[PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb

Simon Glass sjg at chromium.org
Thu Aug 17 15:41:33 CEST 2023


Hi Tom,

On Wed, 16 Aug 2023 at 15:26, Tom Rini <trini at konsulko.com> wrote:
>
> On Wed, Aug 16, 2023 at 09:58:42AM +0530, Sughosh Ganu wrote:
> > hi Simon,
> >
> > On Wed, 16 Aug 2023 at 00:09, Simon Glass <sjg at chromium.org> wrote:
> > >
> > > Hi Sughosh,
> > >
> > > On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu at linaro.org> wrote:
> > > >
> > > > The EFI capsule authentication logic in u-boot expects the public key
> > > > in the form of an EFI Signature List (ESL) to be provided as part of
> > > > the platform's dtb. Currently, the embedding of the ESL file into the
> > > > dtb needs to be done manually.
> > > >
> > > > Add a target for generating a dtsi file which contains the signature
> > > > node with the ESL file included as a property under the signature
> > > > node. Include the dtsi file in the dtb. This brings the embedding of
> > > > the ESL in the dtb into the U-Boot build flow.
> > > >
> > > > The path to the ESL file is specified through the
> > > > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> > > >
> > > > Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
> > > > ---
> > > > Changes since RFC series:
> > > > * Remove the default value of the config symbol.
> > > > * s/include_files/dtsi_include_list
> > > > * Add all the dtsi files being included as dependency for the dtb
> > > >   target.
> > > >
> > > >  lib/efi_loader/Kconfig             |  8 ++++++++
> > > >  lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
> > > >  scripts/Makefile.lib               | 18 +++++++++++++++++-
> > > >  3 files changed, 36 insertions(+), 1 deletion(-)
> > > >  create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
> > > >
> > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > > > index 9989e3f384..d20aaab6db 100644
> > > > --- a/lib/efi_loader/Kconfig
> > > > +++ b/lib/efi_loader/Kconfig
> > > > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
> > > >           Select the max capsule index value used for capsule report
> > > >           variables. This value is used to create CapsuleMax variable.
> > > >
> > > > +config EFI_CAPSULE_ESL_FILE
> > > > +       string "Path to the EFI Signature List File"
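Review bot: the prompt `string "Path to the EFI Signature List File"` on the new EFI_CAPSULE_ESL_FILE symbol does not say what the path is resolved against (source tree, build directory, or an absolute path), and the changelog above says the symbol no longer has a default. Suggest stating the base directory in the help text and naming the expected content (the capsule public key as an ESL), so that a board config with an empty or relative value behaves predictably. The rest of the entry is not quoted here, so this applies only if the help text does not already cover it.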
> > >
> > > Do we need this, or could we name it as we do with the .env file? It
> > > seems confusing to have to set this for each board - it might be
> > > better to have it in a defined location.
> >
> > The reason I put this is because I thought this gave the user the
> > flexibility to provide the location and name of the ESL. But I suppose
> > that the board directory would be a good location to expect this file.
> > Then this file can have a name like capsule_pub_key.esl. Tom, what are
> > your thoughts on this?
>
> I feel like an automatic name we can guess isn't likely how this will be
> used in the real world, so we should leave this as configurable.

Are we expecting these files to end up in the source tree? Where would they go?

Regards,
Simon

