diff options
| author | Sughosh Ganu | 2020-12-30 19:27:09 +0530 |
|---|---|---|
| committer | Heinrich Schuchardt | 2020-12-31 14:41:31 +0100 |
| commit | 04be98bd6bcfccf3ab028fda0ca962dd00f61260 (patch) | |
| tree | 3c5364e835613770b47a069ca9dd398ac0ac4ceb /board | |
| parent | b4f20a5d83f0b8a5c30128966eabe68748631e66 (diff) | |
efi: capsule: Add support for uefi capsule authentication
Add support for authenticating uefi capsules. Most of the signature
verification functionality is shared with the uefi secure boot
feature.
The root certificate containing the public key used for the signature
verification is stored as part of the device tree blob. The root
certificate is stored as an efi signature list(esl) file -- this file
contains the x509 certificate which is the root certificate.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Diffstat (limited to 'board')
| -rw-r--r-- | board/emulation/common/Makefile | 1 | ||||
| -rw-r--r-- | board/emulation/common/qemu_capsule.c | 48 |
2 files changed, 49 insertions, 0 deletions
diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile index c5b452e7e34..7ed447a69dc 100644 --- a/board/emulation/common/Makefile +++ b/board/emulation/common/Makefile @@ -2,3 +2,4 @@ obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o +obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c new file mode 100644 index 00000000000..f1d403501a9 --- /dev/null +++ b/board/emulation/common/qemu_capsule.c @@ -0,0 +1,48 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2020 Linaro Limited + */ + +#include <common.h> +#include <efi_api.h> +#include <efi_loader.h> +#include <env.h> +#include <fdtdec.h> + +DECLARE_GLOBAL_DATA_PTR; + +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + EFI_PRINT("Unable to get signature node offset\n"); + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + EFI_PRINT("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + + return 0; +} + +bool efi_capsule_auth_enabled(void) +{ + return env_get("capsule_authentication_enabled") != NULL ? + true : false; +} |