[4/5] efi_capsule: Add a weak function to get the public key needed for capsule authentication

Message ID 20210407115335.8615-5-sughosh.ganu@linaro.org
State Superseded
Headers show
Series
  • Add support for embedding public key in platform's dtb
Related show

Commit Message

Sughosh Ganu April 7, 2021, 11:53 a.m.
Define a weak function which would be used in the scenario where the
public key is stored on the platform's dtb. This dtb is concatenated
with the u-boot binary during the build process. Platforms which have
a different mechanism for getting the public key would define their
own platform specific function.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

---
 lib/efi_loader/efi_capsule.c | 38 ++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

-- 
2.17.1

Comments

Heinrich Schuchardt April 8, 2021, 7:48 p.m. | #1
On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> Define a weak function which would be used in the scenario where the

> public key is stored on the platform's dtb. This dtb is concatenated

> with the u-boot binary during the build process. Platforms which have

> a different mechanism for getting the public key would define their

> own platform specific function.


Storing the public key in U-Boot's dtb is reasonable. But what is the
use case for a weak function?

Best regards

Heinrich

>

> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> ---

>   lib/efi_loader/efi_capsule.c | 38 ++++++++++++++++++++++++++++++++----

>   1 file changed, 34 insertions(+), 4 deletions(-)

>

> diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c

> index 1423b675c8..fc5e1c0856 100644

> --- a/lib/efi_loader/efi_capsule.c

> +++ b/lib/efi_loader/efi_capsule.c

> @@ -14,10 +14,13 @@

>   #include <mapmem.h>

>   #include <sort.h>

>

> +#include <asm/global_data.h>

>   #include <crypto/pkcs7.h>

>   #include <crypto/pkcs7_parser.h>

>   #include <linux/err.h>

>

> +DECLARE_GLOBAL_DATA_PTR;

> +

>   const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID;

>   static const efi_guid_t efi_guid_firmware_management_capsule_id =

>   		EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;

> @@ -210,11 +213,38 @@ const efi_guid_t efi_guid_capsule_root_cert_guid =

>

>   __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)

>   {

> -	/* The platform is supposed to provide

> -	 * a method for getting the public key

> -	 * stored in the form of efi signature

> -	 * list

> +	/*

> +	 * This is a function for retrieving the public key from the

> +	 * platform's device tree. The platform's device tree has been

> +	 * concatenated with the u-boot binary.

> +	 * If a platform has a different mechanism to get the public

> +	 * key, it can define it's own function.

>   	 */

> +	const void *fdt_blob = gd->fdt_blob;

> +	const void *blob;

> +	const char *cnode_name = "capsule-key";

> +	const char *snode_name = "signature";

> +	int sig_node;

> +	int len;

> +

> +	sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);

> +	if (sig_node < 0) {

> +		EFI_PRINT("Unable to get signature node offset\n");

> +		return -FDT_ERR_NOTFOUND;

> +	}

> +

> +	blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);

> +

> +	if (!blob || len < 0) {

> +		EFI_PRINT("Unable to get capsule-key value\n");

> +		*pkey = NULL;

> +		*pkey_len = 0;

> +		return -FDT_ERR_NOTFOUND;

> +	}

> +

> +	*pkey = (void *)blob;

> +	*pkey_len = len;

> +

>   	return 0;

>   }

>

>
Sughosh Ganu April 9, 2021, 6:25 a.m. | #2
On Fri, 9 Apr 2021 at 01:23, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:

> On 4/7/21 1:53 PM, Sughosh Ganu wrote:

> > Define a weak function which would be used in the scenario where the

> > public key is stored on the platform's dtb. This dtb is concatenated

> > with the u-boot binary during the build process. Platforms which have

> > a different mechanism for getting the public key would define their

> > own platform specific function.

>

> Storing the public key in U-Boot's dtb is reasonable. But what is the

> use case for a weak function?

>


This point was discussed in another mail thread[1].

