mirror of
https://source.denx.de/u-boot/u-boot.git
synced 2025-08-13 18:56:59 +02:00
fd58c275f6
commitddf67daac3("efi_capsule: Move signature from DTB to .rodata") was reverted in commit47a25e81d3("Revert "efi_capsule: Move signature from DTB to .rodata"") because that's what U-Boot was usually doing -- using the DT to store configuration and data. Some of the discussions can be found here [0]. (Ab)using the device tree to store random data isn't ideal though. On top of that with new features introduced over the years, keeping the certificates in the DT has proven to be problematic. One of the reasons is that platforms might send U-Boot a DTB from the previous stage loader using a transfer list which won't contain the signatures since other loaders are not aware of internal U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding the capsule certificate there does not work and requires users to dump it and re-create it injecting the public keys. Now that we have proper memory permissions for arm64, move the certificate to .rodata and read it from there. [0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/ Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Tested-by: Jonathan Humphreys <j-humphreys@ti.com> # on TI sk-am62p-lp Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC Tested-by: Raymond Mao <raymond.mao@linaro.org>
18 lines
377 B
ArmAsm
18 lines
377 B
ArmAsm
/* SPDX-License-Identifier: GPL-2.0+ */
|
|
/*
|
|
* .esl cert for capsule authentication
|
|
*
|
|
* Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org>
|
|
*/
|
|
|
|
#include <config.h>
|
|
|
|
.section .rodata.capsule_key.init,"a"
|
|
.balign 16
|
|
.global __efi_capsule_sig_begin
|
|
__efi_capsule_sig_begin:
|
|
.incbin CAPSULE_ESL_PATH
|
|
__efi_capsule_sig_end:
|
|
.global __efi_capsule_sig_end
|
|
.balign 16
|