On Mon, 21 Aug 2023 at 10:29, Sughosh Ganu <sughosh.g...@linaro.org> wrote: > > The EFI capsule authentication logic in u-boot expects the public key > in the form of an EFI Signature List(ESL) to be provided as part of > the platform's dtb. Currently, the embedding of the ESL file into the > dtb needs to be done manually. > > Add a target for generating a dtsi file which contains the signature > node with the ESL file included as a property under the signature > node. Include the dtsi file in the dtb. This brings the embedding of > the ESL in the dtb into the U-Boot build flow. > > The path to the ESL file is specified through the > CONFIG_EFI_CAPSULE_ESL_FILE symbol. > > Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org> > Reviewed-by: Tom Rini <tr...@konsulko.com> > --- > Changes since V2: None > > lib/efi_loader/Kconfig | 8 ++++++++ > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ > scripts/Makefile.lib | 15 +++++++++++++++ > 3 files changed, 34 insertions(+) > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index 9989e3f384..d20aaab6db 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX > Select the max capsule index value used for capsule report > variables. This value is used to create CapsuleMax variable. > > +config EFI_CAPSULE_ESL_FILE > + string "Path to the EFI Signature List File" > + depends on EFI_CAPSULE_AUTHENTICATE > + help > + Provides the path to the EFI Signature List file which will > + be embedded in the platform's device tree and used for > + capsule authentication at the time of capsule update. > + > config EFI_DEVICE_PATH_TO_TEXT > bool "Device path to text protocol" > default y > diff --git a/lib/efi_loader/capsule_esl.dtsi.in > b/lib/efi_loader/capsule_esl.dtsi.in > new file mode 100644 > index 0000000000..61a9f2b25e > --- /dev/null > +++ b/lib/efi_loader/capsule_esl.dtsi.in 
> @@ -0,0 +1,11 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/** > + * Devicetree file with the public key EFI Signature List(ESL) > + * node. This file is used to generate the dtsi file to be > + * included into the DTB. > +*/ > +/ { > + signature { > + capsule-key = /incbin/("ESL_BIN_FILE"); > + }; > +}; > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib > index 8c5e25c31c..3cec46bb15 100644 > --- a/scripts/Makefile.lib > +++ b/scripts/Makefile.lib > @@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ > ; \ > sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > > $(depfile) > > +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ > +cmd_capsule_esl_gen = \ > + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" > $(capsule_esl_input_file) > $@) > + > +$(obj)/.capsule_esl.dtsi: > + $(call cmd_capsule_esl_gen) > + > +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in > +capsule_esl_dtsi = .capsule_esl.dtsi > +capsule_esl_path=$(abspath $(srctree)/$(subst > $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) > + > +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE > +dtsi_include_list += $(capsule_esl_dtsi) > +endif > + > dtsi_include_list_deps = $(addprefix $(obj)/,$(subst > $(quote),,$(dtsi_include_list))) > > $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE > -- > 2.34.1 >
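Review bot: In the lib/efi_loader/Kconfig hunk, the help text for EFI_CAPSULE_ESL_FILE does not say that the path is interpreted relative to the source tree, and the symbol has no default, so it can be left empty while EFI_CAPSULE_AUTHENTICATE is enabled. The scripts/Makefile.lib hunk builds the path as `$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))`, so an absolute path gets the source tree prepended and an empty string resolves to the source tree directory itself, which is not a file that /incbin/ can include. Please state in the help text that the path is relative to the source tree, and consider failing the build with a clear message when the string is empty.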
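Review bot: In lib/efi_loader/capsule_esl.dtsi.in, the header comment opens with `/**`, the kernel-doc marker, although it documents no symbol, and its closing `*/` is not aligned with the ` *` lines above it. A plain `/*` opener with the closer indented by one space would match the usual comment style. It would also help to say in the comment that ESL_BIN_FILE is a placeholder replaced by cmd_capsule_esl_gen in scripts/Makefile.lib, so the template is not mistaken for a dtsi that can be included directly.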
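Review bot: In the scripts/Makefile.lib hunk, the rule `$(obj)/.capsule_esl.dtsi:` lists no prerequisites, so once the file exists make will not regenerate it when CONFIG_EFI_CAPSULE_ESL_FILE or capsule_esl.dtsi.in changes, and the dtb can keep pointing at the previously configured key file. Since this node carries the key used for capsule authentication, a stale path is worth ruling out: add $(capsule_esl_input_file) as a prerequisite and use FORCE with `$(call if_changed,capsule_esl_gen)` so a changed command line triggers a rebuild. Two smaller points in the same hunk: the recipe runs sed through `$(shell ...)` and is invoked as `$(call cmd_capsule_esl_gen)`, so quiet_cmd_capsule_esl_gen is never printed (`$(call cmd,capsule_esl_gen)` with the sed command written directly would use it), and the sed expression uses `:` as its delimiter, so an ESL path containing `:` or `&` will produce a wrong substitution.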
Reviewed-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>