From patchwork Thu Aug 10 14:23:29 2023
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 712349
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Malte Schmidt, Michal Simek, Tom Rini
Subject: [PATCH v8 0/9] Enable EFI capsule generation through binman
Date: Thu, 10 Aug 2023 19:53:29 +0530
Message-Id: <20230810142338.3402963-1-sughosh.ganu@linaro.org>

This patch series adds support for generation of EFI capsules as part of u-boot build flow. The capsules can be generated as part of u-boot build, and this is being achieved through binman, by adding a capsule entry type. The parameters needed for capsule generation are specified as properties under the capsule entry node.

Changes have also been made to the efi capsule update feature testing setup on the sandbox variants. Currently, the capsule files and the keys for testing capsule authentication are generated after u-boot has been built. As part of this patch series, the private and public keys along with the EFI Signature List (ESL) needed for testing the capsule update functionality on the sandbox platform are placed in the board directory. The test logic has been changed so that the capsules which were generated as part of the test setup are now being generated as part of the build for sandbox platform.

The document has been updated to reflect the above changes.

Changes since V7:

This version has dropped the changes for embedding the public key ESL into the DTB as there are discussions currently in progress on the solution. The capsule generation changes OTOH are close to getting merged. Hence the separation of the patches.

The following are changes per individual patches

* Change the file names to highlight good and bad keys as suggested by Simon Glass.
* Rebase on top of current upstream.
* Drop the ReadEntries method as suggested by Simon Glass.
* Add logic to allow specifying a string 'binman-test' for GUIDs in binman tests.
* Add a todo comment for getting the capsule contents from the tool.
* Move the capsule generation logic to sandbox_capsule.dtsi and include that explicitly in test.dts and sandbox.dts.
* Drop the u-boot.dtsi file which kept the capsule and signature nodes.
* Remove capsule generation logic from capsule update test setup.
* Keep the logic to embed the public key in DTB in the test setup.
* Change the name of the file which contains the capsule entry binman nodes.

Sughosh Ganu (9):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  sandbox: capsule: Add keys and certificates needed for capsule update testing
  sandbox: Build the mkeficapsule tool for the sandbox variants
  btool: mkeficapsule: Add a bintool for EFI capsule generation
  binman: capsule: Add support for generating EFI capsules
  sandbox: capsule: Generate capsule related files through binman
  doc: Add documentation to highlight capsule generation related updates
  sandbox: trace: Increase trace buffer size

 .azure-pipelines.yml | 2 +-
 .gitlab-ci.yml | 2 +-
 arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
 arch/sandbox/dts/sandbox.dts | 4 +
 arch/sandbox/dts/sandbox_capsule.dtsi | 340 ++++++++++++++++++
 arch/sandbox/dts/test.dts | 4 +
 board/sandbox/capsule_priv_key_bad.key | 28 ++
 board/sandbox/capsule_priv_key_good.key | 28 ++
 board/sandbox/capsule_pub_esl_good.esl | Bin 0 -> 831 bytes
 board/sandbox/capsule_pub_key_bad.crt | 19 +
 board/sandbox/capsule_pub_key_good.crt | 19 +
 doc/develop/uefi/uefi.rst | 16 +
 include/sandbox_efi_capsule.h | 21 ++
 test/py/tests/test_efi_capsule/conftest.py | 155 +-------
 .../tests/test_efi_capsule/uboot_bin_env.its | 36 --
 test/py/tests/test_trace.py | 2 +-
 tools/Kconfig | 6 +-
 tools/binman/bintool.py | 19 +-
 tools/binman/btool/mkeficapsule.py | 101 ++++++
 tools/binman/entries.rst | 64 ++++
 tools/binman/etype/efi_capsule.py | 143 ++++++++
 tools/binman/ftest.py | 118 ++++++
 tools/binman/test/311_capsule.dts | 21 ++
 tools/binman/test/312_capsule_signed.dts | 23 ++
 tools/binman/test/313_capsule_version.dts | 22 ++
 tools/binman/test/314_capsule_signed_ver.dts | 24 ++
 tools/binman/test/315_capsule_oemflags.dts | 22 ++
 tools/binman/test/316_capsule_missing_key.dts | 22 ++
 .../binman/test/317_capsule_missing_index.dts | 20 ++
 .../binman/test/318_capsule_missing_guid.dts | 19 +
 30 files changed, 1112 insertions(+), 190 deletions(-)
 create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi
 create mode 100644 board/sandbox/capsule_priv_key_bad.key
 create mode 100644 board/sandbox/capsule_priv_key_good.key
 create mode 100644 board/sandbox/capsule_pub_esl_good.esl
 create mode 100644 board/sandbox/capsule_pub_key_bad.crt
 create mode 100644 board/sandbox/capsule_pub_key_good.crt
 create mode 100644 include/sandbox_efi_capsule.h
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/efi_capsule.py
 create mode 100644 tools/binman/test/311_capsule.dts
 create mode 100644 tools/binman/test/312_capsule_signed.dts
 create mode 100644 tools/binman/test/313_capsule_version.dts
 create mode 100644 tools/binman/test/314_capsule_signed_ver.dts
 create mode 100644 tools/binman/test/315_capsule_oemflags.dts
 create mode 100644 tools/binman/test/316_capsule_missing_key.dts
 create mode 100644 tools/binman/test/317_capsule_missing_index.dts
 create mode 100644 tools/binman/test/318_capsule_missing_guid.dts