[PATCH v2 0/6] capsule: Embed the public key ESL as part of build
This series takes a different approach to embedding the public key EFI Signature List(ESL) needed for capsule authentication into the platform's DTB.
The earlier approach [1] was using a u-boot.dtsi file to embed the key. But this approach has a few issues. 1) The path of the incbin file is not relative to $(srctree), but relative to the directory of the dts file which is using incbin directive -- this causes problems when the dts files are located in different directories and they try to include the same binary. 2) The u-boot.dtsi file only gets included in the DTB if there are no other *u-boot.dtsi files being included. 3) A separate u-boot.dtsi is needed per arch.
To get around these issues, this approach generates a dtsi file(.capsule_esl.dtsi) with the public key node during build. This generated dtsi file contains the resolved path to the ESL and is then included for the DTB generation.
The first patch of the series also cleans up the logic to include the dtsi files, by collating all the dtsi files to be included into a single variable.
These patches need to be applied on top of the series for generating the capsules as part of the build [2].
[1] - https://lists.denx.de/pipermail/u-boot/2023-August/526323.html [2] - https://lore.kernel.org/u-boot/20230812153024.334563-1-sughosh.ganu@linaro.o...
Changes since V1: * New patch which only sets the dependencies for the dtb build. * Put only the setting of dtsi_include_list under the ifdef, moving the rest of the logic out of the ifdef.
Sughosh Ganu (6): scripts/Makefile.lib: Collate all dtsi files for inclusion scripts/Makefile.lib: Add dtsi include files as deps for building DTB scripts/Makefile.lib: Embed capsule public key in platform's dtb sandbox: capsule: Add path to the public key ESL file test: capsule: Remove logic to add public key ESL doc: capsule: Document the new mechanism to embed ESL file into dtb
configs/sandbox_defconfig | 1 + configs/sandbox_flattree_defconfig | 1 + doc/develop/uefi/uefi.rst | 19 ++++--------- lib/efi_loader/Kconfig | 8 ++++++ lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++ scripts/Makefile.lib | 30 ++++++++++++++++---- test/py/tests/test_efi_capsule/conftest.py | 28 +++++------------- test/py/tests/test_efi_capsule/signature.dts | 10 ------- 8 files changed, 58 insertions(+), 50 deletions(-) create mode 100644 lib/efi_loader/capsule_esl.dtsi.in delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
At the time of building a device-tree file, all the *u-boot.dtsi files are looked for, in a particular order, and the first file found is included. Then, the list of files specified in the CONFIG_DEVICE_TREE_INCLUDES symbol are included.
Combine these files that are to be included into a variable, and then include all these files in one go.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org Reviewed-by: Tom Rini trini@konsulko.com --- Changes since V1: None
scripts/Makefile.lib | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index f5ab7af0f4..368b5a3e28 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -179,10 +179,13 @@ ifdef DEVICE_TREE_DEBUG u_boot_dtsi_options_debug = $(warning $(u_boot_dtsi_options_raw)) endif
-# We use the first match -u_boot_dtsi = $(strip $(u_boot_dtsi_options_debug) \ +# We use the first match to be included +dtsi_include_list = $(strip $(u_boot_dtsi_options_debug) \ $(notdir $(firstword $(u_boot_dtsi_options))))
+# The CONFIG_DEVICE_TREE_INCLUDES also need to be included +dtsi_include_list += $(CONFIG_DEVICE_TREE_INCLUDES) + # Modified for U-Boot dtc_cpp_flags = -Wp,-MD,$(depfile).pre.tmp -nostdinc \ $(UBOOTINCLUDE) \ @@ -320,8 +323,8 @@ quiet_cmd_dtc = DTC $@ # Bring in any U-Boot-specific include at the end of the file # And finally any custom .dtsi fragments specified with CONFIG_DEVICE_TREE_INCLUDES cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ - (cat $<; $(if $(u_boot_dtsi),echo '$(pound)include "$(u_boot_dtsi)"')) > $(pre-tmp); \ - $(foreach f,$(subst $(quote),,$(CONFIG_DEVICE_TREE_INCLUDES)), \ + (cat $< > $(pre-tmp)); \ + $(foreach f,$(subst $(quote),,$(dtsi_include_list)), \ echo '$(pound)include "$(f)"' >> $(pre-tmp);) \ $(HOSTCC) -E $(dtc_cpp_flags) -x assembler-with-cpp -o $(dtc-tmp) $(pre-tmp) ; \ $(DTC) -O dtb -o $@ -b 0 \
On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu sughosh.ganu@linaro.org wrote:
At the time of building a device-tree file, all the *u-boot.dtsi files are looked for, in a particular order, and the first file found is included. Then, the list of files specified in the CONFIG_DEVICE_TREE_INCLUDES symbol are included.
