mirror of
https://github.com/brain-hackers/u-boot-brain
synced 2024-06-09 23:36:03 +09:00
04be98bd6b
Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list(esl) file -- this file contains the x509 certificate which is the root certificate. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
49 lines
976 B
C
49 lines
976 B
C
// SPDX-License-Identifier: GPL-2.0+
|
|
/*
|
|
* Copyright (c) 2020 Linaro Limited
|
|
*/
|
|
|
|
#include <common.h>
|
|
#include <efi_api.h>
|
|
#include <efi_loader.h>
|
|
#include <env.h>
|
|
#include <fdtdec.h>
|
|
|
|
DECLARE_GLOBAL_DATA_PTR;
|
|
|
|
int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
|
|
{
|
|
const void *fdt_blob = gd->fdt_blob;
|
|
const void *blob;
|
|
const char *cnode_name = "capsule-key";
|
|
const char *snode_name = "signature";
|
|
int sig_node;
|
|
int len;
|
|
|
|
sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);
|
|
if (sig_node < 0) {
|
|
EFI_PRINT("Unable to get signature node offset\n");
|
|
return -FDT_ERR_NOTFOUND;
|
|
}
|
|
|
|
blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);
|
|
|
|
if (!blob || len < 0) {
|
|
EFI_PRINT("Unable to get capsule-key value\n");
|
|
*pkey = NULL;
|
|
*pkey_len = 0;
|
|
return -FDT_ERR_NOTFOUND;
|
|
}
|
|
|
|
*pkey = (void *)blob;
|
|
*pkey_len = len;
|
|
|
|
return 0;
|
|
}
|
|
|
|
bool efi_capsule_auth_enabled(void)
|
|
{
|
|
return env_get("capsule_authentication_enabled") != NULL ?
|
|
true : false;
|
|
}
|