@@ -743,6 +743,7 @@ F: cmd/bootefi.c
F: cmd/efidebug.c
F: cmd/nvedit_efi.c
F: tools/efivar.py
+F: tools/fdtsig.sh
F: tools/file2include.c
F: tools/mkeficapsule.c
new file mode 100755
@@ -0,0 +1,40 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0+
+#
+# script to add a certificate (efi-signature-list) to dtb blob
+
+usage() {
+ if [ -n "$*" ]; then
+ echo "ERROR: $*"
+ fi
+ echo "Usage: "$(basename $0) " <esl file> <dtb file>"
+}
+
+if [ "$#" -ne 2 ]; then
+ usage "Arguments missing"
+ exit 1
+fi
+
+ESL=$1
+DTB=$2
+NEW_DTB=$(basename $DTB)_tmp
+SIG=signature
+
+cat << 'EOF' > $SIG.dts
+/dts-v1/;
+/plugin/;
+
+&{/} {
+ signature {
+EOF
+echo "capsule-key = /incbin/(\"$ESL\");" >> $SIG.dts
+cat << 'EOF' >> $SIG.dts
+ };
+};
+EOF
+
+dtc -@ -I dts -O dtb -o $SIG.dtbo $SIG.dts
+fdtoverlay -i $DTB -o $NEW_DTB $SIG.dtbo
+mv $NEW_DTB $DTB
+
+rm $SIG.dts $SIG.dtsn $SIG.dtbo
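Review bot: The script's exit status cannot be trusted: there is no `set -e` or per-command check, so a failed `dtc` or `fdtoverlay` is not reported on its own. The final `rm` also names `$SIG.dtsn`, a file nothing in the script creates (presumably a typo), so it returns non-zero even when every earlier step succeeded. Because this step embeds the capsule public key in the DTB, a caller must be able to tell whether the key was really added; I would add `set -e` below the shebang and end with `rm -f "$SIG.dts" "$SIG.dtbo"`. `$ESL`, `$DTB` and `$NEW_DTB` are expanded unquoted, and `$ESL` is pasted into the DTS string literal as-is, so a path containing spaces or a double quote breaks the commands or the generated source; quote the expansions, e.g. `fdtoverlay -i "$DTB" -o "$NEW_DTB" "$SIG.dtbo"`. The fixed scratch names `signature.dts` and `signature.dtbo` in the current directory will also overwrite any existing files of those names.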
With this script, a public key is added to a device tree blob as the default efi_get_public_key_data() expects. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> --- MAINTAINERS | 1 + tools/fdtsig.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100755 tools/fdtsig.sh