From 659f97eb1fc30296aa64e2ad9f4b7578e183aea5 Mon Sep 17 00:00:00 2001 From: Jonathan Humphreys Date: Thu, 13 Jun 2024 15:27:53 -0500 Subject: scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file The EFI Capsule ESL file (EFI Signature List File) used for authentication is a binary generated from the EFI Capsule public key certificate. Instead of including it in the source repo, automatically generate it from the certificate file during the build process. Currently, sandbox is the only device using this, so removed its ESL file and set the (new) CONFIG_EFI_CAPSULE_CRT_FILE config to point to its public key certificate. Signed-off-by: Jonathan Humphreys --- doc/develop/uefi/uefi.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'doc/develop') diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 88596f312c..d450b12bf8 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -580,10 +580,10 @@ and used by the steps highlighted below. } You can perform step-4 through the Kconfig symbol -CONFIG_EFI_CAPSULE_ESL_FILE. This symbol points to the esl file -generated in step-2. Once the symbol has been populated with the path -to the esl file, it will automatically get embedded into the -platform's dtb as part of U-Boot build. +CONFIG_EFI_CAPSULE_CRT_FILE. This symbol points to the signing key +generated in step-2. As part of U-Boot build, the ESL certificate file will +be generated from the signing key and automatically get embedded into the +platform's dtb. Anti-rollback Protection ************************ -- cgit v1.2.3