[v2,0/4] Add support for embedding public key in platform's dtb

Message ID 20210412150526.29822-1-sughosh.ganu@linaro.org
Headers show
  • Add support for embedding public key in platform's dtb
Related show


Sughosh Ganu April 12, 2021, 3:05 p.m.
These patches add support for embedding the public key efi signature
list(esl) file into the platform's device tree. The current solution
for the Qemu arm64 platform has the public key as part of an overlay,
and stored on the Efi System Partition(ESP). Having the provision to
embed the public key into the platform's dtb which is then
concatenated with the u-boot binary is a better approach, recommended
by Heinrich[1].

Patch 1 removes the existing additional check for authenticating the
capsule using the env variable.

Patch 2 add two config symbols, EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE
which are used for enabling embedding of the public key in the dtb,
and specifying the esl file name.

Patch 3 adds a function for retrieving the public key which has been
embedded in the platform's dtb.

Patch 4 adds the functionality to embed the esl file into the
platform's dtb during the platform build.

I have tested this functionality on the STM32MP157C DK2 board, and it
works as expected.

[1] - https://lists.denx.de/pipermail/u-boot/2021-March/442867.html 

Changes since V1:

* As pointed out by Heinrich in the review, remove the extra check of
  the env variable 'capsule_authentication_enabled'for authenticating
  the capsule. The capsule authentication will now be done based on
  whether the corresponding config symbol is enabled.
* Provide a default name for public key file, eficapsule.esl as
  suggested by Heinrich.
* Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED
* Remove the weak function, and add the functionality to retrieve the
  public key under the config symbol CONFIG_EFI_PKEY_DTB_EMBED.

Sughosh Ganu (4):
  efi_loader: capsule: Remove the check for
    capsule_authentication_enabled environment variable
  efi_loader: Kconfig: Add symbols for embedding the public key into the
    platform's dtb
  efi_capsule: Add a function to get the public key needed for capsule
  Makefile: Add provision for embedding public key in platform's dtb

 Makefile                              | 10 +++++++
 board/emulation/common/qemu_capsule.c |  6 ----
 lib/efi_loader/Kconfig                | 15 ++++++++++
 lib/efi_loader/efi_capsule.c          | 43 +++++++++++++++++++++++----
 lib/efi_loader/efi_firmware.c         |  5 ++--
 5 files changed, 65 insertions(+), 14 deletions(-)