From: AKASHI Takahiro
Date: Fri, 7 May 2021 17:15:32 +0900
Subject: [PATCH 5/5] Makefile: Add provision for embedding public key in platform's dtb
In-Reply-To:
References: <20210407115335.8615-1-sughosh.ganu@linaro.org> <20210407115335.8615-6-sughosh.ganu@linaro.org> <5a137b94-d797-e245-6f70-9eaaf474df72@gmx.de> <20210428054350.GE25322@laputa>
Message-ID: <20210507081532.GA32968@laputa>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Wed, Apr 28, 2021 at 03:31:36PM +0900, Masami Hiramatsu wrote:
> Wed, Apr 28, 2021 14:44 AKASHI Takahiro :
> >
> > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:
> > > On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> > > > Add provision for embedding the public key used for capsule
> > > > authentication in the platform's dtb. This is done by invoking the
> > > > mkeficapsule utility which puts the public key in the efi signature
> > > > list(esl) format into the dtb.
> > > >
> > > > Signed-off-by: Sughosh Ganu
> > > > ---
> > > > Makefile | 10 ++++++++++
> > > > 1 file changed, 10 insertions(+)
> > > >
> > > > diff --git a/Makefile b/Makefile
> > > > index 193aa4d1c9..0d50c6a805 100644
> > > > --- a/Makefile
> > > > +++ b/Makefile
> > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }
> > > > quiet_cmd_lzma = LZMA $@
> > > > cmd_lzma = lzma -c -z -k -9 $< > $@
> > > >
> > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE $@
> > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \
> > > > + -D $@
> > > > +
> > >
> > > tools/mkeficapsule --help does neither show a parameter -K nor a
> > > parameter -D.
> >
> > This clearly shows that the feature with -K/-D has nothing to do with
> > creating a capsule file.
> > Two totally different things in one place (command).
> > And the dtb overlay operation can be achieved by using standard commands.
>
> If I understand correctly, we need the following steps,
> 1. prepare the key for signing
> 2. make dtb overlay from that key
> 3. sign the capsule with the key
>
> And Sughosh's implementation is using mkeficapsule for 2 and 3.
> Takahiro pointed that mkeficapsule is only for 3 because of its name
> and avoid confusion.
>
> Is that correct?
>
> What would you think about changing the tool name?
> E.g.
>
> For step 2.
> capsuletool dtb --public-key pubkey [--overlay] target.dtb

My point is: as this command line shows, it has nothing to do with a capsule file.
It simply deals with dtb blob for overlaying.
(So 'capsuletool' is not appropriate.)

-Takahiro Akashi

> For step 3.
> capsuletool capsule --raw u-boot.bin --index 1 --public-key pubkey u-boot.cap
>
> Then we can expand it for inspection, verify etc.
>
> Thank you,
>
> >
> > I believe that the feature should be removed from mkeficapsule.
> >
> > -Takahiro Akashi
> >
> > >
> > > Please, update tools/mkeficapsule.c before using these. A
> > > man-page for mkeficapsule in doc/usage/ would be helpful.
> > >
> > > $ tools/mkeficapsule --help
> > > Usage: mkeficapsule [options]
> > > Options:
> > > --fit new FIT image file
> > > --raw new raw image file
> > > --index update image index
> > > --instance update hardware instance
> > > --public-key public key esl file
> > > --dtb dtb file
> > > --overlay the dtb file is an overlay
> > > --help print a help message
> > >
> > > Best regards
> > >
> > > Heinrich
> > >
> > > > cfg: u-boot.cfg
> > > >
> > > > quiet_cmd_cfgcheck = CFGCHK $2
> > > > @@ -1104,8 +1108,14 @@ endif
> > > > PHONY += dtbs
> > > > dtbs: dts/dt.dtb
> > > > @:
> > > > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)
> > > > +dts/dt.dtb: u-boot tools
> > > > + $(Q)$(MAKE) $(build)=dts dtbs
> > > > + $(call cmd,mkeficapsule)
> > > > +else
> > > > dts/dt.dtb: u-boot
> > > > $(Q)$(MAKE) $(build)=dts dtbs
> > > > +endif
> > > >
> > > > quiet_cmd_copy = COPY $@
> > > > cmd_copy = cp $< $@
> > > >
> > > >
>
>
> --
> Masami Hiramatsu
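Review bot: in the first hunk (@@ -1010), `cmd_mkeficapsule` invokes the tool with `-K $(CONFIG_EFI_PKEY_FILE)` and `-D $@`, but the `tools/mkeficapsule --help` output quoted in this thread lists only long options (`--public-key`, `--dtb`, `--overlay`) and, as Heinrich points out, documents neither `-K` nor `-D`; the recipe should use the documented spellings, or tools/mkeficapsule.c and its help text need to gain the short forms, before this is merged. Two related points: the help text calls `--public-key` a "public key esl file" while the Kconfig symbol is named `CONFIG_EFI_PKEY_FILE`, so the expected input format (an EFI signature list rather than a bare key) should be stated where the symbol is defined; and nothing in the recipe checks that `CONFIG_EFI_PKEY_FILE` is non-empty, so with the symbol unset the tool is run with a missing argument and the only diagnostic is whatever `mkeficapsule` prints.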
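Review bot: in the second hunk (@@ -1104), the new `dts/dt.dtb` recipe rewrites the just-built dtb in place (`-D $@`) as a second command of the same rule, with no cleanup on failure; if `mkeficapsule` fails or is interrupted after the sub-make has produced `dts/dt.dtb`, the file is left without the embedded key yet looks up to date on the next run, so a dtb that cannot authenticate capsules is silently shipped. The existing `cmd_pad_cat` in this Makefile guards exactly this with `|| { rm -f $@; false; }`; the same guard, or writing the key-bearing result to a separate output, is needed here. The `ifeq`/`else` also duplicates the whole `dts/dt.dtb` rule; a single rule whose recipe appends `$(call cmd,mkeficapsule)` under the condition avoids the two copies drifting apart.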
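The help output above describes `--public-key` as a "public key esl file", and the commit message says the key is embedded "in the efi signature list(esl) format". The example below is added here for readers of this thread; it is not code from the patch, from mkeficapsule, or from any poster. It builds an EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID around a DER blob and parses such lists back with the size checks a consumer should apply, so a build engineer can confirm that the file handed to the tool is a well-formed ESL before it is baked into a dtb. The DER bytes are a constructed placeholder, not a certificate; the field layout follows the UEFI specification.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification): an ESL with this SignatureType
# carries DER-encoded X.509 certificates, one per EFI_SIGNATURE_DATA entry.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID, mixed-endian as
# stored on disk), then SignatureListSize, SignatureHeaderSize and
# SignatureSize as little-endian UINT32. 28 bytes in total.
_ESL_HDR = struct.Struct("<16sIII")
# Each EFI_SIGNATURE_DATA entry starts with a 16-byte SignatureOwner GUID.
_OWNER_LEN = 16

# Constructed placeholder standing in for a DER certificate (a tiny DER
# SEQUENCE containing INTEGER 1). It is NOT a real X.509 certificate.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"


def build_x509_esl(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Wrap one DER certificate in an X.509-type EFI_SIGNATURE_LIST."""
    sig_size = _OWNER_LEN + len(cert_der)
    # X.509 lists have no SignatureHeader, so SignatureHeaderSize is 0 and
    # SignatureListSize covers the header plus the single signature entry.
    list_size = _ESL_HDR.size + sig_size
    header = _ESL_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> list:
    """Walk a concatenation of EFI_SIGNATURE_LISTs.

    Returns (SignatureType, SignatureOwner, SignatureData) tuples and raises
    ValueError on any size field that does not fit the buffer, which is the
    check a parser must make before trusting a key file.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if list_size < _ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        body = list_size - _ESL_HDR.size - hdr_size
        if sig_size <= _OWNER_LEN or body % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + _ESL_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            data = blob[pos + _OWNER_LEN:pos + sig_size]
            entries.append((sig_type, owner, data))
            pos += sig_size
        off += list_size
    return entries


def x509_certs(blob: bytes) -> list:
    """Return only the DER blobs held in X.509-type lists of an ESL file."""
    return [data for sig_type, _owner, data in parse_esl(blob)
            if sig_type == EFI_CERT_X509_GUID]


def is_well_formed(blob: bytes) -> bool:
    """True if every list in the blob parses with consistent sizes."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    esl = build_x509_esl(FAKE_CERT_DER)
    print(f"ESL is {len(esl)} bytes, {len(x509_certs(esl))} X.509 entry")
    print("truncated copy well-formed:", is_well_formed(esl[:-1]))
```

Running the module prints the size of the constructed list and shows that dropping a single trailing byte is detected. Concatenating several `build_x509_esl()` outputs produces a multi-list file that `parse_esl()` walks list by list, which is how a key file holding more than one certificate is laid out.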