From patchwork Thu Aug 17 05:48:50 2023
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 714382
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Tom Rini
Subject: [PATCH v2 0/6] capsule: Embed the public key ESL as part of build
Date: Thu, 17 Aug 2023 11:18:50 +0530
Message-Id: <20230817054856.2019253-1-sughosh.ganu@linaro.org>

This series takes a different approach to embedding the public key
EFI Signature List (ESL) needed for capsule authentication into the
platform's DTB. The earlier approach [1] was using a u-boot.dtsi file
to embed the key. But this approach has a few issues.

1) The path of the incbin file is not relative to $(srctree), but
   relative to the directory of the dts file which is using the incbin
   directive -- this causes problems when the dts files are located in
   different directories and they try to include the same binary.
2) The u-boot.dtsi file only gets included in the DTB if there are no
   other *u-boot.dtsi files being included.
3) A separate u-boot.dtsi is needed per arch.

To get around these issues, this approach generates a dtsi file
(.capsule_esl.dtsi) with the public key node during build. This
generated dtsi file contains the resolved path to the ESL and is then
included for the DTB generation.

The first patch of the series also cleans up the logic to include the
dtsi files, by collating all the dtsi files to be included into a
single variable.

These patches need to be applied on top of the series for generating
the capsules as part of the build [2].

[1] - https://lists.denx.de/pipermail/u-boot/2023-August/526323.html
[2] - https://lore.kernel.org/u-boot/20230812153024.334563-1-sughosh.ganu@linaro.org/T/#m85a50079007acf8943cfe8efcc7d78d23a40db7c

Changes since V1:
* New patch which only sets the dependencies for the dtb build.
* Put only the setting of dtsi_include_list under the ifdef, moving
  the rest of the logic out of the ifdef.

Sughosh Ganu (6):
  scripts/Makefile.lib: Collate all dtsi files for inclusion
  scripts/Makefile.lib: Add dtsi include files as deps for building DTB
  scripts/Makefile.lib: Embed capsule public key in platform's dtb
  sandbox: capsule: Add path to the public key ESL file
  test: capsule: Remove logic to add public key ESL
  doc: capsule: Document the new mechanism to embed ESL file into dtb

 configs/sandbox_defconfig                    |  1 +
 configs/sandbox_flattree_defconfig           |  1 +
 doc/develop/uefi/uefi.rst                    | 19 ++++---------
 lib/efi_loader/Kconfig                       |  8 ++++++
 lib/efi_loader/capsule_esl.dtsi.in           | 11 +++++++
 scripts/Makefile.lib                         | 30 ++++++++++++++++----
 test/py/tests/test_efi_capsule/conftest.py   | 28 +++++-------------
 test/py/tests/test_efi_capsule/signature.dts | 10 ------
 8 files changed, 58 insertions(+), 50 deletions(-)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts