[PATCH 4/5] efi_capsule: Add a weak function to get the public key needed for capsule authentication

Fri Apr 9 08:25:57 CEST 2021

On Fri, 9 Apr 2021 at 01:23, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:

> On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> > Define a weak function which would be used in the scenario where the
> > public key is stored on the platform's dtb. This dtb is concatenated
> > with the u-boot binary during the build process. Platforms which have
> > a different mechanism for getting the public key would define their
> > own platform specific function.
>
> Storing the public key in U-Boot's dtb is reasonable. But what is the
> use case for a weak function?
>

This point was discussed in another mail thread[1].

-sughosh

[1] - https://lists.denx.de/pipermail/u-boot/2021-April/446694.html

> Best regards
>
> Heinrich
>
> >
> > Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
> > ---
> >   lib/efi_loader/efi_capsule.c | 38 ++++++++++++++++++++++++++++++++----
> >   1 file changed, 34 insertions(+), 4 deletions(-)
> >
> > diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
> > index 1423b675c8..fc5e1c0856 100644
> > --- a/lib/efi_loader/efi_capsule.c
> > +++ b/lib/efi_loader/efi_capsule.c
> > @@ -14,10 +14,13 @@
> >   #include <mapmem.h>
> >   #include <sort.h>
> >
> > +#include <asm/global_data.h>
> >   #include <crypto/pkcs7.h>
> >   #include <crypto/pkcs7_parser.h>
> >   #include <linux/err.h>
> >
> > +DECLARE_GLOBAL_DATA_PTR;
> > +
> >   const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID;
> >   static const efi_guid_t efi_guid_firmware_management_capsule_id =
> >               EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;
> > @@ -210,11 +213,38 @@ const efi_guid_t efi_guid_capsule_root_cert_guid =
> >
> >   __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
> >   {
> > -     /* The platform is supposed to provide
> > -      * a method for getting the public key
> > -      * stored in the form of efi signature
> > -      * list
> > +     /*
> > +      * This is a function for retrieving the public key from the
> > +      * platform's device tree. The platform's device tree has been
> > +      * concatenated with the u-boot binary.
> > +      * If a platform has a different mechanism to get the public
> > +      * key, it can define it's own function.
> >        */
> > +     const void *fdt_blob = gd->fdt_blob;
> > +     const void *blob;
> > +     const char *cnode_name = "capsule-key";
> > +     const char *snode_name = "signature";
> > +     int sig_node;
> > +     int len;
> > +
> > +     sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);
> > +     if (sig_node < 0) {
> > +             EFI_PRINT("Unable to get signature node offset\n");
> > +             return -FDT_ERR_NOTFOUND;
> > +     }
> > +
> > +     blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);
> > +
> > +     if (!blob || len < 0) {
> > +             EFI_PRINT("Unable to get capsule-key value\n");
> > +             *pkey = NULL;
> > +             *pkey_len = 0;
> > +             return -FDT_ERR_NOTFOUND;
> > +     }
> > +
> > +     *pkey = (void *)blob;
> > +     *pkey_len = len;
> > +
> >       return 0;
> >   }
> >
> >
>
>