Wed, Apr 28, 2021 at 14:44 AKASHI Takahiro <takahiro.aka...@linaro.org>: > > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote: > > On 4/7/21 1:53 PM, Sughosh Ganu wrote: > > > Add provision for embedding the public key used for capsule > > > authentication in the platform's dtb. This is done by invoking the > > > mkeficapsule utility which puts the public key in the EFI signature > > > list (esl) format into the dtb. > > > > > > Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org> > > > --- > > > Makefile | 10 ++++++++++ > > > 1 file changed, 10 insertions(+) > > > > > > diff --git a/Makefile b/Makefile > > > index 193aa4d1c9..0d50c6a805 100644 > > > --- a/Makefile > > > +++ b/Makefile > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm > > > -f $@; false; } > > > quiet_cmd_lzma = LZMA $@ > > > cmd_lzma = lzma -c -z -k -9 $< > $@ > > > > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE $@ > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K > > > $(CONFIG_EFI_PKEY_FILE) \ > > > + -D $@ > > > + > > > > tools/mkeficapsule --help shows neither a parameter -K nor a > > parameter -D. > > This clearly shows that the feature with -K/-D has nothing to do with > creating a capsule file. > Two totally different things in one place (command). > And the dtb overlay operation can be achieved by using standard commands.
If I understand correctly, we need the following steps: 1. prepare the key for signing 2. make dtb overlay from that key 3. sign the capsule with the key And Sughosh's implementation is using mkeficapsule for 2 and 3. Takahiro pointed out that mkeficapsule is only for 3 because of its name, and to avoid confusion. Is that correct? What would you think about changing the tool name? E.g. For step 2. capsuletool dtb --public-key pubkey [--overlay] target.dtb For step 3. capsuletool capsule --raw u-boot.bin --index 1 --public-key pubkey u-boot.cap Then we can expand it for inspection, verification, etc. Thank you, > > I believe that the feature should be removed from mkeficapsule. > > -Takahiro Akashi > > > > Please update tools/mkeficapsule.c before using these. A > > man page for mkeficapsule in doc/usage/ would be helpful. > > > > $ tools/mkeficapsule --help > > Usage: mkeficapsule [options] <output file> > > Options: > > --fit <fit image> new FIT image file > > --raw <raw image> new raw image file > > --index <index> update image index > > --instance <instance> update hardware instance > > --public-key <key file> public key esl file > > --dtb <dtb file> dtb file > > --overlay the dtb file is an overlay > > --help print a help message > > > > Best regards > > > > Heinrich > > > > > cfg: u-boot.cfg > > > > > > quiet_cmd_cfgcheck = CFGCHK $2 > > > @@ -1104,8 +1108,14 @@ endif > > > PHONY += dtbs > > > dtbs: dts/dt.dtb > > > @: > > > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy) > > > +dts/dt.dtb: u-boot tools > > > + $(Q)$(MAKE) $(build)=dts dtbs > > > + $(call cmd,mkeficapsule) > > > +else > > > dts/dt.dtb: u-boot > > > $(Q)$(MAKE) $(build)=dts dtbs > > > +endif > > > > > > quiet_cmd_copy = COPY $@ > > > cmd_copy = cp $< $@ > > > > > -- Masami Hiramatsu
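Review bot: the new cmd_mkeficapsule in the @@ -1010 hunk invokes the tool with `-K $(CONFIG_EFI_PKEY_FILE)` and `-D $@`, but the `tools/mkeficapsule --help` output quoted in this thread lists only `--public-key <key file>`, `--dtb <dtb file>` and `--overlay`, with no short -K/-D forms, so the build would depend on undocumented flags; either switch the recipe to the documented long options or add the short forms to the help text in tools/mkeficapsule.c (and the doc/usage man page Heinrich asks for) in the same series. The commit message should also spell out that what gets embedded is the public half in esl format and how CONFIG_EFI_PKEY_FILE is expected to point at it, since the key written here is what decides which capsules the firmware will later accept, and a wrong or stale key file is not something the build would otherwise flag.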
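Review bot: in the @@ -1104 hunk the key file is not a prerequisite of the new `dts/dt.dtb: u-boot tools` rule, so replacing or rotating $(CONFIG_EFI_PKEY_FILE) will not regenerate the dtb and the previously embedded public key silently survives until a clean build; add it to the prerequisites, e.g. `dts/dt.dtb: u-boot tools $(CONFIG_EFI_PKEY_FILE)`. The ifeq also duplicates the entire dts/dt.dtb rule rather than making only the extra `$(call cmd,mkeficapsule)` line conditional, which invites the two recipes drifting apart. Because `-D $@` rewrites the rule's own target in place, a failing tool run can leave a partially written dt.dtb with a fresh timestamp that make then treats as up to date; the `|| { rm -f $@; false; }` idiom already used by cmd_pad_cat in the context of the first hunk is the existing pattern for cleaning up the target on failure.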