On Wed, May 12, 2021 at 12:01:32PM +0200, Heinrich Schuchardt wrote:
> On 12.05.21 10:01, Ilias Apalodimas wrote:
> > On Wed, May 12, 2021 at 04:49:02PM +0900, Masami Hiramatsu wrote:
> >> Hi Ilias,
> >>
> >> 2021年5月12日(水) 16:21 Ilias Apalodimas <ilias.apalodi...@linaro.org>:
> >>>
> >>> Akashi-san,
> >>>
> >>> On Wed, May 12, 2021 at 01:57:51PM +0900, AKASHI Takahiro wrote:
> >>>> As we discussed, "-K" and "-D" options have nothing to do with
> >>>> creating a capsule file. The same result can be obtained by
> >>>> using standard commands like:
> >>>> === signature.dts ===
> >>>> /dts-v1/;
> >>>> /plugin/;
> >>>>
> >>>> &{/} {
> >>>> signature {
> >>>> capsule-key = /incbin/("SIGNER.esl");
> >>>> };
> >>>> };
> >>>> ===
> >>>> $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
> >>>> $ fdtoverlay -i test.dtb -o test_sig.dtb -v signature.dtbo
> >>>>
> >>>> So just remove this feature.
> >>>> (Effectively revert the commit 322c813f4bec ("mkeficapsule: Add support
> >>>> for embedding public key in a dtb").)
> >>>>
> >>>> The same feature is implemented by a shell script (tools/fdtsig.sh).
> >>>
> >>>
> >>> The only reason I can see to keep this, is if mkeficapsule gets included
> >>> intro distro packages in the future. That would make end users life a bit
> >>> easier, since they would need a single binary to create the whole
> >>> CapsuleUpdate sequence.
> >>
> >> Hmm, I think it is better to write a manpage of mkeficapsule which
> >> also describes
> >> how to embed the key into dtb as in the above example if it is so short.
> >> Or, distros can package the above shell script with mkeficapsule.
> >>
> >> Embedding a key and signing a capsule are different operations but
> >> using the same tool may confuse users (at least me).
> >
> > Sure fair enough. I am merely pointing out we need a way to explain all of
> > those to users.
>
> This is currently our only documentation:
>
> https://u-boot.readthedocs.io/en/latest/board/emulation/qemu_capsule_update.html?highlight=mkeficapsule
As I mentioned several times (and TODO in the cover letter),
this text must be reviewed, revised and generalized
as a platform-independent document.
It contains a couple of errors.
> For mkimage we have a man-page ./doc/mkimage.1 that is packaged with
> Debians u-boot-tools package. Please, provide a similar man-page as
> ./doc/mkeficapsule.1.
So after all do you agree to removing "-K/-D"?
Otherwise, I cannot complete the man page.
-Takahiro Akashi
> Best regards
>
> Heinrich
