On Wed, Apr 28, 2021 at 03:31:36PM +0900, Masami Hiramatsu wrote:
> 2021年4月28日(水) 14:44 AKASHI Takahiro <takahiro.aka...@linaro.org>:
> >
> > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:
> > > On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> > > > Add provision for embedding the public key used for capsule
> > > > authentication in the platform's dtb. This is done by invoking the
> > > > mkeficapsule utility which puts the public key in the efi signature
> > > > list(esl) format into the dtb.
> > > >
> > > > Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org>
> > > > ---
> > > > Makefile | 10 ++++++++++
> > > > 1 file changed, 10 insertions(+)
> > > >
> > > > diff --git a/Makefile b/Makefile
> > > > index 193aa4d1c9..0d50c6a805 100644
> > > > --- a/Makefile
> > > > +++ b/Makefile
> > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || {
> > > > rm -f $@; false; }
> > > > quiet_cmd_lzma = LZMA $@
> > > > cmd_lzma = lzma -c -z -k -9 $< > $@
> > > >
> > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE $@
> > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K
> > > > $(CONFIG_EFI_PKEY_FILE) \
> > > > + -D $@
> > > > +
> > >
> > > tools/mkeficapsule --help does neither show a parameter -K nor a
> > > parameter -D.
> >
> > This clearly shows that the feature with -K/-D has nothing to do with
> > creating a capsule file.
> > Two totally different things in one place (command).
> > And the dtb overlay operation can be achieved by using standard commands.
>
> If I understand correctly, we need the following steps,
> 1. prepare the key for signing
> 2. make dtb overlay from that key
> 3. sign the capsule with the key
>
> And Sughosh's implementation is using mkeficapsule for 2 and 3.
> Takahiro pointed that mkeficapsule is only for 3 because of its name
> and avoid confusion.
>
> Is that correct?
>
> What would you think about changing the tool name?
> E.g.
>
> For step 2.
> capsuletool dtb --public-key pubkey [--overlay] target.dtb
My point is: as this command line shows, it has nothing to do
with a capsule file. It simply deals with dtb blob for overlaying.
(So 'capsuletool' is not appropriate.)
-Takahiro Akashi
> For step 3.
> capsuletool capsule --raw u-boot.bin --index 1 --public-key pubkey u-boot.cap
>
> Then we can expand it for inspection, verify etc.
>
> Thank you,
>
> >
> > I believe that the feature should be removed from mkeficapsule.
> >
> > -Takahiro Akashi
> >
> >
> > > Please, update tools/mkeficapsule.c before using these. A
> > > man-page for mkeficapsule in doc/usage/ would be helpful.
> > >
> > > $ tools/mkeficapsule --help
> > > Usage: mkeficapsule [options] <output file>
> > > Options:
> > > --fit <fit image> new FIT image file
> > > --raw <raw image> new raw image file
> > > --index <index> update image index
> > > --instance <instance> update hardware instance
> > > --public-key <key file> public key esl file
> > > --dtb <dtb file> dtb file
> > > --overlay the dtb file is an overlay
> > > --help print a help message
> > >
> > > Best regards
> > >
> > > Heinrich
> > >
> > > > cfg: u-boot.cfg
> > > >
> > > > quiet_cmd_cfgcheck = CFGCHK $2
> > > > @@ -1104,8 +1108,14 @@ endif
> > > > PHONY += dtbs
> > > > dtbs: dts/dt.dtb
> > > > @:
> > > > +ifeq
> > > > ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)
> > > > +dts/dt.dtb: u-boot tools
> > > > + $(Q)$(MAKE) $(build)=dts dtbs
> > > > + $(call cmd,mkeficapsule)
> > > > +else
> > > > dts/dt.dtb: u-boot
> > > > $(Q)$(MAKE) $(build)=dts dtbs
> > > > +endif
> > > >
> > > > quiet_cmd_copy = COPY $@
> > > > cmd_copy = cp $< $@
> > > >
> > >
>
>
>
> --
> Masami Hiramatsu
