On Sun, Apr 25, 2021 at 09:24:39AM +0200, Heinrich Schuchardt wrote: > On 4/12/21 5:05 PM, Sughosh Ganu wrote: > > Add config options EFI_PKEY_DTB_EMBED and EFI_PKEY_FILE which are to > > be used for embedding the public key to be used for capsule > > authentication into the platform's device tree. > > > > The embedding of the public key would take place during the platform > > build process. > > > > Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org> > > --- > > > > Changes since V1: > > * Provide a default name for public key file, eficapsule.esl as > > suggested by Heinrich. > > * Remove the superfluous default n statement for EFI_PKEY_DTB_EMBED > > > > lib/efi_loader/Kconfig | 15 +++++++++++++++ > > 1 file changed, 15 insertions(+) > > > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > > index 79b488823a..089accaaaa 100644 > > --- a/lib/efi_loader/Kconfig > > +++ b/lib/efi_loader/Kconfig > > @@ -179,6 +179,21 @@ config EFI_CAPSULE_AUTHENTICATE > > Select this option if you want to enable capsule > > authentication > > > > +config EFI_PKEY_DTB_EMBED > > + bool "Embed the public key in the Device Tree" > > + depends on EFI_CAPSULE_AUTHENTICATE > > + help > > + Select this option if the public key used for capsule > > + authentication is to be embedded into the platform's > > + device tree. > > + > > +config EFI_PKEY_FILE > > + string "Public Key esl file to be embedded into the Device Tree" > > + default "eficapsule.esl" > > This config symbol should depend on EFI_PKEY_DTB_EMBED.
What is embedded here is a *list* of X509 certificates, not a single public key. "esl" stands for EFI Signature List. The symbol name as well as help text are confusing. -Takahiro Akashi > Best regards > > Heinrich > > > + help > > + Specify the absolute path of the public key esl file that is > > + to be embedded in the platform's device tree. > > + > > config EFI_CAPSULE_FIRMWARE_FIT > > bool "FMP driver for FIT image" > > depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT > > >
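Review bot: The EFI_PKEY_FILE help text asks for "the absolute path of the public key esl file", but the default added in the same hunk is the bare filename "eficapsule.esl", so the default does not satisfy the symbol's own documentation. Either state in the help text what a relative name is resolved against during the build, or make the default match the absolute-path requirement. The entry also has no "depends on" line, so the prompt is offered even when EFI_PKEY_DTB_EMBED is disabled and nothing will be embedded; adding "depends on EFI_PKEY_DTB_EMBED" keeps the path option tied to the feature that consumes it. Since this file is the trust anchor for capsule authentication, the prompt and help text should also say what the file actually contains (an EFI Signature List) so that integrators supply the right artifact.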