[PATCH v5 02/11] tools: mkeficapsule: add firmware image signing

Simon Glass sjg at chromium.org
Fri Oct 29 05:17:45 CEST 2021


Hi Takahiro,

On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
<takahiro.akashi at linaro.org> wrote:
>
> With this enhancement, mkeficapsule will be able to sign a capsule
> file when it is created. A signature added will be used later
> in the verification at FMP's SetImage() call.
>
> To do that, we need to specify additional command parameters:
>   -monotonic-cout <count> : monotonic count
>   -private-key <private key file> : private key file
>   -certificate <certificate file> : certificate file
> Only when all of those parameters are given, a signature will be added
> to a capsule file.
>
> Users are expected to maintain and increment the monotonic count at
> every time of the update for each firmware image.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> ---
>  tools/Kconfig        |   8 +
>  tools/Makefile       |   8 +-
>  tools/mkeficapsule.c | 435 +++++++++++++++++++++++++++++++++++++++----
>  3 files changed, 417 insertions(+), 34 deletions(-)

Reviewed-by: Simon Glass <sjg at chromium.org>

This looks OK but I have some suggestions:

- I don't think you should return -1 from main
- could you split up your create_fwbin() to return the number of gotos?
- could we have a man page for the tool?
- should the files be opened in binary mode?
- can we just build the tool always?

Regards,
Simon

