
Ilias Apalodimas <ilias.apalodimas@linaro.org> writes:
Hi Jonathan
On Thu, 13 Jun 2024 at 23:28, Jonathan Humphreys <j-humphreys@ti.com> wrote:
Use the capsule's public key certificate rather than a prebuilt ESL generated from the certificate. The ESL is now generated as part of the build.
Is there a reason to do this? I understand that the .crt extension might be well known while the .esl is not, but OTOH the system you build on after this change *needs* to have cert-to-efi-sig-list installed.
Hi Ilias,
In general, I am following the principle that it is better to not include in your source repo derived binaries that can be built at build time.
As far as the need to have cert-to-efi-sig-list, it is part of efitools and that is already documented as a requirement for the build host ([0] and [1]), and our baseline Docker file also includes it.
[0] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#enabling-capsule-au...
[1] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#configuring-uefi-se...
Jon
Thanks /Ilias
Changes from v1:
- Converted the single patch to a series to include a bug fix found during development.
- Created an explicit rule for creating the ESL file for proper makefile dependency tracking. v1 had combined creating the ESL file and generating the .dtsi include in a single command.
Jonathan Humphreys (2):
  scripts/Makefile.lib: fixes: Embed capsule public key in platform's dtb
  scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file

 board/sandbox/capsule_pub_esl_good.esl | Bin 831 -> 0 bytes
 configs/sandbox_defconfig              |  2 +-
 configs/sandbox_flattree_defconfig     |  2 +-
 doc/develop/uefi/uefi.rst              |  8 ++++----
 lib/efi_loader/Kconfig                 | 12 +++++++-----
 scripts/Makefile.lib                   | 24 +++++++++++++++---------
 6 files changed, 28 insertions(+), 20 deletions(-)
 delete mode 100644 board/sandbox/capsule_pub_esl_good.esl

-- 
2.34.1
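
Added example, not part of the thread or of U-Boot's build: an ESL holding one X.509 certificate is a fixed EFI_SIGNATURE_LIST wrapper around the DER bytes, so it can be regenerated from the certificate, and a checked-in ESL can be audited against the certificate it claims to come from. The function names, the DER input (efitools takes PEM) and the all-zero default owner GUID are assumptions of this sketch.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size.
ESL_HEADER = struct.Struct("<16sIII")


def cert_to_esl(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST (owner GUID assumed)."""
    sig_size = 16 + len(cert_der)  # EFI_SIGNATURE_DATA = owner GUID + certificate
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                             ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def esl_to_certs(esl: bytes) -> list[bytes]:
    """Return every DER certificate in an ESL blob, rejecting malformed input."""
    certs, off = [], 0
    while off < len(esl):
        if len(esl) - off < ESL_HEADER.size:
            raise ValueError("truncated signature list header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(esl, off)
        if list_size < ESL_HEADER.size or off + list_size > len(esl):
            raise ValueError("signature list size out of bounds")
        if uuid.UUID(bytes_le=sig_type) != EFI_CERT_X509_GUID:
            raise ValueError("not an X.509 signature list")
        body = list_size - ESL_HEADER.size - hdr_size
        if sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("inconsistent signature sizes")
        start = off + ESL_HEADER.size + hdr_size
        for pos in range(start, start + body, sig_size):
            certs.append(esl[pos + 16:pos + sig_size])  # skip the owner GUID
        off += list_size
    return certs


def esl_matches_cert(esl: bytes, cert_der: bytes) -> bool:
    """True only if the ESL carries exactly this certificate and nothing else."""
    return esl_to_certs(esl) == [cert_der]


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate.
    fake_cert = b"\x30\x82\x03\x0f" + bytes(783)
    esl = cert_to_esl(fake_cert)
    print(len(esl), esl_matches_cert(esl, fake_cert))
```

The strict "exactly one certificate" comparison matters for review: an ESL with an extra trusted key appended still contains the expected certificate, so a containment check alone would pass it.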