From patchwork Fri Aug 25 11:19:05 2023
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 716891
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Tom Rini, Sughosh Ganu, Ilias Apalodimas
Subject: [PATCH v12] scripts/Makefile.lib: Embed capsule public key in platform's dtb
Date: Fri, 25 Aug 2023 16:49:05 +0530
Message-Id: <20230825111905.5328-1-sughosh.ganu@linaro.org>

The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List (ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.

Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow.

The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu
Reviewed-by: Tom Rini
Reviewed-by: Ilias Apalodimas
---
Changes since V11:
* Added a FORCE dependency to the .capsule_esl.dtsi target to ensure the dtsi's generation on every invocation

Note: This being a minor improvement on the earlier patch version, and this being the only change in the 15 patch series, Tom Rini suggested just re-sending a v12 for this patch.

 lib/efi_loader/Kconfig             |  8 ++++++++
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
 scripts/Makefile.lib               | 15 +++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable. +config EFI_CAPSULE_ESL_FILE + string "Path to the EFI Signature List File" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provides the path to the EFI Signature List file which will + be embedded in the platform's device tree and used for + capsule authentication at the time of capsule update. + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in new file mode 100644 index 0000000000..61a9f2b25e --- /dev/null +++ b/lib/efi_loader/capsule_esl.dtsi.in @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0+ +/** + * Devicetree file with the public key EFI Signature List(ESL) + * node. This file is used to generate the dtsi file to be + * included into the DTB. +*/ +/ { + signature { + capsule-key = /incbin/("ESL_BIN_FILE"); + }; +}; diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 8c5e25c31c..8dc6ec82cd 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib 
@@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = \ + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) + +$(obj)/.capsule_esl.dtsi: FORCE + $(call cmd_capsule_esl_gen) + +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_esl_dtsi = .capsule_esl.dtsi +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) + +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +dtsi_include_list += $(capsule_esl_dtsi) +endif + dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
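
Review bot: In lib/efi_loader/Kconfig, the help text for EFI_CAPSULE_ESL_FILE does not say what the path is relative to, and the symbol has no default. scripts/Makefile.lib builds capsule_esl_path as $(abspath $(srctree)/<value>), so the value is always taken relative to the source tree: an absolute path gets $(srctree)/ prepended, and an empty string resolves to the source tree directory itself, which is then handed to /incbin/. Suggest saying "relative to the top of the source tree" in the help text and failing the build early with a clear message when EFI_CAPSULE_AUTHENTICATE is set and the string is empty.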
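
Review bot: In lib/efi_loader/capsule_esl.dtsi.in, the header comment opens with /** (the kernel-doc marker) although it is an ordinary file comment, and the closing */ lacks the leading space used by the lines above it. Suggest a plain /* opener and an aligned closer, plus one line stating that ESL_BIN_FILE is a placeholder substituted by the sed rule in scripts/Makefile.lib, so the .in file is not mistaken for something to include directly.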
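
Review bot: In scripts/Makefile.lib, cmd_capsule_esl_gen wraps the sed call in $(shell ...), so the command runs while make expands the recipe and its exit status is discarded; if sed fails (for example because capsule_esl_input_file is missing), the redirection has already created $@ and the build continues with an empty .capsule_esl.dtsi. Since this file carries the key used for capsule authentication, a failure here should stop the build: drop $(shell ...) so sed is an ordinary recipe command, and invoke it as $(call cmd,capsule_esl_gen), because quiet_cmd_capsule_esl_gen is otherwise never referenced in this hunk. The : delimiter in the sed expression also breaks if the configured path contains a colon, and a check that $(capsule_esl_path) exists before generating the dtsi would give a clearer error than the later /incbin/ failure.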