This is an RFC series which takes a different approach to embedding the public key EFI Signature List (ESL) needed for capsule authentication into the platform's DTB.

The earlier approach [1] was using a u-boot.dtsi file to embed the key. But this approach has a few issues.

1) The path of the incbin file is not relative to $(srctree), but relative to the directory of the dts file which is including the dtsi.
2) The u-boot.dtsi file only gets included in the DTB if there are no other *u-boot.dtsi files being included.
3) A separate u-boot.dtsi is needed per arch.

To get around these issues, this approach generates a dtsi file (.capsule_esl.dtsi) with the public key node during build. This generated dtsi file contains the resolved path to the ESL and is then included for the DTB generation.

The first patch of the series also cleans up the logic to include the dtsi files, by collating all the dtsi files to be included into a single variable.

Since this is an RFC, I have only build tested this on sandbox variants and not put this through a CI run.

These patches need to be applied on top of the series for generating the capsules as part of the build [2].

[1] - https://lists.denx.de/pipermail/u-boot/2023-August/526323.html
[2] - https://lore.kernel.org/u-boot/20230812153024.334563-1-sughosh.g...@linaro.org/T/#m85a50079007acf8943cfe8efcc7d78d23a40db7c

Sughosh Ganu (4):
  scripts/Makefile.lib: Collate all dtsi files for inclusion
  scripts/Makefile.lib: Embed capsule public key in platform's dtb
  sandbox: capsule: Add path to the public key ESL file
  doc: capsule: Document the new mechanism to embed ESL file into dtb

 configs/sandbox_defconfig          |  1 +
 configs/sandbox_flattree_defconfig |  1 +
 doc/develop/uefi/uefi.rst          | 19 +++++--------------
 lib/efi_loader/Kconfig             |  9 +++++++++
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
 scripts/Makefile.lib               | 28 ++++++++++++++++++++++++----
 6 files changed, 51 insertions(+), 18 deletions(-)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in

--
2.34.1