With this script, a public key is added to a device tree blob
as the default efi_get_public_key_data() expects.

Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
---
 MAINTAINERS     |  1 +
 tools/fdtsig.sh | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100755 tools/fdtsig.sh

diff --git a/MAINTAINERS b/MAINTAINERS
index 569332db4719..860f58ef6640 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -738,6 +738,7 @@ F:  cmd/bootefi.c
 F:     cmd/efidebug.c
 F:     cmd/nvedit_efi.c
 F:     tools/efivar.py
+F:     tools/fdtsig.sh
 F:     tools/file2include.c
 F:     tools/mkeficapsule.c
 
diff --git a/tools/fdtsig.sh b/tools/fdtsig.sh
new file mode 100755
index 000000000000..c2b2a6dc5ec8
--- /dev/null
+++ b/tools/fdtsig.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0+
+#
+# script to add a certificate (efi-signature-list) to dtb blob
+
+usage() {
+       if [ -n "$*" ]; then
+               echo "ERROR: $*"
+       fi
+       echo "Usage: "$(basename $0) " <esl file> <dtb file>"
+}
+
+if [ "$#" -ne 2 ]; then
+       usage "Arguments missing"
+       exit 1
+fi
+
+ESL=$1
+DTB=$2
+NEW_DTB=$(basename $DTB)_tmp
+SIG=signature
+
+cat << 'EOF' > $SIG.dts
+/dts-v1/;
+/plugin/;
+
+&{/} {
+    signature {
+EOF
+echo "capsule-key = /incbin/(\"$ESL\");" >> $SIG.dts
+cat << 'EOF' >> $SIG.dts
+    };
+};
+EOF
+
+dtc -@ -I dts -O dtb -o $SIG.dtbo $SIG.dts
+fdtoverlay -i $DTB -o $NEW_DTB $SIG.dtbo
+mv $NEW_DTB $DTB
+
+rm $SIG.dts $SIG.dtsn $SIG.dtbo
-- 
2.33.0

Reply via email to