On 4/7/21 1:53 PM, Sughosh Ganu wrote:
Add provision for embedding the public key used for capsule
authentication in the platform's dtb. This is done by invoking the
mkeficapsule utility, which puts the public key into the dtb in the
EFI signature list (ESL) format.

Signed-off-by: Sughosh Ganu <[email protected]>
---
  Makefile | 10 ++++++++++
  1 file changed, 10 insertions(+)

diff --git a/Makefile b/Makefile
index 193aa4d1c9..0d50c6a805 100644
--- a/Makefile
+++ b/Makefile
@@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) || { rm -f $@; 
false; }
  quiet_cmd_lzma = LZMA    $@
  cmd_lzma = lzma -c -z -k -9 $< > $@

+quiet_cmd_mkeficapsule = MKEFICAPSULE     $@
+cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K $(CONFIG_EFI_PKEY_FILE) \
+       -D $@
+

tools/mkeficapsule --help shows neither a -K parameter nor a -D
parameter. Please update tools/mkeficapsule.c before using these. A
man page for mkeficapsule in doc/usage/ would be helpful.

$ tools/mkeficapsule --help
Usage: mkeficapsule [options] <output file>
Options:
        --fit <fit image>       new FIT image file
        --raw <raw image>       new raw image file
        --index <index>         update image index
        --instance <instance>   update hardware instance
        --public-key <key file> public key esl file
        --dtb <dtb file>        dtb file
        --overlay               the dtb file is an overlay
        --help                  print a help message

Best regards

Heinrich

  cfg: u-boot.cfg

  quiet_cmd_cfgcheck = CFGCHK  $2
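Review bot: The added `cmd_mkeficapsule` expands `$(CONFIG_EFI_PKEY_FILE)` straight into the command line with no check that it is set or names a readable file, so an empty expansion would likely leave `-K` taking the following `-D` as its argument and the build would fail with an opaque tool error. Because this key is what capsule authentication will trust, the build should stop with a clear message instead, e.g. `$(if $(strip $(CONFIG_EFI_PKEY_FILE)),,$(error CONFIG_EFI_PKEY_FILE is not set))` ahead of the command; Kconfig strings usually arrive quoted, so the test may need to strip the quotes first. A one-line comment above the definition would also help: `# Embed the capsule-verification public key (ESL) into the dtb named by $@, in place`.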
@@ -1104,8 +1108,14 @@ endif
  PHONY += dtbs
  dtbs: dts/dt.dtb
        @:
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE)$(CONFIG_EFI_PKEY_DTB_EMBED),yy)
+dts/dt.dtb: u-boot tools
+       $(Q)$(MAKE) $(build)=dts dtbs
+       $(call cmd,mkeficapsule)
+else
  dts/dt.dtb: u-boot
        $(Q)$(MAKE) $(build)=dts dtbs
+endif

  quiet_cmd_copy = COPY    $@
        cmd_copy = cp $< $@
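Review bot: In the `yy` branch the recipe rewrites `dts/dt.dtb` in place after the sub-make has produced it, and it re-runs whenever `u-boot` is newer, so mkeficapsule may be applied to a dtb that already carries a key; whether a second run replaces or duplicates the embedded signature is not visible from this hunk and should be confirmed or documented. The key file is also not a prerequisite, so swapping the key leaves the previously embedded one in a dtb that make considers up to date; listing it, e.g. `dts/dt.dtb: u-boot tools $(CONFIG_EFI_PKEY_FILE:"%"=%)`, would tie the dtb to the key. If mkeficapsule fails after the sub-make succeeded, a dtb without the key stays on disk, which matters unless failed targets are deleted, and that setting is outside the hunk. A comment such as `# mkeficapsule modifies $@ in place; must be safe to re-run on an already-keyed dtb` would record the assumption.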

