From patchwork Tue Aug 15 16:26:20 2023
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 713789
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Tom Rini, Sughosh Ganu
Subject: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
Date: Tue, 15 Aug 2023 21:56:20 +0530
Message-Id: <20230815162623.1824357-3-sughosh.ganu@linaro.org>
In-Reply-To: <20230815162623.1824357-1-sughosh.ganu@linaro.org>
References: <20230815162623.1824357-1-sughosh.ganu@linaro.org>

The EFI capsule authentication logic in u-boot expects the public key in the form of an EFI Signature List (ESL) to be provided as part of the platform's dtb. Currently, the embedding of the ESL file into the dtb needs to be done manually.

Add a target for generating a dtsi file which contains the signature node with the ESL file included as a property under the signature node. Include the dtsi file in the dtb. This brings the embedding of the ESL in the dtb into the U-Boot build flow. The path to the ESL file is specified through the CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu --- Changes since RFC series: * Remove the default value of the config symbol. * s/include_files/dtsi_include_list * Add all the dtsi files being included as dependency for the dtb target. lib/efi_loader/Kconfig | 8 ++++++++ lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++ scripts/Makefile.lib | 18 +++++++++++++++++- 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 lib/efi_loader/capsule_esl.dtsi.in diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 9989e3f384..d20aaab6db 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX Select the max capsule index value used for capsule report variables. This value is used to create CapsuleMax variable. +config EFI_CAPSULE_ESL_FILE + string "Path to the EFI Signature List File" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provides the path to the EFI Signature List file which will + be embedded in the platform's device tree and used for + capsule authentication at the time of capsule update. + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in new file mode 100644 index 0000000000..61a9f2b25e --- /dev/null +++ b/lib/efi_loader/capsule_esl.dtsi.in @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0+ +/** + * Devicetree file with the public key EFI Signature List(ESL) + * node. This file is used to generate the dtsi file to be + * included into the DTB. +*/ +/ { + signature { + capsule-key = /incbin/("ESL_BIN_FILE"); + }; +}; diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 368b5a3e28..2e71f190bc 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib 
@@ -334,7 +334,23 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) -$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = \ + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) + +$(obj)/.capsule_esl.dtsi: + $(call cmd_capsule_esl_gen) + +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in +capsule_esl_dtsi = .capsule_esl.dtsi +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) +dtsi_include_list += $(capsule_esl_dtsi) +endif + +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) + +$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE $(call if_changed_dep,dtc) pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
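Review bot: in the lib/efi_loader/Kconfig hunk, EFI_CAPSULE_ESL_FILE has no default and nothing rejects an empty string, yet the Makefile.lib hunk expands it as `$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))`; left empty, that resolves to the source tree directory itself and the problem only surfaces as a dtc error on `/incbin/` instead of at configuration time. The help text should say the path is taken relative to the source tree (which the Makefile hunk implies but the help does not), and the Makefile side should fail early with a clear message, e.g. via `$(wildcard $(capsule_esl_path))`, when the file is missing.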
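Review bot: the capsule_esl.dtsi.in hunk fixes the node and property names (`signature { capsule-key = /incbin/("ESL_BIN_FILE"); };`) but nothing in this patch ties them to the names the capsule authentication code reads, so a mismatch builds cleanly and only shows up as a verification failure at update time; a one-line comment naming the consumer of `signature`/`capsule-key` would make that contract visible to whoever edits either side. Minor style: the block comment opens with `/**` (kernel-doc style) for a plain comment, and its closing `*/` is not indented to match the preceding lines.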
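Review bot: in the scripts/Makefile.lib hunk, `$(obj)/.capsule_esl.dtsi:` has no prerequisites, so once the file exists it is never regenerated; changing CONFIG_EFI_CAPSULE_ESL_FILE (e.g. after rotating the capsule signing key) leaves the generated dtsi pointing at the old path, which is the wrong failure mode for a trust anchor. Give the rule `$(capsule_esl_input_file)` and `$(capsule_esl_path)` as prerequisites, or use `FORCE` with `if_changed` as the dtb rule below it does, so both the template and the configured path are tracked. Separately, `cmd_capsule_esl_gen = $(shell sed ... > $@)` runs sed during recipe expansion and leaves the recipe itself empty, and `$(call cmd_capsule_esl_gen)` never goes through `cmd`, so `quiet_cmd_capsule_esl_gen` is never printed; a plain `sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@` invoked via `$(call cmd,capsule_esl_gen)` fixes both. Note also that the `:` sed delimiter breaks for any path containing a colon.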
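The template above embeds whatever file CONFIG_EFI_CAPSULE_ESL_FILE points at, byte for byte, and nothing in the build checks that it is actually an EFI Signature List carrying a certificate. The following script is an added example, not part of this patch or of U-Boot: it parses the ESL per the UEFI EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout, confirms there is an X.509 entry whose data is DER rather than PEM text, and performs the same ESL_BIN_FILE substitution the patch does with sed, without a delimiter that a path could collide with. The owner GUID, the certificate stand-in bytes and the `key.esl` argument handling are constructed placeholders for this example.

```python
#!/usr/bin/env python3
"""Sanity-check an EFI Signature List before it is /incbin/'d into a DTB.

Added example, not U-Boot code. Layout per the UEFI specification:
  EFI_SIGNATURE_LIST { EFI_GUID SignatureType; UINT32 SignatureListSize;
                       UINT32 SignatureHeaderSize; UINT32 SignatureSize; ... }
  EFI_SIGNATURE_DATA { EFI_GUID SignatureOwner; UINT8 SignatureData[]; }
"""
import struct
import sys
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
OWNER_LEN = 16                           # size of EFI_SIGNATURE_DATA.SignatureOwner

# Constructed placeholders for the example; a real ESL comes from your signing CA.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x03\x02\x01\x05"  # DER SEQUENCE { INTEGER 5 }, standing in for a certificate

# Same node/property names as the patch's capsule_esl.dtsi.in template.
DTSI_TEMPLATE = (
    "// SPDX-License-Identifier: GPL-2.0+\n"
    "/ {\n"
    "\tsignature {\n"
    '\t\tcapsule-key = /incbin/("ESL_BIN_FILE");\n'
    "\t};\n"
    "};\n"
)


def parse_esl(blob: bytes) -> list:
    """Return one dict per signature entry across all concatenated lists.

    Raises ValueError on any structural inconsistency, so a truncated file or a
    PEM certificate handed over by mistake is rejected instead of embedded.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} inconsistent with file length")
        body_len = list_size - SIG_LIST_HDR.size - hdr_size
        # Every entry carries a 16-byte owner GUID, and entries must tile the body exactly.
        if sig_size <= OWNER_LEN or body_len % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile list body of {body_len}")
        body = off + SIG_LIST_HDR.size + hdr_size
        for i in range(body_len // sig_size):
            ent = blob[body + i * sig_size: body + (i + 1) * sig_size]
            entries.append({
                "type": uuid.UUID(bytes_le=sig_type),
                "owner": uuid.UUID(bytes_le=ent[:OWNER_LEN]),
                "data": ent[OWNER_LEN:],
            })
        off += list_size
    return entries


def count_x509_keys(blob: bytes) -> int:
    """Number of usable X.509 entries; raises if the ESL carries none."""
    x509 = [e for e in parse_esl(blob) if e["type"] == EFI_CERT_X509_GUID]
    if not x509:
        raise ValueError("ESL has no EFI_CERT_X509_GUID entry; capsule verification needs a certificate")
    for e in x509:
        if e["data"][:1] != b"\x30":  # DER SEQUENCE tag: cheap check that this is not PEM text
            raise ValueError("X.509 entry does not start with a DER SEQUENCE")
    return len(x509)


def render_dtsi(esl_path: str) -> str:
    """The patch's `sed s:ESL_BIN_FILE:path:` step, minus the delimiter clash on ':' in paths."""
    if '"' in esl_path or "\\" in esl_path:
        raise ValueError("path would break the dts string literal")
    return DTSI_TEMPLATE.replace("ESL_BIN_FILE", esl_path)


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, data: bytes) -> bytes:
    """Constructed input: a single-entry list, the shape efitools' cert-to-efi-sig-list emits."""
    sig_size = OWNER_LEN + len(data)
    return (SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + sig_size, 0, sig_size)
            + owner.bytes_le + data)


if __name__ == "__main__":
    # Usage: check_esl.py path/to/key.esl  -> generated dtsi on stdout, entry count on stderr
    esl_file = Path(sys.argv[1])
    n = count_x509_keys(esl_file.read_bytes())
    sys.stderr.write(f"{esl_file}: {n} X.509 entr{'y' if n == 1 else 'ies'}\n")
    sys.stdout.write(render_dtsi(str(esl_file.resolve())))
```

Run it against the file you intend to put in CONFIG_EFI_CAPSULE_ESL_FILE before building; a PEM file, a truncated copy, or a hash-only list (EFI_CERT_SHA256_GUID entries) is rejected here rather than becoming a dtb whose capsule-key property can never verify a signature.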