From 04be98bd6bcfccf3ab028fda0ca962dd00f61260 Mon Sep 17 00:00:00 2001 From: Sughosh Ganu Date: Wed, 30 Dec 2020 19:27:09 +0530 Subject: efi: capsule: Add support for uefi capsule authentication Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list(esl) file -- this file contains the x509 certificate which is the root certificate. Signed-off-by: Sughosh Ganu --- include/efi_api.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'include/efi_api.h') diff --git a/include/efi_api.h b/include/efi_api.h index e82d4ca9ff..ecb43a0607 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -1812,6 +1812,24 @@ struct efi_variable_authentication_2 { struct win_certificate_uefi_guid auth_info; } __attribute__((__packed__)); +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __attribute__((__packed__)); + + /** * efi_signature_data - A format of signature * -- cgit