[PATCH v5 11/11] (RFC) efi_loader, dts: add public keys for capsules to device tree
AKASHI Takahiro
takahiro.akashi at linaro.org
Thu Oct 28 08:23:56 CEST 2021
By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
automatically insert the given key into the device tree.
Otherwise, users are required to do so manually, possibly, with
the utility script, fdtsig.sh.
Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
doc/develop/uefi/uefi.rst | 4 ++++
dts/Makefile | 23 +++++++++++++++++++++--
lib/efi_loader/Kconfig | 7 +++++++
3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 54fefd76f0f5..7f85b9e5a4a6 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule
update::
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+ CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
The public and private keys used for the signing process are generated
and used by the steps highlighted below.
@@ -392,6 +393,9 @@ and used by the steps highlighted below.
};
};
+ If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will
+ take care of it for you.
+
Executing the boot manager
~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/dts/Makefile b/dts/Makefile
index cb3111382959..6c5486719ecd 100644
--- a/dts/Makefile
+++ b/dts/Makefile
@@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE
mkdir -p $(dir $@)
$(call if_changed,fdtgrep)
+quiet_cmd_fdtsig = FDTSIG $@
+ cmd_fdtsig = \
+ cat $< > $@; \
+ $(srctree)/tools/fdtsig.sh \
+ $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@
+
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
+ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),)
+DTB_ov := $(obj)/dt.dtb_ov
+
+$(obj)/dt.dtb_ov: $(DTB) FORCE
+ $(call if_changed,fdtsig)
+else
+DTB_ov := $(DTB)
+endif
+else
+DTB_ov := $(DTB)
+endif
+
ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y)
-$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE
+$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE
$(call if_changed,fdt_rm_props)
else
-$(obj)/dt.dtb: $(DTB) FORCE
+$(obj)/dt.dtb: $(DTB_ov) FORCE
$(call if_changed,shipped)
endif
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 52f71c07c991..d12b1e56ae80 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -208,6 +208,13 @@ config EFI_CAPSULE_AUTHENTICATE
Select this option if you want to enable capsule
authentication
+config EFI_CAPSULE_KEY_PATH
+ string "Path to .esl cert for capsule authentication"
+ depends on EFI_CAPSULE_AUTHENTICATE
+ help
+ Provide the EFI signature list (esl) certificate used for capsule
+ authentication
+
config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
--
2.33.0
More information about the U-Boot
mailing list