[PATCH 1/4] tools: mkeficapsule: add firmwware image signing
Ilias Apalodimas
ilias.apalodimas at linaro.org
Thu May 13 18:42:04 CEST 2021
[...]
> > > FWIW I personally don't think we should even have a config option. But even
> > > if we did it certainly must not be dictated by a hardware config.
> > >
> > > When you install distro packages you accept whatever dependencies the
> > > package has. mkeficapsule is a capsule creation and signing tool. I don't
> > > see any reason for keeping the creation and signing apart.
> >
> > My question is, since the U-Boot binary is heavily dependent on the target
> > platform, can we split the u-boot.bin creation (may include embedding keys)
> > and the capsule file creation (including signing)?
>
> Building U-Boot and creating a capsule are totally separate. Maybe you
> get the first capsule years after you buy your board. But this should
> not stop us from building mkeficapsule when building U-Boot.
>
Based on what was discussed in the thread waht I think would make more
sense is:
- Build u-boot and use the script Akashi sent to inject the certificate.
Whether we create a single binary (always signed if a config option is
there) or 2 binaries (1 signed. 1 unsigned) is an implemetation detail
and I am fine with either.
- Use mkefi capsule to create the final capsule
> If you want to build tools only, you can do so with 'make tools'. The
> tools target must include mkeficapsule irrespective of configuration.
>
> This line in tools/Makefile must be corrected:
>
> -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule
> +hostprogs-y += mkeficapsule
So that's the point exactly. Building the tool is completely disjoint from
building a u-boot binary. Also you usually start adding config options to
an app, when it starts getting to big and you want discrete functionality.
I don't see any reason for making a simple tool, which is supposed to do 2
things (create/sign), require config options and more over config options
*for U-Boot*. I also think it's extremely unlikely to get any working distro
without libssl.
>
> Best regards
>
> Heinrich
More information about the U-Boot
mailing list