
On Thu, Aug 17, 2023 at 07:41:33AM -0600, Simon Glass wrote:
Hi Tom,
On Wed, 16 Aug 2023 at 15:26, Tom Rini <trini@konsulko.com> wrote:
On Wed, Aug 16, 2023 at 09:58:42AM +0530, Sughosh Ganu wrote:
hi Simon,
On Wed, 16 Aug 2023 at 00:09, Simon Glass <sjg@chromium.org> wrote:
Hi Sughosh,
On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
The EFI capsule authentication logic in U-Boot expects the public key, in the form of an EFI Signature List (ESL), to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.
Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow.
The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Changes since RFC series:
- Remove the default value of the config symbol.
- s/include_files/dtsi_include_list
- Add all the dtsi files being included as dependency for the dtb target.
 lib/efi_loader/Kconfig             |  8 ++++++++
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
 scripts/Makefile.lib               | 18 +++++++++++++++++-
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable.
+config EFI_CAPSULE_ESL_FILE
string "Path to the EFI Signature List File"
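Review bot: in the EFI_CAPSULE_ESL_FILE hunk, the new string symbol should carry `depends on EFI_CAPSULE_AUTHENTICATE`, since the commit message says the ESL is consumed only by the capsule authentication logic; and now that the default value has been dropped (per the change list), the help text needs to state how an empty string is handled by the new Makefile.lib rule (skip generating the dtsi, or fail the build with a clear message) and whether the path is interpreted relative to the source tree or as an absolute path, since the thread below already anticipates keys living outside the tree.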
Do we need this, or could we name it as we do with the .env file? It seems confusing to have to set this for each board - it might be better to have it in a defined location.
The reason I put this is because I thought this gave the user the flexibility to provide the location and name of the ESL. But I suppose that the board directory would be a good location to expect this file. Then this file can have a name like capsule_pub_key.esl. Tom, what are your thoughts on this?
I feel like an automatic name we can guess isn't likely how this will be used in the real world, so we should leave this as configurable.
Are we expecting these files to end up in the source tree? Where would they go?
Yes, they should be board/vendor/common/whatever-vendor-uses-internally.esl or so. As I think I mentioned on IRC, in theory someone like Asus should be using the same file here for their rockchip-based tinker board and their x86_64 based motherboards too. And it's a public key, not a private key. But we still need to ask here because a vendor may care more about "security" and so have the key /over/somewhere/else more than reproducible builds.
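Added example, not part of the patch or of anyone's reply above: whichever location CONFIG_EFI_CAPSULE_ESL_FILE ends up pointing at, the file is baked into the dtb as-is, so a sanity check on the ESL before the build consumes it is cheap insurance. The script below constructs a single-entry ESL in memory (the certificate payload is a placeholder blob, not a real DER certificate), parses it by the UEFI EFI_SIGNATURE_LIST layout, rejects anything that is not an X.509 list, and emits the kind of dtsi include the build step generates. The `signature` node name follows the commit message; the `capsule-key` property name and the sample path are assumptions.

```python
"""Sanity-check an EFI Signature List (ESL) before embedding it in a dtb.

Added example, not code from the U-Boot patch under discussion.
"""
import struct
import uuid

# UEFI spec GUID identifying an X.509 DER certificate entry in an ESL.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, 16 bytes), then
# SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each, LE).
_ESL_HDR = struct.Struct("<16sIII")


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payload: bytes) -> bytes:
    """Construct a single-entry ESL (used only to create sample input)."""
    sig_size = 16 + len(payload)           # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = _ESL_HDR.size + sig_size   # no SignatureHeader
    hdr = _ESL_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    return hdr + owner.bytes_le + payload


def parse_esl(blob: bytes) -> list[dict]:
    """Parse a concatenation of EFI_SIGNATURE_LISTs, validating every size field."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError(f"truncated ESL header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if list_size < _ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = list_size - _ESL_HDR.size - hdr_size
        # Each entry is owner GUID (16) + data; entries must tile the body exactly.
        if sig_size <= 16 or body % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile list at {off}")
        entries_off = off + _ESL_HDR.size + hdr_size
        entries = []
        for i in range(body // sig_size):
            e = blob[entries_off + i * sig_size: entries_off + (i + 1) * sig_size]
            entries.append({"owner": uuid.UUID(bytes_le=e[:16]), "data": e[16:]})
        lists.append({"type": uuid.UUID(bytes_le=raw_type), "entries": entries})
        off += list_size
    return lists


def check_capsule_esl(blob: bytes) -> int:
    """Return the number of certificates; reject non-X.509 lists and non-DER data."""
    count = 0
    for lst in parse_esl(blob):
        if lst["type"] != EFI_CERT_X509_GUID:
            raise ValueError(f"unexpected signature type {lst['type']}")
        for entry in lst["entries"]:
            # A DER certificate is a SEQUENCE; checking the tag catches PEM by mistake.
            if not entry["data"].startswith(b"\x30"):
                raise ValueError("entry does not look like a DER certificate")
            count += 1
    return count


def dtsi_for_esl(esl_path: str, prop: str = "capsule-key") -> str:
    """Emit a dtsi include that makes the ESL a property under /signature.

    The property name is an assumption for illustration.
    """
    return (
        "/ {\n"
        "\tsignature {\n"
        f'\t\t{prop} = /incbin/("{esl_path}");\n'
        "\t};\n"
        "};\n"
    )


# Constructed sample input: a placeholder DER-looking blob, not a real certificate.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_PAYLOAD = b"\x30\x82\x01\x00" + b"\xaa" * 12
SAMPLE_ESL = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(f"{check_capsule_esl(SAMPLE_ESL)} X.509 certificate(s) found")
    print(dtsi_for_esl("board/vendor/common/capsule_pub_key.esl"), end="")
```

Run against the real file named by CONFIG_EFI_CAPSULE_ESL_FILE, `check_capsule_esl` fails loudly on a truncated file, a PEM file saved with the wrong extension, or a list of hashes rather than certificates, all of which would otherwise be embedded silently and only show up as a capsule authentication failure at runtime.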