@@ -106,3 +106,7 @@
#if IS_ENABLED(CONFIG_SUPPORT_VPL)
#include "sandbox_vpl.dtsi"
#endif
+
+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+#include "sandbox_capsule.dtsi"
+#endif
new file mode 100644
@@ -0,0 +1,340 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree file with binman nodes for generating capsules.
+ */
+
+#include <sandbox_efi_capsule.h>
+
+/ {
+ binman: binman {
+ multiple-images;
+ };
+};
+
+&binman {
+ itb {
+ filename = UBOOT_FIT_IMAGE;
+
+ fit {
+ description = "Automatic U-Boot environment update";
+ #address-cells = <2>;
+
+ images {
+ u-boot-bin {
+ description = "U-Boot binary on SPI Flash";
+ compression = "none";
+ type = "firmware";
+ arch = "sandbox";
+ load = <0>;
+ text {
+ text = "u-boot:New";
+ };
+
+ hash-1 {
+ algo = "sha1";
+ };
+ };
+ u-boot-env {
+ description = "U-Boot environment on SPI Flash";
+ compression = "none";
+ type = "firmware";
+ arch = "sandbox";
+ load = <0>;
+ text {
+ text = "u-boot-env:New";
+ };
+
+ hash-1 {
+ algo = "sha1";
+ };
+ };
+ };
+ };
+ };
+
+ capsule1 {
+ filename = "Test01";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule2 {
+ filename = "Test02";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x2>;
+ image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+
+ text {
+ text = "u-boot-env:New";
+ };
+ };
+ };
+
+ capsule3 {
+ filename = "Test03";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_INCORRECT_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule4 {
+ filename = "Test04";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule5 {
+ filename = "Test05";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_INCORRECT_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule6 {
+ filename = "Test101";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule7 {
+ filename = "Test102";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x2>;
+ fw-version = <0xa>;
+ image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+
+ text {
+ text = "u-boot-env:New";
+ };
+ };
+ };
+
+ capsule8 {
+ filename = "Test103";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule9 {
+ filename = "Test104";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule10 {
+ filename = "Test105";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+ capsule11 {
+ filename = "Test11";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule12 {
+ filename = "Test12";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_INVAL_KEY;
+ public-key-cert = CAPSULE_INVAL_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule13 {
+ filename = "Test13";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule14 {
+ filename = "Test14";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_INVAL_KEY;
+ public-key-cert = CAPSULE_INVAL_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule15 {
+ filename = "Test111";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule16 {
+ filename = "Test112";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x2>;
+ fw-version = <0xa>;
+ image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot-env:New";
+ };
+ };
+ };
+
+ capsule17 {
+ filename = "Test113";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule18 {
+ filename = "Test114";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule19 {
+ filename = "Test115";
+ capsule {
+ type = "efi-capsule";
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
+};
@@ -1849,3 +1849,7 @@
#endif
#include "cedit.dtsi"
+
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+#include "sandbox_capsule.dtsi"
+#endif
new file mode 100644
@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2023, Linaro Limited
+ */
+
+#if !defined(_SANDBOX_EFI_CAPSULE_H_)
+#define _SANDBOX_EFI_CAPSULE_H_
+
+#define SANDBOX_UBOOT_IMAGE_GUID "09d7cf52-0720-4710-91d1-08469b7fe9c8"
+#define SANDBOX_UBOOT_ENV_IMAGE_GUID "5a7021f5-fef2-48b4-aaba-832e777418c0"
+#define SANDBOX_FIT_IMAGE_GUID "3673b45d-6a7c-46f3-9e60-adabb03f7937"
+#define SANDBOX_INCORRECT_GUID "058b7d83-50d5-4c47-a195-60d86ad341c4"
+
+#define UBOOT_FIT_IMAGE "u-boot_bin_env.itb"
+
+#define CAPSULE_PRIV_KEY "capsule_priv_key_good.key"
+#define CAPSULE_PUB_KEY "capsule_pub_key_good.crt"
+#define CAPSULE_INVAL_KEY "capsule_priv_key_bad.key"
+#define CAPSULE_INVAL_PUB_KEY "capsule_pub_key_bad.crt"
+
+#endif /* _SANDBOX_EFI_CAPSULE_H_ */
@@ -34,15 +34,20 @@ def efi_capsule_data(request, u_boot_config):
capsule_auth_enabled = u_boot_config.buildconfig.get(
'config_efi_capsule_authenticate')
+ key_dir = u_boot_config.source_dir + '/board/sandbox'
if capsule_auth_enabled:
- # Create private key (SIGNER.key) and certificate (SIGNER.crt)
- check_call('cd %s; '
- 'openssl req -x509 -sha256 -newkey rsa:2048 '
- '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
- '-out SIGNER.crt -nodes -days 365'
- % data_dir, shell=True)
- check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
- % (data_dir, EFITOOLS_PATH), shell=True)
+ # Get the keys from the board directory
+ check_call('cp %s/capsule_priv_key_good.key %s/SIGNER.key'
+ % (key_dir, data_dir), shell=True)
+ check_call('cp %s/capsule_pub_key_good.crt %s/SIGNER.crt'
+ % (key_dir, data_dir), shell=True)
+ check_call('cp %s/capsule_pub_esl_good.esl %s/SIGNER.esl'
+ % (key_dir, data_dir), shell=True)
+
+ check_call('cp %s/capsule_priv_key_bad.key %s/SIGNER2.key'
+ % (key_dir, data_dir), shell=True)
+ check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt'
+ % (key_dir, data_dir), shell=True)
# Update dtb adding capsule certificate
check_call('cd %s; '
@@ -54,14 +59,6 @@ def efi_capsule_data(request, u_boot_config):
'-o test_sig.dtb signature.dtbo'
% (data_dir, u_boot_config.build_dir), shell=True)
- # Create *malicious* private key (SIGNER2.key) and certificate
- # (SIGNER2.crt)
- check_call('cd %s; '
- 'openssl req -x509 -sha256 -newkey rsa:2048 '
- '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
- '-out SIGNER2.crt -nodes -days 365'
- % data_dir, shell=True)
-
# Update dtb to add the version information
check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .'