-sughosh

[1] - https://lists.denx.de/pipermail/u-boot/2021-April/446694.html


> Best regards

>

> Heinrich

>

> >

> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > ---

> >   lib/efi_loader/efi_capsule.c | 38 ++++++++++++++++++++++++++++++++----

> >   1 file changed, 34 insertions(+), 4 deletions(-)

> >

> > diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c

> > index 1423b675c8..fc5e1c0856 100644

> > --- a/lib/efi_loader/efi_capsule.c

> > +++ b/lib/efi_loader/efi_capsule.c

> > @@ -14,10 +14,13 @@

> >   #include <mapmem.h>

> >   #include <sort.h>

> >

> > +#include <asm/global_data.h>

> >   #include <crypto/pkcs7.h>

> >   #include <crypto/pkcs7_parser.h>

> >   #include <linux/err.h>

> >

> > +DECLARE_GLOBAL_DATA_PTR;

> > +

> >   const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID;

> >   static const efi_guid_t efi_guid_firmware_management_capsule_id =

> >               EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;

> > @@ -210,11 +213,38 @@ const efi_guid_t efi_guid_capsule_root_cert_guid =

> >

> >   __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)

> >   {

> > -     /* The platform is supposed to provide

> > -      * a method for getting the public key

> > -      * stored in the form of efi signature

> > -      * list

> > +     /*

> > +      * This is a function for retrieving the public key from the

> > +      * platform's device tree. The platform's device tree has been

> > +      * concatenated with the u-boot binary.

> > +      * If a platform has a different mechanism to get the public

> > +      * key, it can define it's own function.

> >        */

> > +     const void *fdt_blob = gd->fdt_blob;

> > +     const void *blob;

> > +     const char *cnode_name = "capsule-key";

> > +     const char *snode_name = "signature";

> > +     int sig_node;

> > +     int len;

> > +

> > +     sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);

> > +     if (sig_node < 0) {

> > +             EFI_PRINT("Unable to get signature node offset\n");

> > +             return -FDT_ERR_NOTFOUND;

> > +     }

> > +

> > +     blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);

> > +

> > +     if (!blob || len < 0) {

> > +             EFI_PRINT("Unable to get capsule-key value\n");

> > +             *pkey = NULL;

> > +             *pkey_len = 0;

> > +             return -FDT_ERR_NOTFOUND;

> > +     }

> > +

> > +     *pkey = (void *)blob;

> > +     *pkey_len = len;

> > +

> >       return 0;

> >   }

> >

> >

>

>

Patch

diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 1423b675c8..fc5e1c0856 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -14,10 +14,13 @@ 
 #include <mapmem.h>
 #include <sort.h>
 
+#include <asm/global_data.h>
 #include <crypto/pkcs7.h>
 #include <crypto/pkcs7_parser.h>
 #include <linux/err.h>
 
+DECLARE_GLOBAL_DATA_PTR;
+
 const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID;
 static const efi_guid_t efi_guid_firmware_management_capsule_id =
 		EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;
@@ -210,11 +213,38 @@  const efi_guid_t efi_guid_capsule_root_cert_guid =
 
 __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
 {
-	/* The platform is supposed to provide
-	 * a method for getting the public key
-	 * stored in the form of efi signature
-	 * list
+	/*
+	 * This is a function for retrieving the public key from the
+	 * platform's device tree. The platform's device tree has been
+	 * concatenated with the u-boot binary.
+	 * If a platform has a different mechanism to get the public
+	 * key, it can define it's own function.
 	 */
+	const void *fdt_blob = gd->fdt_blob;
+	const void *blob;
+	const char *cnode_name = "capsule-key";
+	const char *snode_name = "signature";
+	int sig_node;
+	int len;
+
+	sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);
+	if (sig_node < 0) {
+		EFI_PRINT("Unable to get signature node offset\n");
+		return -FDT_ERR_NOTFOUND;
+	}
+
+	blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);
+
+	if (!blob || len < 0) {
+		EFI_PRINT("Unable to get capsule-key value\n");
+		*pkey = NULL;
+		*pkey_len = 0;
+		return -FDT_ERR_NOTFOUND;
+	}
+
+	*pkey = (void *)blob;
+	*pkey_len = len;
+
 	return 0;
 }