diff options
| author | Ilias Apalodimas <ilias.apalodimas@linaro.org> | 2021-07-17 17:26:44 +0300 |
|---|---|---|
| committer | Heinrich Schuchardt <xypron.glpk@gmx.de> | 2021-07-18 14:43:56 +0200 |
| commit | ddf67daac39de76d2697d587148f4c2cb768f492 (patch) | |
| tree | 2f6625c0035401e56d52ddc000e0b3ffddfa892e /board/emulation | |
| parent | d934ed577e9257e64e08bc722a7715e586c4a2bc (diff) | |
efi_capsule: Move signature from DTB to .rodata
The capsule signature is now part of our DTB. This is problematic when a
user is allowed to change/fixup that DTB from U-Boots command line since he
can overwrite the signature as well.
So Instead of adding the key on the DTB, embed it in the u-boot binary it
self as part of it's .rodata. This assumes that the U-Boot binary we load
is authenticated by a previous boot stage loader.
Reviewed-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Tested-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Diffstat (limited to 'board/emulation')
| -rw-r--r-- | board/emulation/common/Makefile | 1 | ||||
| -rw-r--r-- | board/emulation/common/qemu_capsule.c | 43 |
2 files changed, 0 insertions, 44 deletions
diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile index 7ed447a69d..c5b452e7e3 100644 --- a/board/emulation/common/Makefile +++ b/board/emulation/common/Makefile @@ -2,4 +2,3 @@ obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o -obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c deleted file mode 100644 index 6b8a87022a..0000000000 --- a/board/emulation/common/qemu_capsule.c +++ /dev/null @@ -1,43 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0+ -/* - * Copyright (c) 2020 Linaro Limited - */ - -#include <common.h> -#include <efi_api.h> -#include <efi_loader.h> -#include <env.h> -#include <fdtdec.h> -#include <asm/global_data.h> - -DECLARE_GLOBAL_DATA_PTR; - -int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) -{ - const void *fdt_blob = gd->fdt_blob; - const void *blob; - const char *cnode_name = "capsule-key"; - const char *snode_name = "signature"; - int sig_node; - int len; - - sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); - if (sig_node < 0) { - EFI_PRINT("Unable to get signature node offset\n"); - return -FDT_ERR_NOTFOUND; - } - - blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); - - if (!blob || len < 0) { - EFI_PRINT("Unable to get capsule-key value\n"); - *pkey = NULL; - *pkey_len = 0; - return -FDT_ERR_NOTFOUND; - } - - *pkey = (void *)blob; - *pkey_len = len; - - return 0; -} |