Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-04-26 07:17:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file

Browse source 
The EFI Capsule ESL file (EFI Signature List File) used for authentication
is a binary generated from the EFI Capsule public key certificate. Instead
of including it in the source repo, automatically generate it from the
certificate file during the build process.

Currently, sandbox is the only device using this, so removed its ESL file
and set the (new) CONFIG_EFI_CAPSULE_CRT_FILE config to point to its public
key certificate.

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
This commit is contained in:
Jonathan Humphreys 2024-06-13 15:27:53 -05:00 committed by Heinrich Schuchardt
parent 809141812e
commit 659f97eb1f
6 changed files with 28 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
board/sandbox/capsule_pub_esl_good.esl
View file

Binary file not shown.

2
configs/sandbox_defconfig
View file

@ -353,7 +353,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y
CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl" CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt"
CONFIG_EFI_SECURE_BOOT=y CONFIG_EFI_SECURE_BOOT=y
CONFIG_TEST_FDTDEC=y CONFIG_TEST_FDTDEC=y
CONFIG_UNIT_TEST=y CONFIG_UNIT_TEST=y

2
configs/sandbox_flattree_defconfig
View file

@ -227,7 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y
CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl" CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt"
CONFIG_UNIT_TEST=y CONFIG_UNIT_TEST=y
CONFIG_UT_TIME=y CONFIG_UT_TIME=y
CONFIG_UT_DM=y CONFIG_UT_DM=y

8
doc/develop/uefi/uefi.rst
View file

@ -580,10 +580,10 @@ and used by the steps highlighted below.
} }
You can perform step-4 through the Kconfig symbol You can perform step-4 through the Kconfig symbol
CONFIG_EFI_CAPSULE_ESL_FILE. This symbol points to the esl file CONFIG_EFI_CAPSULE_CRT_FILE. This symbol points to the signing key
generated in step-2. Once the symbol has been populated with the path generated in step-2. As part of U-Boot build, the ESL certificate file will
to the esl file, it will automatically get embedded into the be generated from the signing key and automatically get embedded into the
platform's dtb as part of U-Boot build. platform's dtb.
Anti-rollback Protection Anti-rollback Protection
************************ ************************

12
lib/efi_loader/Kconfig
View file

@ -298,13 +298,15 @@ config EFI_CAPSULE_MAX
Select the max capsule index value used for capsule report Select the max capsule index value used for capsule report
variables. This value is used to create CapsuleMax variable. variables. This value is used to create CapsuleMax variable.
config EFI_CAPSULE_ESL_FILE config EFI_CAPSULE_CRT_FILE
string "Path to the EFI Signature List File" string "Path to the EFI capsule public key certificate"
depends on EFI_CAPSULE_AUTHENTICATE depends on EFI_CAPSULE_AUTHENTICATE
help help
Provides the path to the EFI Signature List file which will Provides the path to the EFI capsule public key certificate that
be embedded in the platform's device tree and used for corresponds to the capsule signing key. This certificate will be used
capsule authentication at the time of capsule update. to generate the EFI capsule ESL (signature list file) that gets
embedded in the platform's device tree and used for capsule
authentication at the time of capsule update.
config EFI_DEVICE_PATH_TO_TEXT config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol" bool "Device path to text protocol"

24
scripts/Makefile.lib
View file

@ -342,21 +342,27 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \ ; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
cmd_capsule_esl_gen = \ capsule_crt_file=$(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE))
$(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@) capsule_esl_dtsi=.capsule_esl.dtsi
$(obj)/.capsule_esl.dtsi: FORCE quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
ifeq ($(CONFIG_EFI_CAPSULE_ESL_FILE),"") cmd_capsule_esl_gen = cert-to-efi-sig-list $< $@
$(error "CONFIG_EFI_CAPSULE_ESL_FILE is empty, EFI capsule authentication \
$(obj)/capsule_esl_file: $(capsule_crt_file) FORCE
ifeq ($(CONFIG_EFI_CAPSULE_CRT_FILE),"")
$(error "CONFIG_EFI_CAPSULE_CRT_FILE is empty, EFI capsule authentication \
public key must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled") public key must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled")
else else
$(call cmd,capsule_esl_gen) $(call cmd,capsule_esl_gen)
endif endif
capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in quiet_cmd_capsule_dtsi_gen = CAPSULE_DTSI_GEN $@
capsule_esl_dtsi = .capsule_esl.dtsi cmd_capsule_dtsi_gen = \
capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE))) $(shell sed "s:ESL_BIN_FILE:$(abspath $<):" $(capsule_esl_input_file) > $@)
$(obj)/$(capsule_esl_dtsi): $(obj)/capsule_esl_file FORCE
$(call cmd,capsule_dtsi_gen)
dtsi_include_list_deps := $(addprefix $(u_boot_dtsi_loc),$(subst $(quote),,$(dtsi_include_list))) dtsi_include_list_deps := $(addprefix $(u_boot_dtsi_loc),$(subst $(quote),,$(dtsi_include_list)))