* [RESEND PATCH v1 1/5] efi_loader: Kconfig: Select IMAGE_SIGN_INFO when capsule authentication is enabled
2021-04-07 14:41 [RESEND PATCH v1 0/5] Add support for embedding public key in platform's dtb Sughosh Ganu
@ 2021-04-07 14:41 ` Sughosh Ganu
2021-04-07 16:14 ` Simon Glass
2021-04-07 14:41 ` [RESEND PATCH v1 2/5] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb Sughosh Ganu
` (3 subsequent siblings)
4 siblings, 1 reply; 7+ messages in thread
From: Sughosh Ganu @ 2021-04-07 14:41 UTC (permalink / raw)
To: u-boot
Enable building of the crypto helper functions used during capsule
authentication by selecting IMAGE_SIGN_INFO.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
This was not detected when support for capsule auth was added to the
qemu arm64 platform. This is because the platform includes
CONFIG_FIT_SIGNATURE which selects IMAGE_SIGN_INFO.
lib/efi_loader/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index e44f004f3f..0b99d7c774 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -173,6 +173,7 @@ config EFI_CAPSULE_AUTHENTICATE
select X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
+ select IMAGE_SIGN_INFO
default n
help
Select this option if you want to enable capsule
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [RESEND PATCH v1 2/5] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb
2021-04-07 14:41 [RESEND PATCH v1 0/5] Add support for embedding public key in platform's dtb Sughosh Ganu
2021-04-07 14:41 ` [RESEND PATCH v1 1/5] efi_loader: Kconfig: Select IMAGE_SIGN_INFO when capsule authentication is enabled Sughosh Ganu
@ 2021-04-07 14:41 ` Sughosh Ganu
2021-04-07 14:41 ` [RESEND PATCH v1 3/5] efi_capsule: Add a weak function to check whether capsule authentication is enabled Sughosh Ganu
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Sughosh Ganu @ 2021-04-07 14:41 UTC (permalink / raw)
To: u-boot
Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to
be used for embedding the public key to be used for capsule
authentication into the platform's device tree.
The embedding of the public key would take place during the platform
build process.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
lib/efi_loader/Kconfig | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 0b99d7c774..de3083a979 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE
Select this option if you want to enable capsule
authentication
+config EFI_PKEY_DTB_EMBED
+ bool "Embed the public key in the Device Tree"
+ default n
+ depends on EFI_CAPSULE_AUTHENTICATE
+ help
+ Select this option if the public key used for capsule
+ authentication is to be embedded into the platform's
+ device tree.
+
+config EFI_PKEY_FILE
+ string "Public Key esl file to be embedded into the Device Tree"
+ help
+ Specify the absolute path of the public key esl file that is
+ to be embedded in the platform's device tree.
+
config EFI_CAPSULE_FIRMWARE_FIT
bool "FMP driver for FIT image"
depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [RESEND PATCH v1 3/5] efi_capsule: Add a weak function to check whether capsule authentication is enabled
2021-04-07 14:41 [RESEND PATCH v1 0/5] Add support for embedding public key in platform's dtb Sughosh Ganu
2021-04-07 14:41 ` [RESEND PATCH v1 1/5] efi_loader: Kconfig: Select IMAGE_SIGN_INFO when capsule authentication is enabled Sughosh Ganu
2021-04-07 14:41 ` [RESEND PATCH v1 2/5] efi_loader: Kconfig: Add symbols for embedding the public key into the platform's dtb Sughosh Ganu
@ 2021-04-07 14:41 ` Sughosh Ganu
2021-04-07 14:41 ` [RESEND PATCH v1 4/5] efi_capsule: Add a weak function to get the public key needed for capsule authentication Sughosh Ganu
2021-04-07 14:41 ` [RESEND PATCH v1 5/5] Makefile: Add provision for embedding public key in platform's dtb Sughosh Ganu
4 siblings, 0 replies; 7+ messages in thread
From: Sughosh Ganu @ 2021-04-07 14:41 UTC (permalink / raw)
To: u-boot
Define a weak function which checks if the environment variable
capsule_authentication_enabled has been set, for enabling capsule
authentication. Other platforms might have a different mechanism to
determine this, and would then define their own platform specific
function.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
board/emulation/common/qemu_capsule.c | 6 ------
lib/efi_loader/efi_capsule.c | 6 ++++++
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c
index 5cb461d52b..6b8a87022a 100644
--- a/board/emulation/common/qemu_capsule.c
+++ b/board/emulation/common/qemu_capsule.c
@@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
return 0;
}
-
-bool efi_capsule_auth_enabled(void)
-{
- return env_get("capsule_authentication_enabled") != NULL ?
- true : false;
-}
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 0cfff0daf7..1423b675c8 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -218,6 +218,12 @@ __weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
return 0;
}
+__weak bool efi_capsule_auth_enabled(void)
+{
+ return env_get("capsule_authentication_enabled") ?
