Re: [PATCH 2/5] scripts/Makefile.lib: Embed capsule public key in platform's dtb

Tue, 15 Aug 2023 13:24:29 -0700 

On Tue, Aug 15, 2023 at 09:56:20PM +0530, Sughosh Ganu wrote:

> The EFI capsule authentication logic in u-boot expects the public key
> in the form of an EFI Signature List(ESL) to be provided as part of
> the platform's dtb. Currently, the embedding of the ESL file into the
> dtb needs to be done manually.
> 
> Add a target for generating a dtsi file which contains the signature
> node with the ESL file included as a property under the signature
> node. Include the dtsi file in the dtb. This brings the embedding of
> the ESL in the dtb into the U-Boot build flow.
> 
> The path to the ESL file is specified through the
> CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> 
> Signed-off-by: Sughosh Ganu <[email protected]>
[snip]
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 368b5a3e28..2e71f190bc 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -334,7 +334,23 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
>               ; \
>       sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > 
> $(depfile)
>  
> -$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
> +ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
> +cmd_capsule_esl_gen = \
> +     $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" 
> $(capsule_esl_input_file) > $@)
> +
> +$(obj)/.capsule_esl.dtsi:
> +     $(call cmd_capsule_esl_gen)
> +
> +capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
> +capsule_esl_dtsi = .capsule_esl.dtsi
> +capsule_esl_path=$(abspath $(srctree)/$(subst 
> $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
> +dtsi_include_list += $(capsule_esl_dtsi)
> +endif

We should only need to ifdef around appending to dtsi_include_list.  The
rest we can / should just leave always there, that's cleaner reading.

> +
> +dtsi_include_list_deps = $(addprefix $(obj)/,$(subst 
> $(quote),,$(dtsi_include_list)))
> +
> +$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE

This part here is a separate bugfix and we should do that as patch 2,
and the rest of the changes here as patch 3.

-- 
Tom

Attachment: signature.asc
Description: PGP signature

Reply via email to