doc: uefi: enhance anti-rollback documentation

To enforce anti-rollback to any older version, dtb must be
always update manually. This should be described in the
documentation.

This commit also adds the recommendation that secure system should not
enable the fdt command because lowest-supported-version
property in device tree can be changed by fdt command.

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 6626ceec52b4cb630c328d4ab3661d6c2cb99c2c..a7a41f2facf2c7f0ee9a1b2058279e1c329eb0d3 100644 (file)
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -552,6 +552,13 @@ update using a capsule file with --fw-version of 5, the update will fail.
 When the --fw-version in the capsule file is updated, lowest-supported-version
 in the dtb might be updated accordingly.
 
+If user needs to enforce anti-rollback to any older version,
+the lowest-supported-version property in dtb must be always updated manually.
+
+Note that the lowest-supported-version property specified in U-Boot's control
+device tree can be changed by U-Boot fdt command.
+Secure systems should not enable this command.
+
 To insert the lowest supported version into a dtb
 
 .. code-block:: console