@@ -79,132 +76,12 @@ def efi_capsule_data(request, u_boot_config):
'-o test_ver.dtb version.dtbo'
% (data_dir, u_boot_config.build_dir), shell=True)
- # Create capsule files
+
+ check_call('cp %s/u-boot_bin_env.itb %s ' % (u_boot_config.build_dir, data_dir), shell=True)
+ check_call('cp %s/Test* %s ' % (u_boot_config.build_dir, data_dir), shell=True)
# two regions: one for u-boot.bin and the other for u-boot.env
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
shell=True)
- check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s/test/py/tests/test_efi_capsule/uboot_bin_env.its > %s/uboot_bin_env.its' %
- (u_boot_config.source_dir, data_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test01' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 2 --guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test02' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 u-boot.bin.new Test03' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test04' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 '
- '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
-
- if capsule_auth_enabled:
- # raw firmware signed with proper key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test11'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with *mal* key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER2.key '
- '--certificate SIGNER2.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test12'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with proper key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test13'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with *mal* key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER2.key '
- '--certificate SIGNER2.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test14'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with proper key with version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 5 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test111'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with proper key with version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 2 --monotonic-count 1 '
- '--fw-version 10 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 '
- 'u-boot.env.new Test112'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with proper key with lower version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 2 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test113'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with proper key with version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 5 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test114'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with proper key with lower version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 2 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test115'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
# Create a disk image with EFI system partition
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
deleted file mode 100644
@@ -1,36 +0,0 @@
-/*
- * Automatic software update for U-Boot
- * Make sure the flashing addresses ('load' prop) is correct for your board!
- */
-
-/dts-v1/;
-
-/ {
- description = "Automatic U-Boot environment update";
- #address-cells = <2>;
-
- images {
- u-boot-bin {
- description = "U-Boot binary on SPI Flash";
- data = /incbin/("BINFILE1");
- compression = "none";
- type = "firmware";
- arch = "sandbox";
- load = <0>;
- hash-1 {
- algo = "sha1";
- };
- };
- u-boot-env {
- description = "U-Boot environment on SPI Flash";
- data = /incbin/("BINFILE2");
- compression = "none";
- type = "firmware";
- arch = "sandbox";
- load = <0>;
- hash-1 {
- algo = "sha1";
- };
- };
- };
-};
The EFI capsule files can now be generated as part of u-boot build through binman. Add capsule entry nodes for the sandbox architecture for generating the capsules. These capsules are then used for testing the EFI capsule update functionality on the sandbox platforms. Remove the corresponding logic in the test setup which was used for generation of these capsule which is now superfluous. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> --- Changes since V7: * Move the capsule generation logic to sandbox_capsule.dtsi and include that explicitly in test.dts and sandbox.dts. * Drop the u-boot.dtsi file which kept the capsule and signature nodes. * Remove capsule generation logic from capsule update test setup. * Keep the logic to embed the public key in DTB in the test setup. arch/sandbox/dts/sandbox.dts | 4 + arch/sandbox/dts/sandbox_capsule.dtsi | 340 ++++++++++++++++++ arch/sandbox/dts/test.dts | 4 + include/sandbox_efi_capsule.h | 21 ++ test/py/tests/test_efi_capsule/conftest.py | 155 +------- .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- 6 files changed, 385 insertions(+), 175 deletions(-) create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi create mode 100644 include/sandbox_efi_capsule.h delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its