[PATCH 1/3] efi_capsule: Move signature from DTB to .rodata

Ilias Apalodimas ilias.apalodimas at linaro.org
Sat Jul 17 13:36:47 CEST 2021


On Fri, Jul 16, 2021 at 07:49:09AM -0600, Simon Glass wrote:
> Hi Ilias,
> 
> On Thu, 15 Jul 2021 at 11:00, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
> >
> > The capsule signature is now part of our DTB.  This is problematic when a
> > user is allowed to change/fixup that DTB from U-Boot's command line since he
> > can overwrite the signature as well.
> 
> Do you mean with the 'fdt' command?
> 
> If you mean the FDT fixups, they happen to a different DT, the one
> being passed to Linux.
> 

This was only usable in QEMU pre-patch.  I think Sughosh replaced the
entire DTB (including the signature) in his tests.

Sughosh?

Cheers
/Ilias

> > So instead of adding the key on the DTB, embed it in the u-boot binary
> > itself as part of its .rodata.  This assumes that the U-Boot binary we load
> > is authenticated by a previous boot stage loader.
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> >  board/emulation/common/Makefile       |  1 -
> >  board/emulation/common/qemu_capsule.c | 43 ---------------------------
> >  include/asm-generic/sections.h        |  2 ++
> >  lib/efi_loader/Kconfig                |  6 ++++
> >  lib/efi_loader/Makefile               |  8 +++++
> >  lib/efi_loader/efi_capsule.c          | 18 +++++++++--
> >  lib/efi_loader/efi_capsule_key.S      |  8 +++++
> >  7 files changed, 39 insertions(+), 47 deletions(-)
> >  delete mode 100644 board/emulation/common/qemu_capsule.c
> >  create mode 100644 lib/efi_loader/efi_capsule_key.S
> 
> Regards,
> Simon

