From patchwork Tue Jul 27 09:10:45 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 486666
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, trini@konsulko.com, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v2 0/9] efi_loader: capsule: improve capsule authentication support
Date: Tue, 27 Jul 2021 18:10:45 +0900
Message-Id: <20210727091054.512050-1-takahiro.akashi@linaro.org>

As I proposed and discussed in [1] and [2], I have made a couple of
improvements on the current implementation of capsule update in this
patch set.

* add signing feature to mkeficapsule
* add "--guid" option to mkeficapsule
* add man page of mkeficapsule
* add pytest for capsule authentication (on sandbox)

NOTE: Due to Ilias's commit [3], we need to have a customized configuration
for sandbox to properly set up and run capsule authentication test.
See patch #5, #6 and #7.

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
[3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata")

Prerequisite patches
====================
None

Test
====
* locally passed the pytest which is included in this patch series
  on a sandbox build.

Todo
====
* Confirm that the change in .gitlab-ci.yml works.
* Azure support(?)
Changes
=======
v2 (July 28, 2021)
* rebased on v2021.10-rc*
* removed dependency on target's configuration
* removed fdtsig.sh and others
* add man page
* update the UEFI document
* add dedicated defconfig for testing on sandbox
* add gitlab CI support
* add "--guid" option to mkeficapsule (yet rather RFC)

Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (9):
  tools: mkeficapsule: add firmware image signing
  tools: mkeficapsule: add man page
  doc: update UEFI document for usage of mkeficapsule
  efi_loader: ease the file path check for public key
  test/py: efi_capsule: add image authentication test
  sandbox: add config for efi capsule authentication test
  GitLab: add a test rule for efi capsule authentication test
  tools: mkeficapsule: allow for specifying GUID explicitly
  test/py: efi_capsule: align with the syntax change of mkeficapsule

 .gitlab-ci.yml                                |   6 +
 MAINTAINERS                                   |   1 +
 configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
 doc/develop/uefi/uefi.rst                     |  31 +-
 doc/mkeficapsule.1                            |  98 +++++
 lib/efi_loader/Makefile                       |   5 +-
 test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
 test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
 test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
 test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
 test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  39 +-
 .../test_capsule_firmware_signed.py           | 228 +++++++++++
 tools/Kconfig                                 |   7 +
 tools/Makefile                                |   8 +-
 tools/mkeficapsule.c                          | 368 ++++++++++++++++--
 17 files changed, 1129 insertions(+), 68 deletions(-)
 create mode 100644 configs/sandbox_capsule_auth_defconfig
 create mode 100644 doc/mkeficapsule.1
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

-- 
2.31.0
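Editor's added example (not part of the cover letter, the series, or U-Boot's own code): the series adds image signing to mkeficapsule and a pytest that ships a trusted SIGNER key/ESL and a second, untrusted SIGNER2 key. The stand-alone Go model below shows the three outcomes such a test exercises: a capsule signed by the trusted key is accepted, one signed by an unknown key is rejected, and a trusted-signed capsule whose image was altered after signing is rejected. It is a simplified model, not the UEFI EFI_FIRMWARE_IMAGE_AUTHENTICATION/PKCS#7 layout; ECDSA P-256, the `Capsule` and `TrustStore` types, the digest layout, and the GUID and image bytes are all constructed for this example, and `TrustStore` stands in for the public-key list that U-Boot embeds in .rodata.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Capsule is a deliberately simplified model of an authenticated firmware
// capsule (NOT the UEFI EFI_FIRMWARE_IMAGE_AUTHENTICATION layout): a GUID
// naming the image type, the image itself, and a detached signature made
// with the signer's private key.
type Capsule struct {
	GUID      [16]byte
	Image     []byte
	Signature []byte // ASN.1 DER ECDSA signature over digest(GUID, Image)
}

// TrustStore plays the role of the public-key list (ESL) that the firmware
// carries in .rodata: only signatures made by one of these keys are accepted.
type TrustStore []*ecdsa.PublicKey

// digest binds the GUID, the image length and the image bytes into one
// SHA-256 hash, so neither the payload nor its declared type can be swapped
// without invalidating the signature.
func digest(guid [16]byte, image []byte) []byte {
	h := sha256.New()
	h.Write(guid[:])
	var n [8]byte
	binary.LittleEndian.PutUint64(n[:], uint64(len(image)))
	h.Write(n[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignCapsule is the signing-tool side (what a signer-key option does).
func SignCapsule(priv *ecdsa.PrivateKey, guid [16]byte, image []byte) (Capsule, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(guid, image))
	if err != nil {
		return Capsule{}, err
	}
	return Capsule{GUID: guid, Image: append([]byte(nil), image...), Signature: sig}, nil
}

// Verify is the firmware side: accept only if the signature verifies under
// some trusted key; every other outcome is a rejection.
func (ts TrustStore) Verify(c Capsule) bool {
	d := digest(c.GUID, c.Image)
	for _, pub := range ts {
		if ecdsa.VerifyASN1(pub, d, c.Signature) {
			return true
		}
	}
	return false
}

// Demo runs the three cases: trusted signer, untrusted signer (SIGNER2
// equivalent), and an image modified after being signed by the trusted key.
func Demo() (goodOK, wrongSignerOK, tamperedOK bool, err error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	signer2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample values; this GUID is not any real U-Boot image GUID.
	guid := [16]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
		0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10}
	image := []byte("sample firmware image (constructed for this example)")

	trusted := TrustStore{&signer.PublicKey} // only SIGNER is in the ESL

	good, err := SignCapsule(signer, guid, image)
	if err != nil {
		return
	}
	wrong, err := SignCapsule(signer2, guid, image)
	if err != nil {
		return
	}
	tampered, err := SignCapsule(signer, guid, image)
	if err != nil {
		return
	}
	tampered.Image[0] ^= 0xff // modify one byte of the image after signing

	return trusted.Verify(good), trusted.Verify(wrong), trusted.Verify(tampered), nil
}

func main() {
	g, w, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted signer accepted: %v\nuntrusted signer accepted: %v\ntampered image accepted: %v\n", g, w, t)
}
```

The point of the trust store being a fixed list compiled into the firmware, as the referenced commit does by moving the signature data from the DTB into .rodata, is that the verifier's set of accepted keys cannot be changed by the same update channel it is meant to protect.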