| Message ID | 20211116043238.67226-13-takahiro.akashi@linaro.org |
|---|---|
| State | Superseded |
| Series | efi_loader: capsule: improve capsule authentication support |
Hi Takahiro,

On Mon, 15 Nov 2021 at 21:33, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>
> By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
> automatically insert the given key into the device tree.
> Otherwise, users are required to do so manually, possibly, with
> the utility script, fdtsig.sh.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  doc/develop/uefi/uefi.rst |  4 ++++
>  dts/Makefile              | 23 +++++++++++++++++++++--
>  lib/efi_loader/Kconfig    |  7 +++++++
>  3 files changed, 32 insertions(+), 2 deletions(-)
>

This should be handled by binman. I can create an etype for it if you like.

Regards,
Simon
Hi Simon,

On Wed, Nov 24, 2021 at 05:11:49PM -0700, Simon Glass wrote:
> Hi Takahiro,
>
> On Mon, 15 Nov 2021 at 21:33, AKASHI Takahiro
> <takahiro.akashi@linaro.org> wrote:
> >
> > By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
> > automatically insert the given key into the device tree.
> > Otherwise, users are required to do so manually, possibly, with
> > the utility script, fdtsig.sh.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  doc/develop/uefi/uefi.rst |  4 ++++
> >  dts/Makefile              | 23 +++++++++++++++++++++--
> >  lib/efi_loader/Kconfig    |  7 +++++++
> >  3 files changed, 32 insertions(+), 2 deletions(-)
> >
>
> This should be handled by binman. I can create an etype for it if you like.

Basically I'd defer to you, but I still don't understand
when and how binman would be invoked in this particular use case.

> Regards,
> Simon
Hi Takahiro,

On Wed, 24 Nov 2021 at 19:21, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>
> Hi Simon,
>
> On Wed, Nov 24, 2021 at 05:11:49PM -0700, Simon Glass wrote:
> > Hi Takahiro,
> >
> > On Mon, 15 Nov 2021 at 21:33, AKASHI Takahiro
> > <takahiro.akashi@linaro.org> wrote:
> > >
> > > By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
> > > automatically insert the given key into the device tree.
> > > Otherwise, users are required to do so manually, possibly, with
> > > the utility script, fdtsig.sh.
> > >
> > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > ---
> > >  doc/develop/uefi/uefi.rst |  4 ++++
> > >  dts/Makefile              | 23 +++++++++++++++++++++--
> > >  lib/efi_loader/Kconfig    |  7 +++++++
> > >  3 files changed, 32 insertions(+), 2 deletions(-)
> > >
> >
> > This should be handled by binman. I can create an etype for it if you like.
>
> Basically I'd defer to you, but I don't still understand
> when and how binman be invoked in this particular use case.

OK I will give it a try. Basically we need to create an etype for it, with an
entry argument that specifies the key file. See

https://github.com/u-boot/u-boot/blob/master/tools/binman/etype/vblock.py

This one collects the data to sign, calls a tool to sign it, then puts the
signature in the entry. It is really easy (TM).

Regards,
Simon
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> The public and private keys used for the signing process are generated and used by the steps highlighted below. @@ -392,6 +393,9 @@ and used by the steps highlighted below. }; }; + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will + take care of it for you. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep) +quiet_cmd_fdtsig = FDTSIG $@ + cmd_fdtsig = \ + cat $< > $@; \ + $(srctree)/tools/fdtsig.sh \ + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ + +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) +DTB_ov := $(obj)/dt.dtb_ov + +$(obj)/dt.dtb_ov: $(DTB) FORCE + $(call if_changed,fdtsig) +else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif + ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 700dc838ddb9..8c8d14d46433 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_CAPSULE_KEY_PATH + string "Path to .esl cert for capsule authentication" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provide the EFI signature list (esl) certificate used for capsule + authentication + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
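Review bot: in the dts/Makefile hunk, the `$(obj)/dt.dtb_ov` rule lists only `$(DTB)` and `FORCE` as prerequisites, so editing the .esl file named by CONFIG_EFI_CAPSULE_KEY_PATH (or tools/fdtsig.sh itself) does not rebuild the signed dtb; `if_changed` only re-runs when a listed prerequisite or the command line changes, and the command line contains the key path, not its contents. Add `$(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $(srctree)/tools/fdtsig.sh` to the prerequisites so a rotated key is picked up. Separately, `cmd_fdtsig` first writes `$@` with `cat $< > $@;` and only then runs fdtsig.sh, so if the script fails an unsigned `dt.dtb_ov` is left behind and, unless `.DELETE_ON_ERROR` is in effect, a later make treats it as up to date; write to a temporary file and rename it on success instead.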
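Review bot: the new EFI_CAPSULE_KEY_PATH help text does not say what happens when the string is left empty, which the commit message covers (the user has to insert the key manually, e.g. with tools/fdtsig.sh) but the Kconfig does not; add that sentence, say whether a relative path is resolved against the build directory or the source tree (the Makefile passes the value through unchanged), and end the help text with a period.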
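Review bot: in the second uefi.rst hunk, "the build process will take care of it for you" does not say what "it" is; state that the build inserts the .esl contents into the device tree, i.e. the manual fdtsig.sh step described just above, so readers know which step they can skip when CONFIG_EFI_CAPSULE_KEY_PATH is set.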
By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
automatically insert the given key into the device tree.
Otherwise, users are required to do so manually, possibly, with
the utility script, fdtsig.sh.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 doc/develop/uefi/uefi.rst |  4 ++++
 dts/Makefile              | 23 +++++++++++++++++++++--
 lib/efi_loader/Kconfig    |  7 +++++++
 3 files changed, 32 insertions(+), 2 deletions(-)