[PATCH 1/4] tools: mkeficapsule: add firmwware image signing

Ilias Apalodimas ilias.apalodimas at linaro.org
Thu May 13 18:42:04 CEST 2021

> > > FWIW I personally don't think we should even have a config option. But even
> > > if we did it certainly must not be dictated by a hardware config.
> > > 
> > > When you install distro packages you accept whatever dependencies the
> > > package has. mkeficapsule is a capsule creation and signing tool.  I don't
> > > see any reason for keeping the creation and signing apart.
> > 
> > My question is, since the U-Boot binary is heavily dependent on the target
> > platform, can we split the u-boot.bin creation (may include embedding keys)
> > and the capsule file creation (including signing)?
> Building U-Boot and creating a capsule are totally separate. Maybe you
> get the first capsule years after you buy your board. But this should
> not stop us from building mkeficapsule when building U-Boot.

Based on what was discussed in the thread waht I think would make more
sense is:
- Build u-boot and use the script Akashi sent to inject the certificate. 
  Whether we create a single binary (always signed if a config option is
  there) or 2 binaries (1 signed. 1 unsigned) is an implemetation detail
  and I am fine with either.
- Use mkefi capsule to create the final capsule

> If you want to build tools only, you can do so with 'make tools'. The
> tools target must include mkeficapsule irrespective of configuration.
> This line in tools/Makefile must be corrected:
> -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule
> +hostprogs-y += mkeficapsule

So that's the point exactly. Building the tool is completely disjoint from
building a u-boot binary.   Also you usually start adding config options to
an app, when it starts getting to big and you want discrete functionality. 
I don't see any reason for making a simple tool, which is supposed to do 2
things (create/sign), require config options and more over config options
*for U-Boot*. I also think it's extremely unlikely to get any working distro 
without libssl. 

> Best regards
> Heinrich

More information about the U-Boot mailing list