From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Tom Rini
Subject: [PATCH 0/5] capsule: Embed the public key ESL as part of build
Date: Tue, 15 Aug 2023 21:56:18 +0530
Message-Id: <20230815162623.1824357-1-sughosh.ganu@linaro.org>

This series takes a different approach to embedding the public key
EFI Signature List (ESL) needed for capsule authentication into the
platform's DTB. The earlier approach [1] was using a u-boot.dtsi file
to embed the key. But this approach has a few issues.

1) The path of the incbin file is not relative to $(srctree), but
   relative to the directory of the dts file which is including the
   dtsi -- this causes problems when the dts files are located in
   different directories.

2) The u-boot.dtsi file only gets included in the DTB if there are no
   other *u-boot.dtsi files being included.

3) A separate u-boot.dtsi is needed per arch.

To get around these issues, this approach generates a dtsi file
(.capsule_esl.dtsi) with the public key node during build. This
generated dtsi file contains the resolved path to the ESL and is then
included for the DTB generation.

The first patch of the series also cleans up the logic to include the
dtsi files, by collating all the dtsi files to be included into a
single variable.

These patches need to be applied on top of the series for generating
the capsules as part of the build [2].

[1] - https://lists.denx.de/pipermail/u-boot/2023-August/526323.html
[2] - https://lore.kernel.org/u-boot/20230812153024.334563-1-sughosh.ganu@linaro.org/T/#m85a50079007acf8943cfe8efcc7d78d23a40db7c

Changes since RFC series:
* s/include_files/dtsi_include_list
* Remove the default value of the config symbol.
* s/include_files/dtsi_include_list
* Add all the dtsi files being included as dependency for the dtb
  target.
* s/u-boot/U-Boot in the commit message.
* New patch for removing superfluous logic from efi capsule update
  test setup.

Sughosh Ganu (5):
  scripts/Makefile.lib: Collate all dtsi files for inclusion
  scripts/Makefile.lib: Embed capsule public key in platform's dtb
  sandbox: capsule: Add path to the public key ESL file
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  test: capsule: Remove logic to add public key ESL

 configs/sandbox_defconfig | 1 +
 configs/sandbox_flattree_defconfig | 1 +
 doc/develop/uefi/uefi.rst | 19 ++++---------
 lib/efi_loader/Kconfig | 8 ++++++
 lib/efi_loader/capsule_esl.dtsi.in | 11 ++++++++
 scripts/Makefile.lib | 29 ++++++++++++++++----
 test/py/tests/test_efi_capsule/conftest.py | 28 +++++--------------
 test/py/tests/test_efi_capsule/signature.dts | 10 -------
 8 files changed, 57 insertions(+), 50 deletions(-)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts