >> --- a/cmd/Kconfig >> +++ b/cmd/Kconfig >> @@ -203,15 +203,24 @@ config BOOTM_EFI >> >> config CMD_BOOTZ >> bool "bootz" >> + default y if !FIT_SIGNATURE >> help >> Boot the Linux zImage >> + It is enabled by default for backward compatibility, unless >> + FIT_SIGNATURE is set where it is disabled so that unsigned images >> + cannot be loaded. If a board needs to boot a Linux zImage in this >> + case, enable it here. >> >> config CMD_BOOTI >> bool "booti" >> depends on ARM64 || RISCV >> - default y >> + default y if !FIT_SIGNATURE > >How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default? > >> help >> Boot an AArch64 Linux Kernel image from memory. >> + It is enabled by default for backward compatibility, unless > >Backwards relative to UEFI? > >This focuses very much on default values. How about: > >"The booti command is used for launching unsigned AArch64 and RISC-V >Linux kernel images. If you want to have secure boot either via signed >FIT images or via signed UEFI images, this option should be disabled." > >> + FIT_SIGNATURE is set where it is disabled so that unsigned images >> + cannot be loaded. If a board needs to boot an AArch64 Linux Kernel > >Why AArch64 and not RISC-V? > >Who needs all those lines. > >Best regards > >Heinrich > >> + image in this case, enable it here. >> >> config BOOTM_LINUX >> bool "Support booting Linux OS images" >>
On 11/4/21 04:11, Rover Mo wrote: > Dear Heinrich, > > > Thank for your comments. > > > >How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default? > > I think yes. > I will update the relation to "default y if !FIT_SIGNATURE && > !EFI_SECURE_BOOT", > and add "!EFI_SECURE_BOOT" into LEGACY_IMAGE_FORMAT. > >>> + It is enabled by default for backward compatibility, unless >> >>Backwards relative to UEFI? > > No. > > This description is from CONFIG_LEGACY_IMAGE_FORMAT. > > ``` > config LEGACY_IMAGE_FORMAT > bool "Enable support for the legacy image format" > default y if !FIT_SIGNATURE > help > This option enables the legacy image format. It is enabled by > default for backward compatibility, unless FIT_SIGNATURE is > set where it is disabled so that unsigned images cannot be > loaded. If a board needs the legacy image format support in this > case, enable it here. > ``` > > In my understand,this backward compatibility is to support both secure boot and > non-secure boot when necessary. > >>This focuses very much on default values. How about: >> >>"The booti command is used for launching unsigned AArch64 and RISC-V >>Linux kernel images. If you want to have secure boot either via signed >>FIT images or via signed UEFI images, this option should be disabled." > > I agree, this description is more comprehensive. > > So that I want to update the commit title to "boot: don't enable thenon-secure boot commands by default ifsecure boot enabled" > >>Why AArch64 and not RISC-V? > > The help information of CMD_BOOTI only mentions AArch64, so I followed it. > > Should I update as following? > ```diff > - Boot an AArch64 Linux Kernel image from memory. > + Boot an AArch64/RISC-V Linux Kernel image from memory. Yes, please. Best regards Heinrich > ``` > > Best regards, > Rover > > At 2021-11-04 02:24:34, "Heinrich Schuchardt" <xypron.glpk@gmx.de> wrote: >>On 11/3/21 08:44, Rover Mo wrote: >>> To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT, >> >>nits: >>%s/boot/booting/ >> >>> don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if >>> CONFIG_FIT_SIGNATURE is enabled. >> >>Disabling the booti and the bootz command does not stop you from booting >>unsigned images, e.g. using the bootefi command. >> >>> >>> Signed-off-by: Yuezhang.Mo <myzmzz@126.com> >>> --- >>> cmd/Kconfig | 11 ++++++++++- >>> 1 file changed, 10 insertions(+), 1 deletion(-) >>> >>> diff --git a/cmd/Kconfig b/cmd/Kconfig >>> index 5b30b13e43..5f9dd91928 100644 >>> --- a/cmd/Kconfig >>> +++ b/cmd/Kconfig >>> @@ -203,15 +203,24 @@ config BOOTM_EFI >>> >>> config CMD_BOOTZ >>> bool "bootz" >>> + default y if !FIT_SIGNATURE >>> help >>> Boot the Linux zImage >>> + It is enabled by default for backward compatibility, unless >>> + FIT_SIGNATURE is set where it is disabled so that unsigned images >>> + cannot be loaded. If a board needs to boot a Linux zImage in this >>> + case, enable it here. >>> >>> config CMD_BOOTI >>> bool "booti" >>> depends on ARM64 || RISCV >>> - default y >>> + default y if !FIT_SIGNATURE >> >>How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default? >> >>> help >>> Boot an AArch64 Linux Kernel image from memory. >>> + It is enabled by default for backward compatibility, unless >> >>Backwards relative to UEFI? >> >>This focuses very much on default values. How about: >> >>"The booti command is used for launching unsigned AArch64 and RISC-V >>Linux kernel images. If you want to have secure boot either via signed >>FIT images or via signed UEFI images, this option should be disabled." >> >>> + FIT_SIGNATURE is set where it is disabled so that unsigned images >>> + cannot be loaded. If a board needs to boot an AArch64 Linux Kernel >> >>Why AArch64 and not RISC-V? >> >>Who needs all those lines. >> >>Best regards >> >>Heinrich >> >>> + image in this case, enable it here. >>> >>> config BOOTM_LINUX >>> bool "Support booting Linux OS images" >>> > > >
