[PATCH v12] scripts/Makefile.lib: Embed capsule public key in platform's dtb
Sughosh Ganu
sughosh.ganu at linaro.org
Fri Aug 25 13:19:05 CEST 2023
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.
Add a target for generating a dtsi file which contains the signature
node with the ESL file included as a property under the signature
node. Include the dtsi file in the dtb. This brings the embedding of
the ESL in the dtb into the U-Boot build flow.
The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
Reviewed-by: Tom Rini <trini at konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
---
Changes since V11:
* Added a FORCE dependency to the .capsule_esl.dtsi target to ensure
the dtsi's generation on every invocation
Note: This being a minor imporovement on the earlier patch version,
and this being the only change in the 15 patch series, Tom Rini
suggested just re-sending a v12 for this patch.
lib/efi_loader/Kconfig | 8 ++++++++
lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
scripts/Makefile.lib | 15 +++++++++++++++
3 files changed, 34 insertions(+)
create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 9989e3f384..d20aaab6db 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
Select the max capsule index value used for capsule report
variables. This value is used to create CapsuleMax variable.
+config EFI_CAPSULE_ESL_FILE
+ string "Path to the EFI Signature List File"
+ depends on EFI_CAPSULE_AUTHENTICATE
+ help
+ Provides the path to the EFI Signature List file which will
+ be embedded in the platform's device tree and used for
+ capsule authentication at the time of capsule update.
+
config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in
new file mode 100644
index 0000000000..61a9f2b25e
--- /dev/null
+++ b/lib/efi_loader/capsule_esl.dtsi.in
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0+
+/**
+ * Devicetree file with the public key EFI Signature List(ESL)
+ * node. This file is used to generate the dtsi file to be
+ * included into the DTB.
+*/
+/ {
+ signature {
+ capsule-key = /incbin/("ESL_BIN_FILE");
+ };
+};
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 8c5e25c31c..8dc6ec82cd 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
+cmd_capsule_esl_gen = \
+ $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)
+
+$(obj)/.capsule_esl.dtsi: FORCE
+ $(call cmd_capsule_esl_gen)
+
+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
+capsule_esl_dtsi = .capsule_esl.dtsi
+capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+
+ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+dtsi_include_list += $(capsule_esl_dtsi)
+endif
+
dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
--
2.34.1
More information about the U-Boot
mailing list