Hi Takahiro, On Sun, 1 Aug 2021 at 16:57, AKASHI Takahiro <takahiro.aka...@linaro.org> wrote: > > Simon, > > On Sun, Aug 01, 2021 at 01:00:20PM -0600, Simon Glass wrote: > > Hi Takahiro, > > > > On Sat, 31 Jul 2021 at 22:29, AKASHI Takahiro > > <takahiro.aka...@linaro.org> wrote: > > > > > > Simon, > > > > > > On Sat, Jul 31, 2021 at 10:59:32AM -0600, Simon Glass wrote: > > > > Hi Takahiro, > > > > > > > > On Tue, 27 Jul 2021 at 03:12, AKASHI Takahiro > > > > <takahiro.aka...@linaro.org> wrote: > > > > > > > > > > This new configuration, which was derived from sandbox_defconfig, > > > > > will be > > > > > used solely to run efi capsule authentication test as the test > > > > > requires > > > > > a public key (esl file) to be embedded in U-Boot binary. > > > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org> > > > > > --- > > > > > configs/sandbox_capsule_auth_defconfig | 307 > > > > > +++++++++++++++++++++++++ > > > > > 1 file changed, 307 insertions(+) > > > > > create mode 100644 configs/sandbox_capsule_auth_defconfig > > > > > > > > NAK. > > > > > > > > Please just add it to sandbox_defconfig. We sometimes have to create > > > > > > Unfortunately, I can't. > > > Look, we now have two tests, test_capsule_firmware.py and > > > test_capsule_firmware_signed.py, and we need U-Boot binaries, > > > respectively, without a key and with a key. > > > A single configuration cannot satisfy both. > > > > > > > new variants when dealing with actual build variations (e.g. SPL, > > > > building without OF_LIVE), but here we should just enable the feature > > > > in sandbox_defconfig. > > > > > > > > We already covered embedding key in the binary on another thread. > > > > Please don't do that. After that debacle I sent a patch explaining > > > > this: > > > > > > > > http://patchwork.ozlabs.org/project/uboot/patch/20210725164400.468319-3-...@chromium.org/ > > > > > > Please discuss and make an agreement with Heinrich. > > > The patch for embedding a key has already been merged in -rc1. > > > > Which patch was that? I thought I pushed back on the one that did that. > > The commit ddf67daac39d > Author: Ilias Apalodimas <ilias.apalodi...@linaro.org> > Date: Sat Jul 17 17:26:44 2021 +0300 > > efi_capsule: Move signature from DTB to .rodata
OK I sent a revert of that as you saw. Then I sent a v2 revert of three patches when you explained that was not enough. I hope we can figure this out quickly. > > > > > In my personal opinion, neither approaches won't apply to production > > > any way. I have not seen any design for how EFI signing would work in production but I am happy to review it. The existing FIT-signing scheme is widely used in production environments. If we use similar processes then we should be OK. Regards, Simon