[PATCH v8 12/12] (RFC) efi_loader, dts: add public keys for capsules to device tree
Heinrich Schuchardt
xypron.glpk at gmx.de
Sat Jan 1 23:53:32 CET 2022
On 12/20/21 06:02, AKASHI Takahiro wrote:
> By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
> automatically insert the given key into the device tree.
> Otherwise, users are required to do so manually, possibly, with
> the utility script, fdtsig.sh.
Why do we need a script fdtsig.sh? Can't you integrate this into the
Makefile?
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> ---
> doc/develop/uefi/uefi.rst | 4 ++++
> dts/Makefile | 23 +++++++++++++++++++++--
> lib/efi_loader/Kconfig | 7 +++++++
> 3 files changed, 32 insertions(+), 2 deletions(-)
>
> diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> index 54fefd76f0f5..7f85b9e5a4a6 100644
> --- a/doc/develop/uefi/uefi.rst
> +++ b/doc/develop/uefi/uefi.rst
> @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule
> update::
>
> CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> + CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
>
> The public and private keys used for the signing process are generated
> and used by the steps highlighted below.
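Review bot: listing CONFIG_EFI_CAPSULE_KEY_PATH directly under CONFIG_EFI_CAPSULE_AUTHENTICATE=y in this hunk reads as if both are required, while the commit message describes the key path as optional (without it the key is inserted into the device tree by hand). Suggest marking the line as optional in the doc, e.g. "CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> (optional)", and adding one sentence saying that when it is set the .esl file is embedded into the device tree at build time, so a reader knows what the option changes before reaching the later section.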
> @@ -392,6 +393,9 @@ and used by the steps highlighted below.
> };
> };
>
> + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will
> + take care of it for you.
> +
> Executing the boot manager
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>
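Review bot: "the build process will take care of it for you" is too vague to be useful; "it" should name the step it replaces. Since this paragraph follows the hand-written device tree snippet, suggest something like "If CONFIG_EFI_CAPSULE_KEY_PATH is set, the build inserts the given .esl file into the device tree, so the manual edit above is not needed." It would also help to mention the alternative the commit message refers to (the fdtsig.sh utility) here, as the documentation currently never names it.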
> diff --git a/dts/Makefile b/dts/Makefile
> index cb3111382959..6c5486719ecd 100644
> --- a/dts/Makefile
> +++ b/dts/Makefile
> @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE
> mkdir -p $(dir $@)
> $(call if_changed,fdtgrep)
>
> +quiet_cmd_fdtsig = FDTSIG $@
> + cmd_fdtsig = \
> + cat $< > $@; \
> + $(srctree)/tools/fdtsig.sh \
> + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@
> +
> +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
> +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),)
Shouldn't I get a build error if the path is not specified?
Best regards
Heinrich
> +DTB_ov := $(obj)/dt.dtb_ov
> +
> +$(obj)/dt.dtb_ov: $(DTB) FORCE
> + $(call if_changed,fdtsig)
> +else
> +DTB_ov := $(DTB)
> +endif
> +else
> +DTB_ov := $(DTB)
> +endif
> +
> ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y)
> -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE
> +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE
> $(call if_changed,fdt_rm_props)
> else
> -$(obj)/dt.dtb: $(DTB) FORCE
> +$(obj)/dt.dtb: $(DTB_ov) FORCE
> $(call if_changed,shipped)
> endif
>
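Review bot: the $(obj)/dt.dtb_ov rule depends only on $(DTB) and FORCE, so neither the key file named by CONFIG_EFI_CAPSULE_KEY_PATH nor $(srctree)/tools/fdtsig.sh is a prerequisite; if_changed only re-runs the command when its command line changes, which means replacing the contents of the .esl file without changing its path leaves a stale dt.dtb_ov carrying the old public key, which is exactly the case a capsule key rotation would hit. Suggest adding both as prerequisites, e.g. "$(obj)/dt.dtb_ov: $(DTB) $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $(srctree)/tools/fdtsig.sh FORCE". Separately, the nested ifeq/ifneq assigns "DTB_ov := $(DTB)" in two identical else branches; with CONFIG_EFI_CAPSULE_AUTHENTICATE=y and an empty key path the build silently produces a DTB without the key, so this is the place to either $(error ...) or at least $(warning ...) rather than fall through, which would also let the two conditions collapse into one. Note the diffstat above lists only three files, so tools/fdtsig.sh must come from another patch in the series; this patch should state that dependency explicitly.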
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index 700dc838ddb9..8c8d14d46433 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE
> Select this option if you want to enable capsule
> authentication
>
> +config EFI_CAPSULE_KEY_PATH
> + string "Path to .esl cert for capsule authentication"
> + depends on EFI_CAPSULE_AUTHENTICATE
> + help
> + Provide the EFI signature list (esl) certificate used for capsule
> + authentication
> +
> config EFI_DEVICE_PATH_TO_TEXT
> bool "Device path to text protocol"
> default y
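Review bot: the help text for EFI_CAPSULE_KEY_PATH does not say what happens when the string is left empty, which is the behaviour a user configuring capsule authentication most needs to know: per the dts/Makefile change in this series an empty path means no key is embedded at build time and the device tree must be edited manually. Suggest spelling that out and stating the expected file format, e.g. "Path to an EFI Signature List (.esl) file containing the public key used to verify capsule signatures. If set, the build embeds it into the device tree; if left empty, the key must be added to the device tree manually." A "default """ line would also make the optional nature explicit in defconfigs.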