[5/5] Makefile: Add provision for embedding public key in platform's dtb

Message ID 20210407115335.8615-6-sughosh.ganu@linaro.org
State Superseded
Series Add support for embedding public key in platform's dtb

Commit Message

Sughosh Ganu April 7, 2021, 11:53 a.m. UTC
Add provision for embedding the public key used for capsule
authentication in the platform's dtb. This is done by invoking the
mkeficapsule utility, which puts the public key in the efi signature
list (esl) format into the dtb.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

---
 Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.17.1

Comments

Heinrich Schuchardt April 8, 2021, 7:58 p.m. UTC | #1
On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> Add provision for embedding the public key used for capsule

> authentication in the platform's dtb. This is done by invoking the

> mkeficapsule utility which puts the public key in the efi signature

> list(esl) format into the dtb.

>

> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> ---

>   Makefile | 10 ++++++++++

>   1 file changed, 10 insertions(+)

>

> diff --git a/Makefile b/Makefile

> index 193aa4d1c9..0d50c6a805 100644

> --- a/Makefile

> +++ b/Makefile

> @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }

>   quiet_cmd_lzma = LZMA    $@

>   cmd_lzma = lzma -c -z -k -9 $< > $@

>

> +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@

> +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \

> +	-D $@

> +


tools/mkeficapsule --help shows neither a parameter -K nor a
parameter -D. Please update tools/mkeficapsule.c before using these. A
man-page for mkeficapsule in doc/usage/ would be helpful.

$ tools/mkeficapsule --help
Usage: mkeficapsule [options] <output file>
Options:
         --fit <fit image>       new FIT image file
         --raw <raw image>       new raw image file
         --index <index>         update image index
         --instance <instance>   update hardware instance
         --public-key <key file> public key esl file
         --dtb <dtb file>        dtb file
         --overlay               the dtb file is an overlay
         --help                  print a help message

Best regards

Heinrich

>   cfg: u-boot.cfg

>

>   quiet_cmd_cfgcheck = CFGCHK  $2

> @@ -1104,8 +1108,14 @@ endif

>   PHONY += dtbs

>   dtbs: dts/dt.dtb

>   	@:

> +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)

> +dts/dt.dtb: u-boot tools

> +	$(Q)$(MAKE) $(build)=dts dtbs

> +	$(call cmd,mkeficapsule)

> +else

>   dts/dt.dtb: u-boot

>   	$(Q)$(MAKE) $(build)=dts dtbs

> +endif

>

>   quiet_cmd_copy = COPY    $@

>         cmd_copy = cp $< $@

>
AKASHI Takahiro April 28, 2021, 5:43 a.m. UTC | #2
On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:
> On 4/7/21 1:53 PM, Sughosh Ganu wrote:

> > Add provision for embedding the public key used for capsule

> > authentication in the platform's dtb. This is done by invoking the

> > mkeficapsule utility which puts the public key in the efi signature

> > list(esl) format into the dtb.

> > 

> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > ---

> >   Makefile | 10 ++++++++++

> >   1 file changed, 10 insertions(+)

> > 

> > diff --git a/Makefile b/Makefile

> > index 193aa4d1c9..0d50c6a805 100644

> > --- a/Makefile

> > +++ b/Makefile

> > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }

> >   quiet_cmd_lzma = LZMA    $@

> >   cmd_lzma = lzma -c -z -k -9 $< > $@

> > 

> > +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@

> > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \

> > +	-D $@

> > +

> 

> tools/mkeficapsule --help does neither show a parameter -K nor a

> parameter -D.


This clearly shows that the feature with -K/-D has nothing to do with
creating a capsule file.
Two totally different things in one place (command).
And the dtb overlay operation can be achieved by using standard commands.

I believe that the feature should be removed from mkeficapsule.

-Takahiro Akashi


> Please, update tools/mkeficapsule.c before using these. A

> man-page for mkeficapsule in doc/usage/ would be helpful.

> 

> $ tools/mkeficapsule --help

> Usage: mkeficapsule [options] <output file>

> Options:

>         --fit <fit image>       new FIT image file

>         --raw <raw image>       new raw image file

>         --index <index>         update image index

>         --instance <instance>   update hardware instance

>         --public-key <key file> public key esl file

>         --dtb <dtb file>        dtb file

>         --overlay               the dtb file is an overlay

>         --help                  print a help message

> 

> Best regards

> 

> Heinrich

> 

> >   cfg: u-boot.cfg

> > 

> >   quiet_cmd_cfgcheck = CFGCHK  $2

> > @@ -1104,8 +1108,14 @@ endif

> >   PHONY += dtbs

> >   dtbs: dts/dt.dtb

> >   	@:

> > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)

> > +dts/dt.dtb: u-boot tools

> > +	$(Q)$(MAKE) $(build)=dts dtbs

> > +	$(call cmd,mkeficapsule)

> > +else

> >   dts/dt.dtb: u-boot

> >   	$(Q)$(MAKE) $(build)=dts dtbs

> > +endif

> > 

> >   quiet_cmd_copy = COPY    $@

> >         cmd_copy = cp $< $@

> > 

>
Masami Hiramatsu April 28, 2021, 6:31 a.m. UTC | #3
On Wed, Apr 28, 2021 at 14:44, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>

> On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:

> > On 4/7/21 1:53 PM, Sughosh Ganu wrote:

> > > Add provision for embedding the public key used for capsule

> > > authentication in the platform's dtb. This is done by invoking the

> > > mkeficapsule utility which puts the public key in the efi signature

> > > list(esl) format into the dtb.

> > >

> > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > > ---

> > >   Makefile | 10 ++++++++++

> > >   1 file changed, 10 insertions(+)

> > >

> > > diff --git a/Makefile b/Makefile

> > > index 193aa4d1c9..0d50c6a805 100644

> > > --- a/Makefile

> > > +++ b/Makefile

> > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }

> > >   quiet_cmd_lzma = LZMA    $@

> > >   cmd_lzma = lzma -c -z -k -9 $< > $@

> > >

> > > +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@

> > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \

> > > +   -D $@

> > > +

> >

> > tools/mkeficapsule --help does neither show a parameter -K nor a

> > parameter -D.

>

> This clearly shows that the feature with -K/-D has nothing to do with

> creating a capsule file.

> Two totally different things in one place (command).

> And the dtb overlay operation can be achieved by using standard commands.


If I understand correctly, we need the following steps:
1. prepare the key for signing
2. make dtb overlay from that key
3. sign the capsule with the key

And Sughosh's implementation is using mkeficapsule for 2 and 3.
Takahiro pointed out that mkeficapsule is only for 3, because of its name
and to avoid confusion.

Is that correct?

What would you think about changing the tool name?
E.g.

For step 2.
capsuletool dtb --public-key pubkey [--overlay] target.dtb

For step 3.
capsuletool capsule --raw u-boot.bin --index 1 --public-key pubkey u-boot.cap

Then we can expand it for inspection, verify etc.

Thank you,

>

> I believe that the feature should be removed from mkeficapsule.

>

> -Takahiro Akashi

>

>

> > Please, update tools/mkeficapsule.c before using these. A

> > man-page for mkeficapsule in doc/usage/ would be helpful.

> >

> > $ tools/mkeficapsule --help

> > Usage: mkeficapsule [options] <output file>

> > Options:

> >         --fit <fit image>       new FIT image file

> >         --raw <raw image>       new raw image file

> >         --index <index>         update image index

> >         --instance <instance>   update hardware instance

> >         --public-key <key file> public key esl file

> >         --dtb <dtb file>        dtb file

> >         --overlay               the dtb file is an overlay

> >         --help                  print a help message

> >

> > Best regards

> >

> > Heinrich

> >

> > >   cfg: u-boot.cfg

> > >

> > >   quiet_cmd_cfgcheck = CFGCHK  $2

> > > @@ -1104,8 +1108,14 @@ endif

> > >   PHONY += dtbs

> > >   dtbs: dts/dt.dtb

> > >     @:

> > > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)

> > > +dts/dt.dtb: u-boot tools

> > > +   $(Q)$(MAKE) $(build)=dts dtbs

> > > +   $(call cmd,mkeficapsule)

> > > +else

> > >   dts/dt.dtb: u-boot

> > >     $(Q)$(MAKE) $(build)=dts dtbs

> > > +endif

> > >

> > >   quiet_cmd_copy = COPY    $@

> > >         cmd_copy = cp $< $@

> > >

> >




-- 
Masami Hiramatsu
AKASHI Takahiro May 7, 2021, 8:15 a.m. UTC | #4
On Wed, Apr 28, 2021 at 03:31:36PM +0900, Masami Hiramatsu wrote:
> On Wed, Apr 28, 2021 at 14:44, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> >

> > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:

> > > On 4/7/21 1:53 PM, Sughosh Ganu wrote:

> > > > Add provision for embedding the public key used for capsule

> > > > authentication in the platform's dtb. This is done by invoking the

> > > > mkeficapsule utility which puts the public key in the efi signature

> > > > list(esl) format into the dtb.

> > > >

> > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > > > ---

> > > >   Makefile | 10 ++++++++++

> > > >   1 file changed, 10 insertions(+)

> > > >

> > > > diff --git a/Makefile b/Makefile

> > > > index 193aa4d1c9..0d50c6a805 100644

> > > > --- a/Makefile

> > > > +++ b/Makefile

> > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }

> > > >   quiet_cmd_lzma = LZMA    $@

> > > >   cmd_lzma = lzma -c -z -k -9 $< > $@

> > > >

> > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@

> > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \

> > > > +   -D $@

> > > > +

> > >

> > > tools/mkeficapsule --help does neither show a parameter -K nor a

> > > parameter -D.

> >

> > This clearly shows that the feature with -K/-D has nothing to do with

> > creating a capsule file.

> > Two totally different things in one place (command).

> > And the dtb overlay operation can be achieved by using standard commands.

> 

> If I understand correctly,  we need the following steps,

> 1. prepare the key for signing

> 2. make dtb overlay from that key

> 3. sign the capsule with the key

> 

> And Sughosh's implementation is using mkeficapsule for 2 and 3.

> Takahiro pointed that mkeficapsule is only for 3 because of its name

> and avoid confusion.

> 

> Is that correct?

> 

> What would you think about changing the tool name?

> E.g.

> 

> For step 2.

> capsuletool dtb --public-key pubkey [--overlay] target.dtb


My point is: as this command line shows, it has nothing to do
with a capsule file. It simply deals with a dtb blob for overlaying.
(So 'capsuletool' is not appropriate.)

-Takahiro Akashi


> For step 3.

> capsuletool capsule --raw u-boot.bin --index 1 --public-key pubkey u-boot.cap

> 

> Then we can expand it for inspection, verify etc.

> 

> Thank you,

> 

> >

> > I believe that the feature should be removed from mkeficapsule.

> >

> > -Takahiro Akashi

> >

> >

> > > Please, update tools/mkeficapsule.c before using these. A

> > > man-page for mkeficapsule in doc/usage/ would be helpful.

> > >

> > > $ tools/mkeficapsule --help

> > > Usage: mkeficapsule [options] <output file>

> > > Options:

> > >         --fit <fit image>       new FIT image file

> > >         --raw <raw image>       new raw image file

> > >         --index <index>         update image index

> > >         --instance <instance>   update hardware instance

> > >         --public-key <key file> public key esl file

> > >         --dtb <dtb file>        dtb file

> > >         --overlay               the dtb file is an overlay

> > >         --help                  print a help message

> > >

> > > Best regards

> > >

> > > Heinrich

> > >

> > > >   cfg: u-boot.cfg

> > > >

> > > >   quiet_cmd_cfgcheck = CFGCHK  $2

> > > > @@ -1104,8 +1108,14 @@ endif

> > > >   PHONY += dtbs

> > > >   dtbs: dts/dt.dtb

> > > >     @:

> > > > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)

> > > > +dts/dt.dtb: u-boot tools

> > > > +   $(Q)$(MAKE) $(build)=dts dtbs

> > > > +   $(call cmd,mkeficapsule)

> > > > +else

> > > >   dts/dt.dtb: u-boot

> > > >     $(Q)$(MAKE) $(build)=dts dtbs

> > > > +endif

> > > >

> > > >   quiet_cmd_copy = COPY    $@

> > > >         cmd_copy = cp $< $@

> > > >

> > >

> 

> 

> 

> -- 

> Masami Hiramatsu
Masami Hiramatsu May 7, 2021, 9:57 a.m. UTC | #5
Hi,

On Fri, May 7, 2021 at 17:15, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>

> On Wed, Apr 28, 2021 at 03:31:36PM +0900, Masami Hiramatsu wrote:

> > On Wed, Apr 28, 2021 at 14:44, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> > >

> > > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:

> > > > On 4/7/21 1:53 PM, Sughosh Ganu wrote:

> > > > > Add provision for embedding the public key used for capsule

> > > > > authentication in the platform's dtb. This is done by invoking the

> > > > > mkeficapsule utility which puts the public key in the efi signature

> > > > > list(esl) format into the dtb.

> > > > >

> > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > > > > ---

> > > > >   Makefile | 10 ++++++++++

> > > > >   1 file changed, 10 insertions(+)

> > > > >

> > > > > diff --git a/Makefile b/Makefile

> > > > > index 193aa4d1c9..0d50c6a805 100644

> > > > > --- a/Makefile

> > > > > +++ b/Makefile

> > > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }

> > > > >   quiet_cmd_lzma = LZMA    $@

> > > > >   cmd_lzma = lzma -c -z -k -9 $< > $@

> > > > >

> > > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@

> > > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \

> > > > > +   -D $@

> > > > > +

> > > >

> > > > tools/mkeficapsule --help does neither show a parameter -K nor a

> > > > parameter -D.

> > >

> > > This clearly shows that the feature with -K/-D has nothing to do with

> > > creating a capsule file.

> > > Two totally different things in one place (command).

> > > And the dtb overlay operation can be achieved by using standard commands.

> >

> > If I understand correctly,  we need the following steps,

> > 1. prepare the key for signing

> > 2. make dtb overlay from that key

> > 3. sign the capsule with the key

> >

> > And Sughosh's implementation is using mkeficapsule for 2 and 3.

> > Takahiro pointed that mkeficapsule is only for 3 because of its name

> > and avoid confusion.

> >

> > Is that correct?

> >

> > What would you think about changing the tool name?

> > E.g.

> >

> > For step 2.

> > capsuletool dtb --public-key pubkey [--overlay] target.dtb

>

> My point is: as this command line shows, it has nothing to do

> with a capsule file. It simply deals with dtb blob for overlaying.

> (So 'capsuletool' is not appropriate.)


But if the capsuletool provides a devicetree template for the capsule,
something like test/py/tests/test_efi_capsule/pubkey.dts, we can say
it is related to the capsule, because the dts is obviously for the capsule.
What would you think?

Thank you,


>

> -Takahiro Akashi

>

>

> > For step 3.

> > capsuletool capsule --raw u-boot.bin --index 1 --public-key pubkey u-boot.cap

> >

> > Then we can expand it for inspection, verify etc.

> >

> > Thank you,

> >

> > >

> > > I believe that the feature should be removed from mkeficapsule.

> > >

> > > -Takahiro Akashi

> > >

> > >

> > > > Please, update tools/mkeficapsule.c before using these. A

> > > > man-page for mkeficapsule in doc/usage/ would be helpful.

> > > >

> > > > $ tools/mkeficapsule --help

> > > > Usage: mkeficapsule [options] <output file>

> > > > Options:

> > > >         --fit <fit image>       new FIT image file

> > > >         --raw <raw image>       new raw image file

> > > >         --index <index>         update image index

> > > >         --instance <instance>   update hardware instance

> > > >         --public-key <key file> public key esl file

> > > >         --dtb <dtb file>        dtb file

> > > >         --overlay               the dtb file is an overlay

> > > >         --help                  print a help message

> > > >

> > > > Best regards

> > > >

> > > > Heinrich

> > > >

> > > > >   cfg: u-boot.cfg

> > > > >

> > > > >   quiet_cmd_cfgcheck = CFGCHK  $2

> > > > > @@ -1104,8 +1108,14 @@ endif

> > > > >   PHONY += dtbs

> > > > >   dtbs: dts/dt.dtb

> > > > >     @:

> > > > > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)

> > > > > +dts/dt.dtb: u-boot tools

> > > > > +   $(Q)$(MAKE) $(build)=dts dtbs

> > > > > +   $(call cmd,mkeficapsule)

> > > > > +else

> > > > >   dts/dt.dtb: u-boot

> > > > >     $(Q)$(MAKE) $(build)=dts dtbs

> > > > > +endif

> > > > >

> > > > >   quiet_cmd_copy = COPY    $@

> > > > >         cmd_copy = cp $< $@

> > > > >

> > > >

> >

> >

> >

> > --

> > Masami Hiramatsu




--
Masami Hiramatsu
Masami Hiramatsu May 8, 2021, 3:32 a.m. UTC | #6
On Fri, May 7, 2021 at 18:57, Masami Hiramatsu <masami.hiramatsu@linaro.org> wrote:
>

> Hi,

>

> On Fri, May 7, 2021 at 17:15, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> >

> > On Wed, Apr 28, 2021 at 03:31:36PM +0900, Masami Hiramatsu wrote:

> > > On Wed, Apr 28, 2021 at 14:44, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> > > >

> > > > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:

> > > > > On 4/7/21 1:53 PM, Sughosh Ganu wrote:

> > > > > > Add provision for embedding the public key used for capsule

> > > > > > authentication in the platform's dtb. This is done by invoking the

> > > > > > mkeficapsule utility which puts the public key in the efi signature

> > > > > > list(esl) format into the dtb.

> > > > > >

> > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > > > > > ---

> > > > > >   Makefile | 10 ++++++++++

> > > > > >   1 file changed, 10 insertions(+)

> > > > > >

> > > > > > diff --git a/Makefile b/Makefile

> > > > > > index 193aa4d1c9..0d50c6a805 100644

> > > > > > --- a/Makefile

> > > > > > +++ b/Makefile

> > > > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }

> > > > > >   quiet_cmd_lzma = LZMA    $@

> > > > > >   cmd_lzma = lzma -c -z -k -9 $< > $@

> > > > > >

> > > > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@

> > > > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \

> > > > > > +   -D $@

> > > > > > +

> > > > >

> > > > > tools/mkeficapsule --help does neither show a parameter -K nor a

> > > > > parameter -D.

> > > >

> > > > This clearly shows that the feature with -K/-D has nothing to do with

> > > > creating a capsule file.

> > > > Two totally different things in one place (command).

> > > > And the dtb overlay operation can be achieved by using standard commands.

> > >

> > > If I understand correctly,  we need the following steps,

> > > 1. prepare the key for signing

> > > 2. make dtb overlay from that key

> > > 3. sign the capsule with the key

> > >

> > > And Sughosh's implementation is using mkeficapsule for 2 and 3.

> > > Takahiro pointed that mkeficapsule is only for 3 because of its name

> > > and avoid confusion.

> > >

> > > Is that correct?

> > >

> > > What would you think about changing the tool name?

> > > E.g.

> > >

> > > For step 2.

> > > capsuletool dtb --public-key pubkey [--overlay] target.dtb

> >

> > My point is: as this command line shows, it has nothing to do

> > with a capsule file. It simply deals with dtb blob for overlaying.

> > (So 'capsuletool' is not appropriate.)

>

> But if the capsuletool provide the devicetree template for the capsule

> something like test/py/tests/test_efi_capsule/pubkey.dts, we can say

> it is related to the capsule, because the dts is obviously for capsule.

> What would you think?


Ah, wait. I misunderstood. It seems that efi_get_public_key_data() is
platform dependent. Thus, isn't it hard to provide a unified tool to embed
the key data into the dtb, because it is usable for some platforms but
not usable for others?

Thank you,

-- 
Masami Hiramatsu

Patch

diff --git a/Makefile b/Makefile
index 193aa4d1c9..0d50c6a805 100644
--- a/Makefile
+++ b/Makefile
@@ -1010,6 +1010,10 @@  cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }
 quiet_cmd_lzma = LZMA    $@
 cmd_lzma = lzma -c -z -k -9 $< > $@
 
+quiet_cmd_mkeficapsule = MKEFICAPSULE     $@
+cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \
+	-D $@
+
 cfg: u-boot.cfg
 
 quiet_cmd_cfgcheck = CFGCHK  $2
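
Review bot: The new cmd_mkeficapsule line passes "-K $(CONFIG_EFI_PKEY_FILE)" without any check that the variable is set, so with an empty value the command expands to "mkeficapsule -K -D $@" and the build has no well-defined key to embed. Because this key is what capsule authentication will trust, I would fail the build early when CONFIG_EFI_PKEY_FILE is empty or names a file that does not exist, rather than leave the outcome to the tool's argument parsing. The short options -K and -D are also not listed in the --help output quoted in this thread, which shows --public-key and --dtb; please use the documented long options here or document the short ones in the same series.
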
@@ -1104,8 +1108,14 @@  endif
 PHONY += dtbs
 dtbs: dts/dt.dtb
 	@:
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)
+dts/dt.dtb: u-boot tools
+	$(Q)$(MAKE) $(build)=dts dtbs
+	$(call cmd,mkeficapsule)
+else
 dts/dt.dtb: u-boot
 	$(Q)$(MAKE) $(build)=dts dtbs
+endif
 
 quiet_cmd_copy = COPY    $@
       cmd_copy = cp $< $@
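
Review bot: The new "dts/dt.dtb: u-boot tools" rule does not list the key file as a prerequisite, so nothing in this rule ties the generated dtb to the file named by CONFIG_EFI_PKEY_FILE; a changed or replaced key does not by itself mark dts/dt.dtb out of date. Please add the key file to the prerequisites so that a key rotation always produces a dtb carrying the new key. The recipe also rewrites its own target in place after the sub-make: if "$(MAKE) $(build)=dts dtbs" leaves an existing dt.dtb untouched, "$(call cmd,mkeficapsule)" runs again on a dtb that already had a key embedded, so it is worth confirming that the -D operation is idempotent or writing to a separate output file. As a style point, the rule header and the sub-make line are duplicated across the ifeq/else branches; keeping a single rule and making only the mkeficapsule call conditional would be easier to maintain.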