diff options
| author | Masahisa Kojima <masahisa.kojima@linaro.org> | 2023-06-22 17:06:29 +0900 |
|---|---|---|
| committer | Heinrich Schuchardt <heinrich.schuchardt@canonical.com> | 2023-07-15 11:20:41 +0200 |
| commit | 345a8b15acf228c4a429f6569c34cbc0232e76eb (patch) | |
| tree | 385c25c3bd11311d53cc32f218a59e0303bed8c4 /doc | |
| parent | a12b36434d822ef1c4f6631314a8ea229e68c520 (diff) | |
| download | u-boot-345a8b15acf228c4a429f6569c34cbc0232e76eb.zip u-boot-345a8b15acf228c4a429f6569c34cbc0232e76eb.tar.gz u-boot-345a8b15acf228c4a429f6569c34cbc0232e76eb.tar.bz2 | |
doc: uefi: enhance anti-rollback documentation
To enforce anti-rollback to any older version, dtb must be
always update manually. This should be described in the
documentation.
This commit also adds the recommendation that secure system should not
enable the fdt command because lowest-supported-version
property in device tree can be changed by fdt command.
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/develop/uefi/uefi.rst | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 6626cee..a7a41f2 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail. When the --fw-version in the capsule file is updated, lowest-supported-version in the dtb might be updated accordingly. +If user needs to enforce anti-rollback to any older version, +the lowest-supported-version property in dtb must be always updated manually. + +Note that the lowest-supported-version property specified in U-Boot's control +device tree can be changed by U-Boot fdt command. +Secure systems should not enable this command. + To insert the lowest supported version into a dtb .. code-block:: console |