efi_capsule: Move signature from DTB to .rodata The capsule signature is now part of our DTB. This is problematic when a user is allowed to change/fixup that DTB from U-Boots command line since he can overwrite the signature as well. So Instead of adding the key on the DTB, embed it in the u-boot binary it self as part of it's .rodata. This assumes that the U-Boot binary we load is authenticated by a previous boot stage loader. Reviewed-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> Tested-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

commit: 27e059caee7f46aecd7de97abdcdeda889e8b431 [log] [tgz]
author: Ilias Apalodimas <ilias.apalodimas@linaro.org> Sat Jul 17 17:26:44 2021 +0300
committer: Heinrich Schuchardt <xypron.glpk@gmx.de> Sun Jul 18 14:43:56 2021 +0200
tree: 2f6625c0035401e56d52ddc000e0b3ffddfa892e
parent: 8db8a968e0a0bf59361d5808cbe2a74b4d9f842b [diff] [blame]
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 7a469f2..dacc3b5 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig

@@ -214,6 +214,13 @@
 	  Select this option if you want to enable capsule
 	  authentication
 
+config EFI_CAPSULE_KEY_PATH
+	string "Path to .esl cert for capsule authentication"
+	depends on EFI_CAPSULE_AUTHENTICATE
+	help
+	  Provide the EFI signature list (esl) certificate used for capsule
+	  authentication
+
 config EFI_DEVICE_PATH_TO_TEXT
 	bool "Device path to text protocol"
 	default y
commit	27e059caee7f46aecd7de97abdcdeda889e8b431	[log] [tgz]
author	Ilias Apalodimas <ilias.apalodimas@linaro.org>	Sat Jul 17 17:26:44 2021 +0300
committer	Heinrich Schuchardt <xypron.glpk@gmx.de>	Sun Jul 18 14:43:56 2021 +0200
tree	2f6625c0035401e56d52ddc000e0b3ffddfa892e
parent	8db8a968e0a0bf59361d5808cbe2a74b4d9f842b [diff] [blame]