Hi, On Thu, 4 Nov 2021 at 05:23, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > > > On 11/4/21 04:11, Rover Mo wrote: > > Dear Heinrich, > > > > > > Thank for your comments. > > > > > > >How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default? > > > > I think yes. > > I will update the relation to "default y if !FIT_SIGNATURE && > > !EFI_SECURE_BOOT", > > and add "!EFI_SECURE_BOOT" into LEGACY_IMAGE_FORMAT. > > > >>> + It is enabled by default for backward compatibility, unless > >> > >>Backwards relative to UEFI? > > > > No. > > > > This description is from CONFIG_LEGACY_IMAGE_FORMAT. > > > > ``` > > config LEGACY_IMAGE_FORMAT > > bool "Enable support for the legacy image format" > > default y if !FIT_SIGNATURE > > help > > This option enables the legacy image format. It is enabled by > > default for backward compatibility, unless FIT_SIGNATURE is > > set where it is disabled so that unsigned images cannot be > > loaded. If a board needs the legacy image format support in this > > case, enable it here. > > ``` > > > > In my understand,this backward compatibility is to support both secure boot and > > non-secure boot when necessary. > > > >>This focuses very much on default values. How about: > >> > >>"The booti command is used for launching unsigned AArch64 and RISC-V > >>Linux kernel images. If you want to have secure boot either via signed > >>FIT images or via signed UEFI images, this option should be disabled." > > > > I agree, this description is more comprehensive. > > > > So that I want to update the commit title to "boot: don't enable thenon-secure boot commands by default ifsecure boot enabled" > > > >>Why AArch64 and not RISC-V? > > > > The help information of CMD_BOOTI only mentions AArch64, so I followed it. > > > > Should I update as following? > > ```diff > > - Boot an AArch64 Linux Kernel image from memory. > > + Boot an AArch64/RISC-V Linux Kernel image from memory. > > Yes, please. Also please do check tests (make qcheck) since sandbox enables more options than most boards. - Simon > > Best regards > > Heinrich > > > ``` > > > > Best regards, > > Rover > > > > At 2021-11-04 02:24:34, "Heinrich Schuchardt" <xypron.glpk@gmx.de> wrote: > >>On 11/3/21 08:44, Rover Mo wrote: > >>> To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT, > >> > >>nits: > >>%s/boot/booting/ > >> > >>> don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if > >>> CONFIG_FIT_SIGNATURE is enabled. > >> > >>Disabling the booti and the bootz command does not stop you from booting > >>unsigned images, e.g. using the bootefi command. > >> > >>> > >>> Signed-off-by: Yuezhang.Mo <myzmzz@126.com> > >>> --- > >>> cmd/Kconfig | 11 ++++++++++- > >>> 1 file changed, 10 insertions(+), 1 deletion(-) > >>> > >>> diff --git a/cmd/Kconfig b/cmd/Kconfig > >>> index 5b30b13e43..5f9dd91928 100644 > >>> --- a/cmd/Kconfig > >>> +++ b/cmd/Kconfig > >>> @@ -203,15 +203,24 @@ config BOOTM_EFI > >>> > >>> config CMD_BOOTZ > >>> bool "bootz" > >>> + default y if !FIT_SIGNATURE > >>> help > >>> Boot the Linux zImage > >>> + It is enabled by default for backward compatibility, unless > >>> + FIT_SIGNATURE is set where it is disabled so that unsigned images > >>> + cannot be loaded. If a board needs to boot a Linux zImage in this > >>> + case, enable it here. > >>> > >>> config CMD_BOOTI > >>> bool "booti" > >>> depends on ARM64 || RISCV > >>> - default y > >>> + default y if !FIT_SIGNATURE > >> > >>How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default? > >> > >>> help > >>> Boot an AArch64 Linux Kernel image from memory. > >>> + It is enabled by default for backward compatibility, unless > >> > >>Backwards relative to UEFI? > >> > >>This focuses very much on default values. How about: > >> > >>"The booti command is used for launching unsigned AArch64 and RISC-V > >>Linux kernel images. If you want to have secure boot either via signed > >>FIT images or via signed UEFI images, this option should be disabled." > >> > >>> + FIT_SIGNATURE is set where it is disabled so that unsigned images > >>> + cannot be loaded. If a board needs to boot an AArch64 Linux Kernel > >> > >>Why AArch64 and not RISC-V? > >> > >>Who needs all those lines. > >> > >>Best regards > >> > >>Heinrich > >> > >>> + image in this case, enable it here. > >>> > >>> config BOOTM_LINUX > >>> bool "Support booting Linux OS images" > >>> > > > > > >
diff --git a/cmd/Kconfig b/cmd/Kconfig index 5b30b13e43..5f9dd91928 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -203,15 +203,24 @@ config BOOTM_EFI config CMD_BOOTZ bool "bootz" + default y if !FIT_SIGNATURE help Boot the Linux zImage + It is enabled by default for backward compatibility, unless + FIT_SIGNATURE is set where it is disabled so that unsigned images + cannot be loaded. If a board needs to boot a Linux zImage in this + case, enable it here. config CMD_BOOTI bool "booti" depends on ARM64 || RISCV - default y + default y if !FIT_SIGNATURE help Boot an AArch64 Linux Kernel image from memory. + It is enabled by default for backward compatibility, unless + FIT_SIGNATURE is set where it is disabled so that unsigned images + cannot be loaded. If a board needs to boot an AArch64 Linux Kernel + image in this case, enable it here. config BOOTM_LINUX bool "Support booting Linux OS images"
To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT, don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if CONFIG_FIT_SIGNATURE is enabled. Signed-off-by: Yuezhang.Mo <myzmzz@126.com> --- cmd/Kconfig | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)