Revert "efi_capsule: Move signature from DTB to .rodata"

This was unfortunately applied despite much discussion about it beiong
the wrong way to implement this feature.

Revert it before too many other things are built on top of it.

This reverts commit ddf67daac39de76d2697d587148f4c2cb768f492.
Signed-off-by: Simon Glass <sjg@chromium.org>

diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile
index c5b452e7e341f9d2cab8ed32763bddf9b4c802a4..7ed447a69dce9d923ad161a36df96175d0e59045 100644 (file)
--- a/board/emulation/common/Makefile
+++ b/board/emulation/common/Makefile
@@ -2,3 +2,4 @@
 
 obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o
 obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o
+obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o

diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
index ec992b0c2e3fbb63edc50d8b675a0a57112a587c..267f1db73f238e18e5acb5a01890733e656a4221 100644 (file)
--- a/include/asm-generic/sections.h
+++ b/include/asm-generic/sections.h
@@ -27,8 +27,6 @@ extern char __efi_helloworld_begin[];
 extern char __efi_helloworld_end[];
 extern char __efi_var_file_begin[];
 extern char __efi_var_file_end[];
-extern char __efi_capsule_sig_begin[];
-extern char __efi_capsule_sig_end[];
 
 /* Private data used by of-platdata devices/uclasses */
 extern char __priv_data_start[], __priv_data_end[];

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 649ee57330db5b7c901a009217a2217a26ca2e9c..f48d9e8b513d23202b4cc59f7fcd7afe68d1cd5e 100644 (file)
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -215,13 +215,6 @@ config EFI_CAPSULE_AUTHENTICATE
          Select this option if you want to enable capsule
          authentication
 
-config EFI_CAPSULE_KEY_PATH
-       string "Path to .esl cert for capsule authentication"
-       depends on EFI_CAPSULE_AUTHENTICATE
-       help
-         Provide the EFI signature list (esl) certificate used for capsule
-         authentication
-
 config EFI_DEVICE_PATH_TO_TEXT
        bool "Device path to text protocol"
        default y

diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 08469d9cd95b5fae45f666e92eff4cc6e3577dd7..fd344cea29b03655672b27ded322a3709e8d883b 100644 (file)
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -20,19 +20,11 @@ always += helloworld.efi
 targets += helloworld.o
 endif
 
-ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
-EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_KEY_PATH))
-ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
-$(error .esl certificate not found. Configure your CONFIG_EFI_CAPSULE_KEY_PATH)
-endif
-endif
-
 obj-$(CONFIG_CMD_BOOTEFI_HELLO) += helloworld_efi.o
 obj-$(CONFIG_CMD_BOOTEFI_BOOTMGR) += efi_bootmgr.o
 obj-y += efi_boottime.o
 obj-y += efi_helper.o
 obj-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += efi_capsule.o
-obj-$(CONFIG_EFI_CAPSULE_AUTHENTICATE) += efi_capsule_key.o
 obj-$(CONFIG_EFI_CAPSULE_FIRMWARE) += efi_firmware.o
 obj-y += efi_console.o
 obj-y += efi_device_path.o

diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 26990bc2df4a21b1e4420731e212156f4494b012..b75e4bcba1a9821b579bc606ed64ef3dda887f9e 100644 (file)
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -16,7 +16,6 @@
 #include <mapmem.h>
 #include <sort.h>
 
-#include <asm/sections.h>
 #include <crypto/pkcs7.h>
 #include <crypto/pkcs7_parser.h>
 #include <linux/err.h>
@@ -253,23 +252,12 @@ out:
 
 #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
 
-static int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
-{
-       const void *blob = __efi_capsule_sig_begin;
-       const int len = __efi_capsule_sig_end - __efi_capsule_sig_begin;
-
-       *pkey = (void *)blob;
-       *pkey_len = len;
-
-       return 0;
-}
-
 efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
                                      void **image, efi_uintn_t *image_size)
 {
        u8 *buf;
        int ret;
-       void *stored_pkey, *pkey;
+       void *fdt_pkey, *pkey;
        efi_uintn_t pkey_len;
        uint64_t monotonic_count;
        struct efi_signature_store *truststore;
@@ -322,7 +310,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
                goto out;
        }
 
-       ret = efi_get_public_key_data(&stored_pkey, &pkey_len);
+       ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
        if (ret < 0)
                goto out;
 
@@ -330,7 +318,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
        if (!pkey)
                goto out;
 
-       memcpy(pkey, stored_pkey, pkey_len);
+       memcpy(pkey, fdt_pkey, pkey_len);
        truststore = efi_build_signature_store(pkey, pkey_len);
        if (!truststore)
                goto out;

diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S
deleted file mode 100644 (file)
index 58f00b8..0000000
--- a/lib/efi_loader/efi_capsule_key.S
+++ /dev/null
@@ -1,17 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0+ */
-/*
- * .esl cert for capsule authentication
- *
- * Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org>
- */
-
-#include <config.h>
-
-.section .rodata.capsule_key.init,"a"
-.balign 16
-.global __efi_capsule_sig_begin
-__efi_capsule_sig_begin:
-.incbin CONFIG_EFI_CAPSULE_KEY_PATH
-__efi_capsule_sig_end:
-.global __efi_capsule_sig_end
-.balign 16