efi: capsule: Add support for uefi capsule authentication Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list(esl) file -- this file contains the x509 certificate which is the root certificate. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

commit: 04be98bd6bcfccf3ab028fda0ca962dd00f61260 [log] [tgz]
author: Sughosh Ganu <sughosh.ganu@linaro.org> Wed Dec 30 19:27:09 2020 +0530
committer: Heinrich Schuchardt <xypron.glpk@gmx.de> Thu Dec 31 14:41:31 2020 +0100
tree: 3c5364e835613770b47a069ca9dd398ac0ac4ceb
parent: b4f20a5d83f0b8a5c30128966eabe68748631e66 [diff] [blame]
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index e780491..fdf245d 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig

@@ -153,6 +153,23 @@
 	  Select this option if you want to enable capsule-based
 	  firmware update using Firmware Management Protocol.
 
+config EFI_CAPSULE_AUTHENTICATE
+	bool "Update Capsule authentication"
+	depends on EFI_CAPSULE_FIRMWARE
+	depends on EFI_CAPSULE_ON_DISK
+	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
+	select SHA256
+	select RSA
+	select RSA_VERIFY
+	select RSA_VERIFY_WITH_PKEY
+	select X509_CERTIFICATE_PARSER
+	select PKCS7_MESSAGE_PARSER
+	select PKCS7_VERIFY
+	default n
+	help
+	  Select this option if you want to enable capsule
+	  authentication
+
 config EFI_CAPSULE_FIRMWARE_FIT
 	bool "FMP driver for FIT image"
 	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
commit	04be98bd6bcfccf3ab028fda0ca962dd00f61260	[log] [tgz]
author	Sughosh Ganu <sughosh.ganu@linaro.org>	Wed Dec 30 19:27:09 2020 +0530
committer	Heinrich Schuchardt <xypron.glpk@gmx.de>	Thu Dec 31 14:41:31 2020 +0100
tree	3c5364e835613770b47a069ca9dd398ac0ac4ceb
parent	b4f20a5d83f0b8a5c30128966eabe68748631e66 [diff] [blame]