[PATCH 1/7] capsule: authenticate: Embed capsule public key in platform's dtb

Sughosh Ganu sughosh.ganu at linaro.org
Tue Jun 13 12:38:00 CEST 2023


The EFI capsule authentication logic in U-Boot expects the public key,
in the form of an EFI Signature List (ESL), to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb has to be done manually.

Add a script for embedding the ESL used for capsule authentication in
the platform's dtb, and call this as part of building the dtb(s). This
brings the embedding of the ESL in the dtb into the u-boot build flow.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
---
 lib/efi_loader/Kconfig       | 11 +++++++++++
 scripts/Makefile.lib         |  8 ++++++++
 scripts/embed_capsule_key.sh | 25 +++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100755 scripts/embed_capsule_key.sh

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c5835e6ef6..1326a1d109 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -234,6 +234,17 @@ config EFI_CAPSULE_MAX
 	  Select the max capsule index value used for capsule report
 	  variables. This value is used to create CapsuleMax variable.
 
+config EFI_CAPSULE_ESL_FILE
+	string "Path to the EFI Signature List File"
+	default ""
+	depends on EFI_CAPSULE_AUTHENTICATE
+	help
+	  Provides the absolute path to the EFI Signature List
+	  file which will be embedded in the platform's device
+	  tree and used for capsule authentication at the time
+	  of capsule update.
+
+
 config EFI_DEVICE_PATH_TO_TEXT
 	bool "Device path to text protocol"
 	default y
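Review bot: The help text states the path must be absolute, but with `default ""` and no `depends`/validation nothing stops an empty or relative value from reaching the build, and the script that consumes it (`scripts/embed_capsule_key.sh`, L101) passes it straight into `/incbin/()`, so the failure mode is presumably an opaque dtc error or, given that script's silenced exit codes, no error at all. Consider saying so in the help: `The file must exist at build time; an empty value leaves the dtb without a capsule key and capsule authentication will reject every update.` There is also a stray second blank line after the help block (L44–L45); one blank line before `config EFI_DEVICE_PATH_TO_TEXT` matches the surrounding file.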
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 7b27224b5d..a4083d0a26 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -192,6 +192,8 @@ dtc_cpp_flags  = -Wp,-MD,$(depfile).pre.tmp -nostdinc                    \
 		 -D__ASSEMBLY__                                          \
 		 -undef -D__DTS__
 
+export dtc_cpp_flags
+
 # Finds the multi-part object the current object will be linked into
 modname-multi = $(sort $(foreach m,$(multi-used),\
 		$(if $(filter $(subst $(obj)/,,$*.o), $($(m:.o=-objs)) $($(m:.o=-y))),$(m:.o=))))
@@ -315,6 +317,9 @@ ifeq ($(CONFIG_OF_LIBFDT_OVERLAY),y)
 DTC_FLAGS += -@
 endif
 
+quiet_cmd_embedcapsulekey = EMBEDCAPSULEKEY $@
+cmd_embedcapsulekey = $(srctree)/scripts/embed_capsule_key.sh $@
+
 quiet_cmd_dtc = DTC     $@
 # Modified for U-Boot
 # Bring in any U-Boot-specific include at the end of the file
@@ -333,6 +338,9 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
 
 $(obj)/%.dtb: $(src)/%.dts FORCE
 	$(call if_changed_dep,dtc)
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
+	$(call cmd,embedcapsulekey,$@)
+endif
 
 pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
 dtc-tmp = $(subst $(comma),_,$(dot-target).dts.tmp)
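Review bot: The ESL file is not a prerequisite of `$(obj)/%.dtb`, so rotating the capsule signing key does not rebuild the dtb, while the embed step itself runs on every `make` invocation even when `if_changed_dep,dtc` decides the dtb is up to date — the two behaviours together mean the dtb content depends on when you last happened to build, not on the key. If the quoted Kconfig string can be unquoted in make (U-Boot has a helper for that elsewhere, not visible here), adding it to the prerequisite list fixes the first point; for the second, the embed should at least run inside the same change-detection as dtc. The extra `$@` in `$(call cmd,embedcapsulekey,$@)` is also unused: `cmd_embedcapsulekey` already references `$@`, so `$(call cmd,embedcapsulekey)` is the Kbuild idiom.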
diff --git a/scripts/embed_capsule_key.sh b/scripts/embed_capsule_key.sh
new file mode 100755
index 0000000000..1c2e45f758
--- /dev/null
+++ b/scripts/embed_capsule_key.sh
@@ -0,0 +1,25 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Copyright (C) 2023, Linaro Limited
+#
+
+gen_capsule_signature_file() {
+cat >> $1 << EOF
+/dts-v1/;
+/plugin/;
+
+&{/} {
+	signature {
+		capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
+	};
+};
+EOF
+}
+
+gen_capsule_signature_file signature.$$.dts > /dev/null 2>&1
+$CPP $dtc_cpp_flags -x assembler-with-cpp -o signature.$$.tmp signature.$$.dts > /dev/null 2>&1
+dtc -@ -O dtb -o signature.$$.dtbo signature.$$.tmp > /dev/null 2>&1
+fdtoverlay -i $1 -o temp.$$.dtb -v signature.$$.dtbo > /dev/null 2>&1
+mv temp.$$.dtb $1 > /dev/null 2>&1
+rm -f signature.$$.* > /dev/null 2>&1
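Review bot: Every step that produces the key-carrying dtb discards its exit status — no `set -e`, and each command's stdout and stderr are sent to `/dev/null` — so a missing or unreadable ESL, a failed `dtc`, or a failed `fdtoverlay` leaves the original dtb in place without the `signature` node and the build still reports success; the key that gates capsule authentication silently never lands, and the first sign is capsule updates being rejected on the device. The script also writes `signature.$$.*` and `temp.$$.dtb` into the current directory rather than next to `$@`, uses `cat >>` (append) for a file that should be freshly created, and leaves `$1` unquoted. It invokes bare `dtc` and `fdtoverlay` from `PATH` although the Makefile carries a `DTC` setting (not exported in this hunk, so I cannot confirm what the build uses); consider passing the tool paths in explicitly. `$CPP` and `$dtc_cpp_flags` are read from the environment — `dtc_cpp_flags` is exported at L57, but `CPP` is not visible here, so that assumption should be checked too.
```shell
#! /bin/bash
# … unchanged: SPDX and copyright header …
set -eu

gen_capsule_signature_file() {
cat > "$1" << EOF
# … unchanged: overlay source …
EOF
}

dtb="$1"
tmpdir="$(mktemp -d "${dtb}.embed.XXXXXX")"
trap 'rm -rf "$tmpdir"' EXIT

gen_capsule_signature_file "$tmpdir/signature.dts"
$CPP $dtc_cpp_flags -x assembler-with-cpp -o "$tmpdir/signature.tmp" "$tmpdir/signature.dts"
dtc -@ -O dtb -o "$tmpdir/signature.dtbo" "$tmpdir/signature.tmp"
fdtoverlay -i "$dtb" -o "$tmpdir/out.dtb" "$tmpdir/signature.dtbo"
mv "$tmpdir/out.dtb" "$dtb"
```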
-- 
2.34.1


