[PATCH] Revert "efi_capsule: Move signature from DTB to .rodata"
Simon Glass
sjg at chromium.org
Mon Aug 2 04:47:15 CEST 2021
Hi Ilias,
On Sun, 1 Aug 2021 at 20:28, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Hi Simon,
>
> On Sun, Aug 01, 2021 at 07:46:21PM -0600, Simon Glass wrote:
> > This was unfortunately applied despite much discussion about it being
> > the wrong way to implement this feature.
>
> No this was applied *before* the discussion, not despite.
Oh sorry...I didn't notice either way. Normally there is an email on
the patch saying it was applied. Perhaps I missed it.
>
> >
> > Revert it before too many other things are built on top of it.
>
> I don't really mind if this gets reverted but there's things that haven't
> been answered on that discussion [1] and my concern is what happens if
> CONFIG_OF_EMBED is not selected.
Can we start a new discussion perhaps? Or use one of the contributor
calls to talk about it?
We should not be using OF_EMBED except for testing.
>
> Also you need to revert the entire series, not just one of the patches,
> as it changes the QEMU documentation for enabling authenticated capsule
> updates, as well as the mkeficapsule app.
Heinrich, do you have any thoughts on this?
Regards,
Simon
>
> [1] https://lore.kernel.org/u-boot/YPna8Aiaoov6h50K@enceladus/
>
> Regards
> /Ilias
> >
> > This reverts commit ddf67daac39de76d2697d587148f4c2cb768f492.
> >
> > Signed-off-by: Simon Glass <sjg at chromium.org>
> > ---
> >
> > board/emulation/common/Makefile | 1 +
> > board/emulation/common/qemu_capsule.c | 43 +++++++++++++++++++++++++++
> > include/asm-generic/sections.h | 2 --
> > lib/efi_loader/Kconfig | 7 -----
> > lib/efi_loader/Makefile | 8 -----
> > lib/efi_loader/efi_capsule.c | 18 ++---------
> > lib/efi_loader/efi_capsule_key.S | 17 -----------
> > 7 files changed, 47 insertions(+), 49 deletions(-)
> > create mode 100644 board/emulation/common/qemu_capsule.c
> > delete mode 100644 lib/efi_loader/efi_capsule_key.S
> >
> > diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile
> > index c5b452e7e34..7ed447a69dc 100644
> > --- a/board/emulation/common/Makefile
> > +++ b/board/emulation/common/Makefile
> > @@ -2,3 +2,4 @@
> >
> > obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o
> > obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o
> > +obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o
> > diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c
> > new file mode 100644
> > index 00000000000..6b8a87022a4
> > --- /dev/null
> > +++ b/board/emulation/common/qemu_capsule.c
> > @@ -0,0 +1,43 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
> > + * Copyright (c) 2020 Linaro Limited
> > + */
> > +
> > +#include <common.h>
> > +#include <efi_api.h>
> > +#include <efi_loader.h>
> > +#include <env.h>
> > +#include <fdtdec.h>
> > +#include <asm/global_data.h>
> > +
> > +DECLARE_GLOBAL_DATA_PTR;
> > +
> > +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
> > +{
> > + const void *fdt_blob = gd->fdt_blob;
> > + const void *blob;
> > + const char *cnode_name = "capsule-key";
> > + const char *snode_name = "signature";
> > + int sig_node;
> > + int len;
> > +
> > + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);
> > + if (sig_node < 0) {
> > + EFI_PRINT("Unable to get signature node offset\n");
> > + return -FDT_ERR_NOTFOUND;
> > + }
> > +
> > + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);
> > +
> > + if (!blob || len < 0) {
> > + EFI_PRINT("Unable to get capsule-key value\n");
> > + *pkey = NULL;
> > + *pkey_len = 0;
> > + return -FDT_ERR_NOTFOUND;
> > + }
> > +
> > + *pkey = (void *)blob;
> > + *pkey_len = len;
> > +
> > + return 0;
> > +}
> > diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
> > index ec992b0c2e3..267f1db73f2 100644
> > --- a/include/asm-generic/sections.h
> > +++ b/include/asm-generic/sections.h
> > @@ -27,8 +27,6 @@ extern char __efi_helloworld_begin[];
> > extern char __efi_helloworld_end[];
> > extern char __efi_var_file_begin[];
> > extern char __efi_var_file_end[];
> > -extern char __efi_capsule_sig_begin[];