Combine these files that are to be included into a variable, and then include all these files in one go.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org Reviewed-by: Tom Rini trini@konsulko.com
Changes since V1: None
scripts/Makefile.lib | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index f5ab7af0f4..368b5a3e28 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -179,10 +179,13 @@ ifdef DEVICE_TREE_DEBUG u_boot_dtsi_options_debug = $(warning $(u_boot_dtsi_options_raw)) endif
-# We use the first match -u_boot_dtsi = $(strip $(u_boot_dtsi_options_debug) \ +# We use the first match to be included +dtsi_include_list = $(strip $(u_boot_dtsi_options_debug) \ $(notdir $(firstword $(u_boot_dtsi_options))))
+# The CONFIG_DEVICE_TREE_INCLUDES also need to be included +dtsi_include_list += $(CONFIG_DEVICE_TREE_INCLUDES)
# Modified for U-Boot dtc_cpp_flags = -Wp,-MD,$(depfile).pre.tmp -nostdinc \ $(UBOOTINCLUDE) \ @@ -320,8 +323,8 @@ quiet_cmd_dtc = DTC $@ # Bring in any U-Boot-specific include at the end of the file # And finally any custom .dtsi fragments specified with CONFIG_DEVICE_TREE_INCLUDES cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
(cat $<; $(if $(u_boot_dtsi),echo '$(pound)include "$(u_boot_dtsi)"')) > $(pre-tmp); \$(foreach f,$(subst $(quote),,$(CONFIG_DEVICE_TREE_INCLUDES)), \
(cat $< > $(pre-tmp)); \$(foreach f,$(subst $(quote),,$(dtsi_include_list)), \ echo '$(pound)include "$(f)"' >> $(pre-tmp);) \ $(HOSTCC) -E $(dtc_cpp_flags) -x assembler-with-cpp -o $(dtc-tmp) $(pre-tmp) ; \ $(DTC) -O dtb -o $@ -b 0 \-- 2.34.1
Acked-by: Ilias Apalodimas ilias.apalodimas@linaro.org
At the time of building the DTB, some dtsi files can be selected for inclusion. Have these dtsi files as dependencies for the DTB target. This also ensures generation or updating the dtsi files if need be.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org --- Changes since V1: * New patch which only sets the dependencies for the dtb build.
scripts/Makefile.lib | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 368b5a3e28..8c5e25c31c 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -334,7 +334,9 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
-$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) + +$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE $(call if_changed_dep,dtc)
pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu sughosh.ganu@linaro.org wrote:
At the time of building the DTB, some dtsi files can be selected for inclusion. Have these dtsi files as dependencies for the DTB target. This also ensures generation or updating the dtsi files if need be.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Changes since V1:
- New patch which only sets the dependencies for the dtb build.
scripts/Makefile.lib | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 368b5a3e28..8c5e25c31c 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -334,7 +334,9 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
-$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
+$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE $(call if_changed_dep,dtc)
pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
2.34.1
Acked-by: Ilias Apalodimas ilias.apalodimas@linaro.org
On Thu, Aug 17, 2023 at 11:18:52AM +0530, Sughosh Ganu wrote:
At the time of building the DTB, some dtsi files can be selected for inclusion. Have these dtsi files as dependencies for the DTB target. This also ensures generation or updating the dtsi files if need be.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Reviewed-by: Tom Rini trini@konsulko.com
The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List(ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.
Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow.
The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org --- Changes since V1: * Put only the setting of dtsi_include_list under the ifdef, moving the rest of the logic out of the ifdef.
lib/efi_loader/Kconfig | 8 ++++++++ lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ scripts/Makefile.lib | 15 +++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable.
+config EFI_CAPSULE_ESL_FILE + string "Path to the EFI Signature List File" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provides the path to the EFI Signature List file which will + be embedded in the platform's device tree and used for + capsule authentication at the time of capsule update. + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in new file mode 100644 index 0000000000..61a9f2b25e --- /dev/null +++ b/lib/efi_loader/capsule_esl.dtsi.in @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0+ +/** + * Devicetree file with the public key EFI Signature List(ESL) + * node. This file is used to generate the dtsi file to be + * included into the DTB. +*/ +/ { + signature { + capsule-key = /incbin/("ESL_BIN_FILE"); + }; +}; diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 8c5e25c31c..3cec46bb15 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = \ + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) + +$(obj)/.capsule_esl.dtsi: + $(call cmd_capsule_esl_gen) + +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_esl_dtsi = .capsule_esl.dtsi +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) + +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +dtsi_include_list += $(capsule_esl_dtsi) +endif + dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
Hi Sughosh
On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu sughosh.ganu@linaro.org wrote:
The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List(ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.
Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow.
The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Changes since V1:
- Put only the setting of dtsi_include_list under the ifdef, moving the rest of the logic out of the ifdef.
lib/efi_loader/Kconfig | 8 ++++++++ lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ scripts/Makefile.lib | 15 +++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable.
