From: Simon Glass <sjg@chromium.org>
To: U-Boot Mailing List <u-boot@lists.denx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Heinrich Schuchardt <xypron.glpk@gmx.de>,
KASHI Takahiro <takahiro.akashi@linaro.org>,
Simon Glass <sjg@chromium.org>, Alexander Graf <agraf@csgraf.de>,
Masami Hiramatsu <masami.hiramatsu@linaro.org>,
Sughosh Ganu <sughosh.ganu@linaro.org>
Subject: [PATCH v2 3/3] Revert "efi_capsule: Move signature from DTB to .rodata"
Date: Mon, 2 Aug 2021 08:44:31 -0600 [thread overview]
Message-ID: <20210802144431.2396678-4-sjg@chromium.org> (raw)
In-Reply-To: <20210802144431.2396678-1-sjg@chromium.org>
This was unfortunately applied despite much discussion about it beiong
the wrong way to implement this feature.
Revert it before too many other things are built on top of it.
This reverts commit ddf67daac39de76d2697d587148f4c2cb768f492.
Signed-off-by: Simon Glass <sjg@chromium.org>
---
Changes in v2:
- Also revert two other patches, based on comment from Takahiro
board/emulation/common/Makefile | 1 +
board/emulation/common/qemu_capsule.c | 43 +++++++++++++++++++++++++++
include/asm-generic/sections.h | 2 --
lib/efi_loader/Kconfig | 7 -----
lib/efi_loader/Makefile | 8 -----
lib/efi_loader/efi_capsule.c | 18 ++---------
lib/efi_loader/efi_capsule_key.S | 17 -----------
7 files changed, 47 insertions(+), 49 deletions(-)
create mode 100644 board/emulation/common/qemu_capsule.c
delete mode 100644 lib/efi_loader/efi_capsule_key.S
diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile
index c5b452e7e34..7ed447a69dc 100644
--- a/board/emulation/common/Makefile
+++ b/board/emulation/common/Makefile
@@ -2,3 +2,4 @@
obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o
obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o
+obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o
diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c
new file mode 100644
index 00000000000..6b8a87022a4
--- /dev/null
+++ b/board/emulation/common/qemu_capsule.c
@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020 Linaro Limited
+ */
+
+#include <common.h>
+#include <efi_api.h>
+#include <efi_loader.h>
+#include <env.h>
+#include <fdtdec.h>
+#include <asm/global_data.h>
+
+DECLARE_GLOBAL_DATA_PTR;
+
+int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
+{
+ const void *fdt_blob = gd->fdt_blob;
+ const void *blob;
+ const char *cnode_name = "capsule-key";
+ const char *snode_name = "signature";
+ int sig_node;
+ int len;
+
+ sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);
+ if (sig_node < 0) {
+ EFI_PRINT("Unable to get signature node offset\n");
+ return -FDT_ERR_NOTFOUND;
+ }
+
+ blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);
+
+ if (!blob || len < 0) {
+ EFI_PRINT("Unable to get capsule-key value\n");
+ *pkey = NULL;
+ *pkey_len = 0;
+ return -FDT_ERR_NOTFOUND;
+ }
+
+ *pkey = (void *)blob;
+ *pkey_len = len;
+
+ return 0;
+}
diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
index ec992b0c2e3..267f1db73f2 100644
--- a/include/asm-generic/sections.h
+++ b/include/asm-generic/sections.h
@@ -27,8 +27,6 @@ extern char __efi_helloworld_begin[];
extern char __efi_helloworld_end[];
extern char __efi_var_file_begin[];
extern char __efi_var_file_end[];
-extern char __efi_capsule_sig_begin[];
-extern char __efi_capsule_sig_end[];
/* Private data used by of-platdata devices/uclasses */
extern char __priv_data_start[], __priv_data_end[];
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index dacc3b58810..7a469f22721 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -214,13 +214,6 @@ config EFI_CAPSULE_AUTHENTICATE
Select this option if you want to enable capsule
authentication
-config EFI_CAPSULE_KEY_PATH
- string "Path to .esl cert for capsule authentication"
- depends on EFI_CAPSULE_AUTHENTICATE
- help
- Provide the EFI signature list (esl) certificate used for capsule
- authentication
-
config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 9b369430e25..fd344cea29b 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -20,19 +20,11 @@ always += helloworld.efi
