[PATCH v2 0/2] scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL

Jon Humphreys j-humphreys at ti.com
Fri Jun 14 18:54:41 CEST 2024 

Ilias Apalodimas <ilias.apalodimas at linaro.org> writes:

> Hi Jonathan
>
> On Thu, 13 Jun 2024 at 23:28, Jonathan Humphreys <j-humphreys at ti.com> wrote:
>>
>> Use the capsule's public key certificate rather than a prebuilt ESL
>> generated from the certificate. The ESL is now generated as part of the
>> build.
>
> Is there a reason to do this? I understand that the .crt extension
> might be well known while the .esl is not, but OTOH the system you
> build on after this change *needs* to have cert-to-efi-sig-list
> installed
>
Hi Ilias,

In general, I am following the principle that it is better to not include
in your source repo derived binaries that can be built at buildtime.

As far as the need to have cert-to-efi-sig-list, it is part of efitools and
that is already documented as a requirement for the build host ([0] and
[1]), and our baseline Docker file also includes it.

[0] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#enabling-capsule-authentication
[1] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#configuring-uefi-secure-boot

Jon

> Thanks
> /Ilias
>>
>> Changes from v1:
>> - Converted the single patch to a series to include a bug fix found during
>>   development.
>> - Created an explicit rule for creating the ESL file for proper makefile
>>   dependency tracking.  v1 had combined creating the ESL file and
>>   generating the .dtsi include in a single command.
>>
>> Jonathan Humphreys (2):
>>   scripts/Makefile.lib: fixes: Embed capsule public key in platform's
>>     dtb
>>   scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file
>>
>>  board/sandbox/capsule_pub_esl_good.esl | Bin 831 -> 0 bytes
>>  configs/sandbox_defconfig              |   2 +-
>>  configs/sandbox_flattree_defconfig     |   2 +-
>>  doc/develop/uefi/uefi.rst              |   8 ++++----
>>  lib/efi_loader/Kconfig                 |  12 +++++++-----
>>  scripts/Makefile.lib                   |  24 +++++++++++++++---------
>>  6 files changed, 28 insertions(+), 20 deletions(-)
>>  delete mode 100644 board/sandbox/capsule_pub_esl_good.esl
>>
>> --
>> 2.34.1
>>

More information about the U-Boot mailing list