From patchwork Mon Apr 12 15:05:22 2021
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 419560
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar
Subject: [PATCH v2 0/4] Add support for embedding public key in platform's dtb
Date: Mon, 12 Apr 2021 20:35:22 +0530
Message-Id: <20210412150526.29822-1-sughosh.ganu@linaro.org>

These patches add support for embedding the public key EFI signature list (esl) file into the platform's device tree. The current solution for the Qemu arm64 platform has the public key as part of an overlay, and stored on the EFI System Partition (ESP). Having the provision to embed the public key into the platform's dtb, which is then concatenated with the u-boot binary, is a better approach, recommended by Heinrich [1].

Patch 1 removes the existing additional check for authenticating the capsule using the env variable.
Patch 2 adds two config symbols, EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE, which are used for enabling embedding of the public key in the dtb, and specifying the esl file name.
Patch 3 adds a function for retrieving the public key which has been embedded in the platform's dtb.
Patch 4 adds the functionality to embed the esl file into the platform's dtb during the platform build.

I have tested this functionality on the STM32MP157C DK2 board, and it works as expected.

[1] - https://lists.denx.de/pipermail/u-boot/2021-March/442867.html

Changes since V1:
* As pointed out by Heinrich in the review, remove the extra check of the env variable 'capsule_authentication_enabled' for authenticating the capsule. The capsule authentication will now be done based on whether the corresponding config symbol is enabled.
* Provide a default name for the public key file, eficapsule.esl, as suggested by Heinrich.
* Remove the superfluous "default n" statement for EFI_PKEY_DTB_EMBED.
* Remove the weak function, and add the functionality to retrieve the public key under the config symbol CONFIG_EFI_PKEY_DTB_EMBED.

Sughosh Ganu (4):
  efi_loader: capsule: Remove the check for capsule_authentication_enabled environment variable
  efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb
  efi_capsule: Add a function to get the public key needed for capsule authentication
  Makefile: Add provision for embedding public key in platform's dtb

 Makefile                              | 10 +++++++
 board/emulation/common/qemu_capsule.c |  6 ----
 lib/efi_loader/Kconfig                | 15 ++++++++++
 lib/efi_loader/efi_capsule.c          | 43 +++++++++++++++++++++++----
 lib/efi_loader/efi_firmware.c         |  5 ++--
 5 files changed, 65 insertions(+), 14 deletions(-)

-- 
2.17.1
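Added example, not code from this patch series or from U-Boot itself: the cover letter says the key is shipped as an EFI signature list (.esl) embedded in the dtb and that Patch 3 retrieves it for capsule authentication. Whatever retrieves it hands the verifier an untrusted byte blob, so the first thing a practitioner wants is a bounds-checked walk of the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification (28-byte list header carrying SignatureType, SignatureListSize, SignatureHeaderSize and SignatureSize, then entries of SignatureSize bytes, each beginning with a 16-byte SignatureOwner GUID). The cover letter does not name the dtb node or property that holds the blob, so the example takes the bytes as an already-retrieved buffer; the certificate bytes it round-trips are constructed filler, not real DER.

```c
/*
 * Added example (not from the patch series): bounds-checked EFI_SIGNATURE_LIST
 * walker plus a builder used to construct the sample blob. Every size check is
 * made against the bytes remaining in the buffer, never against the untrusted
 * size fields themselves.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ESL_HDR_LEN 28u		/* sizeof(EFI_SIGNATURE_LIST) on the wire */
#define GUID_LEN    16u

typedef struct { uint8_t b[GUID_LEN]; } efi_guid_t;

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, on-wire byte order */
static const efi_guid_t efi_cert_x509_guid = {{
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }};

static uint32_t rd32(const uint8_t *p)	/* little-endian, alignment-safe */
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Called per EFI_SIGNATURE_DATA entry; a non-zero return aborts the walk. */
typedef int (*esl_visit_fn)(const efi_guid_t *type, const efi_guid_t *owner,
			    const uint8_t *data, size_t len, void *ctx);

/*
 * Walk every signature list in buf[0..len). Returns the number of entries
 * visited, or -1 if a list or header does not fit, an entry cannot hold its
 * owner GUID plus at least one data byte, or the body is not a whole number
 * of entries. A list with no entries is treated as malformed here.
 */
int esl_walk(const uint8_t *buf, size_t len, esl_visit_fn visit, void *ctx)
{
	size_t off = 0;
	int count = 0;

	while (off < len) {
		if (len - off < ESL_HDR_LEN)
			return -1;
		const uint8_t *hdr = buf + off;
		uint32_t list_size = rd32(hdr + 16);
		uint32_t hdr_size = rd32(hdr + 20);
		uint32_t sig_size = rd32(hdr + 24);

		if (list_size < ESL_HDR_LEN || list_size > len - off)
			return -1;
		if (hdr_size > list_size - ESL_HDR_LEN)
			return -1;
		size_t body = list_size - ESL_HDR_LEN - hdr_size;
		if (sig_size <= GUID_LEN || body == 0 || body % sig_size)
			return -1;

		const uint8_t *p = hdr + ESL_HDR_LEN + hdr_size;
		for (size_t n = body / sig_size; n; n--, p += sig_size) {
			if (visit && visit((const efi_guid_t *)hdr, (const efi_guid_t *)p,
					   p + GUID_LEN, sig_size - GUID_LEN, ctx))
				return -1;
			count++;
		}
		off += list_size;
	}
	return count;
}

/* Serialise one certificate as a single-entry X.509 list; 0 if it does not fit. */
size_t esl_build_x509(uint8_t *out, size_t cap, const efi_guid_t *owner,
		      const uint8_t *cert, size_t cert_len)
{
	size_t total = ESL_HDR_LEN + GUID_LEN + cert_len;

	if (cert_len == 0 || total > cap || total > UINT32_MAX)
		return 0;
	memcpy(out, &efi_cert_x509_guid, GUID_LEN);
	wr32(out + 16, (uint32_t)total);
	wr32(out + 20, 0);				/* no SignatureHeader */
	wr32(out + 24, (uint32_t)(GUID_LEN + cert_len));
	memcpy(out + ESL_HDR_LEN, owner, GUID_LEN);
	memcpy(out + ESL_HDR_LEN + GUID_LEN, cert, cert_len);
	return total;
}

struct x509_ctx { int x509; size_t last_len; };

/* Visitor that only counts entries whose list type is EFI_CERT_X509_GUID. */
static int count_x509(const efi_guid_t *type, const efi_guid_t *owner,
		      const uint8_t *data, size_t len, void *ctx)
{
	struct x509_ctx *c = ctx;
	(void)owner; (void)data;
	if (memcmp(type, &efi_cert_x509_guid, GUID_LEN) == 0) {
		c->x509++;
		c->last_len = len;
	}
	return 0;
}

/* Constructed filler standing in for DER; not a real certificate. */
static const uint8_t fake_cert[8] = { 0x30, 0x82, 0x01, 0x00, 0xde, 0xad, 0xbe, 0xef };

/* Round trip: build a one-cert list and count X.509 entries (expect 1). */
int esl_example_x509_count(void)
{
	const efi_guid_t owner = {{ 0 }};
	uint8_t blob[64];
	struct x509_ctx c = { 0, 0 };
	size_t n = esl_build_x509(blob, sizeof(blob), &owner, fake_cert, sizeof(fake_cert));

	if (n == 0 || esl_walk(blob, n, count_x509, &c) != 1 || c.last_len != sizeof(fake_cert))
		return -1;
	return c.x509;
}

/* Corrupt the same blob three ways; returns how many variants were rejected (expect 3). */
int esl_example_rejects_malformed(void)
{
	const efi_guid_t owner = {{ 0 }};
	uint8_t blob[64];
	size_t n = esl_build_x509(blob, sizeof(blob), &owner, fake_cert, sizeof(fake_cert));
	int rejected = 0;

	rejected += esl_walk(blob, n - 1, NULL, NULL) == -1;	/* truncated by one byte */
	wr32(blob + 16, 0xffffffffu);				/* SignatureListSize past the end */
	rejected += esl_walk(blob, n, NULL, NULL) == -1;
	wr32(blob + 16, (uint32_t)n);
	wr32(blob + 24, GUID_LEN);				/* entry with no data after owner GUID */
	rejected += esl_walk(blob, n, NULL, NULL) == -1;
	return rejected;
}
```

Two points from the cover letter are worth keeping in mind when wiring something like this in: the visitor receives the list's SignatureType, so a capsule verifier should accept only EFI_CERT_X509_GUID entries rather than whatever the blob carries, and because the dtb is concatenated with the u-boot binary, the embedded key is only as trustworthy as the image it rides in, so the stage that loads U-Boot still needs to verify that image.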