[PATCH v5 11/11] (RFC) efi_loader, dts: add public keys for capsules to device tree

AKASHI Takahiro takahiro.akashi at linaro.org
Thu Oct 28 08:23:56 CEST 2021


By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
automatically insert the given key into the device tree.
Otherwise, users are required to do so manually, possibly, with
the utility script, fdtsig.sh.

Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
 doc/develop/uefi/uefi.rst |  4 ++++
 dts/Makefile              | 23 +++++++++++++++++++++--
 lib/efi_loader/Kconfig    |  7 +++++++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 54fefd76f0f5..7f85b9e5a4a6 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule
 update::
 
     CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+    CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
 
 The public and private keys used for the signing process are generated
 and used by the steps highlighted below.
@@ -392,6 +393,9 @@ and used by the steps highlighted below.
                 };
         };
 
+   If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will
+   take care of it for you.
+
 Executing the boot manager
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/dts/Makefile b/dts/Makefile
index cb3111382959..6c5486719ecd 100644
--- a/dts/Makefile
+++ b/dts/Makefile
@@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE
 	mkdir -p $(dir $@)
 	$(call if_changed,fdtgrep)
 
+quiet_cmd_fdtsig = FDTSIG $@
+	cmd_fdtsig = \
+		cat $< > $@; \
+		$(srctree)/tools/fdtsig.sh \
+			$(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@
+
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
+ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),)
+DTB_ov := $(obj)/dt.dtb_ov
+
+$(obj)/dt.dtb_ov: $(DTB) FORCE
+	$(call if_changed,fdtsig)
+else
+DTB_ov := $(DTB)
+endif
+else
+DTB_ov := $(DTB)
+endif
+
 ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y)
-$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE
+$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE
 	$(call if_changed,fdt_rm_props)
 else
-$(obj)/dt.dtb: $(DTB) FORCE
+$(obj)/dt.dtb: $(DTB_ov) FORCE
 	$(call if_changed,shipped)
 endif
 
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 52f71c07c991..d12b1e56ae80 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -208,6 +208,13 @@ config EFI_CAPSULE_AUTHENTICATE
 	  Select this option if you want to enable capsule
 	  authentication
 
+config EFI_CAPSULE_KEY_PATH
+	string "Path to .esl cert for capsule authentication"
+	depends on EFI_CAPSULE_AUTHENTICATE
+	help
+	  Provide the EFI signature list (esl) certificate used for capsule
+	  authentication
+
 config EFI_DEVICE_PATH_TO_TEXT
 	bool "Device path to text protocol"
 	default y
-- 
2.33.0



More information about the U-Boot mailing list