efi_capsule: Move signature from DTB to .rodata The capsule signature is now part of our DTB. This is problematic when a user is allowed to change/fixup that DTB from U-Boots command line since he can overwrite the signature as well. So Instead of adding the key on the DTB, embed it in the u-boot binary it self as part of it's .rodata. This assumes that the U-Boot binary we load is authenticated by a previous boot stage loader. Reviewed-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> Tested-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

commit: 27e059caee7f46aecd7de97abdcdeda889e8b431 [log] [tgz]
author: Ilias Apalodimas <ilias.apalodimas@linaro.org> Sat Jul 17 17:26:44 2021 +0300
committer: Heinrich Schuchardt <xypron.glpk@gmx.de> Sun Jul 18 14:43:56 2021 +0200
tree: 2f6625c0035401e56d52ddc000e0b3ffddfa892e
parent: 8db8a968e0a0bf59361d5808cbe2a74b4d9f842b [diff] [blame]
diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S
new file mode 100644
index 0000000..58f00b8
--- /dev/null
+++ b/lib/efi_loader/efi_capsule_key.S

@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * .esl cert for capsule authentication
+ *
+ * Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org>
+ */
+
+#include <config.h>
+
+.section .rodata.capsule_key.init,"a"
+.balign 16
+.global __efi_capsule_sig_begin
+__efi_capsule_sig_begin:
+.incbin CONFIG_EFI_CAPSULE_KEY_PATH
+__efi_capsule_sig_end:
+.global __efi_capsule_sig_end
+.balign 16
commit	27e059caee7f46aecd7de97abdcdeda889e8b431	[log] [tgz]
author	Ilias Apalodimas <ilias.apalodimas@linaro.org>	Sat Jul 17 17:26:44 2021 +0300
committer	Heinrich Schuchardt <xypron.glpk@gmx.de>	Sun Jul 18 14:43:56 2021 +0200
tree	2f6625c0035401e56d52ddc000e0b3ffddfa892e
parent	8db8a968e0a0bf59361d5808cbe2a74b4d9f842b [diff] [blame]