From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Tom Rini
Subject: [RFC PATCH 0/4] capsule: Embed the public key ESL as part of build
Date: Mon, 14 Aug 2023 14:33:05 +0530
Message-Id: <20230814090309.1548310-1-sughosh.ganu@linaro.org>

This is an RFC series which takes a different approach to embedding the
public key EFI Signature List (ESL) needed for capsule authentication
into the platform's DTB. The earlier approach [1] was using a
u-boot.dtsi file to embed the key. But this approach has a few issues.

1) The path of the incbin file is not relative to $(srctree), but
   relative to the directory of the dts file which is including the
   dtsi.

2) The u-boot.dtsi file only gets included in the DTB if there are no
   other *u-boot.dtsi files being included.

3) A separate u-boot.dtsi is needed per arch.

To get around these issues, this approach generates a dtsi file
(.capsule_esl.dtsi) with the public key node during build. This
generated dtsi file contains the resolved path to the ESL and is then
included for the DTB generation.

The first patch of the series also cleans up the logic to include the
dtsi files, by collating all the dtsi files to be included into a
single variable.

Since this is an RFC, I have only build tested this on sandbox variants
and not put this through a CI run.

These patches need to be applied on top of the series for generating
the capsules as part of the build [2].

[1] - https://lists.denx.de/pipermail/u-boot/2023-August/526323.html
[2] - https://lore.kernel.org/u-boot/20230812153024.334563-1-sughosh.ganu@linaro.org/T/#m85a50079007acf8943cfe8efcc7d78d23a40db7c

Sughosh Ganu (4):
  scripts/Makefile.lib: Collate all dtsi files for inclusion
  scripts/Makefile.lib: Embed capsule public key in platform's dtb
  sandbox: capsule: Add path to the public key ESL file
  doc: capsule: Document the new mechanism to embed ESL file into dtb

 configs/sandbox_defconfig          |  1 +
 configs/sandbox_flattree_defconfig |  1 +
 doc/develop/uefi/uefi.rst          | 19 +++++--------------
 lib/efi_loader/Kconfig             |  9 +++++++++
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
 scripts/Makefile.lib               | 28 ++++++++++++++++++++++++----
 6 files changed, 51 insertions(+), 18 deletions(-)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
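
The generated-dtsi approach described in the cover letter, as an added shell sketch that is not the series' Makefile rule or any U-Boot code: it resolves the ESL to an absolute path (the fix for issue 1) and refuses to emit the dtsi when the key file is missing or is not an ESL. The function names are hypothetical, the `signature`/`capsule-key` node layout is assumed from U-Boot's UEFI capsule documentation, and the X.509 check assumes the ESL was built from an X.509 certificate.

```shell
#!/bin/sh
# Added example (not U-Boot's Makefile rule): generate a dtsi that embeds
# the capsule public key ESL through an absolute /incbin/ path.

# EFI_CERT_X509_GUID as stored on disk (first 16 bytes of an X.509 ESL).
X509_ESL_GUID="a159c0a5e494a74a87b5ab155c2bf072"

# gen_capsule_esl_dtsi ESL_FILE OUT_DTSI   (hypothetical helper)
# Returns non-zero, and writes nothing, if the key file is unusable.
gen_capsule_esl_dtsi() {
    esl=$1
    out=$2
    [ -s "$esl" ] || { echo "ESL missing or empty: $esl" >&2; return 1; }

    # Resolve to an absolute path so /incbin/ does not depend on the
    # directory of whichever dts ends up including this file.
    dir=$(cd "$(dirname "$esl")" && pwd -P) || return 1
    abs="$dir/$(basename "$esl")"

    # Assumption: the ESL holds an X.509 signature list, so its first
    # 16 bytes must be EFI_CERT_X509_GUID.
    guid=$(od -An -tx1 -N16 "$esl" | tr -d ' \n')
    [ "$guid" = "$X509_ESL_GUID" ] || {
        echo "not an X.509 ESL: $abs" >&2
        return 1
    }

    # Node layout assumed from U-Boot's UEFI capsule documentation.
    printf '/ {\n\tsignature {\n\t\tcapsule-key = /incbin/("%s");\n\t};\n};\n' \
        "$abs" > "$out"
}

# Constructed sample input: the 16-byte GUID plus padding, not a real key.
make_sample_esl() {
    printf '\241\131\300\245\344\224\247\112\207\265\253\025\134\053\360\162' > "$1"
    printf 'constructed-sample-padding' >> "$1"
}
```

Failing closed here matters because a dtsi that silently omits the key node would leave the resulting DTB without the public key that capsule authentication depends on.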