
On 12/20/21 06:02, AKASHI Takahiro wrote:
By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will automatically insert the given key into the device tree. Otherwise, users are required to do so manually, possibly, with the utility script, fdtsig.sh.
Why do we need a script fdtsig.sh? Can't you integrate this into the Makefile?
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
doc/develop/uefi/uefi.rst | 4 ++++ dts/Makefile | 23 +++++++++++++++++++++-- lib/efi_loader/Kconfig | 7 +++++++ 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update::
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
The public and private keys used for the signing process are generated and used by the steps highlighted below.
@@ -392,6 +393,9 @@ and used by the steps highlighted below. }; };
- If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will
- take care of it for you.
- Executing the boot manager
diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep)
+quiet_cmd_fdtsig = FDTSIG $@
- cmd_fdtsig = \
cat $< > $@; \
$(srctree)/tools/fdtsig.sh \
$(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),)
Shouldn't I get a build error if the path is not specified?
Best regards
Heinrich
+DTB_ov := $(obj)/dt.dtb_ov
+$(obj)/dt.dtb_ov: $(DTB) FORCE
- $(call if_changed,fdtsig)
+else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif
- ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y)
-$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 700dc838ddb9..8c8d14d46433 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication
+config EFI_CAPSULE_KEY_PATH
- string "Path to .esl cert for capsule authentication"
- depends on EFI_CAPSULE_AUTHENTICATE
- help
Provide the EFI signature list (esl) certificate used for capsule
authentication
- config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
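Review bot: In the second doc/develop/uefi/uefi.rst hunk, the added sentence "the build process will take care of it for you" does not say what "it" refers to or what the user must do when the option is left unset. Suggest spelling it out: if CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build inserts the key into the device tree; otherwise the key has to be inserted manually, for example with tools/fdtsig.sh.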
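Review bot: In the dts/Makefile hunk, cmd_fdtsig creates the target with "cat $< > $@;" before it runs fdtsig.sh, so when fdtsig.sh fails the target file already exists as an unmodified copy of the input, without the key. Suggest chaining the two commands with && and working on a temporary file that is renamed to $@ only after fdtsig.sh has succeeded. The key path and $@ are also passed to the script unquoted, so a path containing spaces would be split into several arguments. The two identical "else" branches that set DTB_ov := $(DTB) could be dropped by assigning DTB_ov := $(DTB) once before the conditionals and overriding it only in the signed case.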
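Review bot: In the lib/efi_loader/Kconfig hunk, the help text for EFI_CAPSULE_KEY_PATH does not say what happens when the string is left empty, and the entry carries no default. Suggest stating in the help that the file is inserted into the device tree at build time, that an empty value leaves the key insertion to the user, and whether a relative path is resolved against the source tree or the build directory.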