CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
-CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
+CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt"
CONFIG_EFI_SECURE_BOOT=y
CONFIG_TEST_FDTDEC=y
CONFIG_UNIT_TEST=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
-CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
+CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt"
CONFIG_UNIT_TEST=y
CONFIG_UT_TIME=y
CONFIG_UT_DM=y
}
You can perform step-4 through the Kconfig symbol
-CONFIG_EFI_CAPSULE_ESL_FILE. This symbol points to the esl file
-generated in step-2. Once the symbol has been populated with the path
-to the esl file, it will automatically get embedded into the
-platform's dtb as part of U-Boot build.
+CONFIG_EFI_CAPSULE_CRT_FILE. This symbol points to the signing key
+generated in step-2. As part of U-Boot build, the ESL certificate file will
+be generated from the signing key and automatically get embedded into the
+platform's dtb.
Anti-rollback Protection
************************
Select the max capsule index value used for capsule report
variables. This value is used to create CapsuleMax variable.
-config EFI_CAPSULE_ESL_FILE
- string "Path to the EFI Signature List File"
+config EFI_CAPSULE_CRT_FILE
+ string "Path to the EFI capsule public key certificate"
depends on EFI_CAPSULE_AUTHENTICATE
help
- Provides the path to the EFI Signature List file which will
- be embedded in the platform's device tree and used for
- capsule authentication at the time of capsule update.
+ Provides the path to the EFI capsule public key certificate that
+ corresponds to the capsule signing key. This certificate will be used
+ to generate the EFI capsule ESL (signature list file) that gets
+ embedded in the platform's device tree and used for capsule
+ authentication at the time of capsule update.
config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
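Review bot: The new help text for EFI_CAPSULE_CRT_FILE does not say what the path is relative to, nor that converting the certificate needs a host tool, so a user who sets an absolute path or builds on a host without the converter only finds out at recipe time. The Makefile hunk in this commit derives the ESL with `cert-to-efi-sig-list $< $@`, and the defconfig hunks set the symbol to a source-tree-relative path (`board/sandbox/capsule_pub_key_good.crt`). I would add two sentences after "at the time of capsule update.": `The path is taken relative to the U-Boot source tree. Generating the signature list requires the cert-to-efi-sig-list host tool to be installed on the build machine.` The enclosing config block is fully inside the hunk.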
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile)
+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
+capsule_crt_file=$(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE))
+capsule_esl_dtsi=.capsule_esl.dtsi
+
quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
-cmd_capsule_esl_gen = \
- $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" $(capsule_esl_input_file) > $@)
+cmd_capsule_esl_gen = cert-to-efi-sig-list $< $@
-$(obj)/.capsule_esl.dtsi: FORCE
-ifeq ($(CONFIG_EFI_CAPSULE_ESL_FILE),"")
- $(error "CONFIG_EFI_CAPSULE_ESL_FILE is empty, EFI capsule authentication \
+$(obj)/capsule_esl_file: $(capsule_crt_file) FORCE
+ifeq ($(CONFIG_EFI_CAPSULE_CRT_FILE),"")
+ $(error "CONFIG_EFI_CAPSULE_CRT_FILE is empty, EFI capsule authentication \
public key must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled")
else
$(call cmd,capsule_esl_gen)
endif
-capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
-capsule_esl_dtsi = .capsule_esl.dtsi
-capsule_esl_path=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+quiet_cmd_capsule_dtsi_gen = CAPSULE_DTSI_GEN $@
+cmd_capsule_dtsi_gen = \
+ $(shell sed "s:ESL_BIN_FILE:$(abspath $<):" $(capsule_esl_input_file) > $@)
+
+$(obj)/$(capsule_esl_dtsi): $(obj)/capsule_esl_file FORCE
+ $(call cmd,capsule_dtsi_gen)
dtsi_include_list_deps := $(addprefix $(u_boot_dtsi_loc),$(subst $(quote),,$(dtsi_include_list)))
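Review bot: `capsule_crt_file` drops the `$(srctree)/` prefix that the removed `capsule_esl_path` line carried, so the prerequisite of `$(obj)/capsule_esl_file` is a bare relative path; with the defconfig value `board/sandbox/capsule_pub_key_good.crt` it is resolved against the build directory, which presumably breaks out-of-tree (`O=`) builds with "No rule to make target" even though `cert-to-efi-sig-list` would later receive the same unresolved path as `$<`. I would keep the old form: `capsule_crt_file=$(abspath $(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE)))`, or guard it with `$(if $(filter /%,...),...)` if absolute paths are meant to be accepted. Separately, `cmd_capsule_dtsi_gen` still wraps its sed in `$(shell ...)`, which runs at expansion time instead of as the recipe step and leaves `$(call cmd,...)` with an empty command; this is carried over from the removed lines, but since the rule is being rewritten it is a good moment to drop the `$(shell ...)` and let the recipe run sed directly with `sed "s:ESL_BIN_FILE:$(abspath $<):" $(capsule_esl_input_file) > $@`. The depfile rule at the top of the hunk starts outside it.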