efi: capsule: Add support for uefi capsule authentication

Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list(esl) file -- this file contains the x509 certificate which is the root certificate. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2025-05-09 03:21:51 +00:00 · 2020-12-30 19:27:09 +05:30 · 2020-12-30 19:27:09 +05:30 · 04be98bd6b
commit 04be98bd6b
parent b4f20a5d83
7 changed files with 214 additions and 2 deletions
--- a/include/efi_api.h
+++ b/include/efi_api.h
@ -1812,6 +1812,24 @@ struct efi_variable_authentication_2 {
 	struct win_certificate_uefi_guid auth_info;
 } __attribute__((__packed__));

+/**
+ * efi_firmware_image_authentication - Capsule authentication method
+ * descriptor
+ *
+ * This structure describes an authentication information for
+ * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set
+ * and should be included as part of the capsule.
+ * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
+ *
+ * @monotonic_count: Count to prevent replay
+ * @auth_info: Authentication info
+ */
+struct efi_firmware_image_authentication {
+	uint64_t monotonic_count;
+	struct win_certificate_uefi_guid auth_info;
+} __attribute__((__packed__));
+
+
 /**
 * efi_signature_data - A format of signature
 *