On Fri, May 7, 2021 at 18:57, Masami Hiramatsu <[email protected]> wrote:
>
> Hi,
>
> On Fri, May 7, 2021 at 17:15, AKASHI Takahiro <[email protected]> wrote:
> >
> > On Wed, Apr 28, 2021 at 03:31:36PM +0900, Masami Hiramatsu wrote:
> > > On Wed, Apr 28, 2021 at 14:44, AKASHI Takahiro <[email protected]> wrote:
> > > >
> > > > On Thu, Apr 08, 2021 at 09:58:17PM +0200, Heinrich Schuchardt wrote:
> > > > > On 4/7/21 1:53 PM, Sughosh Ganu wrote:
> > > > > > Add provision for embedding the public key used for capsule
> > > > > > authentication in the platform's dtb. This is done by invoking the
> > > > > > mkeficapsule utility which puts the public key in the efi signature
> > > > > > list(esl) format into the dtb.
> > > > > >
> > > > > > Signed-off-by: Sughosh Ganu <[email protected]>
> > > > > > ---
> > > > > > Makefile | 10 ++++++++++
> > > > > > 1 file changed, 10 insertions(+)
> > > > > >
> > > > > > diff --git a/Makefile b/Makefile
> > > > > > index 193aa4d1c9..0d50c6a805 100644
> > > > > > --- a/Makefile
> > > > > > +++ b/Makefile
> > > > > > @@ -1010,6 +1010,10 @@ cmd_pad_cat = $(cmd_objcopy) && $(append) ||
> > > > > > { rm -f $@; false; }
> > > > > > quiet_cmd_lzma = LZMA $@
> > > > > > cmd_lzma = lzma -c -z -k -9 $< > $@
> > > > > >
> > > > > > +quiet_cmd_mkeficapsule = MKEFICAPSULE $@
> > > > > > +cmd_mkeficapsule = $(objtree)/tools/mkeficapsule -K
> > > > > > $(CONFIG_EFI_PKEY_FILE) \
> > > > > > + -D $@
> > > > > > +
> > > > >
> > > > > tools/mkeficapsule --help does neither show a parameter -K nor a
> > > > > parameter -D.
> > > >
> > > > This clearly shows that the feature with -K/-D has nothing to do with
> > > > creating a capsule file.
> > > > Two totally different things in one place (command).
> > > > And the dtb overlay operation can be achieved by using standard
> > > > commands.
> > >
> > > If I understand correctly, we need the following steps,
> > > 1. prepare the key for signing
> > > 2. make dtb overlay from that key
> > > 3. sign the capsule with the key
> > >
> > > And Sughosh's implementation is using mkeficapsule for 2 and 3.
> > > Takahiro pointed that mkeficapsule is only for 3 because of its name
> > > and avoid confusion.
> > >
> > > Is that correct?
> > >
> > > What would you think about changing the tool name?
> > > E.g.
> > >
> > > For step 2.
> > > capsuletool dtb --public-key pubkey [--overlay] target.dtb
> >
> > My point is: as this command line shows, it has nothing to do
> > with a capsule file. It simply deals with dtb blob for overlaying.
> > (So 'capsuletool' is not appropriate.)
>
> But if the capsuletool provide the devicetree template for the capsule
> something like test/py/tests/test_efi_capsule/pubkey.dts, we can say
> it is related to the capsule, because the dts is obviously for capsule.
> What would you think?

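Review bot: In the quoted Makefile hunk, cmd_mkeficapsule passes $(CONFIG_EFI_PKEY_FILE) straight to -K with no check that it is set, so an empty value leaves -K without its argument and the following "-D $@" is misparsed or the step fails with an unclear error. Since this key becomes the trust anchor for capsule authentication, the rule should fail the build with an explicit message when CONFIG_EFI_PKEY_FILE is empty or the file is missing. The same command also rewrites $@ (the dtb) in place, and the -K and -D options need to be described in the mkeficapsule usage text so it is clear that this step modifies the dtb rather than producing a capsule.
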
Ah, wait. I misunderstood. It seems that the efi_get_public_key_data() is
platform dependent. Thus isn't it hard to provide a unified tool to embed
the key data into the dtb because it is usable for some platform but not
usable for others?

Thank you,

--
Masami Hiramatsu

