efi_loader: SPL build fails with EFI_SECURE_BOOT=y
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Apr 15 13:01:16 CEST 2020
Hello Takahiro,
I tried to run with EFI_SECURE_BOOT enabled on pine64-lts_defconfig.
U-Boot does not succeed in moving from SPL to main U-Boot. The reason is
that the SPL binary grows in size. This is due to EFI_SECURE_BOOT
selecting additional code in SPL, which of course is unexpected.
This is related to the following settings getting enabled:
lib/Makefile:130:
obj-$(CONFIG_OID_REGISTRY) += oid_registry.o
Symbol: OID_REGISTRY [=y]
Type : bool
Defined at lib/Kconfig:589
Selected by [y]:
- RSA_PUBLIC_KEY_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] &&
ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=y]
- X509_CERTIFICATE_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] &&
ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=y]
- PKCS7_MESSAGE_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] &&
X509_CERTIFICATE_PARSER [=y]
The OID registry is only used in lib/crypto which is never built for SPL.
lib/date.c:13:
#if defined(CONFIG_LIB_DATE) || defined(CONFIG_TIMESTAMP)
lib/date.c:102:
#ifdef CONFIG_LIB_DATE
Symbol: LIB_DATE [=y]
Type : bool
Defined at lib/Kconfig:602
Selected by [y]:
- X509_CERTIFICATE_PARSER [=y] && ASYMMETRIC_KEY_TYPE [=y] &&
ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=y]
Selected by [n]:
- CMD_DATE [=n]
- DM_RTC [=n] && DM [=y]
There is a symbol CONFIG_SPL_RSA. If this symbol is enabled we probably
want to enable LIB_DATE and OID_REGISTRY in SPL but not otherwise.
Furthermore common/image-sig.c is built in SPL unnecessarily:
Symbol: IMAGE_SIGN_INFO [=y]
Type : bool
Defined at common/Kconfig:1050
Selects: SHA1 [=y] && SHA256 [=y]
Selected by [y]:
- EFI_SECURE_BOOT [=y] && EFI_LOADER [=y]
Selected by [n]:
- FIT_SIGNATURE [=n] && FIT [=y] && DM [=y]
- UT_LIB_RSA [=n] && UT_LIB [=n] && RSA [=y]
&& RSA_VERIFY_WITH_PKEY [=y]
I am currently testing a patch series to avoid this:
https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tree/rsa
Best regards
Heinrich
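The mail above identifies three objects (oid_registry.o, date.o, image-sig.o) that should only be linked into SPL when CONFIG_SPL_RSA is set. The script below is an added example, not code from Heinrich's mail or from U-Boot, of a post-build check that reads a build's .config and the SPL linker map (assumed to be spl/u-boot-spl.map) and reports those objects, with their summed size, when they are present while SPL_RSA is off. Both inputs here are constructed samples with made-up addresses and sizes.

```shell
#!/bin/sh
# Added example: flag objects pulled into SPL by the crypto Kconfig selects
# when CONFIG_SPL_RSA is not enabled. Not part of U-Boot.

# Constructed .config fragment (sample, not a real pine64-lts build).
SAMPLE_CONFIG='CONFIG_EFI_SECURE_BOOT=y
CONFIG_OID_REGISTRY=y
CONFIG_LIB_DATE=y
CONFIG_IMAGE_SIGN_INFO=y
# CONFIG_SPL_RSA is not set'

# Constructed excerpt in the shape of a linker map; addresses/sizes are made up.
SAMPLE_MAP=' .text    0x0000000000010400   0x1a4 lib/oid_registry.o
 .text    0x00000000000105a4   0x2b0 lib/date.o
 .text    0x0000000000010854   0x6e0 common/image-sig.o
 .text    0x0000000000010f34   0x120 lib/string.o'

# Objects the mail says SPL needs only when SPL_RSA is enabled.
RSA_ONLY_OBJECTS='oid_registry.o date.o image-sig.o'

# config_enabled SYMBOL CONFIG_TEXT -> exit 0 if "CONFIG_SYMBOL=y" is present.
config_enabled() {
    printf '%s\n' "$2" | grep -q "^CONFIG_$1=y\$"
}

# unexpected_spl_objects MAP_TEXT CONFIG_TEXT
# Prints, one per line, each RSA-only object found in the SPL map while
# CONFIG_SPL_RSA is off. Prints nothing when SPL_RSA is on or none are linked.
unexpected_spl_objects() {
    map="$1"; cfg="$2"
    if config_enabled SPL_RSA "$cfg"; then
        return 0
    fi
    for obj in $RSA_ONLY_OBJECTS; do
        if printf '%s\n' "$map" | grep -q "/$obj\$"; then
            printf '%s\n' "$obj"
        fi
    done
}

# unexpected_spl_bytes MAP_TEXT CONFIG_TEXT
# Sums the size column (third field, hex) of every map line that belongs to an
# unexpected object and prints the total in decimal bytes.
unexpected_spl_bytes() {
    total=0
    for obj in $(unexpected_spl_objects "$1" "$2"); do
        for size in $(printf '%s\n' "$1" | grep "/$obj\$" | awk '{print $3}'); do
            total=$((total + size))
        done
    done
    echo "$total"
}

# Stand-alone demo on the constructed samples. On a real tree, replace the
# samples with "$(cat .config)" and "$(cat spl/u-boot-spl.map)".
unexpected_spl_objects "$SAMPLE_MAP" "$SAMPLE_CONFIG"
echo "unexpected bytes in SPL: $(unexpected_spl_bytes "$SAMPLE_MAP" "$SAMPLE_CONFIG")"
```

Running this after each defconfig change makes the size growth the mail describes visible at build time rather than at boot, when SPL silently fails to hand over to main U-Boot.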