From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Tom Rini, Sughosh Ganu
Subject: [PATCH v11 12/15] scripts/Makefile.lib: Embed capsule public key in platform's dtb
Date: Tue, 22 Aug 2023 23:10:05 +0530
Message-Id: <20230822174008.626239-13-sughosh.ganu@linaro.org>
In-Reply-To: <20230822174008.626239-1-sughosh.ganu@linaro.org>

The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.

Add a target for generating a dtsi file which contains the signature
node with the ESL file included as a property under the signature
node. Include the dtsi file in the dtb. This brings the embedding of
the ESL in the dtb into the U-Boot build flow.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu
Reviewed-by: Tom Rini
Reviewed-by: Ilias Apalodimas
---
Changes since V10: None

 lib/efi_loader/Kconfig             |  8 ++++++++
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
 scripts/Makefile.lib               | 15 +++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable. +config EFI_CAPSULE_ESL_FILE + string "Path to the EFI Signature List File" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provides the path to the EFI Signature List file which will + be embedded in the platform's device tree and used for + capsule authentication at the time of capsule update. + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in new file mode 100644 index 0000000000..61a9f2b25e --- /dev/null +++ b/lib/efi_loader/capsule_esl.dtsi.in @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0+ +/** + * Devicetree file with the public key EFI Signature List(ESL) + * node. This file is used to generate the dtsi file to be + * included into the DTB. +*/ +/ { + signature { + capsule-key = /incbin/("ESL_BIN_FILE"); + }; +}; diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 8c5e25c31c..3cec46bb15 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = \ + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) + +$(obj)/.capsule_esl.dtsi: + $(call cmd_capsule_esl_gen) + +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_esl_dtsi = .capsule_esl.dtsi +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) + +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +dtsi_include_list += $(capsule_esl_dtsi) +endif + dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
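
Review bot: in the lib/efi_loader/Kconfig hunk, EFI_CAPSULE_ESL_FILE has no default and its help text does not say what the path is relative to. scripts/Makefile.lib builds the final path as $(abspath $(srctree)/<value>), so the value is always taken relative to the source tree (an absolute path gets $(srctree)/ prepended as well), and with EFI_CAPSULE_AUTHENTICATE enabled and the string left empty the /incbin/ path resolves to the source tree directory itself. Please state the source-tree-relative convention in the help text and make an empty value a clear build error, since this file is the public key that capsule authentication relies on.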
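
Review bot: in the new lib/efi_loader/capsule_esl.dtsi.in, the header comment opens with the kernel-doc marker /** although it is not a kernel-doc comment, and the closing */ is missing its leading space; a plain /* ... */ block would match the usual style. It would also help to say in that comment that ESL_BIN_FILE is a placeholder replaced by the cmd_capsule_esl_gen sed rule in scripts/Makefile.lib, so the token is not edited without updating the rule.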
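
Review bot: in the scripts/Makefile.lib hunk, the $(obj)/.capsule_esl.dtsi rule has no prerequisites, so once the file exists it is not regenerated when CONFIG_EFI_CAPSULE_ESL_FILE or capsule_esl.dtsi.in changes, and the dtb can keep pointing at the previous ESL path. Running sed through $(shell ...) with the redirect inside it also discards the sed exit status and still creates $@, so a missing template produces an empty dtsi without failing the build. A normal recipe invoked through the cmd wrapper (which would also make the quiet_cmd_capsule_esl_gen string print, since $(call cmd_capsule_esl_gen) bypasses it) plus a dependency on the template would address both. Smaller points: the rule hardcodes the target name although capsule_esl_dtsi is defined just below it, and the ':' sed delimiter breaks for a path that contains ':' or '&'.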