On Fri, Jul 16, 2021 at 07:49:09AM -0600, Simon Glass wrote:
> Hi Ilias,
>
> On Thu, 15 Jul 2021 at 11:00, Ilias Apalodimas
> <ilias.apalodi...@linaro.org> wrote:
> >
> > The capsule signature is now part of our DTB. This is problematic when a
> > user is allowed to change/fixup that DTB from U-Boot's command line since he
> > can overwrite the signature as well.
>
> Do you mean with the 'fdt' command?
>
> If you mean the FDT fixups, they happen to a different DT, the one
> being passed to Linux.
>

This was only usable in QEMU pre-patch. I think Sughosh replaced the entire DTB
(including the signature) on his tests. Sughosh?

Cheers
/Ilias

> > So instead of adding the key on the DTB, embed it in the u-boot binary
> > itself as part of its .rodata. This assumes that the U-Boot binary we load
> > is authenticated by a previous boot stage loader.
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
> > ---
> >  board/emulation/common/Makefile       |  1 -
> >  board/emulation/common/qemu_capsule.c | 43 ---------------------------
> >  include/asm-generic/sections.h        |  2 ++
> >  lib/efi_loader/Kconfig                |  6 ++++
> >  lib/efi_loader/Makefile               |  8 +++++
> >  lib/efi_loader/efi_capsule.c          | 18 +++++++++--
> >  lib/efi_loader/efi_capsule_key.S      |  8 +++++
> >  7 files changed, 39 insertions(+), 47 deletions(-)
> >  delete mode 100644 board/emulation/common/qemu_capsule.c
> >  create mode 100644 lib/efi_loader/efi_capsule_key.S
>
> Regards,
> Simon