| Message ID | 20230725085725.350917-11-sughosh.ganu@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Integrate EFI capsule tasks into u-boot's build flow | expand |
On Tue, 25 Jul 2023 at 02:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > The embedding of the public key EFI Signature List(ESL) file into the > platform's DTB is now done at the time of u-boot build. Remove this > logic from the capsule update test' configuration. > > Include the public key for the sandbox and sandbox_flattree variant > as part of the build. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > --- > Changes since V4: None > > configs/sandbox_defconfig | 1 + > configs/sandbox_flattree_defconfig | 1 + > test/py/tests/test_efi_capsule/conftest.py | 37 ++++---------------- > test/py/tests/test_efi_capsule/signature.dts | 10 ------ > 4 files changed, 9 insertions(+), 40 deletions(-) > delete mode 100644 test/py/tests/test_efi_capsule/signature.dts > > diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig > index 19cc6701e6..53e342b3fa 100644 > --- a/configs/sandbox_defconfig > +++ b/configs/sandbox_defconfig > @@ -342,6 +342,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y > CONFIG_EFI_CAPSULE_ON_DISK=y > CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > +CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl" No, we cannot use hard-coded pathnames, still. Please grep for /tmp/capsules throughout your series. You should be able to drop the path if you put the file in the right dir in the test. It runs in the working directory, I believe. [..] Regards, Simon
hi Simon, On Wed, 26 Jul 2023 at 04:24, Simon Glass <sjg@chromium.org> wrote: > > On Tue, 25 Jul 2023 at 02:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > The embedding of the public key EFI Signature List(ESL) file into the > > platform's DTB is now done at the time of u-boot build. Remove this > > logic from the capsule update test' configuration. > > > > Include the public key for the sandbox and sandbox_flattree variant > > as part of the build. > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > --- > > Changes since V4: None > > > > configs/sandbox_defconfig | 1 + > > configs/sandbox_flattree_defconfig | 1 + > > test/py/tests/test_efi_capsule/conftest.py | 37 ++++---------------- > > test/py/tests/test_efi_capsule/signature.dts | 10 ------ > > 4 files changed, 9 insertions(+), 40 deletions(-) > > delete mode 100644 test/py/tests/test_efi_capsule/signature.dts > > > > diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig > > index 19cc6701e6..53e342b3fa 100644 > > --- a/configs/sandbox_defconfig > > +++ b/configs/sandbox_defconfig > > @@ -342,6 +342,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y > > CONFIG_EFI_CAPSULE_ON_DISK=y > > CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > +CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl" > > No, we cannot use hard-coded pathnames, still. > > Please grep for /tmp/capsules throughout your series. > > You should be able to drop the path if you put the file in the right > dir in the test. It runs in the working directory, I believe. Okay, let me check this out. -sughosh
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index 19cc6701e6..53e342b3fa 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -342,6 +342,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y +CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl" CONFIG_EFI_SECURE_BOOT=y CONFIG_TEST_FDTDEC=y CONFIG_UNIT_TEST=y diff --git a/configs/sandbox_flattree_defconfig b/configs/sandbox_flattree_defconfig index 8aa295686d..06b1408b90 100644 --- a/configs/sandbox_flattree_defconfig +++ b/configs/sandbox_flattree_defconfig @@ -227,6 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y +CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl" CONFIG_UNIT_TEST=y CONFIG_UT_TIME=y CONFIG_UT_DM=y diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 054be1ee97..99b502902e 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -25,48 +25,25 @@ def efi_capsule_data(request, u_boot_config): image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img' try: + capsules_path_dir = '/tmp/capsules/' # Create a target device check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True) check_call('rm -rf %s' % mnt_point, shell=True) check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) - - capsule_auth_enabled = u_boot_config.buildconfig.get( - 'config_efi_capsule_authenticate') - if capsule_auth_enabled: - # Create private key (SIGNER.key) and certificate (SIGNER.crt) - check_call('cd %s; ' - 'openssl req -x509 -sha256 -newkey rsa:2048 ' - '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' - '-out SIGNER.crt -nodes -days 365' - % data_dir, shell=True) - check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' - % (data_dir, EFITOOLS_PATH), shell=True) - - # Update dtb adding capsule certificate - check_call('cd %s; ' - 'cp %s/test/py/tests/test_efi_capsule/signature.dts .' - % (data_dir, u_boot_config.source_dir), shell=True) - check_call('cd %s; ' - 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; ' - 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' - '-o test_sig.dtb signature.dtbo' - % (data_dir, u_boot_config.build_dir), shell=True) - - # Create *malicious* private key (SIGNER2.key) and certificate - # (SIGNER2.crt) - check_call('cd %s; ' - 'openssl req -x509 -sha256 -newkey rsa:2048 ' - '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key ' - '-out SIGNER2.crt -nodes -days 365' - % data_dir, shell=True) + check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True) # Update dtb to add the version information check_call('cd %s; ' 'cp %s/test/py/tests/test_efi_capsule/version.dts .' % (data_dir, u_boot_config.source_dir), shell=True) + + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') if capsule_auth_enabled: + check_call('cp %s/arch/sandbox/dts/test.dtb %s/test_sig.dtb' % + (u_boot_config.build_dir, data_dir), shell=True) check_call('cd %s; ' 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; ' 'fdtoverlay -i test_sig.dtb ' diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts deleted file mode 100644 index 078cfc76c9..0000000000 --- a/test/py/tests/test_efi_capsule/signature.dts +++ /dev/null @@ -1,10 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0+ - -/dts-v1/; -/plugin/; - -&{/} { - signature { - capsule-key = /incbin/("SIGNER.esl"); - }; -};
The embedding of the public key EFI Signature List(ESL) file into the platform's DTB is now done at the time of u-boot build. Remove this logic from the capsule update test' configuration. Include the public key for the sandbox and sandbox_flattree variant as part of the build. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> --- Changes since V4: None configs/sandbox_defconfig | 1 + configs/sandbox_flattree_defconfig | 1 + test/py/tests/test_efi_capsule/conftest.py | 37 ++++---------------- test/py/tests/test_efi_capsule/signature.dts | 10 ------ 4 files changed, 9 insertions(+), 40 deletions(-) delete mode 100644 test/py/tests/test_efi_capsule/signature.dts