* [PATCH 0/5] capsule: Embed the public key ESL as part of build
From: Sughosh Ganu @ 2023-08-15 16:26 UTC (permalink / raw)
To: u-boot
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi, Tom Rini
This series takes a different approach to embedding the public key EFI
Signature List (ESL) needed for capsule authentication into the
platform's DTB.
The earlier approach [1] was using a u-boot.dtsi file to embed the
key. But this approach has a few issues:
1) The path of the incbin file is not relative to $(srctree), but
relative to the directory of the dts file which is including the
dtsi; this causes problems when the dts files are located in
different directories.
2) The u-boot.dtsi file only gets included in the DTB if there are no
other *u-boot.dtsi files being included.
3) A separate u-boot.dtsi is needed per arch.
To get around these issues, this approach generates a dtsi
file (.capsule_esl.dtsi) with the public key node during build. This
generated dtsi file contains the resolved path to the ESL and is then
included for the DTB generation.
The first patch of the series also cleans up the logic to include the
dtsi files, by collating all the dtsi files to be included into a
single variable.
These patches need to be applied on top of the series for generating
the capsules as part of the build [2].
[1] - https://lists.denx.de/pipermail/u-boot/2023-August/526323.html
[2] - https://lore.kernel.org/u-boot/20230812153024.334563-1-sughosh.ganu@linaro.org/T/#m85a50079007acf8943cfe8efcc7d78d23a40db7c
Changes since RFC series:
* s/include_files/dtsi_include_list
* Remove the default value of the config symbol.
* s/include_files/dtsi_include_list
* Add all the dtsi files being included as dependency for the dtb target.
* s/u-boot/U-Boot in the commit message.
* New patch for removing superfluous logic from efi capsule update test setup.
Sughosh Ganu (5):
scripts/Makefile.lib: Collate all dtsi files for inclusion
scripts/Makefile.lib: Embed capsule public key in platform's dtb
sandbox: capsule: Add path to the public key ESL file
doc: capsule: Document the new mechanism to embed ESL file into dtb
test: capsule: Remove logic to add public key ESL
configs/sandbox_defconfig | 1 +
configs/sandbox_flattree_defconfig | 1 +
doc/develop/uefi/uefi.rst | 19 ++++---------
lib/efi_loader/Kconfig | 8 ++++++
lib/efi_loader/capsule_esl.dtsi.in | 11 ++++++++
scripts/Makefile.lib | 29 ++++++++++++++++----
test/py/tests/test_efi_capsule/conftest.py | 28 +++++--------------
test/py/tests/test_efi_capsule/signature.dts | 10 -------
8 files changed, 57 insertions(+), 50 deletions(-)
create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
--
2.34.1
* [PATCH 1/5] scripts/Makefile.lib: Collate all dtsi files for inclusion
From: Sughosh Ganu @ 2023-08-15 16:26 UTC (permalink / raw)
To: u-boot
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi, Tom Rini, Sughosh Ganu
At the time of building a device-tree file, all the *u-boot.dtsi files
are looked for, in a particular order, and the first file found is
included. Then, the list of files specified in the
CONFIG_DEVICE_TREE_INCLUDES symbol are included.
Combine these files that are to be included into a variable, and then
include all these files in one go.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since RFC series:
* s/include_files/dtsi_include_list
scripts/Makefile.lib | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index f5ab7af0f4..368b5a3e28 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -179,10 +179,13 @@ ifdef DEVICE_TREE_DEBUG
u_boot_dtsi_options_debug = $(warning $(u_boot_dtsi_options_raw))
endif
-# We use the first match
-u_boot_dtsi = $(strip $(u_boot_dtsi_options_debug) \
+# We use the first match to be included
+dtsi_include_list = $(strip $(u_boot_dtsi_options_debug) \
$(notdir $(firstword $(u_boot_dtsi_options))))
+# The CONFIG_DEVICE_TREE_INCLUDES also need to be included
+dtsi_include_list += $(CONFIG_DEVICE_TREE_INCLUDES)
+
# Modified for U-Boot
dtc_cpp_flags = -Wp,-MD,$(depfile).pre.tmp -nostdinc \
$(UBOOTINCLUDE) \
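Review bot: the comment "# We use the first match to be included" above the new dtsi_include_list assignment now describes only the first entry of the variable, while the line right after appends CONFIG_DEVICE_TREE_INCLUDES; reword it to something like "# dtsi files to include: the first matching *u-boot.dtsi, then CONFIG_DEVICE_TREE_INCLUDES" so a reader of the variable does not expect a single file.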
@@ -320,8 +323,8 @@ quiet_cmd_dtc = DTC $@
# Bring in any U-Boot-specific include at the end of the file
# And finally any custom .dtsi fragments specified with CONFIG_DEVICE_TREE_INCLUDES
cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
- (cat $<; $(if $(u_boot_dtsi),echo '$(pound)include "$(u_boot_dtsi)"')) > $(pre-tmp); \
- $(foreach f,$(subst $(quote),,$(CONFIG_DEVICE_TREE_INCLUDES)), \
+ (cat $< > $(pre-tmp)); \
+ $(foreach f,$(subst $(quote),,$(dtsi_include_list)), \
echo '$(pound)include "$(f)"' >> $(pre-tmp);) \
$(HOSTCC) -E $(dtc_cpp_flags) -x assembler-with-cpp -o $(dtc-tmp) $(pre-tmp) ; \
$(DTC) -O dtb -o $@ -b 0 \
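Review bot: the subshell parentheses in `(cat $< > $(pre-tmp));` are a leftover from the old `(cat $<; echo ...)` command group and can become plain `cat $< > $(pre-tmp);`. It is also worth a comment that the old `$(if $(u_boot_dtsi),...)` guard is not needed any more because `$(strip ...)` leaves dtsi_include_list empty when no *u-boot.dtsi matches and `$(foreach ...)` then emits nothing, and that the include order (first-match *u-boot.dtsi before the CONFIG_DEVICE_TREE_INCLUDES fragments) is preserved only because it is the order of the `+=` lines above.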
--
2.34.1
* [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
From: Sughosh Ganu @ 2023-08-15 16:26 UTC (permalink / raw)
To: u-boot
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi, Tom Rini, Sughosh Ganu
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List (ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.
Add a target for generating a dtsi file which contains the signature
node with the ESL file included as a property under the signature
node. Include the dtsi file in the dtb. This brings the embedding of
the ESL in the dtb into the U-Boot build flow.
The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since RFC series:
* Remove the default value of the config symbol.
* s/include_files/dtsi_include_list
* Add all the dtsi files being included as dependency for the dtb target.
lib/efi_loader/Kconfig | 8 ++++++++
lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
scripts/Makefile.lib | 18 +++++++++++++++++-
3 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 9989e3f384..d20aaab6db 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
Select the max capsule index value used for capsule report
variables. This value is used to create CapsuleMax variable.
+config EFI_CAPSULE_ESL_FILE
+ string "Path to the EFI Signature List File"
+ depends on EFI_CAPSULE_AUTHENTICATE
+ help
+ Provides the path to the EFI Signature List file which will
+ be embedded in the platform's device tree and used for
+ capsule authentication at the time of capsule update.
+
config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
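Review bot: the help text should say what the path is relative to; the Makefile.lib hunk in this patch prefixes the value with $(srctree)/, so only a path relative to the U-Boot source tree works and an absolute path would be joined onto $(srctree). Since the symbol has no default, also say what happens when it is left empty with EFI_CAPSULE_AUTHENTICATE=y (the generated dtsi would /incbin/ an empty filename and the dtb build would fail), or guard the `dtsi_include_list +=` in Makefile.lib on the symbol being non-empty.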
diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in
new file mode 100644
index 0000000000..61a9f2b25e
--- /dev/null
+++ b/lib/efi_loader/capsule_esl.dtsi.in
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0+
+/**
+ * Devicetree file with the public key EFI Signature List(ESL)
+ * node. This file is used to generate the dtsi file to be
+ * included into the DTB.
+*/
+/ {
+ signature {
+ capsule-key = /incbin/("ESL_BIN_FILE");
+ };
+};
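Review bot: the file comment opens with `/**`, which is the kernel-doc marker, but this is a plain description; use `/*` and align the closing `*/` with the ` * ` lines. Since the node is written from the root (`/ {`) rather than through a label, a one-line comment that dtc merges it into the platform's existing root node would help, as would noting that, because this include is appended after the dts and the other dtsi fragments (see the cmd_dtc change in patch 1), its capsule-key property overrides any /signature node the platform dts already carries.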
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 368b5a3e28..2e71f190bc 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -334,7 +334,23 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
-$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
+ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
+cmd_capsule_esl_gen = \
+ $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)
+
+$(obj)/.capsule_esl.dtsi:
+ $(call cmd_capsule_esl_gen)
+
+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
+capsule_esl_dtsi = .capsule_esl.dtsi
+capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+dtsi_include_list += $(capsule_esl_dtsi)
+endif
+
+dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
+
+$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
$(call if_changed_dep,dtc)
pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
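Review bot: `cmd_capsule_esl_gen` wraps the sed in `$(shell ...)`, so the substitution runs while make expands the recipe rather than as the recipe's command, the recipe line itself expands to nothing, and a sed failure is not reported by make; write it as a plain command, `sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@`. The `$(obj)/.capsule_esl.dtsi` target also has no prerequisites, so once generated it is never refreshed when capsule_esl.dtsi.in or CONFIG_EFI_CAPSULE_ESL_FILE changes; list `$(capsule_esl_input_file)` as a prerequisite and use `$(call if_changed,capsule_esl_gen)` with FORCE so the command line is tracked, as the dtc rule below does. Finally, `:` as the sed delimiter breaks for any source tree whose path contains a colon; `|` is a safer delimiter here.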
--
2.34.1
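The mechanism the cover letter and this patch describe, as an added example that is not part of the series or of U-Boot: it parses the EFI_SIGNATURE_LIST structure of the file named by CONFIG_EFI_CAPSULE_ESL_FILE, refuses a list with no X.509 entry, and renders the same node as capsule_esl.dtsi.in without the sed delimiter problem. The GUIDs are the UEFI specification's; DEMO_OWNER, DEMO_CERT and the paths are constructed.

```python
"""Check the ESL named by CONFIG_EFI_CAPSULE_ESL_FILE before it is embedded as
/signature/capsule-key, and render the capsule_esl.dtsi.in template.  Constructed example."""
import struct
import uuid
from typing import List, NamedTuple

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian).
ESL_HEADER = struct.Struct("<16sIII")
# Constructed owner GUID for the sample input.
DEMO_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
# Constructed stand-in for a DER certificate: a minimal DER SEQUENCE.
DEMO_CERT = b"\x30\x03\x02\x01\x01"


class Signature(NamedTuple):
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes


def parse_esl(blob: bytes) -> List[Signature]:
    """Walk every EFI_SIGNATURE_LIST in blob and return its entries.
    Raises ValueError on truncated or inconsistent size fields: /incbin/ embeds
    the bytes unchecked, so damage would otherwise surface only at capsule update."""
    sigs: List[Signature] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError(f"truncated ESL header at offset {off}")
        type_le, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = list_size - ESL_HEADER.size - hdr_size
        # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus payload, and
        # SignatureSize must tile the list body exactly.
        if sig_size <= 16 or body % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile {body}-byte body")
        sig_type = uuid.UUID(bytes_le=type_le)
        pos = off + ESL_HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            sigs.append(Signature(sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return sigs


def check_capsule_esl(blob: bytes) -> int:
    """Return the number of X.509 entries, rejecting an ESL without any: the
    series embeds a public-key ESL, so a hash-only list is the wrong file."""
    x509 = [s for s in parse_esl(blob) if s.sig_type == EFI_CERT_X509_GUID]
    if not x509:
        raise ValueError("no EFI_CERT_X509 entry in ESL")
    for s in x509:
        if not s.data.startswith(b"\x30"):  # DER SEQUENCE tag of a certificate
            raise ValueError("X.509 entry is not DER encoded")
    return len(x509)


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries: List[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST (used to construct sample input)."""
    if any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("entries of one list must share SignatureSize")
    body = b"".join(owner.bytes_le + e for e in entries)
    hdr = ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0,
                          16 + len(entries[0]))
    return hdr + body


# Same node layout as lib/efi_loader/capsule_esl.dtsi.in in patch 2.
CAPSULE_ESL_DTSI_IN = """/ {
\tsignature {
\t\tcapsule-key = /incbin/("ESL_BIN_FILE");
\t};
};
"""


def render_capsule_esl_dtsi(template: str, esl_path: str) -> str:
    """Substitute ESL_BIN_FILE with the resolved path.  A string replace has no
    delimiter to collide with, unlike sed "s:ESL_BIN_FILE:...:", which breaks on
    a ':' in the path; a quote or backslash would break the dts literal, so reject it."""
    if '"' in esl_path or "\\" in esl_path:
        raise ValueError("path cannot be written as a dts string literal")
    return template.replace("ESL_BIN_FILE", esl_path)


if __name__ == "__main__":
    esl = build_esl(EFI_CERT_X509_GUID, DEMO_OWNER, [DEMO_CERT])
    print("X.509 entries:", check_capsule_esl(esl))
    print(render_capsule_esl_dtsi(CAPSULE_ESL_DTSI_IN, "/work/u-boot:v2023/key.esl"))
```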
* [PATCH 3/5] sandbox: capsule: Add path to the public key ESL file
From: Sughosh Ganu @ 2023-08-15 16:26 UTC (permalink / raw)
To: u-boot
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi, Tom Rini, Sughosh Ganu
Add the path to the public key EFI Signature List (ESL) file for the
sandbox variants which enable capsule authentication. This ESL file
gets embedded into the platform's device-tree as part of the build.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since RFC series: None
configs/sandbox_defconfig | 1 +
configs/sandbox_flattree_defconfig | 1 +
2 files changed, 2 insertions(+)
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 1cd1c2ed7c..9f349d482b 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -340,6 +340,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
CONFIG_EFI_SECURE_BOOT=y
CONFIG_TEST_FDTDEC=y
CONFIG_UNIT_TEST=y
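Review bot: nothing in this series' diffstat creates board/sandbox/capsule_pub_esl_good.esl, so this value assumes the file is already in the tree; confirm it is, because a missing file only surfaces as a dtc /incbin/ error when the sandbox dtb is built. A line in the commit message saying where the sandbox key file comes from would help.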
diff --git a/configs/sandbox_flattree_defconfig b/configs/sandbox_flattree_defconfig
index 8aa295686d..2a24b38cfb 100644
--- a/configs/sandbox_flattree_defconfig
+++ b/configs/sandbox_flattree_defconfig
@@ -227,6 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
CONFIG_UNIT_TEST=y
CONFIG_UT_TIME=y
CONFIG_UT_DM=y
--
2.34.1
* [PATCH 4/5] doc: capsule: Document the new mechanism to embed ESL file into dtb
From: Sughosh Ganu @ 2023-08-15 16:26 UTC (permalink / raw)
To: u-boot
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi, Tom Rini, Sughosh Ganu
Update the document to specify how the EFI Signature List (ESL) file
can be embedded into the platform's dtb as part of the U-Boot build.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since RFC series:
* s/u-boot/U-Boot in the commit message.
doc/develop/uefi/uefi.rst | 19 +++++--------------
1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 3ce579d46e..950f4d1a5a 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -539,20 +539,11 @@ and used by the steps highlighted below.
...
}
-You can do step-4 manually with
-
-.. code-block:: console
-
- $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
- $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-
-where signature.dts looks like::
-
- &{/} {
- signature {
- capsule-key = /incbin/("CRT.esl");
- };
- };
+You can perform step-4 by defining the Kconfig symbol
+CONFIG_EFI_CAPSULE_ESL_FILE. This symbol defines the path to the esl
+file generated in step-2. Once the symbol has been populated with the
+path to the esl file, the esl file will automatically get embedded
+into the platform's dtb as part of U-Boot build.
Anti-rollback Protection
************************
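Review bot: the new paragraph should say that the CONFIG_EFI_CAPSULE_ESL_FILE value is a path relative to the U-Boot source tree and that the symbol is only offered when EFI_CAPSULE_AUTHENTICATE is enabled, both of which follow from the Kconfig and Makefile.lib changes in patch 2. Minor: spell "esl" as "ESL" to match the rest of the document, and "as part of the U-Boot build".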
--
2.34.1
* [PATCH 5/5] test: capsule: Remove logic to add public key ESL
From: Sughosh Ganu @ 2023-08-15 16:26 UTC (permalink / raw)
To: u-boot
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi, Tom Rini, Sughosh Ganu
The public key EFI Signature List (ESL) needed for capsule
authentication is now embedded into the platform's DTB as part of the
build. Remove the superfluous logic from the test setup.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since RFC series:
* New patch
test/py/tests/test_efi_capsule/conftest.py | 28 +++++---------------
test/py/tests/test_efi_capsule/signature.dts | 10 -------
2 files changed, 7 insertions(+), 31 deletions(-)
delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 7eead9bc64..67761a9708 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -49,33 +49,19 @@ def efi_capsule_data(request, u_boot_config):
check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt'
% (key_dir, data_dir), shell=True)
- # Update dtb adding capsule certificate
- check_call('cd %s; '
- 'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
- % (data_dir, u_boot_config.source_dir), shell=True)
+ if capsule_auth_enabled:
check_call('cd %s; '
- 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
- 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
- '-o test_sig.dtb signature.dtbo'
+ 'cp %s/arch/sandbox/dts/test.dtb test_sig.dtb'
% (data_dir, u_boot_config.build_dir), shell=True)
-
# Update dtb to add the version information
check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .'
% (data_dir, u_boot_config.source_dir), shell=True)
- if capsule_auth_enabled:
- check_call('cd %s; '
- 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
- 'fdtoverlay -i test_sig.dtb '
- '-o test_ver.dtb version.dtbo'
- % (data_dir), shell=True)
- else:
- check_call('cd %s; '
- 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
- 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
- '-o test_ver.dtb version.dtbo'
- % (data_dir, u_boot_config.build_dir), shell=True)
-
+ check_call('cd %s; '
+ 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
+ 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
+ '-o test_ver.dtb version.dtbo'
+ % (data_dir, u_boot_config.build_dir), shell=True)
check_call('cp %s/u-boot_bin_env.itb %s ' % (u_boot_config.build_dir, data_dir), shell=True)
check_call('cp %s/Test* %s ' % (u_boot_config.build_dir, data_dir), shell=True)
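Review bot: with the overlay step gone, test_sig.dtb is now a plain copy of test.dtb, so its name no longer says anything about its contents; either drop the copy and point the tests that use test_sig.dtb at test.dtb directly, or add a comment that the capsule key is already in the dtb built with CONFIG_EFI_CAPSULE_ESL_FILE. The `if capsule_auth_enabled:` block now contains only this copy, so dropping the copy removes the branch as well.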
diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts
deleted file mode 100644
index 078cfc76c9..0000000000
--- a/test/py/tests/test_efi_capsule/signature.dts
+++ /dev/null
@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0+
-
-/dts-v1/;
-/plugin/;
-
-&{/} {
- signature {
- capsule-key = /incbin/("SIGNER.esl");
- };
-};
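Review bot: the deleted overlay embedded SIGNER.esl, while the sandbox defconfigs in patch 3 now point at board/sandbox/capsule_pub_esl_good.esl; say in the commit message that these carry the same public key (or that the good-key test material moved), so a reader of the test can see that the authentication tests still exercise the intended key.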
--
2.34.1
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
From: Simon Glass @ 2023-08-15 18:39 UTC (permalink / raw)
To: Sughosh Ganu
Cc: u-boot, Heinrich Schuchardt, Ilias Apalodimas, Takahiro Akashi,
Tom Rini
Hi Sughosh,
On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> The EFI capsule authentication logic in u-boot expects the public key
> in the form of an EFI Signature List (ESL) to be provided as part of
> the platform's dtb. Currently, the embedding of the ESL file into the
> dtb needs to be done manually.
>
> Add a target for generating a dtsi file which contains the signature
> node with the ESL file included as a property under the signature
> node. Include the dtsi file in the dtb. This brings the embedding of
> the ESL in the dtb into the U-Boot build flow.
>
> The path to the ESL file is specified through the
> CONFIG_EFI_CAPSULE_ESL_FILE symbol.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> Changes since RFC series:
> * Remove the default value of the config symbol.
> * s/include_files/dtsi_include_list
> * Add all the dtsi files being included as dependency for the dtb
> target.
>
> lib/efi_loader/Kconfig | 8 ++++++++
> lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
> scripts/Makefile.lib | 18 +++++++++++++++++-
> 3 files changed, 36 insertions(+), 1 deletion(-)
> create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
>
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index 9989e3f384..d20aaab6db 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
> Select the max capsule index value used for capsule report
> variables. This value is used to create CapsuleMax variable.
>
> +config EFI_CAPSULE_ESL_FILE
> + string "Path to the EFI Signature List File"
Do we need this, or could we name it as we do with the .env file? It
seems confusing to have to set this for each board - it might be
better to have it in a defined location.
Another idea is that we could use binman to pull this in, e.g. with an
option to insert the capsule key during the build. Then it can be
anywhere on the binman path.
As you know I am not a fan of these opaque binaries when we have a
nice self-describing format like devicetree. But we can worry about
that problem another time.
> + depends on EFI_CAPSULE_AUTHENTICATE
> + help
> + Provides the path to the EFI Signature List file which will
> + be embedded in the platform's device tree and used for
> + capsule authentication at the time of capsule update.
> +
> config EFI_DEVICE_PATH_TO_TEXT
> bool "Device path to text protocol"
> default y
> diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in
> new file mode 100644
> index 0000000000..61a9f2b25e
> --- /dev/null
> +++ b/lib/efi_loader/capsule_esl.dtsi.in
> @@ -0,0 +1,11 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/**
> + * Devicetree file with the public key EFI Signature List(ESL)
> + * node. This file is used to generate the dtsi file to be
> + * included into the DTB.
> +*/
> +/ {
> + signature {
> + capsule-key = /incbin/("ESL_BIN_FILE");
> + };
> +};
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 368b5a3e28..2e71f190bc 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -334,7 +334,23 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
> ; \
> sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
>
> -$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
> +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
> +cmd_capsule_esl_gen = \
> + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)
> +
> +$(obj)/.capsule_esl.dtsi:
> + $(call cmd_capsule_esl_gen)
> +
> +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
> +capsule_esl_dtsi = .capsule_esl.dtsi
> +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
> +dtsi_include_list += $(capsule_esl_dtsi)
> +endif
> +
> +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
> +
> +$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
> $(call if_changed_dep,dtc)
>
> pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
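Review bot: capsule_esl_input_file, capsule_esl_dtsi and capsule_esl_path are assigned below the `$(obj)/.capsule_esl.dtsi` rule that uses them; this only works because make expands recipe variables when the recipe runs, and the ordering invites a reader to assume the rule sees empty values. Move the three assignments above the rule, which also makes it natural to keep only the `dtsi_include_list +=` line inside the ifdef.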
> --
> 2.34.1
>
Regards,
Simon
* Re: [PATCH 1/5] scripts/Makefile.lib: Collate all dtsi files for inclusion
From: Tom Rini @ 2023-08-15 20:23 UTC (permalink / raw)
To: Sughosh Ganu
Cc: u-boot, Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi
On Tue, Aug 15, 2023 at 09:56:19PM +0530, Sughosh Ganu wrote:
> At the time of building a device-tree file, all the *u-boot.dtsi files
> are looked for, in a particular order, and the first file found is
> included. Then, the list of files specified in the
> CONFIG_DEVICE_TREE_INCLUDES symbol are included.
>
> Combine these files that are to be included into a variable, and then
> include all these files in one go.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
--
Tom
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
From: Tom Rini @ 2023-08-15 20:24 UTC (permalink / raw)
To: Sughosh Ganu
Cc: u-boot, Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi
On Tue, Aug 15, 2023 at 09:56:20PM +0530, Sughosh Ganu wrote:
> The EFI capsule authentication logic in u-boot expects the public key
> in the form of an EFI Signature List (ESL) to be provided as part of
> the platform's dtb. Currently, the embedding of the ESL file into the
> dtb needs to be done manually.
>
> Add a target for generating a dtsi file which contains the signature
> node with the ESL file included as a property under the signature
> node. Include the dtsi file in the dtb. This brings the embedding of
> the ESL in the dtb into the U-Boot build flow.
>
> The path to the ESL file is specified through the
> CONFIG_EFI_CAPSULE_ESL_FILE symbol.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
[snip]
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 368b5a3e28..2e71f190bc 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -334,7 +334,23 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
> ; \
> sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
>
> -$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
> +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
> +cmd_capsule_esl_gen = \
> + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)
> +
> +$(obj)/.capsule_esl.dtsi:
> + $(call cmd_capsule_esl_gen)
> +
> +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
> +capsule_esl_dtsi = .capsule_esl.dtsi
> +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
> +dtsi_include_list += $(capsule_esl_dtsi)
> +endif
We should only need to ifdef around appending to dtsi_include_list. The
rest we can / should just leave always there, that's cleaner reading.
> +
> +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
> +
> +$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
This part here is a separate bugfix and we should do that as patch 2,
and the rest of the changes here as patch 3.
--
Tom
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
From: Sughosh Ganu @ 2023-08-16 4:28 UTC (permalink / raw)
To: Simon Glass
Cc: u-boot, Heinrich Schuchardt, Ilias Apalodimas, Takahiro Akashi,
Tom Rini
hi Simon,
On Wed, 16 Aug 2023 at 00:09, Simon Glass <sjg@chromium.org> wrote:
>
> Hi Sughosh,
>
> On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> >
> > The EFI capsule authentication logic in u-boot expects the public key
> > in the form of an EFI Signature List (ESL) to be provided as part of
> > the platform's dtb. Currently, the embedding of the ESL file into the
> > dtb needs to be done manually.
> >
> > Add a target for generating a dtsi file which contains the signature
> > node with the ESL file included as a property under the signature
> > node. Include the dtsi file in the dtb. This brings the embedding of
> > the ESL in the dtb into the U-Boot build flow.
> >
> > The path to the ESL file is specified through the
> > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> >
> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > ---
> > Changes since RFC series:
> > * Remove the default value of the config symbol.
> > * s/include_files/dtsi_include_list
> > * Add all the dtsi files being included as dependency for the dtb
> > target.
> >
> > lib/efi_loader/Kconfig | 8 ++++++++
> > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
> > scripts/Makefile.lib | 18 +++++++++++++++++-
> > 3 files changed, 36 insertions(+), 1 deletion(-)
> > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
> >
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index 9989e3f384..d20aaab6db 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
> > Select the max capsule index value used for capsule report
> > variables. This value is used to create CapsuleMax variable.
> >
> > +config EFI_CAPSULE_ESL_FILE
> > + string "Path to the EFI Signature List File"
>
> Do we need this, or could we name it as we do with the .env file? It
> seems confusing to have to set this for each board - it might be
> better to have it in a defined location.
The reason I put this is because I thought this gave the user the
flexibility to provide the location and name of the ESL. But I suppose
that the board directory would be a good location to expect this file.
Then this file can have a name like capsule_pub_key.esl. Tom, what are
your thoughts on this?
>
> Another idea is that we could use binman to pull this in, e.g. with an
> option to insert the capsule key during the build. Then it can be
> anywhere on the binman path.
So, if I understand you right, I believe you are suggesting using
binman for this task? Which, just to make it clear, I pretty much
understand what would be needed to be done to get this working in
binman. A typical binman image for this task would look like

    &binman {
        u-boot-capsule-esl {
            u-boot-no-dtb {
            };
            fdt-esl {
                u-boot-dtb {
                };
            };
        };
    };
The fdt-esl entry type would then call the fdt_add_pubkey tool to do
the needful. We also support capsule update for FIT images, and that
would mean adding some logic to call the fdt_add_pubkey for the
fdt_list. So implementing this is not a difficult thing at all.
But the main issue, or rather the only issue with this is that we are
getting an image with a different name, like u-boot-capsule-esl.bin as
the resulting image. But like I had mentioned earlier in our
discussions, we have platforms which boot the u-boot.bin binary. We
also have the ST boards which generate the fip image and use the
u-boot.dtb as the BL33_CFG. So generating a new image binary, or a new
DTB would break these boards. Not to mention that these platforms
would not be interested in using a different image just because they
are enabling some functionality on the platform.
>
> As you know I am not a fan of these opaque binaries when we have a
> nice self-describing format like devicetre. But we can worry about
> that problem another time.
I know, but this is what we have when we follow the UEFI
specification. It is not our design.
-sughosh
>
> > + depends on EFI_CAPSULE_AUTHENTICATE
> > + help
> > + Provides the path to the EFI Signature List file which will
> > + be embedded in the platform's device tree and used for
> > + capsule authentication at the time of capsule update.
> > +
> > config EFI_DEVICE_PATH_TO_TEXT
> > bool "Device path to text protocol"
> > default y
> > diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in
> > new file mode 100644
> > index 0000000000..61a9f2b25e
> > --- /dev/null
> > +++ b/lib/efi_loader/capsule_esl.dtsi.in
> > @@ -0,0 +1,11 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/**
> > + * Devicetree file with the public key EFI Signature List(ESL)
> > + * node. This file is used to generate the dtsi file to be
> > + * included into the DTB.
> > +*/
> > +/ {
> > + signature {
> > + capsule-key = /incbin/("ESL_BIN_FILE");
> > + };
> > +};
> > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> > index 368b5a3e28..2e71f190bc 100644
> > --- a/scripts/Makefile.lib
> > +++ b/scripts/Makefile.lib
> > @@ -334,7 +334,23 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
> > ; \
> > sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
> >
> > -$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
> > +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> > +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
> > +cmd_capsule_esl_gen = \
> > + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)
> > +
> > +$(obj)/.capsule_esl.dtsi:
> > + $(call cmd_capsule_esl_gen)
> > +
> > +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
> > +capsule_esl_dtsi = .capsule_esl.dtsi
> > +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
> > +dtsi_include_list += $(capsule_esl_dtsi)
> > +endif
> > +
> > +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
> > +
> > +$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
> > $(call if_changed_dep,dtc)
> >
> > pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
> > --
> > 2.34.1
> >
>
> Regards,
> Simon
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
2023-08-15 20:24 ` Tom Rini
@ 2023-08-16 4:29 ` Sughosh Ganu
0 siblings, 0 replies; 15+ messages in thread
From: Sughosh Ganu @ 2023-08-16 4:29 UTC (permalink / raw)
To: Tom Rini
Cc: u-boot, Heinrich Schuchardt, Ilias Apalodimas, Simon Glass,
Takahiro Akashi
hi Tom,
On Wed, 16 Aug 2023 at 01:54, Tom Rini <trini@konsulko.com> wrote:
>
> On Tue, Aug 15, 2023 at 09:56:20PM +0530, Sughosh Ganu wrote:
>
> > The EFI capsule authentication logic in u-boot expects the public key
> > in the form of an EFI Signature List(ESL) to be provided as part of
> > the platform's dtb. Currently, the embedding of the ESL file into the
> > dtb needs to be done manually.
> >
> > Add a target for generating a dtsi file which contains the signature
> > node with the ESL file included as a property under the signature
> > node. Include the dtsi file in the dtb. This brings the embedding of
> > the ESL in the dtb into the U-Boot build flow.
> >
> > The path to the ESL file is specified through the
> > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> >
> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> [snip]
> > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> > index 368b5a3e28..2e71f190bc 100644
> > --- a/scripts/Makefile.lib
> > +++ b/scripts/Makefile.lib
> > @@ -334,7 +334,23 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
> > ; \
> > sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
> >
> > -$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
> > +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> > +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
> > +cmd_capsule_esl_gen = \
> > + $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)
> > +
> > +$(obj)/.capsule_esl.dtsi:
> > + $(call cmd_capsule_esl_gen)
> > +
> > +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
> > +capsule_esl_dtsi = .capsule_esl.dtsi
> > +capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
> > +dtsi_include_list += $(capsule_esl_dtsi)
> > +endif
>
> We should only need to ifdef around appending to dtsi_include_list. The
> rest we can / should just leave always there, that's cleaner reading.
Okay
>
> > +
> > +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))
> > +
> > +$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
>
> This part here is a separate bugfix and we should do that as patch 2,
> and the rest of the changes here as patch 3.
Will put this in a separate patch. Thanks.
-sughosh
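The build step described in the commit message incbin's whatever file CONFIG_EFI_CAPSULE_ESL_FILE names without looking at its contents. As an added example that is not part of this series, here is a Python check of the EFI Signature List format (GUID-typed lists of SignatureOwner plus data entries) that a board maintainer could run before the build embeds the file; build_esl, the sample owner GUID and the fake certificate bytes are constructed here for illustration.

```python
"""Sanity-check an EFI Signature List (ESL) before the build embeds it in a DTB."""
import struct
import uuid

# GUIDs from the UEFI specification (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def parse_esl(blob):
    """Walk the EFI_SIGNATURE_LIST structures concatenated in blob; raise ValueError
    when the size fields do not describe the bytes actually present."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize %d does not fit the file" % list_size)
        body = blob[off + ESL_HEADER.size + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("SignatureSize %d does not divide the list body" % sig_size)
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def count_capsule_certs(blob):
    """Return how many X.509 certificates the ESL carries; every entry must be an
    EFI_CERT_X509_GUID entry whose data starts like a DER SEQUENCE."""
    certs = 0
    for sig_type, _owner, data in parse_esl(blob):
        if sig_type != EFI_CERT_X509_GUID:
            raise ValueError("unexpected signature type %s in capsule ESL" % sig_type)
        if not data.startswith(b"\x30"):
            raise ValueError("certificate data is not DER encoded")
        certs += 1
    if certs == 0:
        raise ValueError("ESL contains no certificates")
    return certs


def build_esl(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sig_size = 16 + len(payloads[0])  # every entry in a list has the same size
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size)
    return header + body


# Constructed sample input: a fake DER SEQUENCE standing in for a real certificate.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_ESL = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT])
```

Running count_capsule_certs over the bytes of the configured file before the dtsi is generated turns a mis-pointed or truncated ESL into a build failure instead of a board that rejects every capsule.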
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
2023-08-16 4:28 ` Sughosh Ganu
@ 2023-08-16 21:26 ` Tom Rini
2023-08-17 13:41 ` Simon Glass
0 siblings, 1 reply; 15+ messages in thread
From: Tom Rini @ 2023-08-16 21:26 UTC (permalink / raw)
To: Sughosh Ganu
Cc: Simon Glass, u-boot, Heinrich Schuchardt, Ilias Apalodimas,
Takahiro Akashi
On Wed, Aug 16, 2023 at 09:58:42AM +0530, Sughosh Ganu wrote:
> hi Simon,
>
> On Wed, 16 Aug 2023 at 00:09, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Sughosh,
> >
> > On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > >
> > > The EFI capsule authentication logic in u-boot expects the public key
> > > in the form of an EFI Signature List(ESL) to be provided as part of
> > > the platform's dtb. Currently, the embedding of the ESL file into the
> > > dtb needs to be done manually.
> > >
> > > Add a target for generating a dtsi file which contains the signature
> > > node with the ESL file included as a property under the signature
> > > node. Include the dtsi file in the dtb. This brings the embedding of
> > > the ESL in the dtb into the U-Boot build flow.
> > >
> > > The path to the ESL file is specified through the
> > > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> > >
> > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > ---
> > > Changes since RFC series:
> > > * Remove the default value of the config symbol.
> > > * s/include_files/dtsi_include_list
> > > * Add all the dtsi files being included as dependency for the dtb
> > > target.
> > >
> > > lib/efi_loader/Kconfig | 8 ++++++++
> > > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
> > > scripts/Makefile.lib | 18 +++++++++++++++++-
> > > 3 files changed, 36 insertions(+), 1 deletion(-)
> > > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
> > >
> > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > > index 9989e3f384..d20aaab6db 100644
> > > --- a/lib/efi_loader/Kconfig
> > > +++ b/lib/efi_loader/Kconfig
> > > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
> > > Select the max capsule index value used for capsule report
> > > variables. This value is used to create CapsuleMax variable.
> > >
> > > +config EFI_CAPSULE_ESL_FILE
> > > + string "Path to the EFI Signature List File"
> >
> > Do we need this, or could we name it as we do with the .env file? It
> > seems confusing to have to set this for each board - it might be
> > better to have it in a defined location.
>
> The reason I put this is because I thought this gave the user the
> flexibility to provide the location and name of the ESL. But I suppose
> that the board directory would be a good location to expect this file.
> Then this file can have a name like capsule_pub_key.esl. Tom, what are
> your thoughts on this?
I feel like an automatic name we can guess isn't likely how this will be
used in the real world, so we should leave this as configurable.
--
Tom
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
2023-08-16 21:26 ` Tom Rini
@ 2023-08-17 13:41 ` Simon Glass
2023-08-17 15:10 ` Tom Rini
0 siblings, 1 reply; 15+ messages in thread
From: Simon Glass @ 2023-08-17 13:41 UTC (permalink / raw)
To: Tom Rini
Cc: Sughosh Ganu, u-boot, Heinrich Schuchardt, Ilias Apalodimas,
Takahiro Akashi
Hi Tom,
On Wed, 16 Aug 2023 at 15:26, Tom Rini <trini@konsulko.com> wrote:
>
> On Wed, Aug 16, 2023 at 09:58:42AM +0530, Sughosh Ganu wrote:
> > hi Simon,
> >
> > On Wed, 16 Aug 2023 at 00:09, Simon Glass <sjg@chromium.org> wrote:
> > >
> > > Hi Sughosh,
> > >
> > > On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > > >
> > > > The EFI capsule authentication logic in u-boot expects the public key
> > > > in the form of an EFI Signature List(ESL) to be provided as part of
> > > > the platform's dtb. Currently, the embedding of the ESL file into the
> > > > dtb needs to be done manually.
> > > >
> > > > Add a target for generating a dtsi file which contains the signature
> > > > node with the ESL file included as a property under the signature
> > > > node. Include the dtsi file in the dtb. This brings the embedding of
> > > > the ESL in the dtb into the U-Boot build flow.
> > > >
> > > > The path to the ESL file is specified through the
> > > > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> > > >
> > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > > ---
> > > > Changes since RFC series:
> > > > * Remove the default value of the config symbol.
> > > > * s/include_files/dtsi_include_list
> > > > * Add all the dtsi files being included as dependency for the dtb
> > > > target.
> > > >
> > > > lib/efi_loader/Kconfig | 8 ++++++++
> > > > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
> > > > scripts/Makefile.lib | 18 +++++++++++++++++-
> > > > 3 files changed, 36 insertions(+), 1 deletion(-)
> > > > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
> > > >
> > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > > > index 9989e3f384..d20aaab6db 100644
> > > > --- a/lib/efi_loader/Kconfig
> > > > +++ b/lib/efi_loader/Kconfig
> > > > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
> > > > Select the max capsule index value used for capsule report
> > > > variables. This value is used to create CapsuleMax variable.
> > > >
> > > > +config EFI_CAPSULE_ESL_FILE
> > > > + string "Path to the EFI Signature List File"
> > >
> > > Do we need this, or could we name it as we do with the .env file? It
> > > seems confusing to have to set this for each board - it might be
> > > better to have it in a defined location.
> >
> > The reason I put this is because I thought this gave the user the
> > flexibility to provide the location and name of the ESL. But I suppose
> > that the board directory would be a good location to expect this file.
> > Then this file can have a name like capsule_pub_key.esl. Tom, what are
> > your thoughts on this?
>
> I feel like an automatic name we can guess isn't likely how this will be
> used in the real world, so we should leave this as configurable.
Are we expecting these files to end up in the source tree? Where would they go?
Regards,
Simon
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
2023-08-17 13:41 ` Simon Glass
@ 2023-08-17 15:10 ` Tom Rini
2023-08-18 3:10 ` Simon Glass
0 siblings, 1 reply; 15+ messages in thread
From: Tom Rini @ 2023-08-17 15:10 UTC (permalink / raw)
To: Simon Glass
Cc: Sughosh Ganu, u-boot, Heinrich Schuchardt, Ilias Apalodimas,
Takahiro Akashi
On Thu, Aug 17, 2023 at 07:41:33AM -0600, Simon Glass wrote:
> Hi Tom,
>
> On Wed, 16 Aug 2023 at 15:26, Tom Rini <trini@konsulko.com> wrote:
> >
> > On Wed, Aug 16, 2023 at 09:58:42AM +0530, Sughosh Ganu wrote:
> > > hi Simon,
> > >
> > > On Wed, 16 Aug 2023 at 00:09, Simon Glass <sjg@chromium.org> wrote:
> > > >
> > > > Hi Sughosh,
> > > >
> > > > On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > > > >
> > > > > The EFI capsule authentication logic in u-boot expects the public key
> > > > > in the form of an EFI Signature List(ESL) to be provided as part of
> > > > > the platform's dtb. Currently, the embedding of the ESL file into the
> > > > > dtb needs to be done manually.
> > > > >
> > > > > Add a target for generating a dtsi file which contains the signature
> > > > > node with the ESL file included as a property under the signature
> > > > > node. Include the dtsi file in the dtb. This brings the embedding of
> > > > > the ESL in the dtb into the U-Boot build flow.
> > > > >
> > > > > The path to the ESL file is specified through the
> > > > > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> > > > >
> > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > > > ---
> > > > > Changes since RFC series:
> > > > > * Remove the default value of the config symbol.
> > > > > * s/include_files/dtsi_include_list
> > > > > * Add all the dtsi files being included as dependency for the dtb
> > > > > target.
> > > > >
> > > > > lib/efi_loader/Kconfig | 8 ++++++++
> > > > > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
> > > > > scripts/Makefile.lib | 18 +++++++++++++++++-
> > > > > 3 files changed, 36 insertions(+), 1 deletion(-)
> > > > > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
> > > > >
> > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > > > > index 9989e3f384..d20aaab6db 100644
> > > > > --- a/lib/efi_loader/Kconfig
> > > > > +++ b/lib/efi_loader/Kconfig
> > > > > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
> > > > > Select the max capsule index value used for capsule report
> > > > > variables. This value is used to create CapsuleMax variable.
> > > > >
> > > > > +config EFI_CAPSULE_ESL_FILE
> > > > > + string "Path to the EFI Signature List File"
> > > >
> > > > Do we need this, or could we name it as we do with the .env file? It
> > > > seems confusing to have to set this for each board - it might be
> > > > better to have it in a defined location.
> > >
> > > The reason I put this is because I thought this gave the user the
> > > flexibility to provide the location and name of the ESL. But I suppose
> > > that the board directory would be a good location to expect this file.
> > > Then this file can have a name like capsule_pub_key.esl. Tom, what are
> > > your thoughts on this?
> >
> > I feel like an automatic name we can guess isn't likely how this will be
> > used in the real world, so we should leave this as configurable.
>
> Are we expecting these files to end up in the source tree? Where would they go?
Yes, they should be
board/vendor/common/whatever-vendor-uses-internally.esl or so. As I
think I mentioned on IRC, in theory someone like Asus should be using
the same file here for their rockchip-based tinker board and their x86_64
based motherboards too. And it's a public key, not a private key. But
we still need to ask here because a vendor may care more about
"security" and so have the key /over/somewhere/else more than
reproducible builds.
--
Tom
* Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb
2023-08-17 15:10 ` Tom Rini
@ 2023-08-18 3:10 ` Simon Glass
0 siblings, 0 replies; 15+ messages in thread
From: Simon Glass @ 2023-08-18 3:10 UTC (permalink / raw)
To: Tom Rini
Cc: Sughosh Ganu, U-Boot Mailing List, Heinrich Schuchardt,
Ilias Apalodimas, Takahiro Akashi
Hi Tom,
On Thu, 17 Aug 2023 at 09:10, Tom Rini <trini@konsulko.com> wrote:
>
> On Thu, Aug 17, 2023 at 07:41:33AM -0600, Simon Glass wrote:
> > Hi Tom,
> >
> > On Wed, 16 Aug 2023 at 15:26, Tom Rini <trini@konsulko.com> wrote:
> > >
> > > On Wed, Aug 16, 2023 at 09:58:42AM +0530, Sughosh Ganu wrote:
> > > > hi Simon,
> > > >
> > > > On Wed, 16 Aug 2023 at 00:09, Simon Glass <sjg@chromium.org> wrote:
> > > > >
> > > > > Hi Sughosh,
> > > > >
> > > > > On Tue, 15 Aug 2023 at 10:26, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > > > > >
> > > > > > The EFI capsule authentication logic in u-boot expects the public key
> > > > > > in the form of an EFI Signature List(ESL) to be provided as part of
> > > > > > the platform's dtb. Currently, the embedding of the ESL file into the
> > > > > > dtb needs to be done manually.
> > > > > >
> > > > > > Add a target for generating a dtsi file which contains the signature
> > > > > > node with the ESL file included as a property under the signature
> > > > > > node. Include the dtsi file in the dtb. This brings the embedding of
> > > > > > the ESL in the dtb into the U-Boot build flow.
> > > > > >
> > > > > > The path to the ESL file is specified through the
> > > > > > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> > > > > >
> > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > > > > ---
> > > > > > Changes since RFC series:
> > > > > > * Remove the default value of the config symbol.
> > > > > > * s/include_files/dtsi_include_list
> > > > > > * Add all the dtsi files being included as dependency for the dtb
> > > > > > target.
> > > > > >
> > > > > > lib/efi_loader/Kconfig | 8 ++++++++
> > > > > > lib/efi_loader/capsule_esl.dtsi.in | 11 +++++++++++
> > > > > > scripts/Makefile.lib | 18 +++++++++++++++++-
> > > > > > 3 files changed, 36 insertions(+), 1 deletion(-)
> > > > > > create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
> > > > > >
> > > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > > > > > index 9989e3f384..d20aaab6db 100644
> > > > > > --- a/lib/efi_loader/Kconfig
> > > > > > +++ b/lib/efi_loader/Kconfig
> > > > > > @@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
> > > > > > Select the max capsule index value used for capsule
report
> > > > > > variables. This value is used to create CapsuleMax
variable.
> > > > > >
> > > > > > +config EFI_CAPSULE_ESL_FILE
> > > > > > + string "Path to the EFI Signature List File"
> > > > >
> > > > > Do we need this, or could we name it as we do with the .env file? It
> > > > > seems confusing to have to set this for each board - it might be
> > > > > better to have it in a defined location.
> > > >
> > > > The reason I put this is because I thought this gave the user the
> > > > flexibility to provide the location and name of the ESL. But I suppose
> > > > that the board directory would be a good location to expect this file.
> > > > Then this file can have a name like capsule_pub_key.esl. Tom, what are
> > > > your thoughts on this?
> > >
> > > I feel like an automatic name we can guess isn't likely how this will be
> > > used in the real world, so we should leave this as configurable.
> >
> > Are we expecting these files to end up in the source tree? Where would they go?
>
> Yes, they should be
> board/vendor/common/whatever-vendor-uses-internally.esl or so. As I
> think I mentioned on IRC, in theory someone like Asus should be using
> the same file here for their rockchip-based tinker board and their x86_64
> based motherboards too. And it's a public key, not a private key. But
> we still need to ask here because a vendor may care more about
> "security" and so have the key /over/somewhere/else more than
> reproducible builds.
OK.
Regards,
Simon
2023-08-15 16:26 [PATCH 0/5] capsule: Embed the public key ESL as part of build Sughosh Ganu
2023-08-15 16:26 ` [PATCH 1/5] scripts/Makefile.lib: Collate all dtsi files for inclusion Sughosh Ganu
2023-08-15 20:23 ` Tom Rini
2023-08-15 16:26 ` [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb Sughosh Ganu
2023-08-15 18:39 ` Simon Glass
2023-08-16 4:28 ` Sughosh Ganu
2023-08-16 21:26 ` Tom Rini
2023-08-17 13:41 ` Simon Glass
2023-08-17 15:10 ` Tom Rini
2023-08-18 3:10 ` Simon Glass
2023-08-15 20:24 ` Tom Rini
2023-08-16 4:29 ` Sughosh Ganu
2023-08-15 16:26 ` [PATCH 3/5] sandbox: capsule: Add path to the public key ESL file Sughosh Ganu
2023-08-15 16:26 ` [PATCH 4/5] doc: capsule: Document the new mechanism to embed ESL file into dtb Sughosh Ganu
2023-08-15 16:26 ` [PATCH 5/5] test: capsule: Remove logic to add public key ESL Sughosh Ganu