Hi Sughosh, On Sat, 5 Aug 2023 at 05:35, Sughosh Ganu <sughosh.g...@linaro.org> wrote:
>
> The EFI capsule authentication logic in u-boot expects the public key
> in the form of an EFI Signature List(ESL) to be provided as part of
> the platform's dtb. Currently, the embedding of the ESL file into the
> dtb needs to be done manually.
>
> Add a signature node in the u-boot dtsi file and include the public
> key through the capsule-key property. This file is per architecture,
> and is currently being added for sandbox and arm architectures. It
> will have to be added for other architectures which need to enable
> capsule authentication support.
>
> The path to the ESL file is specified through the
> CONFIG_EFI_CAPSULE_ESL_FILE symbol.
>
> Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org>
> ---
> Changes since V6:
> * Populate the CONFIG_EFI_CAPSULE_ESL_FILE symbol for sandbox and
> sandbox_flattree which enable capsule authentication.
>
> Note:
> Simon Glass had asked me to rid of the CONFIG_EFI_HAVE_CAPSULE_SUPPORT
> ifdef used in the sandbox' u-boot.dtsi file. However, that results in
> the sandbox_vpl test failing in CI. Hence that check has been kept.
>
>
> arch/arm/dts/u-boot.dtsi | 14 ++++++++++++++
> arch/sandbox/dts/u-boot.dtsi | 17 +++++++++++++++++
> configs/sandbox_defconfig | 1 +
> configs/sandbox_flattree_defconfig | 1 +
> lib/efi_loader/Kconfig | 9 +++++++++
> 5 files changed, 42 insertions(+)
> create mode 100644 arch/arm/dts/u-boot.dtsi
> create mode 100644 arch/sandbox/dts/u-boot.dtsi
>
> diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi
> new file mode 100644
> index 0000000000..4f31da4521
> --- /dev/null
> +++ b/arch/arm/dts/u-boot.dtsi
> @@ -0,0 +1,14 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/**
> + * Devicetree file with miscellaneous nodes that will be included
> + * at build time into the DTB. Currently being used for including
> + * capsule related information.
> + */
> +
> +#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> +/ {
> + signature {
> + capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> + };
> +};
> +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
> diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
> new file mode 100644
> index 0000000000..60bd004937
> --- /dev/null
> +++ b/arch/sandbox/dts/u-boot.dtsi
> @@ -0,0 +1,17 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Devicetree file with miscellaneous nodes that will be included
> + * at build time into the DTB. Currently being used for including
> + * capsule related information.
> + *
> + */
> +
> +#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
> +/ {
> +#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> + signature {
> + capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> + };
> +#endif
> +};
> +#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
> diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
> index b6c4f735f2..779af4abc8 100644
> --- a/configs/sandbox_defconfig
> +++ b/configs/sandbox_defconfig
> @@ -341,6 +341,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
> CONFIG_EFI_CAPSULE_ON_DISK=y
> CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> +CONFIG_EFI_CAPSULE_ESL_FILE="../../../board/sandbox/SIGNER.esl"
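Review bot: The `signature` node in arch/arm/dts/u-boot.dtsi only reaches the DTB on boards for which the build actually selects this file, and neither header comment says so; the same applies to arch/sandbox/dts/u-boot.dtsi. As far as I recall, the build picks a single `*-u-boot.dtsi` per board and falls back to plain `u-boot.dtsi` only when no more specific one exists. If so, an arm board with its own file could build with CONFIG_EFI_CAPSULE_AUTHENTICATE=y and no `capsule-key`, which would only show up at capsule-update time; please confirm against the dtsi selection logic. If that is right, the header comment should say it, e.g. ` * Only used when the board has no more specific *-u-boot.dtsi; such files must add the signature node themselves.` As a minor style point, the arm file opens its comment with `/**` while the sandbox file uses `/*`; plain `/*` fits both, since neither is a kernel-doc comment.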
Can we avoid the path here, and just use e.g. good.esl ? Perhaps this could be fixed up later, e.g. by adding the board directory as an include dir when building the DT?
> CONFIG_EFI_SECURE_BOOT=y
> CONFIG_TEST_FDTDEC=y
> CONFIG_UNIT_TEST=y
> diff --git a/configs/sandbox_flattree_defconfig
> b/configs/sandbox_flattree_defconfig
> index 8aa295686d..0ca2e4a5ae 100644
> --- a/configs/sandbox_flattree_defconfig
> +++ b/configs/sandbox_flattree_defconfig
> @@ -227,6 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
> CONFIG_EFI_CAPSULE_ON_DISK=y
> CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
> CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> +CONFIG_EFI_CAPSULE_ESL_FILE="../../../board/sandbox/SIGNER.esl"
> CONFIG_UNIT_TEST=y
> CONFIG_UT_TIME=y
> CONFIG_UT_DM=y
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index a22e47616f..0d559ff3a1 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -235,6 +235,15 @@ config EFI_CAPSULE_MAX
> Select the max capsule index value used for capsule report
> variables. This value is used to create CapsuleMax variable.
>
> +config EFI_CAPSULE_ESL_FILE
> + string "Path to the EFI Signature List File"
> + default ""
> + depends on EFI_CAPSULE_AUTHENTICATE
> + help
> + Provides the absolute path to the EFI Signature List file which
It isn't really an absolute path as it doesn't start with / You really can't/shouldn't use absolute paths in a U-Boot build.
> + will be embedded in the platform's device tree and used for
> + capsule authentication at the time of capsule update.
> +
> config EFI_DEVICE_PATH_TO_TEXT
> bool "Device path to text protocol"
> default y
> --
> 2.34.1
>
Regards, Simon
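Review bot: In the `EFI_CAPSULE_ESL_FILE` entry, `default ""` leaves the path empty on every board that enables EFI_CAPSULE_AUTHENTICATE, and the arm dtsi in this patch then passes it to `/incbin/()` unconditionally. An empty filename presumably makes the devicetree build fail with a file-open error that never names the symbol; that is fail-closed, but hard to diagnose. The help text should state the requirement, e.g. `This must be set when EFI_CAPSULE_AUTHENTICATE is enabled.` Since this file is the trust anchor for capsule updates, the help could also add `The file holds the public key only; do not reuse a test key on production boards.`, given that both sandbox defconfigs point at an in-tree `SIGNER.esl`.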