Commit 47a25e81 authored by Simon Glass's avatar Simon Glass
Browse files

Revert "efi_capsule: Move signature from DTB to .rodata"

This was unfortunately applied despite much discussion about it beiong
the wrong way to implement this feature.

Revert it before too many other things are built on top of it.

This reverts commit ddf67daa

.
Signed-off-by: Simon Glass's avatarSimon Glass <sjg@chromium.org>
parent d428e812
Pipeline #9156 passed with stages
in 73 minutes and 10 seconds
......@@ -2,3 +2,4 @@
obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o
obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o
obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o
......@@ -27,8 +27,6 @@ extern char __efi_helloworld_begin[];
extern char __efi_helloworld_end[];
extern char __efi_var_file_begin[];
extern char __efi_var_file_end[];
extern char __efi_capsule_sig_begin[];
extern char __efi_capsule_sig_end[];
/* Private data used by of-platdata devices/uclasses */
extern char __priv_data_start[], __priv_data_end[];
......
......@@ -215,13 +215,6 @@ config EFI_CAPSULE_AUTHENTICATE
Select this option if you want to enable capsule
authentication
config EFI_CAPSULE_KEY_PATH
string "Path to .esl cert for capsule authentication"
depends on EFI_CAPSULE_AUTHENTICATE
help
Provide the EFI signature list (esl) certificate used for capsule
authentication
config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
......
......@@ -20,19 +20,11 @@ always += helloworld.efi
targets += helloworld.o
endif
ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_KEY_PATH))
ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
$(error .esl certificate not found. Configure your CONFIG_EFI_CAPSULE_KEY_PATH)
endif
endif
obj-$(CONFIG_CMD_BOOTEFI_HELLO) += helloworld_efi.o
obj-$(CONFIG_CMD_BOOTEFI_BOOTMGR) += efi_bootmgr.o
obj-y += efi_boottime.o
obj-y += efi_helper.o
obj-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += efi_capsule.o
obj-$(CONFIG_EFI_CAPSULE_AUTHENTICATE) += efi_capsule_key.o
obj-$(CONFIG_EFI_CAPSULE_FIRMWARE) += efi_firmware.o
obj-y += efi_console.o
obj-y += efi_device_path.o
......
......@@ -16,7 +16,6 @@
#include <mapmem.h>
#include <sort.h>
#include <asm/sections.h>
#include <crypto/pkcs7.h>
#include <crypto/pkcs7_parser.h>
#include <linux/err.h>
......@@ -253,23 +252,12 @@ out:
#if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
static int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
{
const void *blob = __efi_capsule_sig_begin;
const int len = __efi_capsule_sig_end - __efi_capsule_sig_begin;
*pkey = (void *)blob;
*pkey_len = len;
return 0;
}
efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
void **image, efi_uintn_t *image_size)
{
u8 *buf;
int ret;
void *stored_pkey, *pkey;
void *fdt_pkey, *pkey;
efi_uintn_t pkey_len;
uint64_t monotonic_count;
struct efi_signature_store *truststore;
......@@ -322,7 +310,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
goto out;
}
ret = efi_get_public_key_data(&stored_pkey, &pkey_len);
ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
if (ret < 0)
goto out;
......@@ -330,7 +318,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
if (!pkey)
goto out;
memcpy(pkey, stored_pkey, pkey_len);
memcpy(pkey, fdt_pkey, pkey_len);
truststore = efi_build_signature_store(pkey, pkey_len);
if (!truststore)
goto out;
......
/* SPDX-License-Identifier: GPL-2.0+ */
/*
* .esl cert for capsule authentication
*
* Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org>
*/
#include <config.h>
.section .rodata.capsule_key.init,"a"
.balign 16
.global __efi_capsule_sig_begin
__efi_capsule_sig_begin:
.incbin CONFIG_EFI_CAPSULE_KEY_PATH
__efi_capsule_sig_end:
.global __efi_capsule_sig_end
.balign 16
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment