| Message ID | 20211102005512.96019-13-takahiro.akashi@linaro.org |
|---|---|
| State | Superseded |
| Series | efi_loader: capsule: improve capsule authentication support |
Hi Takahiro,

On Mon, 1 Nov 2021 at 18:56, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>
> By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
> automatically insert the given key into the device tree.
> Otherwise, users are required to do so manually, possibly, with
> the utility script, fdtsig.sh.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
> doc/develop/uefi/uefi.rst | 4 ++++
> dts/Makefile | 23 +++++++++++++++++++++--
> lib/efi_loader/Kconfig | 7 +++++++
> 3 files changed, 32 insertions(+), 2 deletions(-)

I'd like to explore how binman could handle this, perhaps by calling
the capsule tool you have written. What do you think?

Regards,
Simon
On Tue, Nov 02, 2021 at 08:58:30AM -0600, Simon Glass wrote:
> Hi Takahiro,
>
> On Mon, 1 Nov 2021 at 18:56, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> >
> > By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
> > automatically insert the given key into the device tree.
> > Otherwise, users are required to do so manually, possibly, with
> > the utility script, fdtsig.sh.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> > doc/develop/uefi/uefi.rst | 4 ++++
> > dts/Makefile | 23 +++++++++++++++++++++--
> > lib/efi_loader/Kconfig | 7 +++++++
> > 3 files changed, 32 insertions(+), 2 deletions(-)
>
> I'd like to explore how binman could handle this, perhaps by calling
> the capsule tool you have written. What do you think?

Please do so if you like :)

-Takahiro Akashi

> Regards,
> Simon
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> The public and private keys used for the signing process are generated and used by the steps highlighted below. @@ -392,6 +393,9 @@ and used by the steps highlighted below. }; }; + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will + take care of it for you. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep) +quiet_cmd_fdtsig = FDTSIG $@ + cmd_fdtsig = \ + cat $< > $@; \ + $(srctree)/tools/fdtsig.sh \ + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ + +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) +DTB_ov := $(obj)/dt.dtb_ov + +$(obj)/dt.dtb_ov: $(DTB) FORCE + $(call if_changed,fdtsig) +else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif + ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 52f71c07c991..d12b1e56ae80 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -208,6 +208,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_CAPSULE_KEY_PATH + string "Path to .esl cert for capsule authentication" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provide the EFI signature list (esl) certificate used for capsule + authentication + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
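Review bot: in the doc/develop/uefi/uefi.rst hunk, the added sentence "the build process will take care of it for you" does not say what "it" is; state explicitly that the build inserts the ESL certificate named by CONFIG_EFI_CAPSULE_KEY_PATH into the control device tree, so the manual fdtsig.sh step described just above is only needed when the option is left empty. The new line `CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>` should also say whether a relative path is resolved against the source tree or the build directory, since the dts/Makefile hunk hands the value to tools/fdtsig.sh unchanged.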
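Review bot: in the dts/Makefile hunk, the rule `$(obj)/dt.dtb_ov: $(DTB) FORCE` does not list the certificate file as a prerequisite, so a regenerated or rotated .esl at the same CONFIG_EFI_CAPSULE_KEY_PATH will not trigger a re-sign: if_changed only reruns when a prerequisite is newer or the command line differs, and the path in the command line stays the same. Adding `$(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH))` to the prerequisites fixes that and also makes a missing file a hard build error instead of whatever fdtsig.sh does with a bad path. In cmd_fdtsig, `cat $< > $@; $(srctree)/tools/fdtsig.sh ...` joins the two commands with `;`, so a failed cat still runs the script on an empty output; `&&` is the safer join. The nested ifeq/ifneq can be flattened by setting `DTB_ov := $(DTB)` unconditionally first and overriding it only in the branch where both options are set, dropping both else branches.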
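Review bot: in the lib/efi_loader/Kconfig hunk, the help text for EFI_CAPSULE_KEY_PATH stops at "used for capsule authentication" without saying what the build does with the file; add that the ESL is embedded into the control device tree at build time, that an empty value means the user must insert it manually with tools/fdtsig.sh, and how a relative path is interpreted, so the Kconfig entry and the uefi.rst text agree. The help sentence is also missing its trailing period.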
By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
automatically insert the given key into the device tree.
Otherwise, users are required to do so manually, possibly, with
the utility script, fdtsig.sh.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
doc/develop/uefi/uefi.rst | 4 ++++
dts/Makefile | 23 +++++++++++++++++++++--
lib/efi_loader/Kconfig | 7 +++++++
3 files changed, 32 insertions(+), 2 deletions(-)
--
2.33.0