From mboxrd@z Thu Jan 1 00:00:00 1970 From: AKASHI Takahiro Date: Wed, 28 Apr 2021 14:01:21 +0900 Subject: [PATCH v2 2/4] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb In-Reply-To: <20210428045518.GA25322@laputa> References: <20210412150526.29822-1-sughosh.ganu@linaro.org> <20210412150526.29822-3-sughosh.ganu@linaro.org> <20210428045518.GA25322@laputa> Message-ID: <20210428050121.GB25322@laputa> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On Wed, Apr 28, 2021 at 01:55:18PM +0900, AKASHI Takahiro wrote: > On Sun, Apr 25, 2021 at 09:24:39AM +0200, Heinrich Schuchardt wrote: > > On 4/12/21 5:05 PM, Sughosh Ganu wrote: > > > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to > > > be used for embedding the public key to be used for capsule > > > authentication into the platform's device tree. > > > > > > The embedding of the public key would take place during the platform > > > build process. > > > > > > Signed-off-by: Sughosh Ganu > > > --- > > > > > > Changes since V1: > > > * Provide a default name for public key file, eficapsule.esl as > > > suggested by Heinrich. > > > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED > > > > > > lib/efi_loader/Kconfig | 15 +++++++++++++++ > > > 1 file changed, 15 insertions(+) > > > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > > > index 79b488823a..089accaaaa 100644 > > > --- a/lib/efi_loader/Kconfig > > > +++ b/lib/efi_loader/Kconfig 
> > > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE > > > Select this option if you want to enable capsule > > > authentication > > > > > > +config EFI_PKEY_DTB_EMBED > > > + bool "Embed the public key in the Device Tree" > > > + depends on EFI_CAPSULE_AUTHENTICATE > > > + help > > > + Select this option if the public key used for capsule > > > + authentication is to be embedded into the platform's > > > + device tree. > > > + > > > +config EFI_PKEY_FILE > > > + string "Public Key esl file to be embedded into the Device Tree" > > > + default "eficapsule.esl" > > > > This config symbol should depend on EFI_PKEY_DTB_EMBED. > > What is embedded here is a *list* of X509 certificate, not a single public key. > "esl" stands for EFI Signature List. > The symbol name as well as help text are confusing. In addition, "signature" means a hash value of image as well as X509 in UEFI terms. So as far as we use efi_signature_verify(), any type of "signature" will be allowed. We must be clear here. -Takahiro Akashi > -Takahiro Akashi > > > Best regards > > > > Heinrich > > > > > + help > > > + Specify the absolute path of the public key esl file that is > > > + to be embedded in the platform's device tree. > > > + > > > config EFI_CAPSULE_FIRMWARE_FIT > > > bool "FMP driver for FIT image" > > > depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT > > > > >
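
Review bot: In the new EFI_PKEY_FILE entry, the help text asks for "the absolute path of the public key esl file" while the default is the bare file name "eficapsule.esl", so the default does not meet the documented requirement. Either reword the help to say what a relative name is resolved against, or require an absolute path and make the default consistent with that. The same entry carries no `depends on EFI_PKEY_DTB_EMBED`, so the string prompt is offered even when embedding is disabled; adding that dependency keeps the two symbols in step. Both prompts and help texts say "public key" although the file is an EFI Signature List, and this file becomes the trust anchor for capsule authentication, so the help should state which kinds of ESL entries are expected in it.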