UefiUpdateSecurityKeys.dts missing from UEFI Capsule update generated with meta-tegra

[jpeeee]

I believe updating UEFI keys via tegra-uefi-keys-dtb.bb does not work on scarthgap nor master branches.

When adding UefiUpdateSecurityKeys.dts to tegra-uefi-keys-dtb.bbappend, the UefiUpdateSecurityKeys.dtbo is not installed in the sysroot of the recipe, causing tegra_bootcontrol_overlay_list() to not append it to the list of overlays to use for the capsule update. The result is that it is missing from the capsule update, making it impossible to update the KEK and other keys used by UEFI secure boot.

I believe I have a solution to the problem by adding the following stage to tegra-uefi-keys-dtb.bbappend:

do_populate_sysroot() {
    install -d ${SYSROOT_DESTDIR}
    install -m 0644 ${B}/UefiDefaultSecurityKeys.dtbo ${SYSROOT_DESTDIR}
    if [ -a "${B}/UefiUpdateSecurityKeys.dtbo" ]; then
        install -m 0644 ${B}/UefiUpdateSecurityKeys.dtbo ${SYSROOT_DESTDIR}
    fi
}

and modifying tegra_bootcontrol_overlay_list() as follows:

def tegra_bootcontrol_overlay_list(d, bup=False, separator=','):
    overlays = d.getVar('TEGRA_BOOTCONTROL_OVERLAYS').split()
    if d.getVar('TEGRA_UEFI_USE_SIGNED_FILES') == "true":
        overlays.append('UefiDefaultSecurityKeys.dtbo')
        sysroot = d.getVar('RECIPE_SYSROOT')
        if bup and os.path.exists(os.path.join(sysroot, 'UefiUpdateSecurityKeys.dtbo')):
            overlays.append('UefiUpdateSecurityKeys.dtbo')
    return separator.join(overlays)

With these changes UefiUpdateSecurityKeys.dtbo is picked up for the capsule update and deploying the update I can see the new keys in the EKB.

I am currently unable to push a branch to meta-tegra so could not create a PR for review.

A word of warning, having updated the EKB using this recipe, the board boots once, but on second reboot it stops at the following error:
ASSERT [FvbNorFlashStandaloneMm] /usr/src/debug/standalone-mm-optee-tegra/36.3.0/edk2-nvidia/Silicon)

This happens when signing the EUFI payloads with either the 'old' keys (pre-update) and with the new keys brought by the update. I am yet to test with Jetpack (not meta-tegra) to confirm whether updating the EKB actually works.

Could someone review my changes and let me know if they make sense?
Has updating the EKB not yet been tested by anyone?
Any comments on the error I am getting after the update?

Thanks!

[dwalkes]

Hi @jpeeee

I am currently unable to push a branch to meta-tegra so could not create a PR for review.

Please use https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork to create a pull request from a fork for review.