+config EFI_CAPSULE_ESL_FILE
string "Path to the EFI Signature List File"depends on EFI_CAPSULE_AUTHENTICATEhelpProvides the path to the EFI Signature List file which willbe embedded in the platform's device tree and used forcapsule authentication at the time of capsule update.config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in new file mode 100644 index 0000000000..61a9f2b25e --- /dev/null +++ b/lib/efi_loader/capsule_esl.dtsi.in @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0+ +/**
- Devicetree file with the public key EFI Signature List(ESL)
- node. This file is used to generate the dtsi file to be
- included into the DTB.
+*/ +/ {
signature {capsule-key = /incbin/("ESL_BIN_FILE");};+}; diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 8c5e25c31c..3cec46bb15 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = \
$(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)+$(obj)/.capsule_esl.dtsi:
$(call cmd_capsule_esl_gen)+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_esl_dtsi = .capsule_esl.dtsi
Any reason why cant reuse $capsule_esl_dtsi in capsule_esl_input_file?
Thanks /Ilias
+capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +dtsi_include_list += $(capsule_esl_dtsi) +endif
dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
2.34.1
hi Ilias,
On Thu, 17 Aug 2023 at 17:29, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Sughosh
On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu sughosh.ganu@linaro.org wrote:
The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List(ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.
Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow.
The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Changes since V1:
- Put only the setting of dtsi_include_list under the ifdef, moving the rest of the logic out of the ifdef.
lib/efi_loader/Kconfig | 8 ++++++++ lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ scripts/Makefile.lib | 15 +++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable.
+config EFI_CAPSULE_ESL_FILE
string "Path to the EFI Signature List File"depends on EFI_CAPSULE_AUTHENTICATEhelpProvides the path to the EFI Signature List file which willbe embedded in the platform's device tree and used forcapsule authentication at the time of capsule update.config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in new file mode 100644 index 0000000000..61a9f2b25e --- /dev/null +++ b/lib/efi_loader/capsule_esl.dtsi.in @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0+ +/**
- Devicetree file with the public key EFI Signature List(ESL)
- node. This file is used to generate the dtsi file to be
- included into the DTB.
+*/ +/ {
signature {capsule-key = /incbin/("ESL_BIN_FILE");};+}; diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 8c5e25c31c..3cec46bb15 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = \
$(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)+$(obj)/.capsule_esl.dtsi:
$(call cmd_capsule_esl_gen)+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_esl_dtsi = .capsule_esl.dtsi
Any reason why cant reuse $capsule_esl_dtsi in capsule_esl_input_file?
Are you suggesting having a lib/efi_loader/.capsule_esl.dtsi as the input file? I thought having that distinction in the names between the input file and the generated file keeps things a bit more clear.
-sughosh
Thanks /Ilias
+capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +dtsi_include_list += $(capsule_esl_dtsi) +endif
dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
2.34.1
On Thu, Aug 17, 2023 at 11:18:53AM +0530, Sughosh Ganu wrote:
The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List(ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.
Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow.
The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Reviewed-by: Tom Rini trini@konsulko.com
Add the path to the public key EFI Signature List(ESL) file for the sandbox variants which enable capsule authentication. This ESL file gets embedded into the platform's device-tree as part of the build.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org --- Changes since V1: None
configs/sandbox_defconfig | 1 + configs/sandbox_flattree_defconfig | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index 1cd1c2ed7c..9f349d482b 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -340,6 +340,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y +CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl" CONFIG_EFI_SECURE_BOOT=y CONFIG_TEST_FDTDEC=y CONFIG_UNIT_TEST=y diff --git a/configs/sandbox_flattree_defconfig b/configs/sandbox_flattree_defconfig index 8aa295686d..2a24b38cfb 100644 --- a/configs/sandbox_flattree_defconfig +++ b/configs/sandbox_flattree_defconfig @@ -227,6 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y +CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl" CONFIG_UNIT_TEST=y CONFIG_UT_TIME=y CONFIG_UT_DM=y
The public key EFI Signature List(ESL) needed for capsule authentication is now embedded into the platform's DTB as part of the build. Remove the superfluous logic from the test setup.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org --- Changes since V1: None
test/py/tests/test_efi_capsule/conftest.py | 28 +++++--------------- test/py/tests/test_efi_capsule/signature.dts | 10 ------- 2 files changed, 7 insertions(+), 31 deletions(-) delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 7eead9bc64..67761a9708 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -49,33 +49,19 @@ def efi_capsule_data(request, u_boot_config): check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt' % (key_dir, data_dir), shell=True)
