[PATCH v2 0/2] scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL

Use the capsule's public key certificate rather than a prebuilt ESL generated from the certificate. The ESL is now generated as part of the build.

Changes from v1:
- Converted the single patch to a series to include a bug fix found during development.
- Created an explicit rule for creating the ESL file for proper makefile dependency tracking. v1 had combined creating the ESL file and generating the .dtsi include in a single command.

Jonathan Humphreys (2):
  scripts/Makefile.lib: fixes: Embed capsule public key in platform's dtb
  scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file

 board/sandbox/capsule_pub_esl_good.esl | Bin 831 -> 0 bytes
 configs/sandbox_defconfig              |   2 +-
 configs/sandbox_flattree_defconfig     |   2 +-
 doc/develop/uefi/uefi.rst              |   8 ++++----
 lib/efi_loader/Kconfig                 |  12 +++++++-----
 scripts/Makefile.lib                   |  24 +++++++++++++++---------
 6 files changed, 28 insertions(+), 20 deletions(-)
 delete mode 100644 board/sandbox/capsule_pub_esl_good.esl

The call to cmd_capsule_esl_gen was made directly rather than using the "cmd,xxx" syntax.
Fixes: c7d4dfcd ("scripts/Makefile.lib: Embed capsule public key in platform's dtb")
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
---
 scripts/Makefile.lib | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 62f87517c09..af97fcfe4bb 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -351,7 +351,7 @@ ifeq ($(CONFIG_EFI_CAPSULE_ESL_FILE),"") $(error "CONFIG_EFI_CAPSULE_ESL_FILE is empty, EFI capsule authentication \ public key must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled") else - $(call cmd_capsule_esl_gen) + $(call cmd,capsule_esl_gen) endif
capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
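
Review bot: On the added line "$(call cmd,capsule_esl_gen)" the change looks right, but the commit message only restates the diff and does not say what went wrong while cmd_capsule_esl_gen was being called directly (for example, whether the CAPSULE_ESL_GEN line was missing from the build output). Please add the observed symptom so the Fixes: tag can be judged for backporting. The Fixes: tag also abbreviates the commit to 8 hex digits (c7d4dfcd); the usual kernel-style form is at least 12.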

The EFI Capsule ESL file (EFI Signature List File) used for authentication is a binary generated from the EFI Capsule public key certificate. Instead of including it in the source repo, automatically generate it from the certificate file during the build process.
Currently, sandbox is the only device using this, so removed its ESL file and set the (new) CONFIG_EFI_CAPSULE_CRT_FILE config to point to its public key certificate.
Signed-off-by: Jonathan Humphreys j-humphreys@ti.com
---
 board/sandbox/capsule_pub_esl_good.esl | Bin 831 -> 0 bytes
 configs/sandbox_defconfig              |   2 +-
 configs/sandbox_flattree_defconfig     |   2 +-
 doc/develop/uefi/uefi.rst              |   8 ++++----
 lib/efi_loader/Kconfig                 |  12 +++++++-----
 scripts/Makefile.lib                   |  22 ++++++++++++++--------
 6 files changed, 27 insertions(+), 19 deletions(-)
 delete mode 100644 board/sandbox/capsule_pub_esl_good.esl
diff --git a/board/sandbox/capsule_pub_esl_good.esl b/board/sandbox/capsule_pub_esl_good.esl deleted file mode 100644 index f8cc272309b2f80113c29e22bc9fdd5c767b4667..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001
literal 831 zcmZ1&d0^?2Da*aux2_hA(f&|m&&&V@%1|1@gOCPI%=`vTjNcb9GchtTi3D3+YdNud z!N;6d=3f<&F-6ONS4$i4vT<s)d9;1!Wn|=LWiSvk6fqEDV-96u=HU);4GxJ9_H_4i z4Kh#==QT1murM$&v@kF?F^ZDlH#RUZHZ(9Wg9_l(*~F-XYzZSP19KB2KLgNRTue=j zj0_uCzfHaHH`(1}*Y#3U|97H!k3}~NhPN}GOrG;oTyFi(qmA`NTh~3>_x7NA^t?#f z>a)U0PLquF6_u8?^dHul+F@6qxB0YdssF`W?=n<3b^P4dmiKI#^@p}E)#B;%RW0;Z z-#n?@Et9eDfUQTgV&QR*{b|~VRC6NVv@WS%&0hbnAnbMH)s>m<ruWw!o9KU&t7IaN z^ws?)fy!Y!PA6wHM9oeqJuYyoIO0;duj#}3>jlOWk4kw?f2&||$2#il@?9KqESXN5 zbz2wTe>RVi?d~3_cT1K9oDaUDRd@aM1GkLbi{)<QcW%>Ma(#i_ui5G`j(PuTIhpoN z73DslYiZhJ`RkA&6Eh<N<Kke0Km%D|xXbdfh_Q&secT;;BI`VRLX*$F#X3)yTwnIl z%Rn9^t;`}}Al86g0Y6BAFeBrC7FGjhAcY+4z_<klJ0n9-ZF-^Byx1)aGPkZ;M8@iK z@4h6QYApWke51U4vh|)B+RHfwcQh8f`Fd8-Ad#bU?mv#SCl^~!ojUbKMpn)-Kd>zH z-bULy5-~dZsg>zZPS-w(zNM;c<#N4ar|5@t2FY2AoF7{4IWYI(=HR-Vl;VtSQGM$z zG&LhNEwesN5|ez&@#Le<mt%k4Ngp{`oU3!I!!G(r+O78=mGAf;yBNLt_LaVmLHB2w zF3Vp(*($;GmPMkjzjWQf=x-~Qozl?NwEilS|Lo7%xGP$f^Riek&1Q@!w>qJ9NJDsL xX})Fc$L0Fj-&QP|CD!3Bu=aCF<a-t|<@nrhQ$HQy*tL7JV9T^r#)tp!0|2#rO&9<G
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index 93b52f2de5c..d6c7d7a4ad3 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -352,7 +352,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y -CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl" +CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt" CONFIG_EFI_SECURE_BOOT=y CONFIG_TEST_FDTDEC=y CONFIG_UNIT_TEST=y diff --git a/configs/sandbox_flattree_defconfig b/configs/sandbox_flattree_defconfig index 6bf8874e722..049a606613e 100644 --- a/configs/sandbox_flattree_defconfig +++ b/configs/sandbox_flattree_defconfig @@ -227,7 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y -CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl" +CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt" CONFIG_UNIT_TEST=y CONFIG_UT_TIME=y CONFIG_UT_DM=y diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 36ac75278fa..985956ab85c 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -580,10 +580,10 @@ and used by the steps highlighted below. }
You can perform step-4 through the Kconfig symbol -CONFIG_EFI_CAPSULE_ESL_FILE. This symbol points to the esl file -generated in step-2. Once the symbol has been populated with the path -to the esl file, it will automatically get embedded into the -platform's dtb as part of U-Boot build. +CONFIG_EFI_CAPSULE_CRT_FILE. This symbol points to the signing key +generated in step-2. As part of U-Boot build, the ESL certificate file will +be generated from the signing key and automatically get embedded into the +platform's dtb.
Anti-rollback Protection ************************ diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 430bb7f0f7d..23079a5709d 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -298,13 +298,15 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable.
-config EFI_CAPSULE_ESL_FILE - string "Path to the EFI Signature List File" +config EFI_CAPSULE_CRT_FILE + string "Path to the EFI capsule public key certificate" depends on EFI_CAPSULE_AUTHENTICATE help - Provides the path to the EFI Signature List file which will - be embedded in the platform's device tree and used for - capsule authentication at the time of capsule update. + Provides the path to the EFI capsule public key certificate that + corresponds to the capsule signing key. This certificate will be used + to generate the EFI capsule ESL (signature list file) that gets + embedded in the platform's device tree and used for capsule + authentication at the time of capsule update.
config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index af97fcfe4bb..0faa849a345 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -342,21 +342,27 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_crt_file=$(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE)) +capsule_esl_dtsi=.capsule_esl.dtsi + quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ -cmd_capsule_esl_gen = \ - $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) +cmd_capsule_esl_gen = cert-to-efi-sig-list $< $@
-$(obj)/.capsule_esl.dtsi: FORCE -ifeq ($(CONFIG_EFI_CAPSULE_ESL_FILE),"") - $(error "CONFIG_EFI_CAPSULE_ESL_FILE is empty, EFI capsule authentication \ +$(obj)/capsule_esl_file: $(capsule_crt_file) FORCE +ifeq ($(CONFIG_EFI_CAPSULE_CRT_FILE),"") + $(error "CONFIG_EFI_CAPSULE_CRT_FILE is empty, EFI capsule authentication \ public key must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled") else $(call cmd,capsule_esl_gen) endif
-capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in -capsule_esl_dtsi = .capsule_esl.dtsi -capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) +quiet_cmd_capsule_dtsi_gen = CAPSULE_DTSI_GEN $@ +cmd_capsule_dtsi_gen = \ + $(shell sed "s:ESL_BIN_FILE:$(abspath $<):" $(capsule_esl_input_file) > $@) + +$(obj)/$(capsule_esl_dtsi): $(obj)/capsule_esl_file FORCE + $(call cmd,capsule_dtsi_gen)
dtsi_include_list_deps := $(addprefix $(u_boot_dtsi_loc),$(subst $(quote),,$(dtsi_include_list)))
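
Review bot: In the doc/develop/uefi/uefi.rst hunk, the new text says CONFIG_EFI_CAPSULE_CRT_FILE "points to the signing key generated in step-2" and that the ESL is "generated from the signing key", while the Kconfig help added by the same patch describes it as the public key certificate that corresponds to the capsule signing key. Please use "public key certificate" in the documentation as well, so that nobody reads it as an instruction to point the symbol at the private key file. "ESL certificate file" would also read better as "ESL file".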
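
Review bot: In the scripts/Makefile.lib hunk, both new rules keep FORCE and run their command through $(call cmd,...), so the ESL and the .dtsi are regenerated on every build and the $(capsule_crt_file) prerequisite does not decide when they rerun, although the cover letter gives dependency tracking as the reason for splitting the rule. Consider $(call if_changed,capsule_esl_gen) and $(call if_changed,capsule_dtsi_gen), with both outputs added to targets. Two smaller points in the same hunk: cmd_capsule_dtsi_gen still wraps sed in $(shell ...), so the redirect to $@ happens when make expands the variable rather than as the recipe command, and a plain "sed ... > $@" would do; and capsule_crt_file is now the bare config value where the old capsule_esl_path was built with $(abspath $(srctree)/...), so please confirm that a relative path such as board/sandbox/capsule_pub_key_good.crt still resolves in an out-of-tree (O=) build.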

Hi Jonathan

On Thu, 13 Jun 2024 at 23:28, Jonathan Humphreys j-humphreys@ti.com wrote:
> Use the capsule's public key certificate rather than a prebuilt ESL generated from the certificate. The ESL is now generated as part of the build.

Is there a reason to do this? I understand that the .crt extension might be well known while the .esl is not, but OTOH the system you build on after this change *needs* to have cert-to-efi-sig-list installed

Thanks
/Ilias

Ilias Apalodimas ilias.apalodimas@linaro.org writes:

> Hi Jonathan
>
> On Thu, 13 Jun 2024 at 23:28, Jonathan Humphreys j-humphreys@ti.com wrote:
>> Use the capsule's public key certificate rather than a prebuilt ESL generated from the certificate. The ESL is now generated as part of the build.
>
> Is there a reason to do this? I understand that the .crt extension might be well known while the .esl is not, but OTOH the system you build on after this change *needs* to have cert-to-efi-sig-list installed

Hi Ilias,

In general, I am following the principle that it is better to not include in your source repo derived binaries that can be built at buildtime.

As far as the need to have cert-to-efi-sig-list, it is part of efitools and that is already documented as a requirement for the build host ([0] and [1]), and our baseline Docker file also includes it.

[0] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#enabling-capsule-au...
[1] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#configuring-uefi-se...

Jon

> Thanks
> /Ilias
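
Added example (not part of this thread or of U-Boot's code): a checked-in ESL is an opaque binary, so this sketch shows how to confirm that an ESL blob contains exactly the expected certificate. It assumes the EFI_SIGNATURE_LIST layout from the UEFI specification; the function names are hypothetical, build_esl only models a single-certificate list with a zero owner GUID, and the sample bytes are constructed, not a real key.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID as defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def build_esl(der_cert: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Wrap one DER certificate in a single-entry EFI_SIGNATURE_LIST."""
    sig_size = 16 + len(der_cert)  # SignatureOwner GUID + certificate
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                             ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def esl_certificates(esl: bytes) -> list[bytes]:
    """Return every X.509 payload in an ESL blob, rejecting malformed input."""
    certs, off = [], 0
    while off < len(esl):
        if len(esl) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(esl, off)
        body = list_size - ESL_HEADER.size - hdr_size
        if (list_size > len(esl) - off or sig_size <= 16
                or body <= 0 or body % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if sig_type != EFI_CERT_X509_GUID.bytes_le:
            raise ValueError("signature list is not EFI_CERT_X509_GUID")
        start = off + ESL_HEADER.size + hdr_size
        for entry in range(start, off + list_size, sig_size):
            certs.append(esl[entry + 16:entry + sig_size])  # skip SignatureOwner
        off += list_size
    return certs


def esl_matches_cert(esl: bytes, der_cert: bytes) -> bool:
    """True only if the ESL holds exactly the expected certificate."""
    want = hashlib.sha256(der_cert).hexdigest()
    got = [hashlib.sha256(c).hexdigest() for c in esl_certificates(esl)]
    return got == [want]


# Constructed stand-in for a DER certificate, sized so the list is 831 bytes.
SAMPLE_DER = b"\x30\x82\x03\x0f" + bytes(range(256)) * 3 + b"\x00" * 15
SAMPLE_ESL = build_esl(SAMPLE_DER)
```

A list carrying an extra or different certificate fails the comparison, which is the case a reviewer cannot see by eye in a binary diff.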

On Fri, Jun 14, 2024 at 11:54:41AM -0500, Jon Humphreys wrote:
> Ilias Apalodimas ilias.apalodimas@linaro.org writes:
>
>> Hi Jonathan
>>
>> On Thu, 13 Jun 2024 at 23:28, Jonathan Humphreys j-humphreys@ti.com wrote:
>>> Use the capsule's public key certificate rather than a prebuilt ESL generated from the certificate. The ESL is now generated as part of the build.
>>
>> Is there a reason to do this? I understand that the .crt extension might be well known while the .esl is not, but OTOH the system you build on after this change *needs* to have cert-to-efi-sig-list installed
>
> Hi Ilias,
>
> In general, I am following the principle that it is better to not include in your source repo derived binaries that can be built at buildtime.
>
> As far as the need to have cert-to-efi-sig-list, it is part of efitools and that is already documented as a requirement for the build host ([0] and [1]), and our baseline Docker file also includes it.

Ok we already have the tool on the CI

Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org

> [0] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#enabling-capsule-au...
> [1] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#configuring-uefi-se...
>
> Jon
>
>> Thanks
>> /Ilias