Hi Sughosh, On Tue, 13 Jun 2023 at 11:41, Sughosh Ganu <sughosh.g...@linaro.org> wrote: > > The EFI capsule authentication logic in u-boot expects the public key > in the form of an EFI Signature List(ESL) to be provided as part of > the platform's dtb. Currently, the embedding of the ESL file into the > dtb needs to be done manually. > > Add a script for embedding the ESL used for capsule authentication in > the platform's dtb, and call this as part of building the dtb(s). This > brings the embedding of the ESL in the dtb into the u-boot build flow. > > The path to the ESL file is specified through the > CONFIG_EFI_CAPSULE_ESL_FILE symbol. > > Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org> > --- > lib/efi_loader/Kconfig | 11 +++++++++++ > scripts/Makefile.lib | 8 ++++++++ > scripts/embed_capsule_key.sh | 25 +++++++++++++++++++++++++ > 3 files changed, 44 insertions(+) > create mode 100755 scripts/embed_capsule_key.sh > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index c5835e6ef6..1326a1d109 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -234,6 +234,17 @@ config EFI_CAPSULE_MAX > Select the max capsule index value used for capsule report > variables. This value is used to create CapsuleMax variable. > > +config EFI_CAPSULE_ESL_FILE > + string "Path to the EFI Signature List File" > + default "" > + depends on EFI_CAPSULE_AUTHENTICATE > + help > + Provides the absolute path to the EFI Signature List > + file which will be embedded in the platform's device > + tree and used for capsule authentication at the time > + of capsule update. > + > + > config EFI_DEVICE_PATH_TO_TEXT > bool "Device path to text protocol" > default y > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib > index 7b27224b5d..a4083d0a26 100644 > --- a/scripts/Makefile.lib > +++ b/scripts/Makefile.lib > @@ -192,6 +192,8 @@ dtc_cpp_flags = -Wp,-MD,$(depfile).pre.tmp -nostdinc > \ > -D__ASSEMBLY__ \ > -undef -D__DTS__ > > +export dtc_cpp_flags > + > # Finds the multi-part object the current object will be linked into > modname-multi = $(sort $(foreach m,$(multi-used),\ > $(if $(filter $(subst $(obj)/,,$*.o), $($(m:.o=-objs)) > $($(m:.o=-y))),$(m:.o=)))) > @@ -315,6 +317,9 @@ ifeq ($(CONFIG_OF_LIBFDT_OVERLAY),y) > DTC_FLAGS += -@ > endif > > +quiet_cmd_embedcapsulekey = EMBEDCAPSULEKEY $@ > +cmd_embedcapsulekey = $(srctree)/scripts/embed_capsule_key.sh $@ > + > quiet_cmd_dtc = DTC $@ > # Modified for U-Boot > # Bring in any U-Boot-specific include at the end of the file > @@ -333,6 +338,9 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ > > $(obj)/%.dtb: $(src)/%.dts FORCE > $(call if_changed_dep,dtc) > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) > + $(call cmd,embedcapsulekey,$@) > +endif > > pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp) > dtc-tmp = $(subst $(comma),_,$(dot-target).dts.tmp) > diff --git a/scripts/embed_capsule_key.sh b/scripts/embed_capsule_key.sh > new file mode 100755 > index 0000000000..1c2e45f758 > --- /dev/null > +++ b/scripts/embed_capsule_key.sh > @@ -0,0 +1,25 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0+ > +# > +# Copyright (C) 2023, Linaro Limited > +# > + > +gen_capsule_signature_file() { > +cat >> $1 << EOF > +/dts-v1/; > +/plugin/; > + > +&{/} { > + signature { > + capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE); > + }; > +}; > +EOF > +} > + > +gen_capsule_signature_file signature.$$.dts > /dev/null 2>&1 > +$CPP $dtc_cpp_flags -x assembler-with-cpp -o signature.$$.tmp > signature.$$.dts > /dev/null 2>&1 > +dtc -@ -O dtb -o signature.$$.dtbo signature.$$.tmp > /dev/null 2>&1 > +fdtoverlay -i $1 -o temp.$$.dtb -v signature.$$.dtbo > /dev/null 2>&1 > +mv temp.$$.dtb $1 > /dev/null 2>&1 > +rm -f signature.$$.* > /dev/null 2>&1 > -- > 2.34.1 >
Can you please add this to binman instead? Regards, Simon