Re: [PATCH 5/5] Makefile: Add provision for embedding public key in platform's dtb

Tue, 27 Apr 2021 22:44:11 -0700 

On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:
> On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> > Add provision for embedding the public key used for capsule
> > authentication in the platform's dtb. This is done by invoking the
> > mkeficapsule utility which puts the public key in the efi signature
> > list(esl) format into the dtb.
> > 
> > Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org>
> > ---
> >   Makefile | 10 ++++++++++
> >   1 file changed, 10 insertions(+)
> > 
> > diff --git a/Makefile b/Makefile
> > index 193aa4d1c9..0d50c6a805 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f 
> > $@; false; }
> >   quiet_cmd_lzma = LZMA    $@
> >   cmd_lzma = lzma -c -z -k -9 $< > $@
> > 
> > +quiet_cmd_mkeficapsule = MKEFICAPSULE     $@
> > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K 
> > $(CONFIG_EFI_PKEY_FILE) \
> > +   -D $@
> > +
> 
> tools/mkeficapsule --help does neither show a parameter -K nor a
> parameter -D.

This clearly shows that the feature with -K/-D has nothing to do with
creating a capsule file.
Two totally different things in one place (command).
And the dtb overlay operation can be achieved by using standard commands.

I believe that the feature should be removed from mkeficapsule.

-Takahiro Akashi


> Please, update tools/mkeficapsule.c before using these. A
> man-page for mkeficapsule in doc/usage/ would be helpful.
> 
> $ tools/mkeficapsule --help
> Usage: mkeficapsule [options] <output file>
> Options:
>         --fit <fit image>       new FIT image file
>         --raw <raw image>       new raw image file
>         --index <index>         update image index
>         --instance <instance>   update hardware instance
>         --public-key <key file> public key esl file
>         --dtb <dtb file>        dtb file
>         --overlay               the dtb file is an overlay
>         --help                  print a help message
> 
> Best regards
> 
> Heinrich
> 
> >   cfg: u-boot.cfg
> > 
> >   quiet_cmd_cfgcheck = CFGCHK  $2
> > @@ -1104,8 +1108,14 @@ endif
> >   PHONY += dtbs
> >   dtbs: dts/dt.dtb
> >     @:
> > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)
> > +dts/dt.dtb: u-boot tools
> > +   $(Q)$(MAKE) $(build)=dts dtbs
> > +   $(call cmd,mkeficapsule)
> > +else
> >   dts/dt.dtb: u-boot
> >     $(Q)$(MAKE) $(build)=dts dtbs
> > +endif
> > 
> >   quiet_cmd_copy = COPY    $@
> >         cmd_copy = cp $< $@
> > 
>

Reply via email to