Message ID | 20230821072909.2387400-4-sughosh.ganu@linaro.org |
---|---|
State | Superseded |
Series | capsule: Embed the public key ESL as part of build |
On Mon, 21 Aug 2023 at 10:29, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > The EFI capsule authentication logic in u-boot expects the public key > in the form of an EFI Signature List(ESL) to be provided as part of > the platform's dtb. Currently, the embedding of the ESL file into the > dtb needs to be done manually. > > Add a target for generating a dtsi file which contains the signature > node with the ESL file included as a property under the signature > node. Include the dtsi file in the dtb. This brings the embedding of > the ESL in the dtb into the U-Boot build flow. > > The path to the ESL file is specified through the > CONFIG_EFI_CAPSULE_ESL_FILE symbol. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > Reviewed-by: Tom Rini <trini@konsulko.com> > --- > Changes since V2: None > > lib/efi_loader/Kconfig | 8 ++++++++ > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ > scripts/Makefile.lib | 15 +++++++++++++++ > 3 files changed, 34 insertions(+) > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index 9989e3f384..d20aaab6db 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX > Select the max capsule index value used for capsule report > variables. This value is used to create CapsuleMax variable. > > +config EFI_CAPSULE_ESL_FILE > + string "Path to the EFI Signature List File" > + depends on EFI_CAPSULE_AUTHENTICATE > + help > + Provides the path to the EFI Signature List file which will > + be embedded in the platform's device tree and used for > + capsule authentication at the time of capsule update. > + > config EFI_DEVICE_PATH_TO_TEXT > bool "Device path to text protocol" > default y > diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in > new file mode 100644 > index 0000000000..61a9f2b25e > --- /dev/null > +++ b/lib/efi_loader/capsule_esl.dtsi.in 
> @@ -0,0 +1,11 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/** > + * Devicetree file with the public key EFI Signature List(ESL) > + * node. This file is used to generate the dtsi file to be > + * included into the DTB. > +*/ > +/ { > + signature { > + capsule-key = /incbin/("ESL_BIN_FILE"); > + }; > +}; > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib > index 8c5e25c31c..3cec46bb15 100644 > --- a/scripts/Makefile.lib > +++ b/scripts/Makefile.lib > @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ > ; \ > sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) > > +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ > +cmd_capsule_esl_gen = \ > + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) > + > +$(obj)/.capsule_esl.dtsi: > + $(call cmd_capsule_esl_gen) > + > +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in > +capsule_esl_dtsi = .capsule_esl.dtsi > +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) > + > +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE > +dtsi_include_list += $(capsule_esl_dtsi) > +endif > + > dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) > > $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE > -- > 2.34.1 > Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
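Review bot: the help text for EFI_CAPSULE_ESL_FILE should say that the path is relative to the U-Boot source tree, because the Makefile.lib hunk resolves it as $(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))); an absolute path such as /keys/capsule.esl therefore silently resolves under $(srctree), and an empty string resolves to the source tree itself, which /incbin/ cannot read. Either document that restriction in the help text or make the Makefile accept absolute paths, and consider a build-time check so that enabling EFI_CAPSULE_AUTHENTICATE without setting the path fails with a clear message instead of a dtc error on the generated include.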
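Review bot: in capsule_esl.dtsi.in the closing `*/` is not aligned with the ` * ` lines above it, and the block opens with `/**`, which is the kernel-doc marker for function documentation; a plain `/*` with an aligned ` */` is the usual form for a file comment. The comment would also benefit from one sentence stating that the DTB carrying /signature/capsule-key must itself be covered by the platform's boot-time image verification: the key is only as trustworthy as the DTB it is embedded in, so a DTB that an attacker can replace lets the capsule-key be replaced with it.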
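Review bot: cmd_capsule_esl_gen in the Makefile.lib hunk wraps the sed in $(shell ...), so the file is produced as a side effect of expanding the recipe (it runs even under make -n) while the recipe line itself expands to nothing, and the rule invokes it as $(call cmd_capsule_esl_gen) rather than $(call cmd,capsule_esl_gen), so quiet_cmd_capsule_esl_gen is never consulted and the CAPSULE_ESL_GEN line is never printed. Drop the $(shell) wrapper, i.e. `cmd_capsule_esl_gen = sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@`, and run it through the kbuild cmd/if_changed helpers. The $(obj)/.capsule_esl.dtsi rule also has no prerequisites, so once the file exists a changed CONFIG_EFI_CAPSULE_ESL_FILE or a changed template never regenerates it; add $(capsule_esl_input_file) and FORCE with if_changed so the generated include tracks the configuration. Lastly, sed is given ':' as its delimiter, so an ESL path containing a colon breaks the substitution.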
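An added example, not code from the patch or from U-Boot: the EFI_SIGNATURE_LIST layout that the capsule-key property ends up carrying, built and sanity-checked in Python so that a truncated, mis-sized or wrong-typed file is caught before /incbin/ bakes it into the DTB. The signature type GUID is the UEFI EFI_CERT_X509_GUID; the certificate bytes and owner GUID are constructed placeholders, and build_esl, parse_esl and check_capsule_key are names of this example, not of anything in U-Boot.

```python
# Added example (not part of the U-Boot patch): build and sanity-check an
# EFI Signature List (ESL) of the kind CONFIG_EFI_CAPSULE_ESL_FILE points at,
# before it is /incbin/'d into the DTB as /signature/capsule-key.
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI spec: the signature type used for an
# X.509 capsule signing certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, 16 bytes), then
# SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each, LE).
ESL_HEADER_LEN = 16 + 4 + 4 + 4
# Each EFI_SIGNATURE_DATA entry: SignatureOwner (GUID, 16 bytes) + SignatureData.
SIG_OWNER_LEN = 16


def build_esl(cert_der: bytes, owner: uuid.UUID,
              sig_type: uuid.UUID = EFI_CERT_X509_GUID) -> bytes:
    """Wrap one DER certificate in a single-entry EFI_SIGNATURE_LIST."""
    sig_size = SIG_OWNER_LEN + len(cert_der)
    list_size = ESL_HEADER_LEN + sig_size          # SignatureHeaderSize is 0
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> list:
    """Parse a concatenation of EFI_SIGNATURE_LISTs, checking every size field
    against the buffer so a corrupt file fails here, not in the bootloader."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError(f"truncated ESL header at offset {off}")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} overruns buffer at {off}")
        if sig_size <= SIG_OWNER_LEN:
            raise ValueError(f"SignatureSize {sig_size} leaves no signature data")
        body = blob[off + ESL_HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature entries do not tile SignatureListSize")
        entries = []
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=bytes(body[i:i + SIG_OWNER_LEN]))
            entries.append((owner, bytes(body[i + SIG_OWNER_LEN:i + sig_size])))
        lists.append({"type": sig_type, "entries": entries})
        off += list_size
    return lists


def check_capsule_key(blob: bytes) -> list:
    """Return the DER certificates in the ESL, refusing any list that is not
    of X.509 type or any entry that does not start with a DER SEQUENCE tag."""
    certs = []
    for sl in parse_esl(blob):
        if sl["type"] != EFI_CERT_X509_GUID:
            raise ValueError(f"unexpected signature type {sl['type']}")
        for owner, data in sl["entries"]:
            if not data or data[0] != 0x30:      # 0x30 = DER SEQUENCE
                raise ValueError(f"entry owned by {owner} is not a DER certificate")
            certs.append(data)
    if not certs:
        raise ValueError("ESL carries no certificate")
    return certs


# Constructed sample input (not a real certificate): a minimal DER SEQUENCE
# standing in for the X.509 signing certificate, with an assumed owner GUID.
SAMPLE_CERT = b"\x30\x04\x02\x02\x13\x37"
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_ESL = build_esl(SAMPLE_CERT, SAMPLE_OWNER)

if __name__ == "__main__":
    # Two lists back to back, as a file holding more than one key would be.
    certs = check_capsule_key(SAMPLE_ESL + SAMPLE_ESL)
    print(f"{len(certs)} certificate(s) found, {len(SAMPLE_ESL)} bytes per list")
    # A list whose size field claims more bytes than the file has is rejected.
    try:
        check_capsule_key(SAMPLE_ESL[:-1])
    except ValueError as err:
        print("rejected:", err)
```

The same check belongs at the other end of the build: read /signature/capsule-key back out of the compiled DTB (fdtget or dtc -I dtb -O dts will do) and feed those bytes to check_capsule_key; they must be byte-identical to the file named by CONFIG_EFI_CAPSULE_ESL_FILE, otherwise the /incbin/ picked up the wrong path.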