[PATCH 2/3] mkeficapsule: Remove dtb related options
Ilias Apalodimas
ilias.apalodimas at linaro.org
Sat Jul 17 09:24:05 CEST 2021
On Fri, Jul 16, 2021 at 08:03:23AM -0600, Simon Glass wrote:
> Hi Ilias,
>
> On Thu, 15 Jul 2021 at 11:00, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
> >
> > commit 322c813f4bec ("mkeficapsule: Add support for embedding public key in a dtb")
> > added a bunch of options enabling the addition of the capsule public key
> > in a dtb. Since now we embedded the key in U-Boot's .rodata we don't need
> > this functionality anymore
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> > tools/mkeficapsule.c | 226 ++-----------------------------------------
> > 1 file changed, 7 insertions(+), 219 deletions(-)
>
> Here again I see EFI diverging from the impl in U-Boot. With U-Boot
> you can add the public key after the build step, e.g. in a key-signing
> server. With EFI and this change you will have to rebuild U-Boot (from
> source) every time you sign something. Seems like a pain.
I don't see why either of these is a problem. You need the public key to
update the binary itself, so rebuilding from source is a prerequisite.
Apart from a signing server, you can also have special hardware that provides
the public key you need (which is not implemented yet). So this is the bare
minimum functionality you need for authenticated capsule updates.
Regards
/Ilias
>
> Regards,
> Simon