| Message ID | 20211220050253.31163-13-takahiro.akashi@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | efi_loader: capsule: improve capsule authentication support | expand |
On 12/20/21 06:02, AKASHI Takahiro wrote: > By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will > automatically insert the given key into the device tree. > Otherwise, users are required to do so manually, possibly, with > the utility script, fdtsig.sh. Why do we need a script fdtsig.sh? Can't you integrate this into the Makefile? > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > --- > doc/develop/uefi/uefi.rst | 4 ++++ > dts/Makefile | 23 +++++++++++++++++++++-- > lib/efi_loader/Kconfig | 7 +++++++ > 3 files changed, 32 insertions(+), 2 deletions(-) > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > index 54fefd76f0f5..7f85b9e5a4a6 100644 > --- a/doc/develop/uefi/uefi.rst > +++ b/doc/develop/uefi/uefi.rst > @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule > update:: > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > + CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > The public and private keys used for the signing process are generated > and used by the steps highlighted below. > @@ -392,6 +393,9 @@ and used by the steps highlighted below. > }; > }; > > + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will > + take care of it for you. > + > Executing the boot manager > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > > diff --git a/dts/Makefile b/dts/Makefile > index cb3111382959..6c5486719ecd 100644 > --- a/dts/Makefile > +++ b/dts/Makefile > @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE > mkdir -p $(dir $@) > $(call if_changed,fdtgrep) > > +quiet_cmd_fdtsig = FDTSIG $@ > + cmd_fdtsig = \ > + cat $< > $@; \ > + $(srctree)/tools/fdtsig.sh \ > + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ > + > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) > +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) Shouldn't I get a build error if the path is not specified? Best regards Heinrich > +DTB_ov := $(obj)/dt.dtb_ov > + > +$(obj)/dt.dtb_ov: $(DTB) FORCE > + $(call if_changed,fdtsig) > +else > +DTB_ov := $(DTB) > +endif > +else > +DTB_ov := $(DTB) > +endif > + > ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) > -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE > +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE > $(call if_changed,fdt_rm_props) > else > -$(obj)/dt.dtb: $(DTB) FORCE > +$(obj)/dt.dtb: $(DTB_ov) FORCE > $(call if_changed,shipped) > endif > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index 700dc838ddb9..8c8d14d46433 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE > Select this option if you want to enable capsule > authentication > > +config EFI_CAPSULE_KEY_PATH > + string "Path to .esl cert for capsule authentication" > + depends on EFI_CAPSULE_AUTHENTICATE > + help > + Provide the EFI signature list (esl) certificate used for capsule > + authentication > + > config EFI_DEVICE_PATH_TO_TEXT > bool "Device path to text protocol" > default y
Hi Heinrich, On Sat, 1 Jan 2022 at 15:53, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > On 12/20/21 06:02, AKASHI Takahiro wrote: > > By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will > > automatically insert the given key into the device tree. > > Otherwise, users are required to do so manually, possibly, with > > the utility script, fdtsig.sh. > > Why do we need a script fdtsig.sh? Can't you integrate this into the > Makefile? It should be handled by binman, IMO. Regards, Simon
On Wed, Jan 12, 2022 at 01:03:54PM -0700, Simon Glass wrote: > Hi Heinrich, > > On Sat, 1 Jan 2022 at 15:53, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > > > On 12/20/21 06:02, AKASHI Takahiro wrote: > > > By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will > > > automatically insert the given key into the device tree. > > > Otherwise, users are required to do so manually, possibly, with > > > the utility script, fdtsig.sh. > > > > Why do we need a script fdtsig.sh? Can't you integrate this into the > > Makefile? Because signing phase of capsules would be different from compiling phase of U-Boot. So, > It should be handled by binman, IMO. Yes, either way, we should have a separate script/command. -Takahiro Akashi > Regards, > Simon
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> The public and private keys used for the signing process are generated and used by the steps highlighted below. @@ -392,6 +393,9 @@ and used by the steps highlighted below. }; }; + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will + take care of it for you. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep) +quiet_cmd_fdtsig = FDTSIG $@ + cmd_fdtsig = \ + cat $< > $@; \ + $(srctree)/tools/fdtsig.sh \ + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ + +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) +DTB_ov := $(obj)/dt.dtb_ov + +$(obj)/dt.dtb_ov: $(DTB) FORCE + $(call if_changed,fdtsig) +else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif + ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 700dc838ddb9..8c8d14d46433 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_CAPSULE_KEY_PATH + string "Path to .esl cert for capsule authentication" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provide the EFI signature list (esl) certificate used for capsule + authentication + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will automatically insert the given key into the device tree. Otherwise, users are required to do so manually, possibly, with the utility script, fdtsig.sh. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> --- doc/develop/uefi/uefi.rst | 4 ++++ dts/Makefile | 23 +++++++++++++++++++++-- lib/efi_loader/Kconfig | 7 +++++++ 3 files changed, 32 insertions(+), 2 deletions(-)