From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [PATCH v2 1/4] efi_loader: capsule: Remove the check for capsule_authentication_enabled environment variable
Date: Mon, 12 Apr 2021 20:35:23 +0530
Message-Id: <20210412150526.29822-2-sughosh.ganu@linaro.org>
In-Reply-To: <20210412150526.29822-1-sughosh.ganu@linaro.org>

The current capsule authentication code checks if the environment
variable capsule_authentication_enabled is set, for authenticating the
capsule. This is in addition to the check for the config symbol
CONFIG_EFI_CAPSULE_AUTHENTICATE. Remove the check for the environment
variable. The capsule will now be authenticated if the config symbol
is set.

Signed-off-by: Sughosh Ganu
---

Changes since V1:
* As pointed out by Heinrich in the review, remove the extra check of
  the env variable 'capsule_authentication_enabled' for authenticating
  the capsule. The capsule authentication will now be done based on
  whether the corresponding config symbol is enabled.

 board/emulation/common/qemu_capsule.c | 6 ------
 lib/efi_loader/efi_firmware.c | 5 ++---
 2 files changed, 2 insertions(+), 9 deletions(-)

-- 2.17.1

Reviewed-by: Heinrich Schuchardt

diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c index 5cb461d52b..6b8a87022a 100644 --- a/board/emulation/common/qemu_capsule.c +++ b/board/emulation/common/qemu_capsule.c
@@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) return 0; } - -bool efi_capsule_auth_enabled(void) -{ - return env_get("capsule_authentication_enabled") != NULL ? - true : false; -} diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 7a3cca2793..a1b88dbfc2 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c @@ -190,7 +190,7 @@ static efi_status_t efi_get_dfu_info( IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; /* Check if the capsule authentication is enabled */ - if (env_get("capsule_authentication_enabled")) + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) image_info[0].attributes_setting |= IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; 
@@ -421,8 +421,7 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( return EFI_EXIT(EFI_INVALID_PARAMETER); /* Authenticate the capsule if authentication enabled */ - if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && - env_get("capsule_authentication_enabled")) { + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) { capsule_payload = NULL; capsule_payload_size = 0; status = efi_capsule_authenticate(image, image_size,

From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [PATCH v2 2/4] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb
Date: Mon, 12 Apr 2021 20:35:24 +0530
Message-Id: <20210412150526.29822-3-sughosh.ganu@linaro.org>
In-Reply-To: <20210412150526.29822-1-sughosh.ganu@linaro.org>

Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to
be used for embedding the public key to be used for capsule
authentication into the platform's device tree. The embedding of the
public key would take place during the platform build process.

Signed-off-by: Sughosh Ganu
---

Changes since V1:
* Provide a default name for public key file, eficapsule.esl as
  suggested by Heinrich.
* Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED

 lib/efi_loader/Kconfig | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 2.17.1

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 79b488823a..089accaaaa 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig
@@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_PKEY_DTB_EMBED + bool "Embed the public key in the Device Tree" + depends on EFI_CAPSULE_AUTHENTICATE + help + Select this option if the public key used for capsule + authentication is to be embedded into the platform's + device tree. + +config EFI_PKEY_FILE + string "Public Key esl file to be embedded into the Device Tree" + default "eficapsule.esl" + help + Specify the absolute path of the public key esl file that is + to be embedded in the platform's device tree. + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT

From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [PATCH v2 3/4] efi_capsule: Add a function to get the public key needed for capsule authentication
Date: Mon, 12 Apr 2021 20:35:25 +0530
Message-Id: <20210412150526.29822-4-sughosh.ganu@linaro.org>
In-Reply-To: <20210412150526.29822-1-sughosh.ganu@linaro.org>

Define a function which would be used in the scenario where the
public key is stored on the platform's dtb. This dtb is concatenated
with the u-boot binary during the build process. Platforms which have
a different mechanism for getting the public key would define their
own platform specific function under a different Kconfig symbol.

Signed-off-by: Sughosh Ganu --- Changes since V1: * Remove the weak function, and add the functionality to retrieve the public key under the config symbol CONFIG_EFI_PKEY_DTB_EMBED. lib/efi_loader/efi_capsule.c | 43 +++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index 2cc8f2dee0..d95e9377fe 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -14,10 +14,13 @@ #include #include +#include #include #include #include +DECLARE_GLOBAL_DATA_PTR; + const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID; static const efi_guid_t efi_guid_firmware_management_capsule_id = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
@@ -208,15 +211,45 @@ skip: const efi_guid_t efi_guid_capsule_root_cert_guid = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; -__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +#if defined(CONFIG_EFI_PKEY_DTB_EMBED) +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) { - /* The platform is supposed to provide - * a method for getting the public key - * stored in the form of efi signature - * list + /* + * This is a function for retrieving the public key from the + * platform's device tree. The platform's device tree has been + * concatenated with the u-boot binary. + * If a platform has a different mechanism to get the public + * key, it can define it's own kconfig symbol and define a + * function to retrieve the public key */ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + EFI_PRINT("Unable to get signature node offset\n"); + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + EFI_PRINT("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + return 0; } +#endif /* CONFIG_EFI_PKEY_DTB_EMBED */ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, void **image, efi_uintn_t *image_size)

From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Alexander Graf, Simon Glass, Bin Meng, Pali Rohar, Sughosh Ganu
Subject: [PATCH v2 4/4] Makefile: Add provision for embedding public key in platform's dtb
Date: Mon, 12 Apr 2021 20:35:26 +0530
Message-Id: <20210412150526.29822-5-sughosh.ganu@linaro.org>
In-Reply-To: <20210412150526.29822-1-sughosh.ganu@linaro.org>

Add provision for embedding the public key used for capsule
authentication in the platform's dtb. This is done by invoking the
mkeficapsule utility which puts the public key in the efi signature
list (esl) format into the dtb.

Signed-off-by: Sughosh Ganu
---

Changes since V1: None

 Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 2.17.1

diff --git a/Makefile b/Makefile index b72d8d20c0..ebd4a6477c 100644 --- a/Makefile +++ b/Makefile @@ -1011,6 +1011,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; } quiet_cmd_lzma = LZMA $@ cmd_lzma = lzma -c -z -k -9 $< > $@ +quiet_cmd_mkeficapsule = MKEFICAPSULE $@ +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \ + -D $@ + cfg: u-boot.cfg quiet_cmd_cfgcheck = CFGCHK $2 @@ -1161,8 +1165,14 @@ endif PHONY += dtbs dtbs: dts/dt.dtb @: +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy) +dts/dt.dtb: u-boot tools + $(Q)$(MAKE) $(build)=dts dtbs + $(call cmd,mkeficapsule) +else dts/dt.dtb: u-boot $(Q)$(MAKE) $(build)=dts dtbs +endif quiet_cmd_copy = COPY $@ cmd_copy = cp $< $@
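
Review bot: in patch 1/4, the hunk that deletes efi_capsule_auth_enabled() from board/emulation/common/qemu_capsule.c may leave a prototype or callers behind, because the diffstat lists only this file and lib/efi_loader/efi_firmware.c. If the function is declared in a header or referenced from documentation or tests, remove those references in the same patch so the symbol does not survive as a dead declaration that a later board port could re-implement and reintroduce the runtime switch.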
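
Review bot: in patch 1/4, the efi_firmware_raw_set_image() hunk in lib/efi_loader/efi_firmware.c changes behaviour for existing boards and the commit message does not say so or give the reason. Before this change the call to efi_capsule_authenticate() was skipped whenever capsule_authentication_enabled was unset, so signature verification depended on a U-Boot environment variable that can be changed at runtime; after it, every build with CONFIG_EFI_CAPSULE_AUTHENTICATE enforces authentication. Please add one sentence stating that rationale and that boards which relied on leaving the variable unset will now reject unsigned capsules.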
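
Review bot: in patch 2/4, the new EFI_PKEY_FILE entry in lib/efi_loader/Kconfig has no "depends on EFI_PKEY_DTB_EMBED", so the prompt is offered even when nothing will be embedded. The help text also asks for an absolute path while the default is the bare file name "eficapsule.esl", which patch 4/4 passes unchanged to mkeficapsule -K and which is therefore resolved against the directory make runs in. Add the dependency, and either make the help text describe the relative default or have the build prefix the source tree path.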
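
Review bot: in patch 3/4, the new efi_get_public_key_data() in lib/efi_loader/efi_capsule.c handles its two failure paths differently and accepts an empty key. When fdt_subnode_offset() fails the function returns without touching *pkey and *pkey_len, while the fdt_getprop() failure path clears both; clear them at the top of the function so a caller that ignores the return value never sees stale pointers. The test "if (!blob || len < 0)" lets a present but zero-length capsule-key property through as success, so use "len <= 0". Two further points: "(void *)blob" casts away const on data that lives in the device tree, and dropping __weak means a build with CONFIG_EFI_CAPSULE_AUTHENTICATE but without CONFIG_EFI_PKEY_DTB_EMBED has no definition here at all, while a board file that already defines the function (board/emulation/common/qemu_capsule.c does, per the context in patch 1/4) would clash with this one if both are built. Please state in the Kconfig help which of the two a board must pick. The comment also has "it's own", which should read "its own".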
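
Review bot: in patch 4/4, the dts/dt.dtb rule added at "@@ -1161,8 +1165,14 @@" in the Makefile does not list the key file as a prerequisite, so replacing the file named by CONFIG_EFI_PKEY_FILE does not cause the key to be embedded again and an image can ship with the previous public key. Add the key file to the prerequisites of dts/dt.dtb in the "yy" branch. The condition can also be reduced to "ifeq ($(CONFIG_EFI_PKEY_DTB_EMBED),y)", since patch 2/4 already makes EFI_PKEY_DTB_EMBED depend on EFI_CAPSULE_AUTHENTICATE.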