[PATCH v6 3/9] capsule: authenticate: Add capsule public key in platform's dtb

Fri Aug 4 21:05:58 CEST 2023

On Thu, Aug 03, 2023 at 06:18:24PM -0600, Simon Glass wrote:
> Hi Sughosh,
> 
> On Thu, 3 Aug 2023 at 05:12, Sughosh Ganu <sughosh.ganu at linaro.org> wrote:
> >
> > hi Simon,
> >
> > On Wed, 2 Aug 2023 at 19:04, Simon Glass <sjg at chromium.org> wrote:
> > >
> > > Hi Sughosh,
> > >
> > > On Wed, 2 Aug 2023 at 06:52, Simon Glass <sjg at chromium.org> wrote:
> > > >
> > > > Hi Sughosh,
> > > >
> > > > On Tue, 1 Aug 2023 at 11:40, Sughosh Ganu <sughosh.ganu at linaro.org> wrote:
> > > > >
> > > > > The EFI capsule authentication logic in u-boot expects the public key
> > > > > in the form of an EFI Signature List(ESL) to be provided as part of
> > > > > the platform's dtb. Currently, the embedding of the ESL file into the
> > > > > dtb needs to be done manually.
> > > > >
> > > > > Add a signature node in the u-boot dtsi file and include the public
> > > > > key through the capsule-key property. This file is per architecture,
> > > > > and is currently being added for sandbox and arm architectures. It
> > > > > will have to be added for other architectures which need to enable
> > > > > capsule authentication support.
> > > > >
> > > > > The path to the ESL file is specified through the
> > > > > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> > > > >
> > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
> > > > > ---
> > > > > Changes since V5:
> > > > > * None
> > > > >
> > > > >  arch/arm/dts/u-boot.dtsi     | 14 ++++++++++++++
> > > > >  arch/sandbox/dts/u-boot.dtsi | 17 +++++++++++++++++
> > > > >  lib/efi_loader/Kconfig       |  9 +++++++++
> > > > >  3 files changed, 40 insertions(+)
> > > > >  create mode 100644 arch/arm/dts/u-boot.dtsi
> > > > >  create mode 100644 arch/sandbox/dts/u-boot.dtsi
> > > > >
> > > > > diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi
> > > > > new file mode 100644
> > > > > index 0000000000..4f31da4521
> > > > > --- /dev/null
> > > > > +++ b/arch/arm/dts/u-boot.dtsi
> > > > > @@ -0,0 +1,14 @@
> > > > > +// SPDX-License-Identifier: GPL-2.0+
> > > > > +/**
> > > > > + * Devicetree file with miscellaneous nodes that will be included
> > > > > + * at build time into the DTB. Currently being used for including
> > > > > + * capsule related information.
> > > > > + */
> > > > > +
> > > > > +#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> > > > > +/ {
> > > > > +       signature {
> > > > > +               capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> > > > > +       };
> > > > > +};
> > > > > +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
> > >
> > > Ilias mentioned that this binding can cause problems if it not
> > > upstream, causing the platform to fail validation. So we need to agree
> > > a binding for it in dt-schema. Can you send a patch to we can discuss
> > > it there?
> >
> > There was an effort from Jassi earlier [1] to upstream one such
> > binding for the FWU node. But Rob had asked to remove this in u-boot
> > before the DT was passed over to the kernel.
> 
> I don't like that idea...U-Boot's DT needs to pass validation too, of course!

We're about 30 steps away from being able to just validate our trees
too.  We shouldn't make things intentionally harder but we will need to
have some local schemas or something for cases where they've already
been intentionally submitted and rejected by dt-schema for being a
purely internal need.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20230804/df445761/attachment.sig>