[v2,2/4] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb

Message ID 20210412150526.29822-3-sughosh.ganu@linaro.org
State New
Headers show
Series
  • Add support for embedding public key in platform's dtb
Related show

Commit Message

Sughosh Ganu April 12, 2021, 3:05 p.m.
Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to
be used for embedding the public key to be used for capsule
authentication into the platform's device tree.

The embedding of the public key would take place during the platform
build process.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

---

Changes since V1:
* Provide a default name for public key file, eficapsule.esl as
  suggested by Heinrich.
* Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED

 lib/efi_loader/Kconfig | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 
2.17.1

Comments

Heinrich Schuchardt April 25, 2021, 7:24 a.m. | #1
On 4/12/21 5:05 PM, Sughosh Ganu wrote:
> Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to

> be used for embedding the public key to be used for capsule

> authentication into the platform's device tree.

>

> The embedding of the public key would take place during the platform

> build process.

>

> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> ---

>

> Changes since V1:

> * Provide a default name for public key file, eficapsule.esl as

>    suggested by Heinrich.

> * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED

>

>   lib/efi_loader/Kconfig | 15 +++++++++++++++

>   1 file changed, 15 insertions(+)

>

> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig

> index 79b488823a..089accaaaa 100644

> --- a/lib/efi_loader/Kconfig

> +++ b/lib/efi_loader/Kconfig

> @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE

>   	  Select this option if you want to enable capsule

>   	  authentication

>

> +config EFI_PKEY_DTB_EMBED

> +	bool "Embed the public key in the Device Tree"

> +	depends on EFI_CAPSULE_AUTHENTICATE

> +	help

> +	  Select this option if the public key used for capsule

> +	  authentication is to be embedded into the platform's

> +	  device tree.

> +

> +config EFI_PKEY_FILE

> +	string "Public Key esl file to be embedded into the Device Tree"

> +	default "eficapsule.esl"


This config symbol should depend on EFI_PKEY_DTB_EMBED.

Best regards

Heinrich

> +	help

> +	  Specify the absolute path of the public key esl file that is

> +	  to be embedded in the platform's device tree.

> +

>   config EFI_CAPSULE_FIRMWARE_FIT

>   	bool "FMP driver for FIT image"

>   	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT

>
AKASHI Takahiro April 28, 2021, 4:55 a.m. | #2
On Sun, Apr 25, 2021 at 09:24:39AM +0200, Heinrich Schuchardt wrote:
> On 4/12/21 5:05 PM, Sughosh Ganu wrote:

> > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to

> > be used for embedding the public key to be used for capsule

> > authentication into the platform's device tree.

> > 

> > The embedding of the public key would take place during the platform

> > build process.

> > 

> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > ---

> > 

> > Changes since V1:

> > * Provide a default name for public key file, eficapsule.esl as

> >    suggested by Heinrich.

> > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED

> > 

> >   lib/efi_loader/Kconfig | 15 +++++++++++++++

> >   1 file changed, 15 insertions(+)

> > 

> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig

> > index 79b488823a..089accaaaa 100644

> > --- a/lib/efi_loader/Kconfig

> > +++ b/lib/efi_loader/Kconfig

> > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE

> >   	  Select this option if you want to enable capsule

> >   	  authentication

> > 

> > +config EFI_PKEY_DTB_EMBED

> > +	bool "Embed the public key in the Device Tree"

> > +	depends on EFI_CAPSULE_AUTHENTICATE

> > +	help

> > +	  Select this option if the public key used for capsule

> > +	  authentication is to be embedded into the platform's

> > +	  device tree.

> > +

> > +config EFI_PKEY_FILE

> > +	string "Public Key esl file to be embedded into the Device Tree"

> > +	default "eficapsule.esl"

> 

> This config symbol should depend on EFI_PKEY_DTB_EMBED.


What is embedded here is a *list* of X509 certificate, not a single public key.
"esl" stands for EFI Signature List.
The symbol name as well as help text are confusing.

-Takahiro Akashi

> Best regards

> 

> Heinrich

> 

> > +	help

> > +	  Specify the absolute path of the public key esl file that is

> > +	  to be embedded in the platform's device tree.

> > +

> >   config EFI_CAPSULE_FIRMWARE_FIT

> >   	bool "FMP driver for FIT image"

> >   	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT

> > 

>
AKASHI Takahiro April 28, 2021, 5:01 a.m. | #3
On Wed, Apr 28, 2021 at 01:55:18PM +0900, AKASHI Takahiro wrote:
> On Sun, Apr 25, 2021 at 09:24:39AM +0200, Heinrich Schuchardt wrote:

> > On 4/12/21 5:05 PM, Sughosh Ganu wrote:

> > > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to

> > > be used for embedding the public key to be used for capsule

> > > authentication into the platform's device tree.

