From patchwork Wed Apr 7 11:53:31 2021
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 416679
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohár, Sughosh Ganu
Subject: [PATCH 1/5] efi_loader: Kconfig: Select IMAGE_SIGN_INFO when capsule authentication is enabled
Date: Wed, 7 Apr 2021 17:23:31 +0530
Message-Id: <20210407115335.8615-2-sughosh.ganu@linaro.org>
In-Reply-To: <20210407115335.8615-1-sughosh.ganu@linaro.org>

Enable building of the crypto helper functions used during capsule
authentication by selecting IMAGE_SIGN_INFO.

Signed-off-by: Sughosh Ganu
---
This was not detected when support for capsule auth was added to the
qemu arm64 platform. This is because the platform includes
CONFIG_FIT_SIGNATURE which selects IMAGE_SIGN_INFO.

 lib/efi_loader/Kconfig | 1 +
 1 file changed, 1 insertion(+)

-- 
2.17.1

Reviewed-by: Heinrich Schuchardt

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index e44f004f3f..0b99d7c774 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -173,6 +173,7 @@ config EFI_CAPSULE_AUTHENTICATE select X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY + select IMAGE_SIGN_INFO default n help Select this option if you want to enable capsule
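Review bot: the Reviewed-by: Heinrich Schuchardt tag in this mail sits below the "-- " signature separator, so git am drops it together with the signature and it never reaches the commit; move it up next to Signed-off-by, above the --- line. The one-line hunk itself is right: EFI_CAPSULE_AUTHENTICATE already selects X509_CERTIFICATE_PARSER, PKCS7_MESSAGE_PARSER and PKCS7_VERIFY, and `select IMAGE_SIGN_INFO` removes the hidden dependency on CONFIG_FIT_SIGNATURE that the commit message describes, so a board that enables capsule authentication without FIT signing now gets the crypto helpers it links against.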
From patchwork Wed Apr 7 11:53:32 2021
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 416680
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohár, Sughosh Ganu
Subject: [PATCH 2/5] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb
Date: Wed, 7 Apr 2021 17:23:32 +0530
Message-Id: <20210407115335.8615-3-sughosh.ganu@linaro.org>
In-Reply-To: <20210407115335.8615-1-sughosh.ganu@linaro.org>

Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to be
used for embedding the public key to be used for capsule authentication
into the platform's device tree. The embedding of the public key would
take place during the platform build process.

Signed-off-by: Sughosh Ganu
---
 lib/efi_loader/Kconfig | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 
2.17.1

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 0b99d7c774..de3083a979 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_PKEY_DTB_EMBED + bool "Embed the public key in the Device Tree" + default n + depends on EFI_CAPSULE_AUTHENTICATE + help + Select this option if the public key used for capsule + authentication is to be embedded into the platform's + device tree. + +config EFI_PKEY_FILE + string "Public Key esl file to be embedded into the Device Tree" + help + Specify the absolute path of the public key esl file that is + to be embedded in the platform's device tree. + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
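Review bot: EFI_PKEY_FILE has no `depends on EFI_PKEY_DTB_EMBED` and no default, so the string prompt is offered whenever the EFI loader is configured, even with key embedding off, and with EFI_PKEY_DTB_EMBED=y it can be left empty, which hands the build an empty path for the key-embedding step; add `depends on EFI_PKEY_DTB_EMBED` to EFI_PKEY_FILE so the two symbols are only ever set together. The help text for EFI_PKEY_DTB_EMBED should also state the trust assumption: a key stored in the device tree is only a usable trust anchor when the dtb is itself covered by the platform's verified boot (for example because it is appended to, and signed as part of, the U-Boot image); whoever can rewrite an unauthenticated dtb can replace the key and sign their own capsules. Minor: "esl" is the EFI Signature List format; spelling that out once in the prompt would help menuconfig users.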
From patchwork Wed Apr 7 11:53:33 2021
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 416681
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohár, Sughosh Ganu
Subject: [PATCH 3/5] efi_capsule: Add a weak function to check whether capsule authentication is enabled
Date: Wed, 7 Apr 2021 17:23:33 +0530
Message-Id: <20210407115335.8615-4-sughosh.ganu@linaro.org>
In-Reply-To: <20210407115335.8615-1-sughosh.ganu@linaro.org>

Define a weak function which checks if the environment variable
capsule_authentication_enabled has been set, for enabling capsule
authentication. Other platforms might have a different mechanism to
determine this, and would then define their own platform specific
function.

Signed-off-by: Sughosh Ganu
---
 board/emulation/common/qemu_capsule.c | 6 ------
 lib/efi_loader/efi_capsule.c          | 6 ++++++
 2 files changed, 6 insertions(+), 6 deletions(-)

-- 
2.17.1
diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c index 5cb461d52b..6b8a87022a 100644 --- a/board/emulation/common/qemu_capsule.c +++ b/board/emulation/common/qemu_capsule.c @@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) return 0; } - -bool efi_capsule_auth_enabled(void) -{ - return env_get("capsule_authentication_enabled") != NULL ? - true : false; -} diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index 0cfff0daf7..1423b675c8 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c 
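Review bot: only efi_capsule_auth_enabled() is removed from the qemu board file; the context line `int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)` shows that qemu keeps its own strong definition of efi_get_public_key_data(). A strong symbol overrides a __weak one, so the qemu arm64 board will keep using its board-specific key lookup rather than the device-tree lookup that patch 4/5 of this series adds to lib/efi_loader/efi_capsule.c, even when EFI_PKEY_DTB_EMBED is enabled. If the intent is for qemu to exercise the embedded-key path, that function needs to go as well (here or in a follow-up); if not, the commit message should say why qemu stays on its own lookup.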
@@ -218,6 +218,12 @@ __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) return 0; } +__weak bool efi_capsule_auth_enabled(void) +{ + return env_get("capsule_authentication_enabled") ? + true : false; +} + efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, void **image, efi_uintn_t *image_size) {
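Review bot: the weak default ties capsule authentication to the presence of the `capsule_authentication_enabled` environment variable, so on any board that inherits this default and has a writable, unauthenticated environment (saveenv, or an `env` command at the console) authentication is switched off by deleting one variable. Either make the weak default return true whenever EFI_CAPSULE_AUTHENTICATE is built in and let boards opt out, or add a function comment stating that this default exists for test platforms such as qemu and that production boards must override it with a decision that does not come from the mutable U-Boot environment. Style nit: `return env_get("capsule_authentication_enabled") ? true : false;` is just `return env_get("capsule_authentication_enabled") != NULL;`, which is also how the removed qemu version was written.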
From patchwork Wed Apr 7 11:53:34 2021
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 416683
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohár, Sughosh Ganu
Subject: [PATCH 4/5] efi_capsule: Add a weak function to get the public key needed for capsule authentication
Date: Wed, 7 Apr 2021 17:23:34 +0530
Message-Id: <20210407115335.8615-5-sughosh.ganu@linaro.org>
In-Reply-To: <20210407115335.8615-1-sughosh.ganu@linaro.org>

Define a weak function which would be used in the scenario where the
public key is stored on the platform's dtb. This dtb is concatenated
with the u-boot binary during the build process. Platforms which have a
different mechanism for getting the public key would define their own
platform specific function.

Signed-off-by: Sughosh Ganu
---
 lib/efi_loader/efi_capsule.c | 38 ++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

-- 
2.17.1

diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 1423b675c8..fc5e1c0856 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -14,10 +14,13 @@ #include #include +#include #include #include #include +DECLARE_GLOBAL_DATA_PTR; + const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID; static const efi_guid_t efi_guid_firmware_management_capsule_id = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
@@ -210,11 +213,38 @@ const efi_guid_t efi_guid_capsule_root_cert_guid = __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) { - /* The platform is supposed to provide - * a method for getting the public key - * stored in the form of efi signature - * list + /* + * This is a function for retrieving the public key from the + * platform's device tree. The platform's device tree has been + * concatenated with the u-boot binary. + * If a platform has a different mechanism to get the public + * key, it can define it's own function. */ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + EFI_PRINT("Unable to get signature node offset\n"); + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + EFI_PRINT("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + return 0; }
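Review bot: the two failure paths are inconsistent: when fdt_subnode_offset() fails the function returns -FDT_ERR_NOTFOUND without touching *pkey and *pkey_len, while the fdt_getprop() failure path clears them to NULL and 0 first; a caller that looks at the out-parameters would see stale values on the first path, so clear them there too (or at the top of the function). The `len < 0` test is redundant, since fdt_getprop() only reports a negative length when it returns NULL, but `len == 0` is not handled: an empty `capsule-key` property yields *pkey_len = 0 and is passed on to the signature check as a zero-length EFI Signature List, which should be rejected here as not found. More important, the new comment asserts that gd->fdt_blob is the device tree concatenated with the U-Boot binary, but nothing in the code establishes that; on platforms built with OF_BOARD the control device tree is handed over by an earlier boot stage at run time, so the key would come from whatever that stage supplied. The comment (and the EFI_PKEY_DTB_EMBED help text) should state that this default is only sound when the dtb is part of the verified firmware image, and that boards whose control dtb is not must override efi_get_public_key_data(). Nits: "it's own function" should read "its own function", and the `(void *)blob` cast discards const, so pkey points into the live control DTB and callers must treat it as read-only.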
From patchwork Wed Apr 7 11:53:35 2021
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 416682
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohár, Sughosh Ganu
Subject: [PATCH 5/5] Makefile: Add provision for embedding public key in platform's dtb
Date: Wed, 7 Apr 2021 17:23:35 +0530
Message-Id: <20210407115335.8615-6-sughosh.ganu@linaro.org>
In-Reply-To: <20210407115335.8615-1-sughosh.ganu@linaro.org>

Add provision for embedding the public key used for capsule
authentication in the platform's dtb. This is done by invoking the
mkeficapsule utility which puts the public key in the efi signature
list (esl) format into the dtb.

Signed-off-by: Sughosh Ganu
---
 Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.17.1

diff --git a/Makefile b/Makefile
index 193aa4d1c9..0d50c6a805 100644
--- a/Makefile
+++ b/Makefile
@@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; } quiet_cmd_lzma = LZMA $@ cmd_lzma = lzma -c -z -k -9 $< > $@ +quiet_cmd_mkeficapsule = MKEFICAPSULE $@ +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \ + -D $@ + cfg: u-boot.cfg quiet_cmd_cfgcheck = CFGCHK $2 @@ -1104,8 +1108,14 @@ endif PHONY += dtbs dtbs: dts/dt.dtb @: +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy) +dts/dt.dtb: u-boot tools + $(Q)$(MAKE) $(build)=dts dtbs + $(call cmd,mkeficapsule) +else dts/dt.dtb: u-boot $(Q)$(MAKE) $(build)=dts dtbs +endif quiet_cmd_copy = COPY $@ cmd_copy = cp $< $@
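Review bot: two problems in the new dts/dt.dtb rule. First, CONFIG_EFI_PKEY_FILE is a Kconfig string symbol, so $(CONFIG_EFI_PKEY_FILE) expands in the Makefile with its surrounding double quotes and mkeficapsule receives a quoted path after `-K`; strip the quotes the way the rest of U-Boot's Makefile does for string options before using the value as a file name. Second, the key file is not a prerequisite of dts/dt.dtb, so rotating the key (changing EFI_PKEY_FILE or the file it points at) leaves a stale dtb carrying the old key in an incremental build; add the key file to the dependency list. Two smaller points: the `ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)` test is redundant because patch 2/5 already makes EFI_PKEY_DTB_EMBED depend on EFI_CAPSULE_AUTHENTICATE, so testing only CONFIG_EFI_PKEY_DTB_EMBED would be clearer; and the `-K` and `-D` options of mkeficapsule used in cmd_mkeficapsule are not added by any patch in this series, so the cover letter should state which series provides them, otherwise a tree with only 1/5 to 5/5 applied fails at this step.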