[PATCH 1/3] efi_capsule: Move signature from DTB to .rodata
Simon Glass
sjg at chromium.org
Fri Jul 16 15:49:09 CEST 2021

Hi Ilias,

On Thu, 15 Jul 2021 at 11:00, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> The capsule signature is now part of our DTB. This is problematic when a
> user is allowed to change/fixup that DTB from U-Boot's command line since he
> can overwrite the signature as well.
Do you mean with the 'fdt' command?
If you mean the FDT fixups, they happen to a different DT, the one
being passed to Linux.
> So instead of adding the key on the DTB, embed it in the u-boot binary
> itself as part of its .rodata. This assumes that the U-Boot binary we load
> is authenticated by a previous boot stage loader.
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> board/emulation/common/Makefile | 1 -
> board/emulation/common/qemu_capsule.c | 43 ---------------------------
> include/asm-generic/sections.h | 2 ++
> lib/efi_loader/Kconfig | 6 ++++
> lib/efi_loader/Makefile | 8 +++++
> lib/efi_loader/efi_capsule.c | 18 +++++++++--
> lib/efi_loader/efi_capsule_key.S | 8 +++++
> 7 files changed, 39 insertions(+), 47 deletions(-)
> delete mode 100644 board/emulation/common/qemu_capsule.c
> create mode 100644 lib/efi_loader/efi_capsule_key.S
Regards,
Simon