From patchwork Tue Jun 13 10:38:00 2023
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 691957
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Michal Simek, Takahiro Akashi, Sughosh Ganu
Subject: [PATCH 1/7] capsule: authenticate: Embed capsule public key in platform's dtb
Date: Tue, 13 Jun 2023 16:08:00 +0530
Message-Id: <20230613103806.812065-2-sughosh.ganu@linaro.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230613103806.812065-1-sughosh.ganu@linaro.org>
References: <20230613103806.812065-1-sughosh.ganu@linaro.org>

The EFI capsule authentication logic in u-boot expects the public key in
the form of an EFI Signature List (ESL) to be provided as part of the
platform's dtb. Currently, the embedding of the ESL file into the dtb
needs to be done manually.

Add a script for embedding the ESL used for capsule authentication in
the platform's dtb, and call this as part of building the dtb(s). This
brings the embedding of the ESL in the dtb into the u-boot build flow.
The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu
---
 lib/efi_loader/Kconfig       | 11 +++++++++++
 scripts/Makefile.lib         |  8 ++++++++
 scripts/embed_capsule_key.sh | 25 +++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100755 scripts/embed_capsule_key.sh

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c5835e6ef6..1326a1d109 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -234,6 +234,17 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable. +config EFI_CAPSULE_ESL_FILE + string "Path to the EFI Signature List File" + default "" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provides the absolute path to the EFI Signature List + file which will be embedded in the platform's device + tree and used for capsule authentication at the time + of capsule update. + + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 7b27224b5d..a4083d0a26 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -192,6 +192,8 @@ dtc_cpp_flags = -Wp,-MD,$(depfile).pre.tmp -nostdinc \ -D__ASSEMBLY__ \ -undef -D__DTS__ +export dtc_cpp_flags + # Finds the multi-part object the current object will be linked into modname-multi = $(sort $(foreach m,$(multi-used),\ $(if $(filter $(subst $(obj)/,,$*.o), $($(m:.o=-objs)) $($(m:.o=-y))),$(m:.o=)))) @@ -315,6 +317,9 @@ ifeq ($(CONFIG_OF_LIBFDT_OVERLAY),y) DTC_FLAGS += -@ endif +quiet_cmd_embedcapsulekey = EMBEDCAPSULEKEY $@ +cmd_embedcapsulekey = $(srctree)/scripts/embed_capsule_key.sh $@ + quiet_cmd_dtc = DTC $@ # Modified for U-Boot # Bring in any U-Boot-specific include at the end of the file @@ -333,6 +338,9 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ $(obj)/%.dtb: $(src)/%.dts FORCE $(call if_changed_dep,dtc) +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) + $(call cmd,embedcapsulekey,$@) +endif pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp) dtc-tmp = $(subst $(comma),_,$(dot-target).dts.tmp) diff --git a/scripts/embed_capsule_key.sh b/scripts/embed_capsule_key.sh new file mode 100755 index 0000000000..1c2e45f758 --- /dev/null +++ b/scripts/embed_capsule_key.sh 
@@ -0,0 +1,25 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0+ +# +# Copyright (C) 2023, Linaro Limited +# + +gen_capsule_signature_file() { +cat >> $1 << EOF +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE); + }; +}; +EOF +} + +gen_capsule_signature_file signature.$$.dts > /dev/null 2>&1 +$CPP $dtc_cpp_flags -x assembler-with-cpp -o signature.$$.tmp signature.$$.dts > /dev/null 2>&1 +dtc -@ -O dtb -o signature.$$.dtbo signature.$$.tmp > /dev/null 2>&1 +fdtoverlay -i $1 -o temp.$$.dtb -v signature.$$.dtbo > /dev/null 2>&1 +mv temp.$$.dtb $1 > /dev/null 2>&1 +rm -f signature.$$.* > /dev/null 2>&1
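Review bot: the `default ""` on EFI_CAPSULE_ESL_FILE in the lib/efi_loader/Kconfig hunk lets a board enable EFI_CAPSULE_AUTHENTICATE without ever naming a key file; the value ends up as the argument of `/incbin/(...)` in the generated overlay, so an empty string produces `/incbin/("")`, dtc fails, and the dtb ships without the key. Since this symbol decides which capsules the firmware will accept, the build should stop when the path is empty (a Kconfig string symbol will be "" in a defconfig either way, so the check belongs in the Makefile or the script). The help text also promises an absolute path but nothing enforces it; a relative path is resolved against whatever directory the preprocessor and dtc run in, which is not the board directory. Minor: the hunk leaves two blank lines before `config EFI_DEVICE_PATH_TO_TEXT`.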
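Review bot: `export dtc_cpp_flags` in the first scripts/Makefile.lib hunk hands the script the full flag set including `-Wp,-MD,$(depfile).pre.tmp`, so the preprocessor run on signature.$$.dts rewrites the dtb's `.pre.tmp` dependency file with the dependencies of the throwaway stub after cmd_dtc has already produced it. A comment saying why the export is needed (cpp has to see the Kconfig headers so that CONFIG_EFI_CAPSULE_ESL_FILE expands to the path) would help, and a separate variable without the `-MD` option would avoid clobbering the dependency file.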
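Review bot: cmd_embedcapsulekey in the second scripts/Makefile.lib hunk passes only the dtb path to the script. Passing `$(CONFIG_EFI_CAPSULE_ESL_FILE)` as a second argument as well would let the script check in plain shell that the path is non-empty and readable before it goes near cpp, instead of relying solely on macro expansion through the exported dtc_cpp_flags.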
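Review bot: in the `$(obj)/%.dtb` rule hunk the embed step runs on every make invocation, independently of whether `if_changed_dep,dtc` actually rebuilt the dtb, while the ESL file is neither a prerequisite of the rule (`$(obj)/%.dtb: $(src)/%.dts FORCE`) nor recorded anywhere (the script's dtc run has no `-d`). The result is backwards: editing the ESL does not trigger a rebuild, but an unchanged tree gets its dtb re-overlaid and `mv`'d every run, which bumps its timestamp and rebuilds everything downstream. Suggest adding `$(CONFIG_EFI_CAPSULE_ESL_FILE)` to the prerequisites and folding the embed into cmd_dtc so it sits under if_changed_dep's tracking. Also, `$(call cmd,embedcapsulekey,$@)` passes an argument that `cmd` ignores; `$(call cmd,embedcapsulekey)` is enough since cmd_embedcapsulekey already uses `$@`.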
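Review bot: scripts/embed_capsule_key.sh cannot fail: there is no `set -e`, every command's stdout and stderr are sent to /dev/null, and the script's exit status is that of the final `rm -f`, so a missing ESL file, a missing `dtc` or `fdtoverlay` on PATH, or a preprocessor error all leave the dtb without `/signature/capsule-key` while make reports success. For the artifact that fixes the firmware's update-signing trust anchor that has to be a hard build error: add `set -e`, drop the stderr redirections, and only `mv` the temporary dtb after fdtoverlay has succeeded. Smaller points: `cat >> $1` should be `>` (it writes a fresh file, not an append); the `signature.$$.*` and `temp.$$.dtb` files land in the current directory rather than under the dtb's output directory (`mktemp -d` would do); `-v` on fdtoverlay is wasted with its output discarded; and the `> /dev/null 2>&1` on the gen_capsule_signature_file call does nothing useful. A comment noting that CONFIG_EFI_CAPSULE_ESL_FILE is resolved by cpp from the Kconfig headers pulled in through `$dtc_cpp_flags`, not from the shell environment, would save the next reader some digging.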
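Since the build step above cannot tell you whether the key actually landed in the dtb, the check a reviewer of this series would want is shown here as an added example; it is not part of the patch or of U-Boot. It is a dependency-free Python reader for the flattened device tree that looks up the `/signature` node and `capsule-key` property that the overlay in the script creates and compares the value byte for byte with the ESL file. The node and property names are taken from the patch's generated `signature.dts`; the small FDT writer exists only to construct sample input so the check runs offline, and the sample ESL bytes are made up, not a real EFI_SIGNATURE_LIST.

```python
"""check_capsule_key.py: verify that a dtb carries the capsule-authentication ESL."""
import struct
from typing import Optional, Tuple

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(buf: bytearray) -> None:
    """FDT tokens, node names and property values are 4-byte aligned."""
    while len(buf) % 4:
        buf.append(0)


def build_dtb(tree: dict) -> bytes:
    """Serialise {name: bytes-property | dict-subnode} into a version-17 dtb.
    Minimal stand-in for dtc, used only to create sample input for the check."""
    struct_blk, strings, str_off = bytearray(), bytearray(), {}

    def name_off(name: str) -> int:            # strings block, de-duplicated
        if name not in str_off:
            str_off[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return str_off[name]

    def emit(name: str, node: dict) -> None:
        struct_blk.extend(struct.pack(">I", FDT_BEGIN_NODE) + name.encode() + b"\0")
        _pad4(struct_blk)
        for key, val in node.items():          # properties must precede subnodes
            if isinstance(val, bytes):
                struct_blk.extend(struct.pack(">III", FDT_PROP, len(val), name_off(key)) + val)
                _pad4(struct_blk)
        for key, val in node.items():
            if isinstance(val, dict):
                emit(key, val)
        struct_blk.extend(struct.pack(">I", FDT_END_NODE))

    emit("", tree)
    struct_blk.extend(struct.pack(">I", FDT_END))
    off_rsv = 40                                # header is ten big-endian u32s
    off_struct = off_rsv + 16                   # one all-zero memreserve entry
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, off_rsv, 17, 16, 0, len(strings), len(struct_blk))
    return header + b"\0" * 16 + bytes(struct_blk) + bytes(strings)


def get_property(dtb: bytes, path: str, prop: str) -> Optional[bytes]:
    """Walk the structure block; return `prop` of the node at `path` ('/a/b'), or None."""
    magic, _, off_struct, off_strings = struct.unpack_from(">IIII", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree (bad magic)")
    want = [p for p in path.split("/") if p]
    stack: list = []                            # names of the open nodes, root ('') first
    pos = off_struct
    while True:
        (tok,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            stack.append(dtb[pos:end].decode())
            pos = (end + 1 + 3) & ~3
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_PROP:
            length, noff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            value = dtb[pos:pos + length]
            pos = (pos + length + 3) & ~3
            pname = dtb[off_strings + noff:dtb.index(b"\0", off_strings + noff)].decode()
            if stack[1:] == want and pname == prop:
                return value
        elif tok == FDT_NOP:
            continue
        elif tok == FDT_END:
            return None
        else:
            raise ValueError(f"unknown FDT token {tok:#x} at offset {pos - 4}")


def check_capsule_key(dtb: bytes, esl: bytes) -> Tuple[bool, str]:
    """True only if /signature/capsule-key exists and equals the ESL file bytes."""
    key = get_property(dtb, "/signature", "capsule-key")
    if key is None:
        return False, "no /signature/capsule-key in dtb: capsule public key not embedded"
    if key != esl:
        return False, f"capsule-key ({len(key)} bytes) differs from ESL file ({len(esl)} bytes)"
    return True, f"capsule-key matches ESL file ({len(esl)} bytes)"


# Constructed sample data: a stand-in for an ESL, not a real EFI_SIGNATURE_LIST.
SAMPLE_ESL = bytes(range(256))[:200]
GOOD_DTB = build_dtb({"model": b"example-board\0", "signature": {"capsule-key": SAMPLE_ESL}})
BARE_DTB = build_dtb({"model": b"example-board\0"})     # what a silent embed failure leaves behind

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: check_capsule_key.py <u-boot.dtb> <key.esl>
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            ok, msg = check_capsule_key(f.read(), g.read())
    else:
        ok, msg = check_capsule_key(GOOD_DTB, SAMPLE_ESL)
    print(msg)
    sys.exit(0 if ok else 1)
```

On a real build tree, `python3 check_capsule_key.py u-boot.dtb /path/to/key.esl` answers the same question as `fdtget -t bx u-boot.dtb /signature capsule-key` followed by a comparison with the ESL, without needing the dtc tools on the machine doing the release check; wiring it into CI turns the silent failure mode of the build step into a visible one.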