[PATCH] efi_loader: capsule: add a debug message in case of no key

Heinrich Schuchardt xypron.glpk at gmx.de
Thu May 20 04:06:12 CEST 2021

On 5/10/21 10:19 AM, AKASHI Takahiro wrote:
> It will probably be a common error case that a certificate (public key)
> is not provided by the system while capsule authentication is enabled.
> So add a debug message.
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> ---
>   lib/efi_loader/efi_capsule.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
> index 90893f85e22c..84ddaf50d13f 100644
> --- a/lib/efi_loader/efi_capsule.c
> +++ b/lib/efi_loader/efi_capsule.c
> @@ -316,8 +316,10 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
>   	}
>   	ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
> -	if (ret < 0)
> +	if (ret < 0) {
> +		debug("Public key/certificate not found\n");

Currently the only implementation of efi_get_public_key_data() actually
providing keys is the one in board/emulation/common/qemu_capsule.c where
the user has to manually upload the esl file.

For future implementation it is preferable to build the public key data
into the U-Boot binary. If it is part of the build process then the only
error that could come up is that the public key data has the wrong format.

If we are using the weak implementation of efi_get_public_key_data() in
lib/efi_loader/efi_capsule.cwith CONFIG_EFI_CAPSULE_AUTHENTICATE=y, the
system is misconfigured. Do we need that weak implementation at all? I
would prefer to remove to get a build error.

I suggest that you add a log_err() message with above text into the
board/emulation/common/qemu_capsule.c implementation of
efi_get_public_key_data(). This way the user will see that he forgot a step.

Best regards


>   		goto out;
> +	}
>   	pkey = malloc(pkey_len);
>   	if (!pkey)

More information about the U-Boot mailing list