authorIlias Apalodimas <[email protected]>2025-04-01 14:27:25 +0300
committerHeinrich Schuchardt <[email protected]>2025-04-11 13:25:31 +0200
commitfd58c275f6ba524101ba0990e53f5a11ac390bd0 (patch)
tree6802b43917ac76cb2b60d8f182143cf5997350f7 /scripts/Makefile.lib
parent2dc04803b05ff189619d46acd137a47bedaf6193 (diff)
efi_loader: Move public cert for capsules to .rodata
commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata") was reverted in commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") because that's what U-Boot was usually doing -- using the DT to store configuration and data. Some of the discussions can be found here [0]. (Ab)using the device tree to store random data isn't ideal though. On top of that with new features introduced over the years, keeping the certificates in the DT has proven to be problematic. One of the reasons is that platforms might send U-Boot a DTB from the previous stage loader using a transfer list which won't contain the signatures since other loaders are not aware of internal U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding the capsule certificate there does not work and requires users to dump it and re-create it injecting the public keys. Now that we have proper memory permissions for arm64, move the certificate to .rodata and read it from there. [0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/ Signed-off-by: Ilias Apalodimas <[email protected]> Tested-by: Jonathan Humphreys <[email protected]> # on TI sk-am62p-lp Tested-by: Neil Armstrong <[email protected]> # on AML-A311D-CC Tested-by: Raymond Mao <[email protected]>
Diffstat (limited to 'scripts/Makefile.lib')
-rw-r--r--scripts/Makefile.lib27
1 files changed, 0 insertions, 27 deletions
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 275c308154b..83fd5ff6c31 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -377,35 +377,8 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
-capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
-capsule_crt_file=$(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE))
-capsule_esl_dtsi=.capsule_esl.dtsi
-
-quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
-cmd_capsule_esl_gen = cert-to-efi-sig-list $< $@
-
-$(obj)/capsule_esl_file: $(capsule_crt_file) FORCE
-ifeq ($(CONFIG_EFI_CAPSULE_CRT_FILE),"")
- $(error "CONFIG_EFI_CAPSULE_CRT_FILE is empty, EFI capsule authentication \
- public key must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled")
-else
- $(call cmd,capsule_esl_gen)
-endif
-
-quiet_cmd_capsule_dtsi_gen = CAPSULE_DTSI_GEN $@
-cmd_capsule_dtsi_gen = \
- $(shell sed "s:ESL_BIN_FILE:$(abspath $<):" $(capsule_esl_input_file) > $@)
-
-$(obj)/$(capsule_esl_dtsi): $(obj)/capsule_esl_file FORCE
- $(call cmd,capsule_dtsi_gen)
-
dtsi_include_list_deps := $(addprefix $(u_boot_dtsi_loc),$(subst $(quote),,$(dtsi_include_list)))
-ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
-dtsi_include_list += $(capsule_esl_dtsi)
-dtsi_include_list_deps += $(obj)/$(capsule_esl_dtsi)
-endif
-
ifneq ($(CHECK_DTBS),)
DT_CHECKER ?= dt-validate
DT_CHECKER_FLAGS ?= $(if $(DT_SCHEMA_FILES),-l $(DT_SCHEMA_FILES),-m)