targets += helloworld.o
endif
-ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
-EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_KEY_PATH))
-ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
-$(error .esl cerificate not found. Configure your CONFIG_EFI_CAPSULE_KEY_PATH)
-endif
-endif
-
obj-$(CONFIG_CMD_BOOTEFI_HELLO) += helloworld_efi.o
obj-$(CONFIG_CMD_BOOTEFI_BOOTMGR) += efi_bootmgr.o
obj-y += efi_boottime.o
obj-y += efi_helper.o
obj-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += efi_capsule.o
-obj-$(CONFIG_EFI_CAPSULE_AUTHENTICATE) += efi_capsule_key.o
obj-$(CONFIG_EFI_CAPSULE_FIRMWARE) += efi_firmware.o
obj-y += efi_console.o
obj-y += efi_device_path.o
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 26990bc2df4..b75e4bcba1a 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -16,7 +16,6 @@
#include <mapmem.h>
#include <sort.h>
-#include <asm/sections.h>
#include <crypto/pkcs7.h>
#include <crypto/pkcs7_parser.h>
#include <linux/err.h>
@@ -253,23 +252,12 @@ out:
#if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
-static int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
-{
- const void *blob = __efi_capsule_sig_begin;
- const int len = __efi_capsule_sig_end - __efi_capsule_sig_begin;
-
- *pkey = (void *)blob;
- *pkey_len = len;
-
- return 0;
-}
-
efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
void **image, efi_uintn_t *image_size)
{
u8 *buf;
int ret;
- void *stored_pkey, *pkey;
+ void *fdt_pkey, *pkey;
efi_uintn_t pkey_len;
uint64_t monotonic_count;
struct efi_signature_store *truststore;
@@ -322,7 +310,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
goto out;
}
- ret = efi_get_public_key_data(&stored_pkey, &pkey_len);
+ ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
if (ret < 0)
goto out;
@@ -330,7 +318,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
if (!pkey)
goto out;
- memcpy(pkey, stored_pkey, pkey_len);
+ memcpy(pkey, fdt_pkey, pkey_len);
truststore = efi_build_signature_store(pkey, pkey_len);
if (!truststore)
goto out;
diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S
deleted file mode 100644
index 58f00b8e4bc..00000000000
--- a/lib/efi_loader/efi_capsule_key.S
+++ /dev/null
@@ -1,17 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0+ */
-/*
- * .esl cert for capsule authentication
- *
- * Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org>
- */
-
-#include <config.h>
-
-.section .rodata.capsule_key.init,"a"
-.balign 16
-.global __efi_capsule_sig_begin
-__efi_capsule_sig_begin:
-.incbin CONFIG_EFI_CAPSULE_KEY_PATH
-__efi_capsule_sig_end:
-.global __efi_capsule_sig_end
-.balign 16
--
2.32.0.554.ge1b32706d8-goog
next prev parent reply other threads:[~2021-08-02 14:45 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-02 14:44 [PATCH v2 0/3] efi: Minimal revert to rodata change Simon Glass
2021-08-02 14:44 ` [PATCH v2 1/3] Revert "doc: Update CapsuleUpdate READMEs" Simon Glass
2021-08-02 14:44 ` [PATCH v2 2/3] Revert "mkeficapsule: Remove dtb related options" Simon Glass
2021-08-03 5:29 ` KASHI Takahiro
2021-08-04 16:08 ` Simon Glass
2021-08-02 14:44 ` Simon Glass [this message]
2021-08-02 15:37 ` [PATCH v2 0/3] efi: Minimal revert to rodata change Ilias Apalodimas
2021-08-02 20:02 ` Simon Glass
2021-08-03 5:43 ` Ilias Apalodimas
2021-08-03 15:27 ` Simon Glass
2021-08-02 17:30 ` Heinrich Schuchardt
2021-08-02 19:22 ` Simon Glass
2021-08-03 5:46 ` [PATCH v2 0/3] efi: Minimal revert to rodata change\ Ilias Apalodimas
2021-08-03 15:27 ` Simon Glass
2021-08-05 15:24 ` [PATCH v2 0/3] efi: Minimal revert to rodata change Heinrich Schuchardt
2021-08-05 15:46 ` Simon Glass
2021-08-06 0:13 ` KASHI Takahiro
2021-08-06 0:33 ` Simon Glass
2021-08-09 16:01 ` Tom Rini
2021-08-13 12:37 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210802144431.2396678-4-sjg@chromium.org \
--to=sjg@chromium.org \
--cc=agraf@csgraf.de \
--cc=ilias.apalodimas@linaro.org \
--cc=masami.hiramatsu@linaro.org \
--cc=sughosh.ganu@linaro.org \
--cc=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.