[PATCH 5/5] Makefile: Add provision for embedding public key in platform's dtb

Masami Hiramatsu masami.hiramatsu at linaro.org
Sat May 8 05:32:30 CEST 2021


Fri, 7 May 2021 at 18:57 Masami Hiramatsu <masami.hiramatsu at linaro.org>:
>
> Hi,
>
> > Fri, 7 May 2021 at 17:15 AKASHI Takahiro <takahiro.akashi at linaro.org>:
> >
> > On Wed, Apr 28, 2021 at 03:31:36PM +0900, Masami Hiramatsu wrote:
> > > > Wed, 28 Apr 2021 at 14:44 AKASHI Takahiro <takahiro.akashi at linaro.org>:
> > > >
> > > > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:
> > > > > On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> > > > > > Add provision for embedding the public key used for capsule
> > > > > > authentication in the platform's dtb. This is done by invoking the
> > > > > > mkeficapsule utility, which puts the public key in the EFI signature
> > > > > > list (ESL) format into the dtb.
> > > > > >
> > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
> > > > > > ---
> > > > > >   Makefile | 10 ++++++++++
> > > > > >   1 file changed, 10 insertions(+)
> > > > > >
> > > > > > diff --git a/Makefile b/Makefile
> > > > > > index 193aa4d1c9..0d50c6a805 100644
> > > > > > --- a/Makefile
> > > > > > +++ b/Makefile
> > > > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }
> > > > > >   quiet_cmd_lzma = LZMA    $@
> > > > > >   cmd_lzma = lzma -c -z -k -9 $< > $@
> > > > > >
> > > > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@
> > > > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \
> > > > > > +   -D $@
> > > > > > +
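Review bot: cmd_mkeficapsule passes `-K $(CONFIG_EFI_PKEY_FILE)` and `-D $@` to tools/mkeficapsule, but as the reply below notes the tool's --help lists neither option, so this hunk depends on a tool change that must land first or the rule fails on every build. On the same lines, the command is not guarded on CONFIG_EFI_PKEY_FILE being set: with the option unset or empty the shell sees `-K -D <target>` and the tool would take the target dtb as the key file, so wrap the rule in a check on the option (or fail with a clear message). Also, `-D $@` rewrites the target dtb in place, so a failed or interrupted run leaves a modified file that make then treats as up to date; follow cmd_pad_cat above and append `|| { rm -f $@; false; }`, or write to a temporary and move it into place. Finally, only the command definition is visible here, not the rule that invokes it; a short comment stating that this embeds the capsule authentication key (not that it builds a capsule) would avoid the confusion the tool name invites.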
> > > > >
> > > > > tools/mkeficapsule --help shows neither a parameter -K nor a
> > > > > parameter -D.
> > > >
> > > > This clearly shows that the feature with -K/-D has nothing to do with
> > > > creating a capsule file.
> > > > Two totally different things in one place (command).
> > > > And the dtb overlay operation can be achieved by using standard commands.
> > >
> > > If I understand correctly,  we need the following steps,
> > > 1. prepare the key for signing
> > > 2. make dtb overlay from that key
> > > 3. sign the capsule with the key
> > >
> > > And Sughosh's implementation is using mkeficapsule for 2 and 3.
> > > Takahiro pointed out that mkeficapsule is only for 3 because of its name,
> > > to avoid confusion.
> > >
> > > Is that correct?
> > >
> > > What would you think about changing the tool name?
> > > E.g.
> > >
> > > For step 2.
> > > capsuletool dtb --public-key pubkey [--overlay] target.dtb
> >
> > My point is: as this command line shows, it has nothing to do
> > with a capsule file. It simply deals with dtb blob for overlaying.
> > (So 'capsuletool' is not appropriate.)
>
> But if the capsuletool provides the devicetree template for the capsule,
> something like test/py/tests/test_efi_capsule/pubkey.dts, we can say
> it is related to the capsule, because the dts is obviously for the capsule.
> What would you think?

Ah, wait. I misunderstood. It seems that efi_get_public_key_data() is
platform dependent. So isn't it hard to provide a unified tool to embed
the key data into the dtb, because it would be usable for some platforms but
not for others?

Thank you,

-- 
Masami Hiramatsu
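To make step 2 of the list above concrete (turning a public key into a dtb overlay), here is an added example that is not U-Boot code and not part of the thread. It builds the EFI signature list (ESL) wrapper for one DER certificate from the UEFI layout (EFI_SIGNATURE_LIST followed by one EFI_SIGNATURE_DATA entry, SignatureType = EFI_CERT_X509_GUID), parses such a blob back with bounds checks, and renders it as a device-tree overlay source. The overlay node and property names (`signature`/`capsule-key`), the fixed SignatureOwner GUID and the stand-in DER bytes are assumptions for illustration; as the message above notes, efi_get_public_key_data() is platform dependent, so the node your firmware actually reads must be checked against that platform's implementation.

```python
"""Wrap one X.509 certificate in an EFI Signature List (ESL) and emit a
device-tree overlay carrying it, using only the Python standard library.

Added example for this thread, not U-Boot code. The ESL layout follows the
UEFI specification (EFI_SIGNATURE_LIST header, then EFI_SIGNATURE_DATA).
Node/property names in the overlay are an assumption (see lead-in).
"""
import struct
import uuid

# SignatureType GUID for a DER-encoded X.509 certificate (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner is free-form; a fixed value is used for reproducibility (assumption).
SIGNATURE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")

# EFI_SIGNATURE_LIST: SignatureType[16], SignatureListSize, SignatureHeaderSize,
# SignatureSize (all UINT32, little-endian). 28 bytes in total.
ESL_HDR = struct.Struct("<16sIII")


def build_esl(der_cert: bytes, owner: uuid.UUID = SIGNATURE_OWNER) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST with no signature header."""
    sig_data = owner.bytes_le + der_cert              # EFI_SIGNATURE_DATA
    sig_size = len(sig_data)
    list_size = ESL_HDR.size + sig_size               # header + one entry
    return ESL_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size) + sig_data


def parse_esl(blob: bytes) -> list:
    """Parse a concatenation of EFI_SIGNATURE_LISTs.

    Returns (signature_type, owner, data) tuples and refuses truncated or
    self-inconsistent lists rather than reading past the buffer.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HDR.unpack_from(blob, off)
        if (list_size < ESL_HDR.size + hdr_size or sig_size < 16
                or off + list_size > len(blob)):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + ESL_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=entry[:16]),
                            entry[16:]))
        off += list_size
    return entries


def esl_to_dts_overlay(esl: bytes) -> str:
    """Render the ESL as a dts overlay with the blob in a byte-string property."""
    hexbytes = " ".join(f"{b:02x}" for b in esl)
    return (
        "/dts-v1/;\n"
        "/plugin/;\n\n"
        "&{/} {\n"
        "\tsignature {\n"                       # node name: assumption
        f"\t\tcapsule-key = [{hexbytes}];\n"    # property name: assumption
        "\t};\n"
        "};\n"
    )


# Constructed stand-in for a DER certificate; a real one comes from
# `openssl x509 -outform DER`. The ESL wrapper never inspects its contents.
SAMPLE_DER = bytes.fromhex("308201f6308201a0a003020102020101")

if __name__ == "__main__":
    print(esl_to_dts_overlay(build_esl(SAMPLE_DER)))
```

The printed overlay can then go through the standard tools Takahiro refers to: compile it with `dtc -@ -I dts -O dtb` and merge it into the platform dtb with `fdtoverlay`, with no capsule-specific tool involved. Signing the capsule itself (step 3) remains a separate operation and is not covered here.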


More information about the U-Boot mailing list