- # Update dtb adding capsule certificate - check_call('cd %s; ' - 'cp %s/test/py/tests/test_efi_capsule/signature.dts .' - % (data_dir, u_boot_config.source_dir), shell=True) + if capsule_auth_enabled: check_call('cd %s; ' - 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; ' - 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' - '-o test_sig.dtb signature.dtbo' + 'cp %s/arch/sandbox/dts/test.dtb test_sig.dtb' % (data_dir, u_boot_config.build_dir), shell=True) - # Update dtb to add the version information check_call('cd %s; ' 'cp %s/test/py/tests/test_efi_capsule/version.dts .' % (data_dir, u_boot_config.source_dir), shell=True) - if capsule_auth_enabled: - check_call('cd %s; ' - 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; ' - 'fdtoverlay -i test_sig.dtb ' - '-o test_ver.dtb version.dtbo' - % (data_dir), shell=True) - else: - check_call('cd %s; ' - 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; ' - 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' - '-o test_ver.dtb version.dtbo' - % (data_dir, u_boot_config.build_dir), shell=True) - + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; ' + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' + '-o test_ver.dtb version.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True)
check_call('cp %s/u-boot_bin_env.itb %s ' % (u_boot_config.build_dir, data_dir), shell=True) check_call('cp %s/Test* %s ' % (u_boot_config.build_dir, data_dir), shell=True) diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts deleted file mode 100644 index 078cfc76c9..0000000000 --- a/test/py/tests/test_efi_capsule/signature.dts +++ /dev/null @@ -1,10 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0+ - -/dts-v1/; -/plugin/; - -&{/} { - signature { - capsule-key = /incbin/("SIGNER.esl"); - }; -};
Update the document to specify how the EFI Signature List(ESL) file can be embedded into the platform's dtb as part of the U-Boot build.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org --- Changes since V1: None
doc/develop/uefi/uefi.rst | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 3ce579d46e..950f4d1a5a 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -539,20 +539,11 @@ and used by the steps highlighted below. ... }
-You can do step-4 manually with - -.. code-block:: console - - $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts - $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo - -where signature.dts looks like:: - - &{/} { - signature { - capsule-key = /incbin/("CRT.esl"); - }; - }; +You can perform step-4 by defining the Kconfig symbol +CONFIG_EFI_CAPSULE_ESL_FILE. This symbol defines the path to the esl +file generated in step-2. Once the symbol has been populated with the +path to the esl file, the esl file will automatically get embedded +into the platform's dtb as part of U-Boot build.
Anti-rollback Protection ************************
Hi Sughosh
On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu sughosh.ganu@linaro.org wrote:
Update the document to specify how the EFI Signature List(ESL) file can be embedded into the platform's dtb as part of the U-Boot build.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Changes since V1: None
doc/develop/uefi/uefi.rst | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 3ce579d46e..950f4d1a5a 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -539,20 +539,11 @@ and used by the steps highlighted below. ... }
-You can do step-4 manually with
-.. code-block:: console
- $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
- $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-where signature.dts looks like::
- &{/} {
signature {capsule-key = /incbin/("CRT.esl");};- };
+You can perform step-4 by defining the Kconfig symbol +CONFIG_EFI_CAPSULE_ESL_FILE. This symbol defines the path to the esl +file generated in step-2.
It doesn't define it. It needs to point to the file generated in step-2 no?
Once the symbol has been populated with the +path to the esl file, the esl file will automatically get embedded
it will automatically get included etc
Thanks /Ilias
+into the platform's dtb as part of U-Boot build.
Anti-rollback Protection
-- 2.34.1
hi Ilias,
On Thu, 17 Aug 2023 at 17:31, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Sughosh
On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu sughosh.ganu@linaro.org wrote:
Update the document to specify how the EFI Signature List(ESL) file can be embedded into the platform's dtb as part of the U-Boot build.
Signed-off-by: Sughosh Ganu sughosh.ganu@linaro.org
Changes since V1: None
doc/develop/uefi/uefi.rst | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 3ce579d46e..950f4d1a5a 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -539,20 +539,11 @@ and used by the steps highlighted below. ... }
-You can do step-4 manually with
-.. code-block:: console
- $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
- $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-where signature.dts looks like::
- &{/} {
signature {capsule-key = /incbin/("CRT.esl");};- };
+You can perform step-4 by defining the Kconfig symbol +CONFIG_EFI_CAPSULE_ESL_FILE. This symbol defines the path to the esl +file generated in step-2.
It doesn't define it. It needs to point to the file generated in step-2 no?
Yes, I will rephrase.
Once the symbol has been populated with the +path to the esl file, the esl file will automatically get embedded
it will automatically get included etc
Okay
-sughosh
Thanks /Ilias
+into the platform's dtb as part of U-Boot build.
Anti-rollback Protection
-- 2.34.1
participants (3)
-
Ilias Apalodimas -
Sughosh Ganu -
Tom Rini