From patchwork Thu Oct 28 06:23:46 2021
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v5 01/11] efi_loader: capsule: drop __weak from efi_get_public_key_data()
Date: Thu, 28 Oct 2021 15:23:46 +0900
Message-Id: <20211028062356.98224-2-takahiro.akashi@linaro.org>
In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>
References: <20211028062356.98224-1-takahiro.akashi@linaro.org>

As we discussed on the ML, currently a device tree is the only place to store public keys for capsule authentication. So __weak is not necessary for now.

Signed-off-by: AKASHI Takahiro
---
 lib/efi_loader/efi_capsule.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.33.0

Reviewed-by: Simon Glass

diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 44f5da61a9be..850937fd120f 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -256,7 +256,7 @@ out: } #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) -int __weak efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) { const void *fdt_blob = gd->fdt_blob; const void *blob;
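Review bot: with `__weak` gone, `efi_get_public_key_data()` is the single definition of where capsule-verification keys come from, and it reads them from `gd->fdt_blob`; the commit message should spell out that this makes the control device tree part of the capsule root of trust (a device tree that is not itself verified by the previous boot stage lets anyone swap the public key), and that any board still carrying its own definition will now fail to link with a duplicate symbol rather than silently override this one. The symbol is still non-static, so either confirm a prototype remains in a header or make it static if nothing outside this file calls it.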
From patchwork Thu Oct 28 06:23:47 2021
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v5 02/11] tools: mkeficapsule: add firmware image signing
Date: Thu, 28 Oct 2021 15:23:47 +0900
Message-Id: <20211028062356.98224-3-takahiro.akashi@linaro.org>
In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>
References: <20211028062356.98224-1-takahiro.akashi@linaro.org>

With this enhancement, mkeficapsule will be able to sign a capsule file when it is created. A signature added will be used later in the verification at FMP's SetImage() call.

To do that, we need to specify additional command parameters:
  --monotonic-count : monotonic count
  --private-key     : private key file
  --certificate     : certificate file

Only when all of those parameters are given, a signature will be added to a capsule file. Users are expected to maintain and increment the monotonic count at every time of the update for each firmware image.

Signed-off-by: AKASHI Takahiro
---
 tools/Kconfig        |   8 +
 tools/Makefile       |   8 +-
 tools/mkeficapsule.c | 435 +++++++++++++++++++++++++++++++++++++++----
 3 files changed, 417 insertions(+), 34 deletions(-)

-- 
2.33.0

Reviewed-by: Simon Glass

diff --git a/tools/Kconfig b/tools/Kconfig
index 91ce8ae3e516..117c921da3fe 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu diff --git a/tools/Makefile b/tools/Makefile index b45219e2c30c..5a73cc4b363d 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,8 +238,12 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +HOSTLDLIBS_mkeficapsule += -luuid +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 4995ba4e0c2a..5541e4bda894 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,6 +15,16 @@ #include #include +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include +#endif + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; 
@@ -38,12 +48,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
@@ -57,16 +80,280 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data: Pointer to firmware data + * @image_size: Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + u8 *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + u8 *sig_data; + size_t sig_size; +}; + +static int dump_sig; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +/** + * fileio-read_pkey - read out a private key + * @filename: Path to a private key file + * + * Read out a private key file and parse it into "EVP_PKEY" structure. + * + * Return: + * * Pointer to private key structure - on success + * * NULL - on failure + */ +static EVP_PKEY *fileio_read_pkey(const char *filename) +{ + EVP_PKEY *key = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!key) { + printf("Can't load key from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return key; +} + +/** + * fileio-read_cert - read out a certificate + * @filename: Path to a certificate file + * + * Read out a certificate file and parse it into "X509" structure. 
+ * + * Return: + * * Pointer to certificate structure - on success + * * NULL - on failure + */ +static X509 *fileio_read_cert(const char *filename) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!cert) { + printf("Can't load certificate from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return cert; +} + +/** + * create_auth_data - compose authentication data in capsule + * @auth_context: Pointer to authentication context + * + * Fill up an authentication header (.auth) and signature data (.sig_data) + * in @auth_context, using library functions from openssl. + * All the parameters in @auth_context must be filled in by a caller. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_auth_data(struct auth_context *ctx) +{ + EVP_PKEY *key = NULL; + X509 *cert = NULL; + BIO *data_bio = NULL; + const EVP_MD *md; + PKCS7 *p7; + int flags, ret = -1; + + OpenSSL_add_all_digests(); + OpenSSL_add_all_ciphers(); + ERR_load_crypto_strings(); + + key = fileio_read_pkey(ctx->key_file); + if (!key) + goto err; + cert = fileio_read_cert(ctx->cert_file); + if (!cert) + goto err; + + /* + * create a BIO, containing: + * * firmware image + * * monotonic count + * in this order! 
+ * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256() + */ + data_bio = BIO_new(BIO_s_mem()); + BIO_write(data_bio, ctx->image_data, ctx->image_size); + BIO_write(data_bio, &ctx->auth.monotonic_count, + sizeof(ctx->auth.monotonic_count)); + + md = EVP_get_digestbyname("SHA256"); + if (!md) + goto err; + + /* create signature */ + /* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */ + flags = PKCS7_BINARY | PKCS7_DETACHED; + p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL); + if (!p7) + goto err; + if (!PKCS7_sign_add_signer(p7, cert, key, md, flags)) + goto err; + if (!PKCS7_final(p7, data_bio, flags)) + goto err; + + /* convert pkcs7 into DER */ + ctx->sig_data = NULL; + ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data, + ASN1_ITEM_rptr(PKCS7)); + if (!ctx->sig_size) + goto err; + + /* fill auth_info */ + ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info) + + ctx->sig_size; + ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7, + sizeof(efi_guid_cert_type_pkcs7)); + + ret = 0; +err: + BIO_free_all(data_bio); + EVP_PKEY_free(key); + X509_free(cert); + + return ret; +} + +/** + * dump_signature - dump out a signature + * @path: Path to a capsule file + * @signature: Signature data + * @sig_size: Size of signature data + * + * Signature data pointed to by @signature will be saved into + * a file whose file name is @path with ".p7" suffix. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int dump_signature(const char *path, u8 *signature, size_t sig_size) +{ + char *sig_path; + FILE *f; + size_t size; + int ret = -1; + + sig_path = malloc(strlen(path) + 3 + 1); + if (!sig_path) + return ret; + + sprintf(sig_path, "%s.p7", path); + f = fopen(sig_path, "w"); + if (!f) + goto err; + + size = fwrite(signature, 1, sig_size, f); + if (size == sig_size) + ret = 0; + + fclose(f); +err: + free(sig_path); + return ret; +} + +/** + * free_sig_data - free out signature data + * @ctx: Pointer to authentication context + * + * Free signature data allocated in create_auth_data(). + */ +static void free_sig_data(struct auth_context *ctx) +{ + if (ctx->sig_size) + OPENSSL_free(ctx->sig_data); +} +#else +static int create_auth_data(struct auth_context *ctx) +{ + return 0; +} + +static int dump_signature(const char *path, u8 *signature, size_t sig_size) +{ + return 0; +} + +static void free_sig_data(struct auth_context *ctx) {} +#endif + +/** + * create_fwbin - create an uefi capsule file + * @path: Path to a created capsule file + * @bin: Path to a firmware binary to encapsulate + * @guid: GUID of related FMP driver + * @index: Index number in capsule + * @instance: Instance number in capsule + * @mcount: Monotonic count in authentication information + * @private_file: Path to a private key file + * @cert_file: Path to a certificate file + * + * This function actually does the job of creating an uefi capsule file. + * All the arguments must be supplied. + * If either @private_file ror @cert_file is NULL, the capsule file + * won't be signed. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) + unsigned long index, unsigned long instance, + uint64_t mcount, char *privkey_file, char *cert_file) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; + struct auth_context auth_context; FILE *f, *g; struct stat bin_stat; u8 *data; @@ -76,8 +363,9 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, #ifdef DEBUG printf("For output: %s\n", path); printf("\tbin: %s\n\ttype: %pUl\n", bin, guid); - printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); + printf("\tindex: %lu\n\tinstance: %lu\n", index, instance); #endif + auth_context.sig_size = 0; g = fopen(bin, "r"); if (!g) { @@ -93,11 +381,34 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, printf("cannot allocate memory: %zx\n", (size_t)bin_stat.st_size); goto err_1; } - f = fopen(path, "w"); - if (!f) { - printf("cannot open %s\n", path); + + size = fread(data, 1, bin_stat.st_size, g); + if (size < bin_stat.st_size) { + printf("read failed (%zx)\n", size); goto err_2; } + + /* first, calculate signature to determine its size */ + if (privkey_file && cert_file) { + auth_context.key_file = privkey_file; + auth_context.cert_file = cert_file; + auth_context.auth.monotonic_count = mcount; + auth_context.image_data = data; + auth_context.image_size = bin_stat.st_size; + + if (create_auth_data(&auth_context)) { + printf("Signing firmware image failed\n"); + goto err_3; + } + + if (dump_sig && + dump_signature(path, auth_context.sig_data, + auth_context.sig_size)) { + printf("Creating signature file failed\n"); + goto err_3; + } + } + header.capsule_guid = efi_guid_fm_capsule; header.header_size = sizeof(header); /* TODO: The current implementation ignores flags */ 
@@ -106,11 +417,20 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, + sizeof(capsule) + sizeof(u64) + sizeof(image) + bin_stat.st_size; + if (auth_context.sig_size) + header.capsule_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; + + f = fopen(path, "w"); + if (!f) { + printf("cannot open %s\n", path); + goto err_3; + } size = fwrite(&header, 1, sizeof(header), f); if (size < sizeof(header)) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } capsule.version = 0x00000001; @@ -119,13 +439,13 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, size = fwrite(&capsule, 1, sizeof(capsule), f); if (size < (sizeof(capsule))) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } offset = sizeof(capsule) + sizeof(u64); size = fwrite(&offset, 1, sizeof(offset), f); if (size < sizeof(offset)) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } image.version = 0x00000003; 
@@ -135,34 +455,53 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, image.reserved[1] = 0; image.reserved[2] = 0; image.update_image_size = bin_stat.st_size; + if (auth_context.sig_size) + image.update_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (auth_context.sig_size) + image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION; size = fwrite(&image, 1, sizeof(image), f); if (size < sizeof(image)) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } - size = fread(data, 1, bin_stat.st_size, g); - if (size < bin_stat.st_size) { - printf("read failed (%zx)\n", size); - goto err_3; + + if (auth_context.sig_size) { + size = fwrite(&auth_context.auth, 1, + sizeof(auth_context.auth), f); + if (size < sizeof(auth_context.auth)) { + printf("write failed (%zx)\n", size); + goto err_4; + } + size = fwrite(auth_context.sig_data, 1, + auth_context.sig_size, f); + if (size < auth_context.sig_size) { + printf("write failed (%zx)\n", size); + goto err_4; + } } + size = fwrite(data, 1, bin_stat.st_size, f); if (size < bin_stat.st_size) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } fclose(f); fclose(g); free(data); + free_sig_data(&auth_context); return 0; -err_3: +err_4: fclose(f); +err_3: + free_sig_data(&auth_context); err_2: free(data); err_1: 
@@ -171,23 +510,37 @@ err_1: return -1; } -/* - * Usage: - * $ mkeficapsule -f +/** + * main - main entry function of mkeficapsule + * @argc: Number of arguments + * @argv: Array of pointers to arguments + * + * Create an uefi capsule file, optionally signing it. + * Parse all the arguments and pass them on to create_fwbin(). + * + * Return: + * * 0 - on success + * * -1 - on failure */ int main(int argc, char **argv) { char *file; efi_guid_t *guid; unsigned long index, instance; + uint64_t mcount; + char *privkey_file, *cert_file; int c, idx; file = NULL; guid = NULL; index = 0; instance = 0; + mcount = 0; + privkey_file = NULL; + cert_file = NULL; + dump_sig = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, opts_short, options, &idx); if (c == -1) break; 
@@ -214,29 +567,47 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; +#ifdef CONFIG_TOOLS_LIBCRYPTO + case 'p': + if (privkey_file) { + printf("Private Key already specified\n"); + return -1; + } + privkey_file = optarg; + break; + case 'c': + if (cert_file) { + printf("Certificate file already specified\n"); + return -1; + } + cert_file = optarg; + break; + case 'm': + mcount = strtoul(optarg, NULL, 0); + break; + case 'd': + dump_sig = 1; + break; +#endif /* CONFIG_TOOLS_LIBCRYPTO */ case 'h': print_usage(); return 0; } } - /* need an output file */ - if (argc != optind + 1) { - print_usage(); - exit(EXIT_FAILURE); - } - - /* need a fit image file or raw image file */ - if (!file) { + /* check necessary parameters */ + if ((argc != optind + 1) || !file || + ((privkey_file && !cert_file) || + (!privkey_file && cert_file))) { print_usage(); - exit(EXIT_SUCCESS); + return -1; } - if (create_fwbin(argv[optind], file, guid, index, instance) - < 0) { + if (create_fwbin(argv[optind], file, guid, index, instance, + mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); - exit(EXIT_FAILURE); + return -1; } - exit(EXIT_SUCCESS); + return 0; }
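Review bot: in the tools/Kconfig hunk the prompt reads `bool "Build efimkcapsule command"` while the symbol, the binary and the help text all say mkeficapsule; fix the transposed name. The help text promises optional signing, but the `-p`/`-c`/`-m` options and the `-lssl -lcrypto` link only exist when TOOLS_LIBCRYPTO is set, so either `select TOOLS_LIBCRYPTO` under this symbol or state in the help that signing requires it; as written, `default y if EFI_CAPSULE_ON_DISK` can quietly produce a tool that cannot sign.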
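Review bot: the tools/Makefile hunk adds `HOSTLDLIBS_mkeficapsule += -luuid` unconditionally, yet no uuid_* call appears anywhere in this patch, and it drops `mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS)` without saying why libfdt is no longer linked; both are host-dependency changes that will surprise people building the tool standalone, so justify them in the commit message or drop `-luuid` if it is a leftover.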
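Review bot: in the option-table hunk the new short string `"f:r:i:I:v:p:c:m:dh"` still carries `v:` (inherited from the old `"f:r:i:I:v:h"`) although there is no `case 'v'` and no long option for it, so `-v something` silently eats an argument; drop it so getopt rejects it. The table registers `{"dump-sig", no_argument, NULL, 'd'}`, but print_usage() advertises `-d, --dump_sig`; getopt_long will not accept the underscore spelling, so align the help text with the table.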
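Review bot: in the @@ -57,16 +80,280 hunk, create_auth_data() stores the result of `ASN1_item_i2d()` straight into the size_t `ctx->sig_size` and tests `if (!ctx->sig_size)`; i2d returns a negative value on error, which becomes a huge unsigned length and passes that check, so keep it in an int and reject `<= 0` before assigning. The monotonic count is both hashed (`BIO_write(data_bio, &ctx->auth.monotonic_count, ...)`) and written to the file in host byte order; on a big-endian build host the signed bytes will not match what a little-endian target reconstructs, so use cpu_to_le64 for the stored and signed value. The PKCS7 object `p7` is never released with `PKCS7_free()` on either path, the two `BIO_write()` return values are unchecked, and `OpenSSL_add_all_digests()`, `OpenSSL_add_all_ciphers()` and `ERR_load_crypto_strings()` are deprecated in OpenSSL 1.1 and later, so expect warnings with newer hosts. The `#else` stub of create_auth_data() returns 0 (success) while producing no signature; it is unreachable today because `-p`/`-c` are only parsed under CONFIG_TOOLS_LIBCRYPTO, but returning -1 would stop a future caller from shipping an unsigned capsule believing it was signed. Kernel-doc nits in the same hunk: `fileio-read_pkey` and `fileio-read_cert` should use underscores to match the function names, the create_fwbin() comment says `@private_file ror @cert_file` ("or") and names `@private_file` where the parameter is `privkey_file`.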
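Review bot: in the @@ -76,8 +363,9 hunk only `auth_context.sig_size = 0;` is initialised; `sig_data` and the rest of the struct stay indeterminate, and the later error paths rely on `sig_size` alone to decide whether to free. Zero-initialise the whole struct (`struct auth_context auth_context = { 0 };` or memset) so `sig_data` is NULL and the cleanup stays safe if another field is added.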
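Review bot: in the @@ -135,34 +455,53 hunk every failed `fwrite()` jumps to `err_4`, which only does `fclose(f)` and leaves a truncated capsule at `path`; because a half-written capsule might later be fed to a target, `unlink(path)` on that path (or write to a temporary file and rename on success). The success path also ignores the `fclose(f)` return value, so a delayed write error on the output file goes unreported.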
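Review bot: in the main() hunk `mcount = strtoul(optarg, NULL, 0)` parses a 64-bit monotonic count with strtoul, which is 32-bit on 32-bit hosts, and no endptr/errno check rejects input such as `-m abc` (silently 0); use strtoull and fail on trailing garbage. The commit message says a signature is only added when all of the new parameters are given, but the check `(privkey_file && !cert_file) || (!privkey_file && cert_file)` only ties `-p` and `-c` together, so `-p key -c cert` without `-m` signs with monotonic count 0; either require `-m` when signing or document the default. Also `return -1` from main() yields exit status 255 where the removed code used `exit(EXIT_FAILURE)` (1); scripts testing for a specific status will notice.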
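The capsule layout the tool writes, as an added example that is not part of this patch or of U-Boot: a small Python builder and bounds-checking parser for the single-image FMP capsule the hunks above produce (EFI_CAPSULE_HEADER, FMP capsule header with one item offset, version-3 image header, then EFI_FIRMWARE_IMAGE_AUTHENTICATION followed by the PKCS#7 blob and the image). Struct layouts, GUIDs and constant values are taken from the UEFI specification and assumed little-endian; the signature bytes and the image-type GUID are constructed placeholders, so the example shows what a verifier has to reconstruct (image followed by the 8-byte monotonic count, the same order as the tool's data_bio) and what it must reject (length fields that run past the capsule), not a real cryptographic check.

```python
import struct
import uuid

# Constants from the UEFI specification; the patch refers to them by these names.
EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID = uuid.UUID("6dcbd5ed-e82d-4c44-bda1-7194199ad92a")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
CAPSULE_SUPPORT_AUTHENTICATION = 0x1

# On-disk layouts: little-endian, unpadded, in the order the tool's fwrite() calls emit them.
CAPSULE_HDR = struct.Struct("<16sIII")     # capsule_guid, header_size, flags, capsule_image_size
FMP_HDR = struct.Struct("<IHH")            # version, embedded_driver_count, payload_item_count
ITEM_OFFSET = struct.Struct("<Q")          # item_offset_list[0]
IMAGE_HDR = struct.Struct("<I16sB3sIIQQ")  # version, type guid, index, reserved[3], image size,
                                           # vendor code size, hw instance, image_capsule_support
AUTH_HDR = struct.Struct("<QIHH16s")       # monotonic_count, dwLength, wRevision,
                                           # wCertificateType, cert_type; CertData (PKCS#7) follows
WIN_CERT_UEFI_GUID_SIZE = AUTH_HDR.size - 8  # dwLength covers everything but monotonic_count


class CapsuleError(ValueError):
    pass


def signed_payload(image: bytes, mcount: int) -> bytes:
    """Bytes covered by the detached PKCS#7 signature: the image, then the 64-bit count."""
    return image + struct.pack("<Q", mcount)


def build_capsule(image, type_guid, index, instance, mcount=0, sig=None):
    """Single-image FMP capsule; sig is the DER PKCS#7 blob, None for an unsigned capsule."""
    auth, support = b"", 0
    if sig is not None:
        auth = AUTH_HDR.pack(mcount, WIN_CERT_UEFI_GUID_SIZE + len(sig), WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID.bytes_le) + sig
        support = CAPSULE_SUPPORT_AUTHENTICATION
    body = (FMP_HDR.pack(1, 0, 1)
            + ITEM_OFFSET.pack(FMP_HDR.size + ITEM_OFFSET.size)
            + IMAGE_HDR.pack(3, type_guid.bytes_le, index, b"\0" * 3,
                             len(auth) + len(image), 0, instance, support)
            + auth + image)
    hdr = CAPSULE_HDR.pack(EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID.bytes_le,
                           CAPSULE_HDR.size, 0, CAPSULE_HDR.size + len(body))
    return hdr + body


def parse_capsule(blob: bytes) -> dict:
    """Walk the capsule; every length field is checked against the bytes actually present."""
    if len(blob) < CAPSULE_HDR.size:
        raise CapsuleError("short capsule header")
    guid, hdr_size, _flags, total = CAPSULE_HDR.unpack_from(blob, 0)
    if uuid.UUID(bytes_le=guid) != EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID:
        raise CapsuleError("not an FMP capsule")
    if hdr_size < CAPSULE_HDR.size or hdr_size > total or total > len(blob):
        raise CapsuleError("inconsistent capsule sizes")
    fmp = blob[hdr_size:total]
    if len(fmp) < FMP_HDR.size + ITEM_OFFSET.size:
        raise CapsuleError("short FMP header")
    if FMP_HDR.unpack_from(fmp, 0) != (1, 0, 1):
        raise CapsuleError("unsupported FMP capsule layout")
    (item_off,) = ITEM_OFFSET.unpack_from(fmp, FMP_HDR.size)
    if item_off + IMAGE_HDR.size > len(fmp):
        raise CapsuleError("item offset outside capsule")
    (iver, type_guid, index, _res, img_size, vendor_size,
     instance, support) = IMAGE_HDR.unpack_from(fmp, item_off)
    if iver != 3 or vendor_size != 0:
        raise CapsuleError("unsupported image header")
    start = item_off + IMAGE_HDR.size
    if img_size > len(fmp) - start:
        raise CapsuleError("image size exceeds capsule")
    payload = fmp[start:start + img_size]
    result = {"type_guid": uuid.UUID(bytes_le=type_guid), "index": index,
              "instance": instance, "mcount": None, "sig": None}
    if support & CAPSULE_SUPPORT_AUTHENTICATION:
        if len(payload) < AUTH_HDR.size:
            raise CapsuleError("short authentication header")
        mcount, dw_len, rev, ctype, cert_type = AUTH_HDR.unpack_from(payload, 0)
        if (rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_EFI_GUID
                or uuid.UUID(bytes_le=cert_type) != EFI_CERT_TYPE_PKCS7_GUID):
            raise CapsuleError("unsupported certificate type")
        # dwLength is attacker-controlled on the target: bound it before slicing.
        if dw_len < WIN_CERT_UEFI_GUID_SIZE or dw_len > len(payload) - 8:
            raise CapsuleError("dwLength outside payload")
        result["sig"] = payload[AUTH_HDR.size:8 + dw_len]
        result["mcount"] = mcount
        payload = payload[8 + dw_len:]
    result["image"] = payload
    return result


# Constructed inputs: placeholder signature bytes and a hypothetical image-type GUID.
FAKE_SIG = b"\x30\x82\x01\x00" + b"\xaa" * 252
HYPOTHETICAL_TYPE_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
DWLENGTH_OFFSET = CAPSULE_HDR.size + FMP_HDR.size + ITEM_OFFSET.size + IMAGE_HDR.size + 8


def demo():
    """Round-trip a signed capsule, then show an inflated dwLength being rejected."""
    image = b"U-Boot firmware image (constructed)"
    cap = build_capsule(image, HYPOTHETICAL_TYPE_GUID, 1, 0, mcount=7, sig=FAKE_SIG)
    parsed = parse_capsule(cap)
    tampered = bytearray(cap)
    struct.pack_into("<I", tampered, DWLENGTH_OFFSET, 0xFFFFFFF0)
    try:
        parse_capsule(bytes(tampered))
        rejected = False
    except CapsuleError:
        rejected = True
    return parsed, signed_payload(parsed["image"], parsed["mcount"]), rejected
```

`parse_capsule()` mirrors the order the hunks write things in (auth header, signature, then image), and `signed_payload()` is the buffer a target must feed to its PKCS#7 verifier; the only cryptography-free step it does not show is the PKCS7 verify call itself.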
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v5 03/11] tools: mkeficapsule: add man page Date: Thu, 28 Oct 2021 15:23:48 +0900 Message-Id: <20211028062356.98224-4-takahiro.akashi@linaro.org> In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>

Add a man page for mkeficapsule command. Signed-off-by: AKASHI Takahiro --- MAINTAINERS | 1 + doc/mkeficapsule.1 | 95 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 doc/mkeficapsule.1 -- 2.33.0 Reviewed-by: Simon Glass diff --git a/MAINTAINERS b/MAINTAINERS index 5069f1880652..96233f0aad51 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -707,6 +707,7 @@ S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git F: doc/api/efi.rst F: doc/develop/uefi/* +F: doc/mkeficapsule.1 F: doc/usage/bootefi.rst F: drivers/rtc/emul_rtc.c F: include/capitalization.h diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 new file mode 100644 index 000000000000..837e09ab451e --- /dev/null +++ b/doc/mkeficapsule.1
@@ -0,0 +1,95 @@ +.TH MAEFICAPSULE 1 "May 2021" + +.SH NAME +mkeficapsule \- Generate EFI capsule file for U-Boot + +.SH SYNOPSIS +.B mkeficapsule +.RB [\fIoptions\fP] " \fIcapsule-file\fP" + +.SH "DESCRIPTION" +The +\fBmkeficapsule\fP +command is used to create an EFI capsule file for use with the U-Boot +EFI capsule update. +A capsule file may contain various type of firmware blobs which +are to be applied to the system and must be placed in the specific +directory on the UEFI system partition. An update will be automatically +executed at next reboot. + +Optionally, a capsule file can be signed with a given private key. +In this case, the update will be authenticated by verifying the signature +before applying. + +\fBmkeficapsule\fP supports two different format of image files: +.TP +.I raw image +format is a single binary blob of any type of firmware. + +.TP +.I FIT (Flattened Image Tree) image +format +is the same as used in the new \fIuImage\fP format and allows for +multiple binary blobs in a single capsule file. +This type of image file can be generated by \fBmkimage\fP. + +.SH "OPTIONS" +One of \fB--fit\fP or \fB--raw\fP option must be specified. + +.TP +.BI "-f, --fit \fIfit-image-file\fP" +Specify a FIT image file + +.TP +.BI "-r, --raw \fIraw-image-file\fP" +Specify a raw image file + +.TP +.BI "-i, --index \fIindex\fP" +Specify an image index + +.TP +.BI "-I, --instance \fIinstance\fP" +Specify a hardware instance + +.TP +.BI "-h, --help" +Print a help message + +.TP 0 +.B With signing: + +\fB--private-key\fP, \fB--certificate\fP and \fB--monotonic-count\fP are +all mandatory. + +.TP +.BI "-p, --private-key \fIprivate-key-file\fP" +Specify signer's private key file in PEM + +.TP +.BI "-c, --certificate \fIcertificate-file\fP" +Specify signer's certificate file in EFI certificate list format + +.TP +.BI "-m, --monotonic-count \fIcount\fP" +Specify a monotonic count which is set to be monotonically incremented +at every firmware update. 
+ +.TP +.BI "-d, --dump_sig" +Dump signature data into *.p7 file + +.PP +.SH FILES +.TP +.BI "\fI/EFI/UpdateCapsule\fP" +The directory in which all capsule files be placed + +.SH SEE ALSO +.B mkimage + +.SH AUTHORS +Written by AKASHI Takahiro + +.SH HOMEPAGE +http://www.denx.de/wiki/U-Boot/WebHome

From patchwork Thu Oct 28 06:23:49 2021 X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 516358
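Review bot: the title line `.TH MAEFICAPSULE 1 "May 2021"` misspells the command name (MKEFICAPSULE) and carries a date several months older than this series; both should be corrected before the page ships. Two consistency points in the same man page: `-d, --dump_sig` is the only long option spelled with an underscore, so confirm it matches the spelling the tool's option table actually accepts; and the --certificate entry says the file is "in EFI certificate list format", whereas the uefi.rst example later in this series passes `CRT.crt`, the PEM certificate straight out of `openssl req`, so one of the two documents describes the wrong input. Grammar: "various type of firmware blobs" should be "various types", "two different format" should be "formats", and "all capsule files be placed" should be "are placed".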
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v5 04/11] doc: update UEFI document for usage of mkeficapsule Date: Thu, 28 Oct 2021 15:23:49 +0900 Message-Id: <20211028062356.98224-5-takahiro.akashi@linaro.org> In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>

Now we can use mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instruction for capsule authentication. Signed-off-by: AKASHI Takahiro --- doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- 1 file changed, 67 insertions(+), 76 deletions(-) -- 2.33.0 Reviewed-by: Simon Glass diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index f17138f5c765..864d61734bee 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. 
+To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. - -If that option is disabled, you'll need to set the OsIndications variable with:: +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. - => efidebug capsule disk-update - -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* 
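Review bot: the sentence "Since U-boot doesn't currently support SetVariable at runtime, its value won't be taken over across the reboot" reads as if the value set with the `setenv -e -nv -bs -rt -v OsIndications =0x04` line just above it is lost at reboot, which would make that step pointless; the missing piece is that an operating system cannot set OsIndications through the runtime service, so the bit has to be set from the U-Boot prompt. Reword to say which case the Kconfig option is for. This hunk also drops the old warning that the efidebug path is for development only without adding an equivalent caveat for CONFIG_EFI_IGNORE_OSINDICATIONS: with that option set, any capsule file placed under \EFI\UpdateCapsule on the active ESP is applied at the next boot with no request from the OS at all, so the text should mark it as a test convenience rather than a production setting. Minor: the build instructions list CONFIG_TOOLS_LIBCRYPTO=y unconditionally, but the signing options are guarded by that symbol in the tool, so say it is needed only when signing.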
@@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature is computed and prepended to the capsule payload at the time of capsule generation. This signature is then verified by using the public key stored as part of the X509 certificate. This certificate is -in the form of an efi signature list (esl) file, which is embedded as -part of U-Boot. +in the form of an efi signature list (esl) file, which is embedded in +a device tree. The capsule authentication feature can be enabled through the following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y - CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated -and used by the steps highlighted below:: +and used by the steps highlighted below. - 1. Install utility commands on your host - * OPENSSL +1. Install utility commands on your host + * openssl * efitools - 2. Create signing keys and certificate files on your host +2. 
Create signing keys and certificate files on your host:: $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - --monotonic-count --fw-version \ - --lsv --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - - -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory - -Testing on QEMU -*************** +3. Run the following command to create and sign the capsule file:: -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + -The capsule update feature is enabled with the following configuration -settings:: +4. 
Insert the signature list into a device tree in the following format:: - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + { + signature { + capsule-key = [ ]; + } + ... + } -In addition, the following config needs to be disabled(QEMU ARM specific):: + You can do this manually with:: - CONFIG_TFABOOT + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo -The capsule file can be generated by using the tools/mkeficapsule:: + where signature.dts looks like:: - $ mkeficapsule --raw --index 1 + &{/} { + signature { + capsule-key = /incbin/("CRT.esl"); + }; + }; Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~

From patchwork Thu Oct 28 06:23:50 2021 X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 516360
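Review bot: step 3 passes `--certificate CRT.crt`, the PEM certificate produced by `openssl req` in step 2, while the mkeficapsule man page in this series describes --certificate as an EFI certificate list file; the two documents must agree on which format the tool expects, or a reader following this page will feed it the wrong file. Since this hunk moves the trust anchor from the U-Boot binary (the removed CONFIG_EFI_CAPSULE_KEY_PATH) into the device tree (`capsule-key` under `signature`), the text should add that the DTB carrying the key must itself be covered by the platform's verified-boot chain: whoever can replace the DTB replaces the key, and with it the whole capsule authentication check. The same applies to CRT.key generated with `-nodes` in step 2, which is stored unencrypted; a note that the signing key must be kept off build machines (or in an HSM) belongs next to it, since anyone holding it can produce a capsule the device accepts.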
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v5 05/11] test/py: efi_capsule: add image authentication test Date: Thu, 28 Oct 2021 15:23:50 +0900 Message-Id: <20211028062356.98224-6-takahiro.akashi@linaro.org> In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>

Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system. Due to the difficulty of embedding a public key (esl file) in U-Boot binary during pytest setup time, all the keys/certificates are pre-created. Signed-off-by: AKASHI Takahiro --- .../py/tests/test_efi_capsule/capsule_defs.py | 5 + test/py/tests/test_efi_capsule/conftest.py | 35 ++- test/py/tests/test_efi_capsule/signature.dts | 10 + .../test_capsule_firmware_signed.py | 233 ++++++++++++++++++ 4 files changed, 280 insertions(+), 3 deletions(-) create mode 100644 test/py/tests/test_efi_capsule/signature.dts create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py -- 2.33.0 Reviewed-by: Simon Glass diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py index 4fd6353c2040..aa9bf5eee3aa 100644 --- a/test/py/tests/test_efi_capsule/capsule_defs.py +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@ # Directories CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/'. +EFITOOLS_PATH = '' diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 6ad5608cd71c..b0e84dec4931 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -10,13 +10,13 @@ import pytest from capsule_defs import * # -# Fixture for UEFI secure boot test +# Fixture for UEFI capsule test # - @pytest.fixture(scope='session') def efi_capsule_data(request, u_boot_config): - """Set up a file system to be used in UEFI capsule test. + """Set up a file system to be used in UEFI capsule and + authentication test. Args: request: Pytest request object. 
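Review bot: `EFITOOLS_PATH = ''` together with the comment "The path must terminate with '/'" is a fragile contract: conftest.py uses it as a bare prefix (`'%scert-to-efi-sig-list ...' % (data_dir, EFITOOLS_PATH)`), so a value without the trailing slash silently produces a non-existent command name. Suggest joining with os.path.join, which also handles the empty default, or reading the location from an environment variable so that overriding it does not mean editing a tracked file. Grammar in the comment: "you need build a newer version" should be "you need to build a newer version".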
@@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config): check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + if capsule_auth_enabled: + # Create private key (SIGNER.key) and certificate (SIGNER.crt) + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365' + % data_dir, shell=True) + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' + % (data_dir, EFITOOLS_PATH), shell=True) + + # Update dtb adding capsule certificate + check_call('cd %s; cp %s/test/py/tests/test_efi_capsule/signature.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + check_call('cd %s; dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; fdtoverlay -i %s/arch/sandbox/dts/test.dtb -o test_sig.dtb signature.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + + # Create *malicious* private key (SIGNER2.key) and certificate + # (SIGNER2.crt) + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER2.key -out SIGNER2.crt -nodes -days 365' + % data_dir, shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, 
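Review bot: the commit message says all keys and certificates are pre-created because embedding the esl during pytest setup is hard, but this hunk generates SIGNER.key, SIGNER.crt and SIGNER.esl at fixture time and overlays the esl into test.dtb with `dtc` and `fdtoverlay`; the message is stale and should describe the overlay approach instead. The SIGNER2 key is generated with the same subject `/CN=TEST_SIGNER/` as the trusted one, which is the right negative test (same name, different key, so a verifier that only compares subjects would wrongly accept it) and deserves a comment saying so rather than the label "*malicious*". The fixture now also depends on openssl, cert-to-efi-sig-list, dtc and fdtoverlay being installed; list them in the test documentation or skip the session cleanly when one is missing, because a failing `check_call` here aborts every capsule test, not just the signed ones.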
@@ -56,6 +76,15 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % (data_dir, u_boot_config.build_dir), shell=True) + if capsule_auth_enabled: + # firmware signed with proper key + check_call('cd %s; %s/tools/mkeficapsule --index 1 --monotonic-count 1 --private-key SIGNER.key --certificate SIGNER.crt --raw u-boot.bin.new Test11' % + (data_dir, u_boot_config.build_dir), + shell=True) + # firmware signed with *mal* key + check_call('cd %s; %s/tools/mkeficapsule --index 1 --monotonic-count 1 --private-key SIGNER2.key --certificate SIGNER2.crt --raw u-boot.bin.new Test12' % + (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts new file mode 100644 index 000000000000..078cfc76c93c --- /dev/null +++ b/test/py/tests/test_efi_capsule/signature.dts @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("SIGNER.esl"); + }; +}; diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py new file mode 100644 index 000000000000..e8bfd49e6363 --- /dev/null +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py 
@@ -0,0 +1,233 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2021, Linaro Limited +# Author: AKASHI Takahiro +# +# U-Boot UEFI: Firmware Update (Signed capsule) Test + +""" +This test verifies capsule-on-disk firmware update +with signed capsule files +""" + +import pytest +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw') +@pytest.mark.buildconfigspec('efi_capsule_authenticate') +@pytest.mark.buildconfigspec('dfu') +@pytest.mark.buildconfigspec('dfu_sf') +@pytest.mark.buildconfigspec('cmd_efidebug') +@pytest.mark.buildconfigspec('cmd_fat') +@pytest.mark.buildconfigspec('cmd_memory') +@pytest.mark.buildconfigspec('cmd_nvedit_efi') +@pytest.mark.buildconfigspec('cmd_sf') +@pytest.mark.slow +class TestEfiCapsuleFirmwareSigned(object): + def test_efi_capsule_auth1( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 1 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 1-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test11 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 1-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_auth2( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 2 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but with an invalid key, + the authentication should fail and the firmware + not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 2-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test12 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 2-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output) + + def test_efi_capsule_auth3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 3 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is not signed, the authentication + should fail and the firmware not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 3-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test02 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output)
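Review bot: in the capsule_defs.py hunk, `EFITOOLS_PATH = ''` together with the comment "The path must terminate with '/'" is fragile, because the fixture builds the command as `'%scert-to-efi-sig-list' % EFITOOLS_PATH`, so a value without the trailing slash silently turns into a different command name instead of failing loudly. `os.path.join(EFITOOLS_PATH, 'cert-to-efi-sig-list')` handles both forms, and since a rebuilt efitools is required anyway (the sha256 bug you mention), taking the override from an environment variable would save testers from editing a checked-in constant. Also "you need build a newer version" should read "you need to build a newer version".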
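Review bot: in the conftest.py key-generation hunk, the "malicious" SIGNER2 certificate is created with exactly the same `-subj /CN=TEST_SIGNER/` as SIGNER; that is the right choice (it proves that authentication is bound to the key material in the ESL, not to the subject name), but a one-line comment saying so would stop a later reader from "fixing" the CN. Both signed capsules also use `--monotonic-count 1`, so the counter itself is never exercised; worth stating in the test docstrings. On the dtc step, signature.dts is copied into `data_dir` only so that `/incbin/("SIGNER.esl")` resolves; passing `-i <data_dir>` to dtc should let the overlay be compiled from its source location without the copy.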
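Review bot: in test_capsule_firmware_signed.py, every test case assigns `u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb'` before `restart_uboot()` and never puts the previous value back, so every test that runs later in the same session (including the unsigned capsule tests that share this conftest) will boot with the signature node compiled in. Save the old `config.dtb` and restore it in a `finally:` block or a fixture teardown. Minor: the `'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"'` string is repeated six times across the three tests and belongs in one module-level constant.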
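Review bot: in test cases 2 and 3 the only evidence of rejection is that the capsule file has been deleted and the flash still reads `u-boot:Old`; a capsule that was never processed at all would satisfy the same assertions, so the negative tests cannot currently distinguish "authentication failed" from "nothing happened". Resolving the `# TODO: check CapsuleStatus in CapsuleXXXX` by asserting on the status reported in the `env print -e Capsule0000` output (which the test already captures and then discards) would make these cases meaningful. Also `# deleted any way` should read `# deleted anyway`.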
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v5 06/11] tools: mkeficapsule: allow for specifying GUID explicitly
Date: Thu, 28 Oct 2021 15:23:51 +0900
Message-Id: <20211028062356.98224-7-takahiro.akashi@linaro.org>
In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>

The existing options, "--fit" and "--raw," are only used to put a proper GUID in a capsule header, where GUID identifies a particular FMP (Firmware Management Protocol) driver which then would handle the firmware binary in a capsule. In fact, mkeficapsule does the exact same job in creating a capsule file whatever the firmware binary type is.

To prepare for the future extension, the command syntax will be a bit modified to allow users to specify arbitrary GUID for their own FMP driver.

OLD: [--fit | --raw ]
NEW: [--fit | --raw | --guid ]

Signed-off-by: AKASHI Takahiro
---
 doc/develop/uefi/uefi.rst | 4 +-
 doc/mkeficapsule.1 | 26 +++++++++----
 tools/mkeficapsule.c | 78 ++++++++++++++++++++++++++++++---------
 3 files changed, 81 insertions(+), 27 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 864d61734bee..54fefd76f0f5 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -367,8 +367,8 @@ and used by the steps highlighted below. --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit | --raw ] \ - + [--fit | --raw | --guid 4. Insert the signature list into a device tree in the following format:: diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 837e09ab451e..312e8a8b3188 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -5,7 +5,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RB [\fIoptions\fP] " \fIcapsule-file\fP" +.RB [\fIoptions\fP] " \fIimage-blob\fP \fIcapsule-file\fP" .SH "DESCRIPTION" The @@ -21,7 +21,7 @@ Optionally, a capsule file can be signed with a given private key. In this case, the update will be authenticated by verifying the signature before applying. -\fBmkeficapsule\fP supports two different format of image files: +\fBmkeficapsule\fP takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -33,16 +33,28 @@ is the same as used in the new \fIuImage\fP format and allows for multiple binary blobs in a single capsule file. This type of image file can be generated by \fBmkimage\fP. +.PP +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" -One of \fB--fit\fP or \fB--raw\fP option must be specified. +One of \fB--fit\fP, \fB--raw\fP or \fB--guid\fP option must be specified. .TP -.BI "-f, --fit \fIfit-image-file\fP" -Specify a FIT image file +.BI "-f, --fit +Indicate that the blob is a FIT image file .TP -.BI "-r, --raw \fIraw-image-file\fP" -Specify a raw image file +.BI "-r, --raw +Indicate that the blob is a raw image file + +.TP +.BI "-g, --guid \fIguid-string\fP" +Specify guid for image blob type. The format is: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +The first three elements are in little endian, while the rest +is in big endian. .TP .BI "-i, --index \fIindex\fP" 
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 5541e4bda894..2e61ee196caf 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -14,7 +14,7 @@ #include #include - +#include #include #ifdef CONFIG_TOOLS_LIBCRYPTO #include @@ -51,14 +51,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_TOOLS_LIBCRYPTO -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; #else -static const char *opts_short = "f:r:i:I:v:h"; +static const char *opts_short = "frg:i:I:v:h"; #endif static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -73,11 +74,12 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] \n" + printf("Usage: %s [options] \n" "Options:\n" - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid guid for image blob type\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" #ifdef CONFIG_TOOLS_LIBCRYPTO 
@@ -510,6 +512,37 @@ err_1: return -1; } +/** + * convert_uuid_to_guid() - convert uuid string to guid string + * @buf: String for UUID + * + * UUID and GUID have the same data structure, but their string + * formats are different due to the endianness. See lib/uuid.c. + * Since uuid_parse() can handle only UUID, this function must + * be called to get correct data for GUID when parsing a string. + * + * The correct data will be returned in @buf. + */ +void convert_uuid_to_guid(unsigned char *buf) +{ + unsigned char c; + + c = buf[0]; + buf[0] = buf[3]; + buf[3] = c; + c = buf[1]; + buf[1] = buf[2]; + buf[2] = c; + + c = buf[4]; + buf[4] = buf[5]; + buf[5] = c; + + c = buf[6]; + buf[6] = buf[7]; + buf[7] = c; +} + /** * main - main entry function of mkeficapsule * @argc: Number of arguments @@ -524,14 +557,13 @@ err_1: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -546,21 +578,31 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); return -1; } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); return -1; } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + printf("Image type already specified\n"); + return -1; + } + if (uuid_parse(optarg, uuid_buf)) { + printf("Wrong guid format\n"); + return -1; + } + convert_uuid_to_guid(uuid_buf); + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; 
@@ -596,14 +638,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); return -1; } - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); return -1;
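Review bot: in the doc/mkeficapsule.1 hunk, the new `.BI "-f, --fit` and `.BI "-r, --raw` lines lost the closing double quote that the removed `.BI "-f, --fit \fIfit-image-file\fP"` lines had, and with a single bold operand `.B "-f, --fit"` is the right macro anyway. In the `--guid` entry, "guid" should be spelled GUID, and "The first three elements are in little endian, while the rest is in big endian" would be clearer as "the first three fields are stored little-endian, the remaining two big-endian", since it is the in-memory byte order, not the text form, that differs from a UUID.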
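Review bot: the option-table hunk switches `-f`/`-r` to `no_argument` and `opts_short` to `"frg:..."` consistently, but the new `#include` (its target is stripped in this rendering) brings in `uuid_parse()`, while the diffstat lists only uefi.rst, mkeficapsule.1 and mkeficapsule.c and no tools/Makefile change. Please confirm mkeficapsule already links against libuuid; otherwise the `--guid` path will fail at link time on a host without `-luuid` in its HOSTLDLIBS.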
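Review bot: in the `convert_uuid_to_guid()` hunk, the function is file-local but not `static` and has no prototype in any header, which trips `-Wmissing-prototypes`; mark it `static`. In `main`, `guid = (efi_guid_t *)uuid_buf;` aliases an `unsigned char[16]` on the stack as an `efi_guid_t`; if that type carries an alignment attribute this is undefined behaviour, so declare an `efi_guid_t` local and parse (or `memcpy`) into its byte array instead of casting. The kerneldoc comment would also be more useful if it named the actual transformation: the first three fields (4, 2 and 2 bytes) are byte-reversed and the trailing 8 bytes are left alone, which is exactly the difference between RFC 4122 text order and the EFI_GUID in-memory layout.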
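Review bot: in the parameter-check hunk, `argv[argc - 1]` and `argv[argc - 2]` are equivalent to `argv[optind + 1]` and `argv[optind]` given the `argc != optind + 2` check just above, and the `optind` form reads as "image-blob, then capsule-file" in the same order as the synopsis. A forgotten `--fit`/`--raw`/`--guid` now only produces the generic usage text via `!guid`; a dedicated "image type not specified" message would match the existing "Image type already specified" diagnostics.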
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v5 07/11] test/py: efi_capsule: align with the syntax change of mkeficapsule
Date: Thu, 28 Oct 2021 15:23:52 +0900
Message-Id: <20211028062356.98224-8-takahiro.akashi@linaro.org>
In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>

Since the syntax of mkeficapsule was changed in the previous commit, we need to modify command line arguments in a pytest script.

Signed-off-by: AKASHI Takahiro
---
 test/py/tests/test_efi_capsule/conftest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index b0e84dec4931..08bcd74dd991 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -70,10 +70,10 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) if capsule_auth_enabled:
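Review bot: with `--fit` and `--raw` now taking no argument, `uboot_bin_env.itb` and `u-boot.bin.new` become positional operands, and glibc's getopt_long permutes non-option arguments to the end (unless POSIXLY_CORRECT is set or the optstring starts with `+`, neither of which applies here), so the old ordering would still have parsed into the same `argv[argc - 2]`/`argv[argc - 1]` pair. The reorder is therefore about matching the documented synopsis rather than a functional fix; consider squashing it into 06/11 so the tool change and its test adjustment land in one commit, which also keeps the series bisectable without relying on getopt permutation.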
XZcwn+174b+w8DrgbLSeFsjms/O92SADz8mGVoupRNA2+GW1cU4UJks1ZvXsACdQsHtu capQlBpRG0nR5q/8AvYWbT9DvnspvpgzhIdj7MhwZ3n9goefDLQuU/NBFvMmuULOYw74 9TFQ== X-Gm-Message-State: AOAM531MtqvqAjuz+r3tPbIpDvn3Qh7uj574HoczTmjzfFrog95HSfIB YxNiFedDGcEETzd29PM31biQzA== X-Received: by 2002:a17:90a:1a4c:: with SMTP id 12mr2440436pjl.175.1635402318044; Wed, 27 Oct 2021 23:25:18 -0700 (PDT) Received: from localhost.localdomain ([2400:4050:c3e1:100:394a:97ee:bbbb:462e]) by smtp.gmail.com with ESMTPSA id p16sm1582018pgd.78.2021.10.27.23.25.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Oct 2021 23:25:17 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v5 08/11] test/py: efi_capsule: add a test for "--guid" option Date: Thu, 28 Oct 2021 15:23:53 +0900 Message-Id: <20211028062356.98224-9-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org> References: <20211028062356.98224-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This test scenario tests a new feature of mkeficapsule, "--guid" option, which allows us to specify FMP driver's guid explicitly at the command line. Signed-off-by: AKASHI Takahiro --- test/py/tests/test_efi_capsule/conftest.py | 3 + .../test_efi_capsule/test_capsule_firmware.py | 67 +++++++++++++++++++ 2 files changed, 70 insertions(+) -- 2.33.0 diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 08bcd74dd991..b31dea5c1df6 100644 
--- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -76,6 +76,9 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % + (data_dir, u_boot_config.build_dir), + shell=True) if capsule_auth_enabled: # firmware signed with proper key check_call('cd %s; %s/tools/mkeficapsule --index 1 --monotonic-count 1 --private-key SIGNER.key --certificate SIGNER.crt --raw u-boot.bin.new Test11' % diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9eeaae27d626..9cc973560fa1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py 
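Review bot: the Test03 invocation passes `--guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F` but neither `--raw` nor `--fit`, so the capsule type produced depends on whatever default mkeficapsule applies when no type flag is given, while the neighbouring Test02 and Test11 invocations say `--raw` explicitly. Either add `--raw` here as well (the test in the second hunk treats this GUID as EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID) or state in the commit message that exercising the default is intended. The GUID literal is also repeated verbatim in test_capsule_firmware.py; a single named constant shared by both files would keep the capsule and the assertion in sync.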
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object): 'sf read 4000000 100000 10', 'md.b 4000000 10']) assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 4 - Test "--guid" option of mkeficapsule + The test scenario is the same as Case 3. + """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 4-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # reboot + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list(['efidebug capsule esrt']) + + # ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT. + assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output) + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) From patchwork Thu Oct 28 06:23:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 516363 Delivered-To: patch@linaro.org Received: by 2002:ac0:c404:0:0:0:0:0 with SMTP id t4csp1371487imj; Wed, 27 Oct 2021 23:26:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwAxlk0Iy26nAQ6GUc9BuSstCwaAwJfgYLNRrLCssIXd76VvJ1Pnw35zuU4YEcGi6lYkbAs X-Received: by 2002:a17:906:4f95:: with SMTP id o21mr2989901eju.61.1635402399132; Wed, 27 Oct 2021 23:26:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635402399; cv=none; d=google.com; s=arc-20160816; b=M7TlNFSVUMKkr2oYrRADMPBWC7xC4IEuzQ7Un4BuBDltFAyqElwVt+6DSWrmFOyQlh jaGobjm7oF1RZ5uJyOzFtQrahc3DK8P5y2wqrF11fMOZ5zCKgfGktuKGguTIhNccXojo 6DUls6Icjb4ihrryYf5LSCzDz7C6m1+2FGpF8zPjw77NpqfGlIc+m73VpMPW9je9M1lG Iy84Djtf/YpT6rAxfOyebjHMxHYtXH0vAPljzIhlkq5TBXBQF+mo6UxcqgG27j2WOOu1 cYkKce8xIko5sl0rvtIEqddoFaP8Rfbmnw04eCRhffDEpi3ONh1BUK4ao85W8YrD2bMs YCvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; 
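Review bot: test_efi_capsule_fw4 is a near-verbatim copy of Case 3 (its docstring says as much), differing only in the capsule name Test03 and the extra `efidebug capsule esrt` check; factoring the shared steps (boot entry setup, `sf` initialisation, capsule placement, restart, re-creation of dfu_alt_info) into a helper or parametrizing the test by capsule name would stop the three cases from drifting apart. Two smaller points in the same hunk: the pre-reboot check asserts only `'Old'` while the post-reboot one asserts `'u-boot:New'`, so any stray "Old" in the `md.b` output would satisfy the first; use `'u-boot:Old'` for symmetry. And with CONFIG_EFI_CAPSULE_AUTHENTICATE enabled Test03 is unsigned, so the final `'u-boot:New'` assertion cannot hold in that configuration; 09/11 in this series adjusts it, so the two patches may be better squashed or ordered so the suite never has a known-failing state.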
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v5 09/11] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE Date: Thu, 28 Oct 2021 15:23:54 +0900 Message-Id: <20211028062356.98224-10-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org> References: <20211028062356.98224-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Before the capsule authentication is supported, this test script works correctly, but with the feature enabled, most tests will fail due to unsigned capsules. So check the results depending on CAPSULE_AUTHENTICATE or not. Signed-off-by: AKASHI Takahiro --- .../test_efi_capsule/test_capsule_firmware.py | 26 ++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) -- 2.33.0 diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9cc973560fa1..6e803f699f2f 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py @@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 2-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
@@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) output = u_boot_console.run_command_list([ 'sf read 4000000 150000 10', 'md.b 4000000 10']) - assert 'u-boot-env:New' in ''.join(output) + if capsule_auth: + assert 'u-boot-env:Old' in ''.join(output) + else: + assert 'u-boot-env:New' in ''.join(output) def test_efi_capsule_fw3( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 3-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables @@ -246,7 +256,10 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) def test_efi_capsule_fw4( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -285,6 +298,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 4-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
@@ -313,4 +328,7 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) From patchwork Thu Oct 28 06:23:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 516364 Delivered-To: patch@linaro.org Received: by 2002:ac0:c404:0:0:0:0:0 with SMTP id t4csp1371579imj; Wed, 27 Oct 2021 23:26:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy0zDJOrg1KEPHiecYHpHqtuKuyzVmZKz5Czcpy8Qj7drO1XsGStxzQWYq5hN8zrxPBdu9C X-Received: by 2002:a17:907:7212:: with SMTP id dr18mr3003972ejc.298.1635402408692; Wed, 27 Oct 2021 23:26:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635402408; cv=none; d=google.com; s=arc-20160816; b=lhfKQv33VfQvms7UGlPxczykS2uhiJhAYWjLXwkm757chdGtXgB3TOSGMNALqH6H/O OY+3DedqaPlCXAZTdqpfFi6KJ9vIa4OnX9ZKa533ITlk2LXxLqj9kNsbx0Yq/JFh83ia Dhndn9MFo6hZLZjBjUdVLtCNBjB4oZsirFIVSxT4FxJ2liasc+QhqlRyOblFoWVkwvks zozq8krVW5zhk53CjRlfW9Z2MfyQtDwR6lxd5S0ek2eyUJzt+80ph92pUFzeShB9z6cY hGmGcb2A5CKmxulLlP54A+dqKxQmzlMIO+qw4tq10ff0IckVbeYc4aOzBWGbVDfKbg7h 56lg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=X7RqyvKXuCExKI+23guwQfpfslE2fPjzJdid5QWaDtk=; b=yAJrAgeAPVFNrEf8GU0WN6fPUfyFJsXiwP3U7d+zaUEJqkYjVPs5fAX2KFR62tt2vM b6lSohPqCbmuxtUPIcD87olV270sGSNxMXpCayfDizWmU3yQ1Wl+u38d8Oa3T9YG7n9I foohLtT1ZxLRSs4sYT/v6+IBoCMmplCfDlLpMAun9e/33qUScKZKkt9ySjX53gDHHezO pYtwLmz76bXRnfyFcwZhamNwxjCEH2qkvxRxK+cuOhfTVfsDoPuUEXFDfn2ewlRdJtP+ w0dvadmWlf3HGBvzH8DhRvUlc1eW24VJSpOKlV86emxXLUngsM7ZXnYoJRssxvql0DiY DPKQ== ARC-Authentication-Results: 
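Review bot: the `if capsule_auth:` branches assert that an unsigned capsule leaves the flash at `u-boot:Old` / `u-boot-env:Old` when CONFIG_EFI_CAPSULE_AUTHENTICATE is set, which is the right negative check, but the commit message only says the tests "will fail"; state explicitly that Cases 2, 3 and 4 now verify rejection of unsigned capsules in that configuration, because that is what a reader of a failing log needs to know. From what is visible in this series the signed capsule Test11 that conftest.py builds with SIGNER.key/SIGNER.crt is never exercised, so the authenticate path gets no positive case here; a "signed capsule is applied" test would complete the coverage. Style: the `capsule_auth = u_boot_config.buildconfig.get('config_efi_capsule_authenticate')` lookup is pasted into three methods directly under the identical `capsule_early` lookup; a fixture or a small module-level helper would remove the repetition.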
y5-20020a17090322c500b00140298b9e27mr2203343plg.23.1635402323967; Wed, 27 Oct 2021 23:25:23 -0700 (PDT) Received: from localhost.localdomain ([2400:4050:c3e1:100:394a:97ee:bbbb:462e]) by smtp.gmail.com with ESMTPSA id p16sm1582018pgd.78.2021.10.27.23.25.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Oct 2021 23:25:23 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v5 10/11] (RFC) tools: add fdtsig.sh Date: Thu, 28 Oct 2021 15:23:55 +0900 Message-Id: <20211028062356.98224-11-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org> References: <20211028062356.98224-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean With this script, a public key is added to a device tree blob as the default efi_get_public_key_data() expects. Signed-off-by: AKASHI Takahiro --- MAINTAINERS | 1 + tools/fdtsig.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100755 tools/fdtsig.sh -- 2.33.0 diff --git a/MAINTAINERS b/MAINTAINERS index 96233f0aad51..2d83d60619c9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -727,6 +727,7 @@ F: cmd/bootefi.c F: cmd/efidebug.c F: cmd/nvedit_efi.c F: tools/efivar.py +F: tools/fdtsig.sh F: tools/file2include.c F: tools/mkeficapsule.c diff --git a/tools/fdtsig.sh b/tools/fdtsig.sh new file mode 100755 index 000000000000..c2b2a6dc5ec8 --- /dev/null +++ b/tools/fdtsig.sh 
@@ -0,0 +1,40 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# +# script to add a certificate (efi-signature-list) to dtb blob + +usage() { + if [ -n "$*" ]; then + echo "ERROR: $*" + fi + echo "Usage: "$(basename $0) " " +} + +if [ "$#" -ne 2 ]; then + usage "Arguments missing" + exit 1 +fi + +ESL=$1 +DTB=$2 +NEW_DTB=$(basename $DTB)_tmp +SIG=signature + +cat << 'EOF' > $SIG.dts +/dts-v1/; +/plugin/; + +&{/} { + signature { +EOF +echo "capsule-key = /incbin/(\"$ESL\");" >> $SIG.dts +cat << 'EOF' >> $SIG.dts + }; +}; +EOF + +dtc -@ -I dts -O dtb -o $SIG.dtbo $SIG.dts +fdtoverlay -i $DTB -o $NEW_DTB $SIG.dtbo +mv $NEW_DTB $DTB + +rm $SIG.dts $SIG.dtsn $SIG.dtbo From patchwork Thu Oct 28 06:23:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 516365 Delivered-To: patch@linaro.org Received: by 2002:ac0:c404:0:0:0:0:0 with SMTP id t4csp1371707imj; Wed, 27 Oct 2021 23:26:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwSHHlTQrcKVA3E/N4Y98UEcoZ5fy08HukKTX2eC84aKq7zmo4sokXefdlLvfRLmnQbIdwG X-Received: by 2002:a05:6402:350a:: with SMTP id b10mr3522923edd.345.1635402418435; Wed, 27 Oct 2021 23:26:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635402418; cv=none; d=google.com; s=arc-20160816; b=XX0L8WnKonmKGEK0Xdz3dT++xrVlJ4G1NMOT3ExOlaU85HK0MhH72ywzOpgFIVsbBx pVjjPdohQlxejEl/VgPuZHeu+6TSD5KLjV3XsIrMByXo0rZOrQ5l++hxrYglf11HAQPX pLstmVOfhcna1O2IWAT22COEoawmknmeF4PZKUiR2jMu++C442ro4jOe2HD7sA3X+yyQ mBEhF4a62Jm13cRFsqYaFMti4+IqnQqD0DuJixTZU8n9QRQrUYg5TAJ/o28X2219tmOz sFxwWudkS8LZY2EQ/XFvc6OCO/6jT5un6w/UECZEJ/qA5mVXd2vR6EWNm7L4EvggN39n eB4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; 
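Review bot: the final `rm $SIG.dts $SIG.dtsn $SIG.dtbo` names `$SIG.dtsn`, a file the script never creates; rm reports it missing and, being the last command, makes the script exit non-zero even after a successful overlay, which breaks any caller that checks the status (the dts/Makefile rule in 11/11 does). Drop the stray operand. The script also has no `set -e`, so a failing `dtc` or `fdtoverlay` still falls through to `mv $NEW_DTB $DTB` and can replace the caller's DTB with a missing or partial output; with `set -e`, and with the scratch files created by `mktemp` instead of the fixed `signature.dts`/`signature.dtbo` and `$(basename $DTB)_tmp` in the current directory, two concurrent invocations cannot clobber each other and a failed step cannot touch the input. Quote the variable expansions on the shell side (`"$ESL"`, `"$DTB"`, `"$NEW_DTB"`); only the `/incbin/` line inside the generated dts is quoted.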
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v5 11/11] (RFC) efi_loader, dts: add public keys for capsules to device tree
Date: Thu, 28 Oct 2021 15:23:56 +0900
Message-Id: <20211028062356.98224-12-takahiro.akashi@linaro.org>
In-Reply-To: <20211028062356.98224-1-takahiro.akashi@linaro.org>
References: <20211028062356.98224-1-takahiro.akashi@linaro.org>
List-Id: U-Boot discussion

By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will
automatically insert the given key into the device tree. Otherwise,
users are required to do so manually, possibly with the utility
script fdtsig.sh.
Signed-off-by: AKASHI Takahiro --- doc/develop/uefi/uefi.rst | 4 ++++ dts/Makefile | 23 +++++++++++++++++++++-- lib/efi_loader/Kconfig | 7 +++++++ 3 files changed, 32 insertions(+), 2 deletions(-) -- 2.33.0 diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated and used by the steps highlighted below. @@ -392,6 +393,9 @@ and used by the steps highlighted below. }; }; + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will + take care of it for you. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep) +quiet_cmd_fdtsig = FDTSIG $@ + cmd_fdtsig = \ + cat $< > $@; \ + $(srctree)/tools/fdtsig.sh \ + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ + +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) +DTB_ov := $(obj)/dt.dtb_ov + +$(obj)/dt.dtb_ov: $(DTB) FORCE + $(call if_changed,fdtsig) +else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif + ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 52f71c07c991..d12b1e56ae80 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -208,6 +208,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_CAPSULE_KEY_PATH + string "Path to .esl cert for capsule authentication" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provide the EFI signature list (esl) certificate used for capsule + authentication + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
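Review bot: in the doc/develop/uefi/uefi.rst hunk at line 347, the new `CONFIG_EFI_CAPSULE_KEY_PATH=` line is shown with an empty value, so a reader cannot tell what the option expects; since the Kconfig hunk in this same patch defines it as the path to an EFI signature list, show a placeholder value such as `CONFIG_EFI_CAPSULE_KEY_PATH="<path to public key .esl>"` and say that the file is the signature list produced by the key-generation steps the surrounding text refers to ("the steps highlighted below").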
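Review bot: the sentence added in the uefi.rst hunk at line 392, "the build process will take care of it for you", never says what "it" is; spell out that when CONFIG_EFI_CAPSULE_KEY_PATH is set the build runs tools/fdtsig.sh to embed that .esl into the control DTB, so the manual fdtsig.sh step described just above becomes unnecessary, and that the file must still be an EFI signature list, not a bare certificate.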
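Review bot: in the dts/Makefile hunk, the new `$(obj)/dt.dtb_ov: $(DTB) FORCE` rule does not list the key file as a prerequisite, so replacing the .esl at the same path does not re-run `cmd_fdtsig` and a stale public key stays embedded in dt.dtb; add `$(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH))` to the rule's prerequisites, since if_changed only tracks the command line and the listed inputs. Two smaller points in the same hunk: `cmd_fdtsig` does `cat $< > $@; $(srctree)/tools/fdtsig.sh ... $@`, which leaves an unsigned copy at `$@` when fdtsig.sh fails, so sign into a temporary file and rename on success (or `rm -f $@` on failure) to make sure a failed signing step cannot be mistaken for a signed DTB; and the key path is used as given, so a relative value resolves against the build directory rather than `$(srctree)`, which breaks `O=` builds unless the documentation says the path must be absolute. The nested ifeq/ifneq block assigns `DTB_ov := $(DTB)` in two else branches; a default assignment overridden in the single signing branch would be shorter.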
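Review bot: the help text in the lib/efi_loader/Kconfig hunk does not say that the file is embedded into the control device tree at build time, nor what an empty value means (the dts/Makefile hunk then uses the unsigned DTB and leaves the fdtsig.sh step to the user), and it lacks a closing full stop; suggest wording along the lines of "Path to the EFI signature list (.esl) holding the public key used to verify capsules. When set, the build embeds it into the device tree; leave it empty to insert the key yourself with tools/fdtsig.sh." The prompt string "Path to .esl cert" is also slightly misleading, as an ESL is a signature list that wraps the certificate rather than the certificate itself.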