
[v2] doc: uefi: enhance anti-rollback documentation

Message ID 20230622055130.127656-1-masahisa.kojima@linaro.org
State Superseded

Commit Message

Masahisa Kojima June 22, 2023, 5:51 a.m. UTC
To enforce anti-rollback to any older version, the dtb must
always be updated manually. This should be described in the
documentation.

This commit also adds the recommendation that secure systems should not
enable the fdt command, because the lowest-supported-version
property in the device tree can be changed by the fdt command.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
---
 doc/develop/uefi/uefi.rst | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Ilias Apalodimas June 22, 2023, 7:20 a.m. UTC | #1
Hi Kojima-san

On Thu, 22 Jun 2023 at 08:51, Masahisa Kojima
<masahisa.kojima@linaro.org> wrote:
>
> To enforce anti-rollback to any older version, the dtb must
> always be updated manually. This should be described in the
> documentation.
>
> This commit also adds the recommendation that secure systems should not
> enable the fdt command, because the lowest-supported-version
> property in the device tree can be changed by the fdt command.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> ---
>  doc/develop/uefi/uefi.rst | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> index ffd13cebe9..7407f178f5 100644
> --- a/doc/develop/uefi/uefi.rst
> +++ b/doc/develop/uefi/uefi.rst
> @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail.
>  When the --fw-version in the capsule file is updated, lowest-supported-version
>  in the dtb might be updated accordingly.
>
> +If user needs to enroce anti-rollback to any older version,

enforce*

> +the lowest-supported-version property in dtb must be always updated manually.
> +
> +Note that the lowest-supported-version property specified in U-Boot's control
> +device tree can be changed by U-Boot fdt command.
> +Secure systems should not enable this command.
> +

Other than that,
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

>  To insert the lowest supported version into a dtb
>
>  .. code-block:: console
> --
> 2.34.1
>
Masahisa Kojima June 22, 2023, 7:56 a.m. UTC | #2
On Thu, 22 Jun 2023 at 16:21, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Hi Kojima-san
>
> On Thu, 22 Jun 2023 at 08:51, Masahisa Kojima
> <masahisa.kojima@linaro.org> wrote:
> >
> > To enforce anti-rollback to any older version, the dtb must
> > always be updated manually. This should be described in the
> > documentation.
> >
> > This commit also adds the recommendation that secure systems should not
> > enable the fdt command, because the lowest-supported-version
> > property in the device tree can be changed by the fdt command.
> >
> > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> > ---
> >  doc/develop/uefi/uefi.rst | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> > index ffd13cebe9..7407f178f5 100644
> > --- a/doc/develop/uefi/uefi.rst
> > +++ b/doc/develop/uefi/uefi.rst
> > @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail.
> >  When the --fw-version in the capsule file is updated, lowest-supported-version
> >  in the dtb might be updated accordingly.
> >
> > +If user needs to enroce anti-rollback to any older version,
>
> enforce*
>
> > +the lowest-supported-version property in dtb must be always updated manually.
> > +
> > +Note that the lowest-supported-version property specified in U-Boot's control
> > +device tree can be changed by U-Boot fdt command.
> > +Secure systems should not enable this command.
> > +
>
> Other than that,
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Thank you for pointing out the typo.
I will fix and send v3 soon.

Thanks,
Masahisa Kojima

>
> >  To insert the lowest supported version into a dtb
> >
> >  .. code-block:: console
> > --
> > 2.34.1
> >

Patch

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index ffd13cebe9..7407f178f5 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -552,6 +552,13 @@  update using a capsule file with --fw-version of 5, the update will fail.
 When the --fw-version in the capsule file is updated, lowest-supported-version
 in the dtb might be updated accordingly.
 
+If user needs to enroce anti-rollback to any older version,
+the lowest-supported-version property in dtb must be always updated manually.
+
+Note that the lowest-supported-version property specified in U-Boot's control
+device tree can be changed by U-Boot fdt command.
+Secure systems should not enable this command.
+
 To insert the lowest supported version into a dtb
 
 .. code-block:: console
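Review bot: the first added sentence ("If user needs to enroce anti-rollback to any older version,") carries the typo "enroce" for "enforce" and reads better as "If the user needs to enforce anti-rollback to any older version,"; on the following line "must be always updated manually" should be "must always be updated manually". For the note about the fdt command, consider naming the Kconfig symbol that builds it (CONFIG_CMD_FDT) so that integrators of a secure system know exactly which option to leave disabled rather than only that "this command" should be off.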