> > -extern char __efi_capsule_sig_end[];
> >
> > /* Private data used by of-platdata devices/uclasses */
> > extern char __priv_data_start[], __priv_data_end[];
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index dacc3b58810..7a469f22721 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -214,13 +214,6 @@ config EFI_CAPSULE_AUTHENTICATE
> > Select this option if you want to enable capsule
> > authentication
> >
> > -config EFI_CAPSULE_KEY_PATH
> > - string "Path to .esl cert for capsule authentication"
> > - depends on EFI_CAPSULE_AUTHENTICATE
> > - help
> > - Provide the EFI signature list (esl) certificate used for capsule
> > - authentication
> > -
> > config EFI_DEVICE_PATH_TO_TEXT
> > bool "Device path to text protocol"
> > default y
> > diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
> > index 9b369430e25..fd344cea29b 100644
> > --- a/lib/efi_loader/Makefile
> > +++ b/lib/efi_loader/Makefile
> > @@ -20,19 +20,11 @@ always += helloworld.efi
> > targets += helloworld.o
> > endif
> >
> > -ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
> > -EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_KEY_PATH))
> > -ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
> > -$(error .esl cerificate not found. Configure your CONFIG_EFI_CAPSULE_KEY_PATH)
> > -endif
> > -endif
> > -
> > obj-$(CONFIG_CMD_BOOTEFI_HELLO) += helloworld_efi.o
> > obj-$(CONFIG_CMD_BOOTEFI_BOOTMGR) += efi_bootmgr.o
> > obj-y += efi_boottime.o
> > obj-y += efi_helper.o
> > obj-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += efi_capsule.o
> > -obj-$(CONFIG_EFI_CAPSULE_AUTHENTICATE) += efi_capsule_key.o
> > obj-$(CONFIG_EFI_CAPSULE_FIRMWARE) += efi_firmware.o
> > obj-y += efi_console.o
> > obj-y += efi_device_path.o
> > diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
> > index 26990bc2df4..b75e4bcba1a 100644
> > --- a/lib/efi_loader/efi_capsule.c
> > +++ b/lib/efi_loader/efi_capsule.c
> > @@ -16,7 +16,6 @@
> > #include <mapmem.h>
> > #include <sort.h>
> >
> > -#include <asm/sections.h>
> > #include <crypto/pkcs7.h>
> > #include <crypto/pkcs7_parser.h>
> > #include <linux/err.h>
> > @@ -253,23 +252,12 @@ out:
> >
> > #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
> >
> > -static int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
> > -{
> > - const void *blob = __efi_capsule_sig_begin;
> > - const int len = __efi_capsule_sig_end - __efi_capsule_sig_begin;
> > -
> > - *pkey = (void *)blob;
> > - *pkey_len = len;
> > -
> > - return 0;
> > -}
> > -
> > efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
> > void **image, efi_uintn_t *image_size)
> > {
> > u8 *buf;
> > int ret;
> > - void *stored_pkey, *pkey;
> > + void *fdt_pkey, *pkey;
> > efi_uintn_t pkey_len;
> > uint64_t monotonic_count;
> > struct efi_signature_store *truststore;
> > @@ -322,7 +310,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
> > goto out;
> > }
> >
> > - ret = efi_get_public_key_data(&stored_pkey, &pkey_len);
> > + ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
> > if (ret < 0)
> > goto out;
> >
> > @@ -330,7 +318,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
> > if (!pkey)
> > goto out;
> >
> > - memcpy(pkey, stored_pkey, pkey_len);
> > + memcpy(pkey, fdt_pkey, pkey_len);
> > truststore = efi_build_signature_store(pkey, pkey_len);
> > if (!truststore)
> > goto out;
> > diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S
> > deleted file mode 100644
> > index 58f00b8e4bc..00000000000
> > --- a/lib/efi_loader/efi_capsule_key.S
> > +++ /dev/null
> > @@ -1,17 +0,0 @@
> > -/* SPDX-License-Identifier: GPL-2.0+ */
> > -/*
> > - * .esl cert for capsule authentication
> > - *
> > - * Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > - */
> > -
> > -#include <config.h>
> > -
> > -.section .rodata.capsule_key.init,"a"
> > -.balign 16
> > -.global __efi_capsule_sig_begin
> > -__efi_capsule_sig_begin:
> > -.incbin CONFIG_EFI_CAPSULE_KEY_PATH
> > -__efi_capsule_sig_end:
> > -.global __efi_capsule_sig_end
> > -.balign 16
> > --
> > 2.32.0.554.ge1b32706d8-goog
> >
More information about the U-Boot
mailing list