On 5/10/21 10:19 AM, AKASHI Takahiro wrote:
It will probably be a common error case that a certificate (public key) is not provided by the system while capsule authentication is enabled. So add a debug message.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
lib/efi_loader/efi_capsule.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index 90893f85e22c..84ddaf50d13f 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -316,8 +316,10 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s }
ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
- if (ret < 0)
- if (ret < 0) {
debug("Public key/certificate not found\n");
Currently the only implementation of efi_get_public_key_data() actually providing keys is the one in board/emulation/common/qemu_capsule.c where the user has to manually upload the esl file.
For future implementation it is preferable to build the public key data into the U-Boot binary. If it is part of the build process then the only error that could come up is that the public key data has the wrong format.
If we are using the weak implementation of efi_get_public_key_data() in lib/efi_loader/efi_capsule.cwith CONFIG_EFI_CAPSULE_AUTHENTICATE=y, the system is misconfigured. Do we need that weak implementation at all? I would prefer to remove to get a build error.
I suggest that you add a log_err() message with above text into the board/emulation/common/qemu_capsule.c implementation of efi_get_public_key_data(). This way the user will see that he forgot a step.
Best regards
Heinrich
goto out;
}
pkey = malloc(pkey_len); if (!pkey)