Ilias Apalodimas <ilias.apalodi...@linaro.org> writes: > Hi Jonathan > > On Thu, 13 Jun 2024 at 23:28, Jonathan Humphreys <j-humphr...@ti.com> wrote: >> >> Use the capsule's public key certificate rather than a prebuilt ESL >> generated from the certificate. The ESL is now generated as part of the >> build. > > Is there a reason to do this? I understand that the .crt extension > might be well known while the .esl is not, but OTOH the system you > build on after this change *needs* to have cert-to-efi-sig-list > installed > Hi Ilias,
In general, I am following the principle that it is better to not include in your source repo derived binaries that can be built at buildtime. As far as the need to have cert-to-efi-sig-list, it is part of efitools and that is already documented as a requirement for the build host ([0] and [1]), and our baseline Docker file also includes it. [0] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#enabling-capsule-authentication [1] https://docs.u-boot.org/en/latest/develop/uefi/uefi.html#configuring-uefi-secure-boot Jon > Thanks > /Ilias >> >> Changes from v1: >> - Converted the single patch to a series to include a bug fix found during >> development. >> - Created an explicit rule for creating the ESL file for proper makefile >> dependency tracking. v1 had combined creating the ESL file and >> generating the .dtsi include in a single command. >> >> Jonathan Humphreys (2): >> scripts/Makefile.lib: fixes: Embed capsule public key in platform's >> dtb >> scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file >> >> board/sandbox/capsule_pub_esl_good.esl | Bin 831 -> 0 bytes >> configs/sandbox_defconfig | 2 +- >> configs/sandbox_flattree_defconfig | 2 +- >> doc/develop/uefi/uefi.rst | 8 ++++---- >> lib/efi_loader/Kconfig | 12 +++++++----- >> scripts/Makefile.lib | 24 +++++++++++++++--------- >> 6 files changed, 28 insertions(+), 20 deletions(-) >> delete mode 100644 board/sandbox/capsule_pub_esl_good.esl >> >> -- >> 2.34.1 >>
