On Sat, Aug 05, 2023 at 09:03:53AM -0600, Simon Glass wrote:
Hi Sughosh,
On Sat, 5 Aug 2023 at 05:35, Sughosh Ganu sughosh.ganu@linaro.org wrote:
The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List(ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.
Add a signature node in the u-boot dtsi file and include the public key through the capsule-key property. This file is per architecture, and is currently being added for sandbox and arm architectures. It will have to be added for other architectures which need to enable capsule authentication support.
The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Changes since V6:
- Populate the CONFIG_EFI_CAPSULE_ESL_FILE symbol for sandbox and sandbox_flattree which enable capsule authentication.
Note: Simon Glass had asked me to rid of the CONFIG_EFI_HAVE_CAPSULE_SUPPORT ifdef used in the sandbox' u-boot.dtsi file. However, that results in the sandbox_vpl test failing in CI. Hence that check has been kept.
arch/arm/dts/u-boot.dtsi | 14 ++++++++++++++ arch/sandbox/dts/u-boot.dtsi | 17 +++++++++++++++++
We've already had some go-round as to why this basically identical file can't be in like lib/efi_loader/ or something, yes?
configs/sandbox_defconfig | 1 + configs/sandbox_flattree_defconfig | 1 + lib/efi_loader/Kconfig | 9 +++++++++ 5 files changed, 42 insertions(+) create mode 100644 arch/arm/dts/u-boot.dtsi create mode 100644 arch/sandbox/dts/u-boot.dtsi
diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi new file mode 100644 index 0000000000..4f31da4521 --- /dev/null +++ b/arch/arm/dts/u-boot.dtsi @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: GPL-2.0+ +/**
- Devicetree file with miscellaneous nodes that will be included
- at build time into the DTB. Currently being used for including
- capsule related information.
- */
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +/ {
signature {capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);};+}; +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */ diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi new file mode 100644 index 0000000000..60bd004937 --- /dev/null +++ b/arch/sandbox/dts/u-boot.dtsi @@ -0,0 +1,17 @@ +// SPDX-License-Identifier: GPL-2.0+ +/*
- Devicetree file with miscellaneous nodes that will be included
- at build time into the DTB. Currently being used for including
- capsule related information.
- */
+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT +/ { +#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
signature {capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);};+#endif +}; +#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
And why are these two different?
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index a22e47616f..0d559ff3a1 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -235,6 +235,15 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable.
+config EFI_CAPSULE_ESL_FILE
string "Path to the EFI Signature List File"default ""
No default.
depends on EFI_CAPSULE_AUTHENTICATEhelpProvides the absolute path to the EFI Signature List file whichIt isn't really an absolute path as it doesn't start with /
You really can't/shouldn't use absolute paths in a U-Boot build.
You can't as it will break reproducible builds (or make them harder than required).