From patchwork Wed Apr 7 14:41:43 2021
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [RESEND PATCH v1 1/5] efi_loader: Kconfig: Select IMAGE_SIGN_INFO when capsule authentication is enabled
Date: Wed, 7 Apr 2021 20:11:43 +0530
Message-Id: <20210407144147.29251-2-sughosh.ganu@linaro.org>

Enable building of the crypto helper functions used during capsule authentication by selecting IMAGE_SIGN_INFO.

Signed-off-by: Sughosh Ganu
---
This was not detected when support for capsule auth was added to the qemu arm64 platform. This is because the platform includes CONFIG_FIT_SIGNATURE which selects IMAGE_SIGN_INFO.

lib/efi_loader/Kconfig | 1 + 1 file changed, 1 insertion(+) -- 2.17.1 Reviewed-by: Simon Glass diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index e44f004f3f..0b99d7c774 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -173,6 +173,7 @@ config EFI_CAPSULE_AUTHENTICATE select X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY + select IMAGE_SIGN_INFO default n help Select this option if you want to enable capsule

From patchwork Wed Apr 7 14:41:44 2021
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [RESEND PATCH v1 2/5] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb
Date: Wed, 7 Apr 2021 20:11:44 +0530
Message-Id: <20210407144147.29251-3-sughosh.ganu@linaro.org>

Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to be used for embedding the public key to be used for capsule authentication into the platform's device tree. The embedding of the public key would take place during the platform build process.

Signed-off-by: Sughosh Ganu
---
lib/efi_loader/Kconfig | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -- 2.17.1 diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 0b99d7c774..de3083a979 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_PKEY_DTB_EMBED + bool "Embed the public key in the Device Tree" + default n + depends on EFI_CAPSULE_AUTHENTICATE + help + Select this option if the public key used for capsule + authentication is to be embedded into the platform's + device tree. + +config EFI_PKEY_FILE + string "Public Key esl file to be embedded into the Device Tree" + help + Specify the absolute path of the public key esl file that is + to be embedded in the platform's device tree. + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT

From patchwork Wed Apr 7 14:41:45 2021
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [RESEND PATCH v1 3/5] efi_capsule: Add a weak function to check whether capsule authentication is enabled
Date: Wed, 7 Apr 2021 20:11:45 +0530
Message-Id: <20210407144147.29251-4-sughosh.ganu@linaro.org>

Define a weak function which checks if the environment variable capsule_authentication_enabled has been set, for enabling capsule authentication. Other platforms might have a different mechanism to determine this, and would then define their own platform specific function.

Signed-off-by: Sughosh Ganu --- board/emulation/common/qemu_capsule.c | 6 ------ lib/efi_loader/efi_capsule.c | 6 ++++++ 2 files changed, 6 insertions(+), 6 deletions(-) -- 2.17.1 diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c index 5cb461d52b..6b8a87022a 100644 --- a/board/emulation/common/qemu_capsule.c +++ b/board/emulation/common/qemu_capsule.c @@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) return 0; } - -bool efi_capsule_auth_enabled(void) -{ - return env_get("capsule_authentication_enabled") != NULL ? - true : false; -} diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index 0cfff0daf7..1423b675c8 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c 
@@ -218,6 +218,12 @@ __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) return 0; } +__weak bool efi_capsule_auth_enabled(void) +{ + return env_get("capsule_authentication_enabled") ? + true : false; +} + efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, void **image, efi_uintn_t *image_size) {

From patchwork Wed Apr 7 14:41:46 2021
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [RESEND PATCH v1 4/5] efi_capsule: Add a weak function to get the public key needed for capsule authentication
Date: Wed, 7 Apr 2021 20:11:46 +0530
Message-Id: <20210407144147.29251-5-sughosh.ganu@linaro.org>

Define a weak function which would be used in the scenario where the public key is stored on the platform's dtb. This dtb is concatenated with the u-boot binary during the build process. Platforms which have a different mechanism for getting the public key would define their own platform specific function.

Signed-off-by: Sughosh Ganu
---
lib/efi_loader/efi_capsule.c | 38 ++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index 1423b675c8..fc5e1c0856 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c 
@@ -14,10 +14,13 @@ #include #include +#include #include #include #include +DECLARE_GLOBAL_DATA_PTR; + const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID; static const efi_guid_t efi_guid_firmware_management_capsule_id = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
@@ -210,11 +213,38 @@ const efi_guid_t efi_guid_capsule_root_cert_guid = __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) { - /* The platform is supposed to provide - * a method for getting the public key - * stored in the form of efi signature - * list + /* + * This is a function for retrieving the public key from the + * platform's device tree. The platform's device tree has been + * concatenated with the u-boot binary. + * If a platform has a different mechanism to get the public + * key, it can define it's own function. */ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + EFI_PRINT("Unable to get signature node offset\n"); + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + EFI_PRINT("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + return 0; }

From patchwork Wed Apr 7 14:41:47 2021
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [RESEND PATCH v1 5/5] Makefile: Add provision for embedding public key in platform's dtb
Date: Wed, 7 Apr 2021 20:11:47 +0530
Message-Id: <20210407144147.29251-6-sughosh.ganu@linaro.org>

Add provision for embedding the public key used for capsule authentication in the platform's dtb. This is done by invoking the mkeficapsule utility which puts the public key in the efi signature list(esl) format into the dtb.

Signed-off-by: Sughosh Ganu
---
Makefile | 10 ++++++++++ 1 file changed, 10 insertions(+) -- 2.17.1 diff --git a/Makefile b/Makefile index 193aa4d1c9..0d50c6a805 100644 --- a/Makefile +++ b/Makefile @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; } quiet_cmd_lzma = LZMA $@ cmd_lzma = lzma -c -z -k -9 $< > $@ +quiet_cmd_mkeficapsule = MKEFICAPSULE $@ +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \ + -D $@ + cfg: u-boot.cfg quiet_cmd_cfgcheck = CFGCHK $2 @@ -1104,8 +1108,14 @@ endif PHONY += dtbs dtbs: dts/dt.dtb @: +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy) +dts/dt.dtb: u-boot tools + $(Q)$(MAKE) $(build)=dts dtbs + $(call cmd,mkeficapsule) +else dts/dt.dtb: u-boot $(Q)$(MAKE) $(build)=dts dtbs +endif quiet_cmd_copy = COPY $@ cmd_copy = cp $< $@
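
Review bot: in patch 2/5 (lib/efi_loader/Kconfig, hunk at -179), EFI_PKEY_FILE has no `depends on EFI_PKEY_DTB_EMBED`, so the path prompt is offered even when embedding is off, and it has no default, so it can stay empty while EFI_PKEY_DTB_EMBED is y. Add the dependency and state in the help text what an empty path means. The `default n` on EFI_PKEY_DTB_EMBED is redundant, since a bool symbol already defaults to n.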
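
Review bot: in patch 3/5 (lib/efi_loader/efi_capsule.c, hunk at -218), the new weak efi_capsule_auth_enabled() uses the mere presence of capsule_authentication_enabled in the environment as the switch, so a value such as "0" or "no" still enables authentication, and a board whose environment lacks the variable reports authentication as disabled. Moving this from the qemu board file into the common weak default makes it the behaviour of every platform that does not override it, so the variable and its semantics should at least be documented next to the function, and it is worth considering a default that does not depend on the environment at all. The `? true : false` is also unnecessary: `return env_get("capsule_authentication_enabled") != NULL;` says the same thing.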
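
Review bot: in patch 4/5 (lib/efi_loader/efi_capsule.c, hunk at -210), the two failure paths of efi_get_public_key_data() are inconsistent: the `sig_node < 0` branch returns without touching *pkey and *pkey_len, while the fdt_getprop() branch sets them to NULL and 0. Clear both outputs at the top of the function so that a caller never sees stale values on either path. The `!blob || len < 0` test also lets a zero-length capsule-key property through as success; `len <= 0` would reject it. Smaller points: both branches return -FDT_ERR_NOTFOUND whatever libfdt actually reported, the `(void *)blob` cast drops the const from a pointer into gd->fdt_blob, and the new comment should read "its own function".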
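
Review bot: in patch 5/5 (Makefile, hunk at -1010), cmd_mkeficapsule hands $(CONFIG_EFI_PKEY_FILE) to -K without checking that it is set, and patch 2/5 gives that symbol no default, so with EFI_PKEY_DTB_EMBED=y and an empty path the outcome is left to mkeficapsule. Add a check that stops the build with a clear message when the path is empty or the file does not exist.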
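
Review bot: in patch 5/5 (Makefile, hunk at -1104), the new `dts/dt.dtb: u-boot tools` rule does not list the key file as a prerequisite, so nothing in the rule ties the key embedded in the dtb to the current contents of CONFIG_EFI_PKEY_FILE; add the file as a prerequisite. The rule also leaves a dt.dtb without the key in place if mkeficapsule fails after the sub-make has succeeded, whereas cmd_pad_cat in the same file removes its target on failure with `|| { rm -f $@; false; }`; the same pattern fits here. The `ifeq (...,yy)` test can be reduced to CONFIG_EFI_PKEY_DTB_EMBED alone, because that symbol already depends on EFI_CAPSULE_AUTHENTICATE.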