On 12/20/21 06:02, AKASHI Takahiro wrote:
By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
automatically insert the given key into the device tree.
Otherwise, users are required to do so manually, possibly with
the utility script fdtsig.sh.

Why do we need a script fdtsig.sh? Can't you integrate this into the
Makefile?


Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
---
  doc/develop/uefi/uefi.rst |  4 ++++
  dts/Makefile              | 23 +++++++++++++++++++++--
  lib/efi_loader/Kconfig    |  7 +++++++
  3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 54fefd76f0f5..7f85b9e5a4a6 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -347,6 +347,7 @@ following config, in addition to the configs listed above 
for capsule
  update::

      CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+    CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>

  The public and private keys used for the signing process are generated
  and used by the steps highlighted below.
@@ -392,6 +393,9 @@ and used by the steps highlighted below.
                  };
          };

+   If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will
+   take care of it for you.
+
  Executing the boot manager
  ~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/dts/Makefile b/dts/Makefile
index cb3111382959..6c5486719ecd 100644
--- a/dts/Makefile
+++ b/dts/Makefile
@@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb 
$(objtree)/tools/fdtgrep FORCE
        mkdir -p $(dir $@)
        $(call if_changed,fdtgrep)

+quiet_cmd_fdtsig = FDTSIG $@
+       cmd_fdtsig = \
+               cat $< > $@; \
+               $(srctree)/tools/fdtsig.sh \
+                       $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@
+
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
+ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),)

Shouldn't I get a build error if the path is not specified?

Best regards

Heinrich

+DTB_ov := $(obj)/dt.dtb_ov
+
+$(obj)/dt.dtb_ov: $(DTB) FORCE
+       $(call if_changed,fdtsig)
+else
+DTB_ov := $(DTB)
+endif
+else
+DTB_ov := $(DTB)
+endif
+
  ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y)
-$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE
+$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE
        $(call if_changed,fdt_rm_props)
  else
-$(obj)/dt.dtb: $(DTB) FORCE
+$(obj)/dt.dtb: $(DTB_ov) FORCE
        $(call if_changed,shipped)
  endif
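Review bot: The .esl file named by CONFIG_EFI_CAPSULE_KEY_PATH is read by cmd_fdtsig but is not a prerequisite of $(obj)/dt.dtb_ov, so replacing the file's contents at the same path (a key rotation) does not rebuild dt.dtb_ov and the previously embedded key stays in dt.dtb; only a change of the path string itself is caught, through the command-line comparison in if_changed. Add the file to the rule: `$(obj)/dt.dtb_ov: $(DTB) $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) FORCE`. In cmd_fdtsig the copy and the signing step are joined with `;`, so a failed cat still runs fdtsig.sh, and unless a global .DELETE_ON_ERROR applies (not visible here) a failing script leaves an unsigned copy of $(DTB) as $@ that later runs treat as built; `cat $< > $@ && \` stops at the first failure.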

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 700dc838ddb9..8c8d14d46433 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE
          Select this option if you want to enable capsule
          authentication

+config EFI_CAPSULE_KEY_PATH
+       string "Path to .esl cert for capsule authentication"
+       depends on EFI_CAPSULE_AUTHENTICATE
+       help
+         Provide the EFI signature list (esl) certificate used for capsule
+         authentication
+
  config EFI_DEVICE_PATH_TO_TEXT
        bool "Device path to text protocol"
        default y
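Review bot: The help text for EFI_CAPSULE_KEY_PATH does not say what the build does with the file, which a user deciding between this option and the manual fdtsig.sh step needs to know. I would extend it to: `Path to the EFI Signature List (.esl) file holding the public certificate used to verify capsule signatures. When set, the build inserts it into the device tree (see dts/Makefile); leave it empty to insert the certificate manually.` Whether a relative path is resolved against the source tree or the build directory is not visible in this patch and should be stated in the help once decided.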
