| Message ID | 20210412150526.29822-3-sughosh.ganu@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | Add support for embedding public key in platform's dtb | expand |
On 4/12/21 5:05 PM, Sughosh Ganu wrote: > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to > be used for embedding the public key to be used for capsule > authentication into the platform's device tree. > > The embedding of the public key would take place during the platform > build process. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > --- > > Changes since V1: > * Provide a default name for public key file, eficapsule.esl as > suggested by Heinrich. > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED > > lib/efi_loader/Kconfig | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index 79b488823a..089accaaaa 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE > Select this option if you want to enable capsule > authentication > > +config EFI_PKEY_DTB_EMBED > + bool "Embed the public key in the Device Tree" > + depends on EFI_CAPSULE_AUTHENTICATE > + help > + Select this option if the public key used for capsule > + authentication is to be embedded into the platform's > + device tree. > + > +config EFI_PKEY_FILE > + string "Public Key esl file to be embedded into the Device Tree" > + default "eficapsule.esl" This config symbol should depend on EFI_PKEY_DTB_EMBED. Best regards Heinrich > + help > + Specify the absolute path of the public key esl file that is > + to be embedded in the platform's device tree. > + > config EFI_CAPSULE_FIRMWARE_FIT > bool "FMP driver for FIT image" > depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT >
On Sun, Apr 25, 2021 at 09:24:39AM +0200, Heinrich Schuchardt wrote: > On 4/12/21 5:05 PM, Sughosh Ganu wrote: > > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to > > be used for embedding the public key to be used for capsule > > authentication into the platform's device tree. > > > > The embedding of the public key would take place during the platform > > build process. > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > --- > > > > Changes since V1: > > * Provide a default name for public key file, eficapsule.esl as > > suggested by Heinrich. > > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED > > > > lib/efi_loader/Kconfig | 15 +++++++++++++++ > > 1 file changed, 15 insertions(+) > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > > index 79b488823a..089accaaaa 100644 > > --- a/lib/efi_loader/Kconfig > > +++ b/lib/efi_loader/Kconfig > > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE > > Select this option if you want to enable capsule > > authentication > > > > +config EFI_PKEY_DTB_EMBED > > + bool "Embed the public key in the Device Tree" > > + depends on EFI_CAPSULE_AUTHENTICATE > > + help > > + Select this option if the public key used for capsule > > + authentication is to be embedded into the platform's > > + device tree. > > + > > +config EFI_PKEY_FILE > > + string "Public Key esl file to be embedded into the Device Tree" > > + default "eficapsule.esl" > > This config symbol should depend on EFI_PKEY_DTB_EMBED. What is embedded here is a *list* of X509 certificate, not a single public key. "esl" stands for EFI Signature List. The symbol name as well as help text are confusing. -Takahiro Akashi > Best regards > > Heinrich > > > + help > > + Specify the absolute path of the public key esl file that is > > + to be embedded in the platform's device tree. > > + > > config EFI_CAPSULE_FIRMWARE_FIT > > bool "FMP driver for FIT image" > > depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT > > >
On Wed, Apr 28, 2021 at 01:55:18PM +0900, AKASHI Takahiro wrote: > On Sun, Apr 25, 2021 at 09:24:39AM +0200, Heinrich Schuchardt wrote: > > On 4/12/21 5:05 PM, Sughosh Ganu wrote: > > > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to > > > be used for embedding the public key to be used for capsule > > > authentication into the platform's device tree. > > > > > > The embedding of the public key would take place during the platform > > > build process. > > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > > --- > > > > > > Changes since V1: > > > * Provide a default name for public key file, eficapsule.esl as > > > suggested by Heinrich. > > > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED > > > > > > lib/efi_loader/Kconfig | 15 +++++++++++++++ > > > 1 file changed, 15 insertions(+) > > > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > > > index 79b488823a..089accaaaa 100644 > > > --- a/lib/efi_loader/Kconfig > > > +++ b/lib/efi_loader/Kconfig > > > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE > > > Select this option if you want to enable capsule > > > authentication > > > > > > +config EFI_PKEY_DTB_EMBED > > > + bool "Embed the public key in the Device Tree" > > > + depends on EFI_CAPSULE_AUTHENTICATE > > > + help > > > + Select this option if the public key used for capsule > > > + authentication is to be embedded into the platform's > > > + device tree. > > > + > > > +config EFI_PKEY_FILE > > > + string "Public Key esl file to be embedded into the Device Tree" > > > + default "eficapsule.esl" > > > > This config symbol should depend on EFI_PKEY_DTB_EMBED. > > What is embedded here is a *list* of X509 certificate, not a single public key. > "esl" stands for EFI Signature List. > The symbol name as well as help text are confusing. In addition, "signature" means a hash value of image as well as X509 in UEFI terms. So as far as we use efi_signature_verify(), any type of "signature" will be allowed. We must be clear here. -Takahiro Akashi > -Takahiro Akashi > > > Best regards > > > > Heinrich > > > > > + help > > > + Specify the absolute path of the public key esl file that is > > > + to be embedded in the platform's device tree. > > > + > > > config EFI_CAPSULE_FIRMWARE_FIT > > > bool "FMP driver for FIT image" > > > depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT > > > > >
On Mon, Apr 12, 2021 at 08:35:24PM +0530, Sughosh Ganu wrote: > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to > be used for embedding the public key to be used for capsule > authentication into the platform's device tree. > > The embedding of the public key would take place during the platform > build process. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > --- > > Changes since V1: > * Provide a default name for public key file, eficapsule.esl as > suggested by Heinrich. > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED > > lib/efi_loader/Kconfig | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index 79b488823a..089accaaaa 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE > Select this option if you want to enable capsule > authentication > > +config EFI_PKEY_DTB_EMBED > + bool "Embed the public key in the Device Tree" > + depends on EFI_CAPSULE_AUTHENTICATE > + help > + Select this option if the public key used for capsule > + authentication is to be embedded into the platform's > + device tree. > + > +config EFI_PKEY_FILE > + string "Public Key esl file to be embedded into the Device Tree" > + default "eficapsule.esl" > + help > + Specify the absolute path of the public key esl file that is While requiring the *absolute* path, the *default* value is not. -Takahiro Akashi > + to be embedded in the platform's device tree. > + > config EFI_CAPSULE_FIRMWARE_FIT > bool "FMP driver for FIT image" > depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT > -- > 2.17.1 >
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 79b488823a..089accaaaa 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_PKEY_DTB_EMBED + bool "Embed the public key in the Device Tree" + depends on EFI_CAPSULE_AUTHENTICATE + help + Select this option if the public key used for capsule + authentication is to be embedded into the platform's + device tree. + +config EFI_PKEY_FILE + string "Public Key esl file to be embedded into the Device Tree" + default "eficapsule.esl" + help + Specify the absolute path of the public key esl file that is + to be embedded in the platform's device tree. + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to be used for embedding the public key to be used for capsule authentication into the platform's device tree. The embedding of the public key would take place during the platform build process. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> --- Changes since V1: * Provide a default name for public key file, eficapsule.esl as suggested by Heinrich. * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED lib/efi_loader/Kconfig | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -- 2.17.1