author | Ilias Apalodimas <ilias.apalodimas@linaro.org> | 2021-07-17 17:26:44 +0300 |
---|---|---|
committer | Heinrich Schuchardt <xypron.glpk@gmx.de> | 2021-07-18 14:43:56 +0200 |
commit | ddf67daac39de76d2697d587148f4c2cb768f492 (patch) | |
tree | 2f6625c0035401e56d52ddc000e0b3ffddfa892e /lib/efi_loader/efi_capsule_key.S | |
parent | d934ed577e9257e64e08bc722a7715e586c4a2bc (diff) |
efi_capsule: Move signature from DTB to .rodata
The capsule signature is now part of our DTB. This is problematic when a
user is allowed to change/fixup that DTB from U-Boot's command line since he
can overwrite the signature as well.
So instead of adding the key on the DTB, embed it in the u-boot binary
itself as part of its .rodata. This assumes that the U-Boot binary we load
is authenticated by a previous boot stage loader.
Reviewed-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Tested-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Diffstat (limited to 'lib/efi_loader/efi_capsule_key.S')
-rw-r--r-- | lib/efi_loader/efi_capsule_key.S | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S new file mode 100644 index 0000000000..58f00b8e4b --- /dev/null +++ b/lib/efi_loader/efi_capsule_key.S @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * .esl cert for capsule authentication + * + * Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org> + */ + +#include <config.h> + +.section .rodata.capsule_key.init,"a" +.balign 16 +.global __efi_capsule_sig_begin +__efi_capsule_sig_begin: +.incbin CONFIG_EFI_CAPSULE_KEY_PATH +__efi_capsule_sig_end: +.global __efi_capsule_sig_end +.balign 16 |
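Review bot: The header comment at the top of efi_capsule_key.S says only ".esl cert for capsule authentication" and does not record the trust assumption the commit message relies on, namely that the blob pulled in by `.incbin CONFIG_EFI_CAPSULE_KEY_PATH` is only trustworthy if the U-Boot image itself is authenticated by the previous boot stage. Please state that in the file comment so someone enabling this without a verified boot chain sees it next to the key. Two smaller points in the same hunk: the symbols are named `__efi_capsule_sig_begin` / `__efi_capsule_sig_end` although the content is a key (ESL), not a signature, so a `key` name would match the file name and the config option; and `.global __efi_capsule_sig_end` comes after its label while `.global __efi_capsule_sig_begin` comes before its label, which is worth making consistent.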