[PATCH v2 0/2] scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed Jul 3 17:25:03 CEST 2024 

On Fri, Jun 14, 2024 at 11:54:41AM -0500, Jon Humphreys wrote:
> Ilias Apalodimas <ilias.apalodimas at linaro.org> writes:
> 
> > Hi Jonathan
> >
> > On Thu, 13 Jun 2024 at 23:28, Jonathan Humphreys <j-humphreys at ti.com> wrote:
> >>
> >> Use the capsule's public key certificate rather than a prebuilt ESL
> >> generated from the certificate. The ESL is now generated as part of the
> >> build.
> >
> > Is there a reason to do this? I understand that the .crt extension
> > might be well known while the .esl is not, but OTOH the system you
> > build on after this change *needs* to have cert-to-efi-sig-list
> > installed
> >
> Hi Ilias,
> 
> In general, I am following the principle that it is better to not include
> in your source repo derived binaries that can be built at buildtime.
> 
> As far as the need to have cert-to-efi-sig-list, it is part of efitools and
> that is already documented as a requirement for the build host ([0] and
> [1]), and our baseline Docker file also includes it.

Ok we already have the tool on the CI

Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

> 
> [0] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#enabling-capsule-authentication
> [1] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#configuring-uefi-secure-boot
> 
> Jon
> 
> > Thanks
> > /Ilias
> >>
> >> Changes from v1:
> >> - Converted the single patch to a series to include a bug fix found during
> >>   development.
> >> - Created an explicit rule for creating the ESL file for proper makefile
> >>   dependency tracking.  v1 had combined creating the ESL file and
> >>   generating the .dtsi include in a single command.
> >>
> >> Jonathan Humphreys (2):
> >>   scripts/Makefile.lib: fixes: Embed capsule public key in platform's
> >>     dtb
> >>   scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file
> >>
> >>  board/sandbox/capsule_pub_esl_good.esl | Bin 831 -> 0 bytes
> >>  configs/sandbox_defconfig              |   2 +-
> >>  configs/sandbox_flattree_defconfig     |   2 +-
> >>  doc/develop/uefi/uefi.rst              |   8 ++++----
> >>  lib/efi_loader/Kconfig                 |  12 +++++++-----
> >>  scripts/Makefile.lib                   |  24 +++++++++++++++---------
> >>  6 files changed, 28 insertions(+), 20 deletions(-)
> >>  delete mode 100644 board/sandbox/capsule_pub_esl_good.esl
> >>
> >> --
> >> 2.34.1
> >>

More information about the U-Boot mailing list