tegra-uefi-keys-dtb: automates UEFI device tree file generation #2005
gabrielssanches wants to merge 2 commits into
gen_uefi_keys_dts.sh is used for generating device tree files for UEFI keys. This commit enables the generation step automation by depending on this recipe.

Signed-off-by: Gabriel dos Santos Sanches <gasa@prevas.dk>

Generates UEFI device tree files instead of doing it outside of Yocto.
This covers generation of UefiDefaultSecurityKeys.dts/dtbo only.

The minimal set of keys and certs is:
TEGRA_UEFI_PK_CERT
TEGRA_UEFI_KEK_1_CERT
TEGRA_UEFI_DB_1_KEY
TEGRA_UEFI_DB_1_CERT

Up to 3 KEK and DB certs may be provided.
See official documentation for more info.

Signed-off-by: Gabriel dos Santos Sanches <gasa@prevas.dk>
There is an issue to be solved still. It depends on cert-to-efi-sig-list, which is provided by efitools meta-perl. It is a bit too much in my opinion, but the alternative is to roll a meta-tegra efitool recipe (maybe just focused on building cert-to-efi-sig-list). Let me know what your thoughts are on this.
I'd prefer it if the existing recipe retains its current behavior by default, so as not to break builds that use the bbappend approach. While automating the DTS file generation isn't a bad idea, I'm a bit worried that having a recipe do that generation would make it too easy to expose secrets, since users are apt to just check in the As for the missing tool, we could add a recipe to build just the needed tool for this purpose.
Sounds like the right way to do it. I am on paternity leave until March 2026 😅 so it will have to wait.
tegra-flashtools-native: installs gen_uefi_keys_dts.sh