+ true : false;
+}
+
efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
void **image, efi_uintn_t *image_size)
{
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [RESEND PATCH v1 4/5] efi_capsule: Add a weak function to get the public key needed for capsule authentication
2021-04-07 14:41 [RESEND PATCH v1 0/5] Add support for embedding public key in platform's dtb Sughosh Ganu
` (2 preceding siblings ...)
2021-04-07 14:41 ` [RESEND PATCH v1 3/5] efi_capsule: Add a weak function to check whether capsule authentication is enabled Sughosh Ganu
@ 2021-04-07 14:41 ` Sughosh Ganu
2021-04-07 14:41 ` [RESEND PATCH v1 5/5] Makefile: Add provision for embedding public key in platform's dtb Sughosh Ganu
4 siblings, 0 replies; 7+ messages in thread
From: Sughosh Ganu @ 2021-04-07 14:41 UTC (permalink / raw)
To: u-boot
Define a weak function which would be used in the scenario where the
public key is stored on the platform's dtb. This dtb is concatenated
with the u-boot binary during the build process. Platforms which have
a different mechanism for getting the public key would define their
own platform specific function.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
lib/efi_loader/efi_capsule.c | 38 ++++++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 1423b675c8..fc5e1c0856 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -14,10 +14,13 @@
#include <mapmem.h>
#include <sort.h>
+#include <asm/global_data.h>
#include <crypto/pkcs7.h>
#include <crypto/pkcs7_parser.h>
#include <linux/err.h>
+DECLARE_GLOBAL_DATA_PTR;
+
const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID;
static const efi_guid_t efi_guid_firmware_management_capsule_id =
EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;
@@ -210,11 +213,38 @@ const efi_guid_t efi_guid_capsule_root_cert_guid =
__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
{
- /* The platform is supposed to provide
- * a method for getting the public key
- * stored in the form of efi signature
- * list
+ /*
+ * This is a function for retrieving the public key from the
+ * platform's device tree. The platform's device tree has been
+ * concatenated with the u-boot binary.
+ * If a platform has a different mechanism to get the public
+ * key, it can define it's own function.
*/
+ const void *fdt_blob = gd->fdt_blob;
+ const void *blob;
+ const char *cnode_name = "capsule-key";
+ const char *snode_name = "signature";
+ int sig_node;
+ int len;
+
+ sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);
+ if (sig_node < 0) {
+ EFI_PRINT("Unable to get signature node offset\n");
+ return -FDT_ERR_NOTFOUND;
+ }
+
+ blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);
+
+ if (!blob || len < 0) {
+ EFI_PRINT("Unable to get capsule-key value\n");
+ *pkey = NULL;
+ *pkey_len = 0;
+ return -FDT_ERR_NOTFOUND;
+ }
+
+ *pkey = (void *)blob;
+ *pkey_len = len;
+
return 0;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [RESEND PATCH v1 5/5] Makefile: Add provision for embedding public key in platform's dtb
2021-04-07 14:41 [RESEND PATCH v1 0/5] Add support for embedding public key in platform's dtb Sughosh Ganu
` (3 preceding siblings ...)
2021-04-07 14:41 ` [RESEND PATCH v1 4/5] efi_capsule: Add a weak function to get the public key needed for capsule authentication Sughosh Ganu
@ 2021-04-07 14:41 ` Sughosh Ganu
4 siblings, 0 replies; 7+ messages in thread
From: Sughosh Ganu @ 2021-04-07 14:41 UTC (permalink / raw)
To: u-boot
Add provision for embedding the public key used for capsule
authentication in the platform's dtb. This is done by invoking the
mkeficapsule utility which puts the public key in the efi signature
list(esl) format into the dtb.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Makefile | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/Makefile b/Makefile
index 193aa4d1c9..0d50c6a805 100644
--- a/Makefile
+++ b/Makefile
@@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; false; }
quiet_cmd_lzma = LZMA $@
cmd_lzma = lzma -c -z -k -9 $< > $@
+quiet_cmd_mkeficapsule = MKEFICAPSULE $@
+cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \
+ -D $@
+
cfg: u-boot.cfg
quiet_cmd_cfgcheck = CFGCHK $2
@@ -1104,8 +1108,14 @@ endif
PHONY += dtbs
dtbs: dts/dt.dtb
@:
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)
+dts/dt.dtb: u-boot tools
+ $(Q)$(MAKE) $(build)=dts dtbs
+ $(call cmd,mkeficapsule)
+else
dts/dt.dtb: u-boot
$(Q)$(MAKE) $(build)=dts dtbs
+endif
quiet_cmd_copy = COPY $@
cmd_copy = cp $< $@
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread