<sjg1>
apalos: I'm still not sure of why this is so tricky. The capsule update should be created by binman, not put into 'u-boot.bin'. What am I missing?
frieder has quit [Ping timeout: 240 seconds]
frieder has joined #u-boot
<apalos>
the public key portion that you'll use to authenticate the capsule needs to be in the dtb and as a consequence in the u-boot.bin
<apalos>
so the capsule itself is a standalone file
<sjg1>
apalos: So the capsule update should be created with binman, right?
<sjg1>
apalos: where does the public key come from?
<apalos>
the capsule update *is* created by binman in v2
<apalos>
The key comes from the vendor, it's ok a Kconfig iirc
<apalos>
But eventually you need to create a .dtb that includes the public portion and is part of the running u-boot
<apalos>
So you can authenticate incoming capsules against it
mmu_man has quit [Ping timeout: 240 seconds]
<sjg1>
apalos: So EFI_CAPSULE_ESL_FILE is the file...what format is it in?
xroumegu1 has quit [Ping timeout: 240 seconds]
<sjg1>
If you really want it in the input file, can it not be included in a .dtsi as part of the U-Boot build?
<sjg1>
xypron: I can't find that file, but there are lots of references to it. So are the keys put into the dtb in an opaque binary format? Can it not be included in a .dtsi as part of the U-Boot build?
<sjg1>
We should not need to change input files. Either the signatures in advance (and can be included in .dtsi) or they are not and they are added later.
<apalos>
and no, you can't include a .dtsi as part of the build,
<apalos>
the whole point is to make the whole process easier for people,
<apalos>
You can, today, produce the capsule and sign it
<apalos>
But that's useless, all we want is for someone to define a key in the kconfig
<apalos>
and every time you build u-boot you get a proper capsule for updates as well
<apalos>
so the easiest way to do this is using what people already know about EFI capsules
<apalos>
and then internally we can append it to the dtb
prabhakarlad has joined #u-boot
<apalos>
and we can indeed generate the capsule through binman, but the .dtb that is produced and concatenated to u-boot *must* automatically include the signature entry
<marex>
apalos: are you gonna be here for EOSS ?
frieder has joined #u-boot
mmu_man has joined #u-boot
<xypron>
sjg1: cert-to-efi-siglist is provided by package efitools
<marex>
xypron: you coming for EOSS ?
mmu_man has quit [Ping timeout: 250 seconds]
mmu_man has joined #u-boot
sng has quit [Remote host closed the connection]
davlefou has quit [Ping timeout: 240 seconds]
ikarso has quit [Quit: Connection closed for inactivity]
mmu_man has quit [Ping timeout: 245 seconds]
bryanb has quit [Ping timeout: 246 seconds]
<apalos>
marex: unfortunately not, I didn't plan in time
<marex>
bummer
<apalos>
marex: i am planning to be in OSFC though
<apalos>
and maybe plumbers, not sure about the latter
<apalos>
I'll definitely be in OSFC
<apalos>
I should have joined EOSS as well tbh...
<marex>
apalos: when/where is OSFC ? They treated U-Boot poorly when I wanted to join, so I gave up on that conf
sng has joined #u-boot
bryanb has joined #u-boot
davlefou has joined #u-boot
<apalos>
Oct 10-12 Sunnyvale iirc
<apalos>
Last time it was most of linuxboot fest as well
<marex>
US again ?
<apalos>
But really no one cares, I just plan on doing a u-boot/EFI talk
<apalos>
it was Gothernburg last year
<apalos>
Gothenburg*
<cambrian_invader>
what happened to elc?
<cambrian_invader>
elce seems to have been merged into eoss
<Tartarus>
Yes, it has
<cambrian_invader>
but there doesn't seem to be a US conference scheduled
<marex>
cambrian_invader: it's now EOSS for both EU and US
<marex>
cambrian_invader: next year will be EOSS in US
<cambrian_invader>
ah
<marex>
it will be alternating as far as I can tell
<Tartarus>
And other conferences are trying to pick up some of the need, both location and content-wise
<cambrian_invader>
I always seem to come across good elc talks on elinux.org, so I was hoping there would be a US conference this year
<cambrian_invader>
last year I skipped it because of all the covid restrictions they had
d-s-e has quit [Ping timeout: 240 seconds]
mmu_man has joined #u-boot
sng has quit [Remote host closed the connection]
frieder has quit [Remote host closed the connection]
<milkylainen>
sjg1: Did you see that one btw? It's the uglyfix for the decompression errors I was getting when verifying the fit image using the sign checker.