> > > 

> > > The embedding of the public key would take place during the platform

> > > build process.

> > > 

> > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> > > ---

> > > 

> > > Changes since V1:

> > > * Provide a default name for public key file, eficapsule.esl as

> > >    suggested by Heinrich.

> > > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED

> > > 

> > >   lib/efi_loader/Kconfig | 15 +++++++++++++++

> > >   1 file changed, 15 insertions(+)

> > > 

> > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig

> > > index 79b488823a..089accaaaa 100644

> > > --- a/lib/efi_loader/Kconfig

> > > +++ b/lib/efi_loader/Kconfig

> > > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE

> > >   	  Select this option if you want to enable capsule

> > >   	  authentication

> > > 

> > > +config EFI_PKEY_DTB_EMBED

> > > +	bool "Embed the public key in the Device Tree"

> > > +	depends on EFI_CAPSULE_AUTHENTICATE

> > > +	help

> > > +	  Select this option if the public key used for capsule

> > > +	  authentication is to be embedded into the platform's

> > > +	  device tree.

> > > +

> > > +config EFI_PKEY_FILE

> > > +	string "Public Key esl file to be embedded into the Device Tree"

> > > +	default "eficapsule.esl"

> > 

> > This config symbol should depend on EFI_PKEY_DTB_EMBED.

> 

> What is embedded here is a *list* of X509 certificate, not a single public key.

> "esl" stands for EFI Signature List.

> The symbol name as well as help text are confusing.


In addition, "signature" means a hash value of image
as well as X509 in UEFI terms.
So as far as we use efi_signature_verify(), any type of
"signature" will be allowed.

We must be clear here.

-Takahiro Akashi


> -Takahiro Akashi

> 

> > Best regards

> > 

> > Heinrich

> > 

> > > +	help

> > > +	  Specify the absolute path of the public key esl file that is

> > > +	  to be embedded in the platform's device tree.

> > > +

> > >   config EFI_CAPSULE_FIRMWARE_FIT

> > >   	bool "FMP driver for FIT image"

> > >   	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT

> > > 

> >
AKASHI Takahiro May 10, 2021, 6:45 a.m. | #4
On Mon, Apr 12, 2021 at 08:35:24PM +0530, Sughosh Ganu wrote:
> Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to

> be used for embedding the public key to be used for capsule

> authentication into the platform's device tree.

> 

> The embedding of the public key would take place during the platform

> build process.

> 

> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

> ---

> 

> Changes since V1:

> * Provide a default name for public key file, eficapsule.esl as

>   suggested by Heinrich.

> * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED

> 

>  lib/efi_loader/Kconfig | 15 +++++++++++++++

>  1 file changed, 15 insertions(+)

> 

> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig

> index 79b488823a..089accaaaa 100644

> --- a/lib/efi_loader/Kconfig

> +++ b/lib/efi_loader/Kconfig

> @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE

>  	  Select this option if you want to enable capsule

>  	  authentication

>  

> +config EFI_PKEY_DTB_EMBED

> +	bool "Embed the public key in the Device Tree"

> +	depends on EFI_CAPSULE_AUTHENTICATE

> +	help

> +	  Select this option if the public key used for capsule

> +	  authentication is to be embedded into the platform's

> +	  device tree.

> +

> +config EFI_PKEY_FILE

> +	string "Public Key esl file to be embedded into the Device Tree"

> +	default "eficapsule.esl"

> +	help

> +	  Specify the absolute path of the public key esl file that is


While requiring the *absolute* path, the *default* value is not.

-Takahiro Akashi


> +	  to be embedded in the platform's device tree.

> +

>  config EFI_CAPSULE_FIRMWARE_FIT

>  	bool "FMP driver for FIT image"

>  	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT

> -- 

> 2.17.1

>

Patch

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 79b488823a..089accaaaa 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -179,6 +179,21 @@  config EFI_CAPSULE_AUTHENTICATE
 	  Select this option if you want to enable capsule
 	  authentication
 
+config EFI_PKEY_DTB_EMBED
+	bool "Embed the public key in the Device Tree"
+	depends on EFI_CAPSULE_AUTHENTICATE
+	help
+	  Select this option if the public key used for capsule
+	  authentication is to be embedded into the platform's
+	  device tree.
+
+config EFI_PKEY_FILE
+	string "Public Key esl file to be embedded into the Device Tree"
+	default "eficapsule.esl"
+	help
+	  Specify the absolute path of the public key esl file that is
+	  to be embedded in the platform's device tree.
+
 config EFI_CAPSULE_FIRMWARE_FIT
 	bool "FMP driver for FIT image"
 	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT