hi Simon,
On Wed, 2 Aug 2023 at 19:04, Simon Glass sjg@chromium.org wrote:
Hi Sughosh,
On Wed, 2 Aug 2023 at 06:52, Simon Glass sjg@chromium.org wrote:
Hi Sughosh,
On Tue, 1 Aug 2023 at 11:40, Sughosh Ganu sughosh.ganu@linaro.org wrote:
The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List(ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.
Add a signature node in the u-boot dtsi file and include the public key through the capsule-key property. This file is per architecture, and is currently being added for sandbox and arm architectures. It will have to be added for other architectures which need to enable capsule authentication support.
The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Changes since V5:
- None
arch/arm/dts/u-boot.dtsi | 14 ++++++++++++++ arch/sandbox/dts/u-boot.dtsi | 17 +++++++++++++++++ lib/efi_loader/Kconfig | 9 +++++++++ 3 files changed, 40 insertions(+) create mode 100644 arch/arm/dts/u-boot.dtsi create mode 100644 arch/sandbox/dts/u-boot.dtsi
diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi new file mode 100644 index 0000000000..4f31da4521 --- /dev/null +++ b/arch/arm/dts/u-boot.dtsi @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: GPL-2.0+ +/**
- Devicetree file with miscellaneous nodes that will be included
- at build time into the DTB. Currently being used for including
- capsule related information.
- */
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +/ {
signature {capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);};+}; +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
Ilias mentioned that this binding can cause problems if it not upstream, causing the platform to fail validation. So we need to agree a binding for it in dt-schema. Can you send a patch to we can discuss it there?
There was an effort from Jassi earlier [1] to upstream one such binding for the FWU node. But Rob had asked to remove this in u-boot before the DT was passed over to the kernel.
-sughosh
[1] - https://lore.kernel.org/u-boot/CAL_JsqJN4FeHomL7z3yj0WJ9bpx1oSE7zf26L_GV2oS6...
Regards, Simon