| Message ID | 20230817054856.2019253-4-sughosh.ganu@linaro.org |
|---|---|
| State | Superseded |
| Series | capsule: Embed the public key ESL as part of build |
Hi Sughosh On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > The EFI capsule authentication logic in u-boot expects the public key > in the form of an EFI Signature List(ESL) to be provided as part of > the platform's dtb. Currently, the embedding of the ESL file into the > dtb needs to be done manually. > > Add a target for generating a dtsi file which contains the signature > node with the ESL file included as a property under the signature > node. Include the dtsi file in the dtb. This brings the embedding of > the ESL in the dtb into the U-Boot build flow. > > The path to the ESL file is specified through the > CONFIG_EFI_CAPSULE_ESL_FILE symbol. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > --- > Changes since V1: > * Put only the setting of dtsi_include_list under the ifdef, moving > the rest of the logic out of the ifdef. > > lib/efi_loader/Kconfig | 8 ++++++++ > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ > scripts/Makefile.lib | 15 +++++++++++++++ > 3 files changed, 34 insertions(+) > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index 9989e3f384..d20aaab6db 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX > Select the max capsule index value used for capsule report > variables. This value is used to create CapsuleMax variable. > > +config EFI_CAPSULE_ESL_FILE > + string "Path to the EFI Signature List File" > + depends on EFI_CAPSULE_AUTHENTICATE > + help > + Provides the path to the EFI Signature List file which will > + be embedded in the platform's device tree and used for > + capsule authentication at the time of capsule update. > + > config EFI_DEVICE_PATH_TO_TEXT > bool "Device path to text protocol" > default y > diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in > new file mode 100644 > index 0000000000..61a9f2b25e 
> --- /dev/null > +++ b/lib/efi_loader/capsule_esl.dtsi.in > @@ -0,0 +1,11 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/** > + * Devicetree file with the public key EFI Signature List(ESL) > + * node. This file is used to generate the dtsi file to be > + * included into the DTB. > +*/ > +/ { > + signature { > + capsule-key = /incbin/("ESL_BIN_FILE"); > + }; > +}; > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib > index 8c5e25c31c..3cec46bb15 100644 > --- a/scripts/Makefile.lib > +++ b/scripts/Makefile.lib > @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ > ; \ > sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) > > +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ > +cmd_capsule_esl_gen = \ > + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) > + > +$(obj)/.capsule_esl.dtsi: > + $(call cmd_capsule_esl_gen) > + > +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in > +capsule_esl_dtsi = .capsule_esl.dtsi Any reason why can't reuse $capsule_esl_dtsi in capsule_esl_input_file? Thanks /Ilias > +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) > + > +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE > +dtsi_include_list += $(capsule_esl_dtsi) > +endif > + > dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) > > $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE > -- > 2.34.1 >
hi Ilias, On Thu, 17 Aug 2023 at 17:29, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > > Hi Sughosh > > On Thu, 17 Aug 2023 at 08:49, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > The EFI capsule authentication logic in u-boot expects the public key > > in the form of an EFI Signature List(ESL) to be provided as part of > > the platform's dtb. Currently, the embedding of the ESL file into the > > dtb needs to be done manually. > > > > Add a target for generating a dtsi file which contains the signature > > node with the ESL file included as a property under the signature > > node. Include the dtsi file in the dtb. This brings the embedding of > > the ESL in the dtb into the U-Boot build flow. > > > > The path to the ESL file is specified through the > > CONFIG_EFI_CAPSULE_ESL_FILE symbol. > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > --- > > Changes since V1: > > * Put only the setting of dtsi_include_list under the ifdef, moving > > the rest of the logic out of the ifdef. > > > > lib/efi_loader/Kconfig | 8 ++++++++ > > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ > > scripts/Makefile.lib | 15 +++++++++++++++ > > 3 files changed, 34 insertions(+) > > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > > index 9989e3f384..d20aaab6db 100644 > > --- a/lib/efi_loader/Kconfig > > +++ b/lib/efi_loader/Kconfig 
> > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX > > Select the max capsule index value used for capsule report > > variables. This value is used to create CapsuleMax variable. > > > > +config EFI_CAPSULE_ESL_FILE > > + string "Path to the EFI Signature List File" > > + depends on EFI_CAPSULE_AUTHENTICATE > > + help > > + Provides the path to the EFI Signature List file which will > > + be embedded in the platform's device tree and used for > > + capsule authentication at the time of capsule update. > > + > > config EFI_DEVICE_PATH_TO_TEXT > > bool "Device path to text protocol" > > default y > > diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in > > new file mode 100644 > > index 0000000000..61a9f2b25e > > --- /dev/null > > +++ b/lib/efi_loader/capsule_esl.dtsi.in > > @@ -0,0 +1,11 @@ > > +// SPDX-License-Identifier: GPL-2.0+ > > +/** > > + * Devicetree file with the public key EFI Signature List(ESL) > > + * node. This file is used to generate the dtsi file to be > > + * included into the DTB. > > +*/ > > +/ { > > + signature { > > + capsule-key = /incbin/("ESL_BIN_FILE"); > > + }; > > +}; > > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib > > index 8c5e25c31c..3cec46bb15 100644 > > --- a/scripts/Makefile.lib > > +++ b/scripts/Makefile.lib 
> > @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ > > ; \ > > sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) > > > > +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ > > +cmd_capsule_esl_gen = \ > > + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) > > + > > +$(obj)/.capsule_esl.dtsi: > > + $(call cmd_capsule_esl_gen) > > + > > +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in > > +capsule_esl_dtsi = .capsule_esl.dtsi > > Any reason why cant reuse $capsule_esl_dtsi in capsule_esl_input_file? Are you suggesting having a lib/efi_loader/.capsule_esl.dtsi as the input file? I thought having that distinction in the names between the input file and the generated file keeps things a bit more clear. -sughosh > > Thanks > /Ilias > > +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) > > + > > +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE > > +dtsi_include_list += $(capsule_esl_dtsi) > > +endif > > + > > dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) > > > > $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE > > -- > > 2.34.1 > >
On Thu, Aug 17, 2023 at 11:18:53AM +0530, Sughosh Ganu wrote:
> The EFI capsule authentication logic in u-boot expects the public key
> in the form of an EFI Signature List(ESL) to be provided as part of
> the platform's dtb. Currently, the embedding of the ESL file into the
> dtb needs to be done manually.
>
> Add a target for generating a dtsi file which contains the signature
> node with the ESL file included as a property under the signature
> node. Include the dtsi file in the dtb. This brings the embedding of
> the ESL in the dtb into the U-Boot build flow.
>
> The path to the ESL file is specified through the
> CONFIG_EFI_CAPSULE_ESL_FILE symbol.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

Reviewed-by: Tom Rini <trini@konsulko.com>
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable. +config EFI_CAPSULE_ESL_FILE + string "Path to the EFI Signature List File" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provides the path to the EFI Signature List file which will + be embedded in the platform's device tree and used for + capsule authentication at the time of capsule update. + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in new file mode 100644 index 0000000000..61a9f2b25e --- /dev/null +++ b/lib/efi_loader/capsule_esl.dtsi.in @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0+ +/** + * Devicetree file with the public key EFI Signature List(ESL) + * node. This file is used to generate the dtsi file to be + * included into the DTB. +*/ +/ { + signature { + capsule-key = /incbin/("ESL_BIN_FILE"); + }; +}; diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 8c5e25c31c..3cec46bb15 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib 
@@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = \ + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) + +$(obj)/.capsule_esl.dtsi: + $(call cmd_capsule_esl_gen) + +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_esl_dtsi = .capsule_esl.dtsi +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) + +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +dtsi_include_list += $(capsule_esl_dtsi) +endif + dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
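Review bot: in the lib/efi_loader/Kconfig hunk, the help text of EFI_CAPSULE_ESL_FILE does not say that the path is taken relative to the source tree (the Makefile.lib hunk builds it as `$(abspath $(srctree)/...)`), and it does not say what happens when the string is left empty while EFI_CAPSULE_AUTHENTICATE is enabled: `capsule_esl_path` then resolves to the source directory itself and the `/incbin/` fails inside dtc with an error that does not name this option. State the base directory in the help text and consider rejecting an empty value at build time with a clear message.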
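Review bot: in the lib/efi_loader/capsule_esl.dtsi.in hunk, the closing `+*/` is not aligned with the ` * ` lines of the comment and `/**` is the kernel-doc opener, which this file header is not; use `/*` and ` */`. The comment would also help a reader more if it said that `ESL_BIN_FILE` is a placeholder replaced by scripts/Makefile.lib, since nothing in the file itself shows it is not a real path.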
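Review bot: in the scripts/Makefile.lib hunk, the rule `$(obj)/.capsule_esl.dtsi:` has no prerequisites and its recipe is a `$(call cmd_capsule_esl_gen)` whose body runs `sed` inside `$(shell ...)`, so once the file exists it is never regenerated: changing CONFIG_EFI_CAPSULE_ESL_FILE, the ESL file it points at, or the .dtsi.in template without a clean build leaves the previous key in the DTB. That is a real problem here because the embedded ESL is the trust anchor for capsule authentication, so a key rotation would silently not take effect. The `quiet_cmd_capsule_esl_gen` line is also never printed because `if_changed` is not used. Suggest `$(obj)/.capsule_esl.dtsi: $(capsule_esl_input_file) FORCE` with `$(call if_changed,capsule_esl_gen)` and a plain `sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $< > $@` command (no `$(shell`), so the target tracks both its inputs and its command line. Minor: `capsule_esl_input_file` and `capsule_esl_path` are assigned after the rule that uses them; it works because recipes expand late, but defining them above the rule reads better.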
The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List (ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.

Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow.

The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since V1:
* Put only the setting of dtsi_include_list under the ifdef, moving the rest of the logic out of the ifdef.

lib/efi_loader/Kconfig | 8 ++++++++
lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
scripts/Makefile.lib | 15 +++++++++++++++
3 files changed, 34 insertions(+)
create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
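The file named by CONFIG_EFI_CAPSULE_ESL_FILE is pulled into the `capsule-key` property with `/incbin/` as opaque bytes, so a malformed or wrong-type ESL only shows up when capsule authentication fails on the board. The following is an added example, not code from the patch or from U-Boot: a parser for the UEFI EFI_SIGNATURE_LIST layout that checks the file before it is embedded; `build_esl` and the DER stand-in are constructed here for the demonstration.

```python
import struct
import uuid

# GUIDs from the UEFI specification identifying the entry type of an ESL.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HEADER = struct.Struct("<16sIII")
SIG_OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_esl(blob):
    """Walk every EFI_SIGNATURE_LIST in blob; return (type, data) tuples.
    Raises ValueError on any inconsistency a blind /incbin/ would ship."""
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, offset)
        if list_size < ESL_HEADER.size + hdr_size or offset + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with file length")
        body_start = offset + ESL_HEADER.size + hdr_size
        body_len = list_size - ESL_HEADER.size - hdr_size
        # SignatureSize must cover the owner GUID and tile the body exactly.
        if sig_size <= SIG_OWNER_LEN or body_len % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        for pos in range(body_start, body_start + body_len, sig_size):
            data = blob[pos + SIG_OWNER_LEN:pos + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type), data))
        offset += list_size
    if not entries:
        raise ValueError("ESL contains no signatures")
    return entries


def build_esl(sig_type, payload, owner=uuid.UUID(int=0)):
    """Constructed helper: wrap one payload in a single-entry ESL."""
    sig_size = SIG_OWNER_LEN + len(payload)
    header = ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + payload


def check_capsule_key(blob):
    """True only if every entry is an X.509 certificate, the entry type
    capsule authentication expects under the signature node."""
    return all(t == EFI_CERT_X509_GUID for t, _ in parse_esl(blob))


if __name__ == "__main__":
    fake_cert = b"\x30\x82\x01\x00" + b"\xaa" * 252  # constructed stand-in for DER
    print(check_capsule_key(build_esl(EFI_CERT_X509_GUID, fake_cert)))
```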