diff options
| author | Simon Glass <sjg@chromium.org> | 2021-08-02 08:44:31 -0600 |
|---|---|---|
| committer | Simon Glass <sjg@chromium.org> | 2021-09-18 03:47:50 -0600 |
| commit | 47a25e81d35c8d801cae9089de90c9ffea083409 (patch) | |
| tree | 65cdfa1cdbca878dbd8a835fef89dc0222b144db | |
| parent | d428e81266a59974ade74c1ba019af39f23304ab (diff) | |
| download | u-boot-47a25e81d35c8d801cae9089de90c9ffea083409.tar.gz | |
Revert "efi_capsule: Move signature from DTB to .rodata"
This was unfortunately applied despite much discussion about it beiong
the wrong way to implement this feature.
Revert it before too many other things are built on top of it.
This reverts commit ddf67daac39de76d2697d587148f4c2cb768f492.
Signed-off-by: Simon Glass <sjg@chromium.org>
| -rw-r--r-- | board/emulation/common/Makefile | 1 | ||||
| -rw-r--r-- | include/asm-generic/sections.h | 2 | ||||
| -rw-r--r-- | lib/efi_loader/Kconfig | 7 | ||||
| -rw-r--r-- | lib/efi_loader/Makefile | 8 | ||||
| -rw-r--r-- | lib/efi_loader/efi_capsule.c | 18 | ||||
| -rw-r--r-- | lib/efi_loader/efi_capsule_key.S | 17 |
6 files changed, 4 insertions, 49 deletions
diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile index c5b452e7e3..7ed447a69d 100644 --- a/board/emulation/common/Makefile +++ b/board/emulation/common/Makefile @@ -2,3 +2,4 @@ obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o +obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h index ec992b0c2e..267f1db73f 100644 --- a/include/asm-generic/sections.h +++ b/include/asm-generic/sections.h @@ -27,8 +27,6 @@ extern char __efi_helloworld_begin[]; extern char __efi_helloworld_end[]; extern char __efi_var_file_begin[]; extern char __efi_var_file_end[]; -extern char __efi_capsule_sig_begin[]; -extern char __efi_capsule_sig_end[]; /* Private data used by of-platdata devices/uclasses */ extern char __priv_data_start[], __priv_data_end[]; diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 649ee57330..f48d9e8b51 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -215,13 +215,6 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication -config EFI_CAPSULE_KEY_PATH - string "Path to .esl cert for capsule authentication" - depends on EFI_CAPSULE_AUTHENTICATE - help - Provide the EFI signature list (esl) certificate used for capsule - authentication - config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile index 08469d9cd9..fd344cea29 100644 --- a/lib/efi_loader/Makefile +++ b/lib/efi_loader/Makefile @@ -20,19 +20,11 @@ always += helloworld.efi targets += helloworld.o endif -ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) -EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_KEY_PATH)) -ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","") -$(error .esl certificate not found. Configure your CONFIG_EFI_CAPSULE_KEY_PATH) -endif -endif - obj-$(CONFIG_CMD_BOOTEFI_HELLO) += helloworld_efi.o obj-$(CONFIG_CMD_BOOTEFI_BOOTMGR) += efi_bootmgr.o obj-y += efi_boottime.o obj-y += efi_helper.o obj-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += efi_capsule.o -obj-$(CONFIG_EFI_CAPSULE_AUTHENTICATE) += efi_capsule_key.o obj-$(CONFIG_EFI_CAPSULE_FIRMWARE) += efi_firmware.o obj-y += efi_console.o obj-y += efi_device_path.o diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index 26990bc2df..b75e4bcba1 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -16,7 +16,6 @@ #include <mapmem.h> #include <sort.h> -#include <asm/sections.h> #include <crypto/pkcs7.h> #include <crypto/pkcs7_parser.h> #include <linux/err.h> @@ -253,23 +252,12 @@ out: #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) -static int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) -{ - const void *blob = __efi_capsule_sig_begin; - const int len = __efi_capsule_sig_end - __efi_capsule_sig_begin; - - *pkey = (void *)blob; - *pkey_len = len; - - return 0; -} - efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, void **image, efi_uintn_t *image_size) { u8 *buf; int ret; - void *stored_pkey, *pkey; + void *fdt_pkey, *pkey; efi_uintn_t pkey_len; uint64_t monotonic_count; struct efi_signature_store *truststore; @@ -322,7 +310,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s goto out; } - ret = efi_get_public_key_data(&stored_pkey, &pkey_len); + ret = efi_get_public_key_data(&fdt_pkey, &pkey_len); if (ret < 0) goto out; @@ -330,7 +318,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s if (!pkey) goto out; - memcpy(pkey, stored_pkey, pkey_len); + memcpy(pkey, fdt_pkey, pkey_len); truststore = efi_build_signature_store(pkey, pkey_len); if (!truststore) goto out; diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S deleted file mode 100644 index 58f00b8e4b..0000000000 --- a/lib/efi_loader/efi_capsule_key.S +++ /dev/null @@ -1,17 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0+ */ -/* - * .esl cert for capsule authentication - * - * Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org> - */ - -#include <config.h> - -.section .rodata.capsule_key.init,"a" -.balign 16 -.global __efi_capsule_sig_begin -__efi_capsule_sig_begin: -.incbin CONFIG_EFI_CAPSULE_KEY_PATH -__efi_capsule_sig_end: -.global __efi_capsule_sig_end -.balign 16 |