From patchwork Mon Dec 20 05:02:42 2021
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v8 01/12] tools: mkeficapsule: rework the code a little bit
Date: Mon, 20 Dec 2021 14:02:42 +0900
Message-Id: <20211220050253.31163-2-takahiro.akashi@linaro.org>
In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org>

Abstract common routines to make the code easily understandable.
No functional change.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 tools/mkeficapsule.c | 223 ++++++++++++++++++++++++++++++-------------
 1 file changed, 159 insertions(+), 64 deletions(-)

diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index 4995ba4e0c2a..afdcaf7e7933 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -61,17 +61,122 @@ static void print_usage(void) tool_name); } +/** + * read_bin_file - read a firmware binary file + * @bin: Path to a firmware binary file + * @data: Pointer to pointer of allocated buffer + * @bin_size: Size of allocated buffer + * + * Read out a content of binary, @bin, into @data. + * A caller should free @data. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int read_bin_file(char *bin, void **data, off_t *bin_size) +{ + FILE *g; + struct stat bin_stat; + void *buf; + size_t size; + int ret = 0; + + g = fopen(bin, "r"); + if (!g) { + printf("cannot open %s\n", bin); + return -1; + } + if (stat(bin, &bin_stat) < 0) { + printf("cannot determine the size of %s\n", bin); + ret = -1; + goto err; + } + if (bin_stat.st_size > (u32)~0U) { + printf("file size is too large: %s\n", bin); + ret = -1; + goto err; + } + buf = malloc(bin_stat.st_size); + if (!buf) { + printf("cannot allocate memory: %zx\n", + (size_t)bin_stat.st_size); + ret = -1; + goto err; + } + + size = fread(buf, 1, bin_stat.st_size, g); + if (size < bin_stat.st_size) { + printf("read failed (%zx)\n", size); + ret = -1; + goto err; + } + + *data = buf; + *bin_size = bin_stat.st_size; +err: + fclose(g); + + return ret; +} + +/** + * write_capsule_file - write a capsule file + * @bin: FILE stream + * @data: Pointer to data + * @bin_size: Size of data + * + * Write out data, @data, with the size @bin_size. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) +{ + size_t size_written; + + size_written = fwrite(data, 1, size, f); + if (size_written < size) { + printf("%s: write failed (%zx != %zx)\n", msg, + size_written, size); + return -1; + } + + return 0; +} + +/** + * create_fwbin - create an uefi capsule file + * @path: Path to a created capsule file + * @bin: Path to a firmware binary to encapsulate + * @guid: GUID of related FMP driver + * @index: Index number in capsule + * @instance: Instance number in capsule + * @mcount: Monotonic count in authentication information + * @private_file: Path to a private key file + * @cert_file: Path to a certificate file + * + * This function actually does the job of creating an uefi capsule file. + * All the arguments must be supplied. + * If either @private_file ror @cert_file is NULL, the capsule file + * won't be signed. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long index, unsigned long instance) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; - FILE *f, *g; - struct stat bin_stat; - u8 *data; - size_t size; + FILE *f; + void *data; + off_t bin_size; u64 offset; + int ret; #ifdef DEBUG printf("For output: %s\n", path); 
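Review bot: read_bin_file() leaks buf on the short-read path. After malloc() succeeds, `if (size < bin_stat.st_size)` sets ret = -1 and jumps to err, which only does fclose(g), so the buffer is never freed; add `free(buf);` before that goto (or a second label that frees buf). Two smaller points in the same hunk: stat() on the path after fopen() is a second lookup and can observe a different file than the one already opened, so `fstat(fileno(g), &bin_stat)` is the safer way to size the buffer; and the kernel-doc does not match the code, since write_capsule_file() documents @bin and @bin_size but takes (FILE *f, void *data, size_t size, const char *msg) with @msg undocumented, while the create_fwbin() comment describes @mcount, @private_file and @cert_file ("ror" should be "or") which are not in the signature this patch declares.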
@@ -79,25 +184,28 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); #endif - g = fopen(bin, "r"); - if (!g) { - printf("cannot open %s\n", bin); - return -1; - } - if (stat(bin, &bin_stat) < 0) { - printf("cannot determine the size of %s\n", bin); - goto err_1; - } - data = malloc(bin_stat.st_size); - if (!data) { - printf("cannot allocate memory: %zx\n", (size_t)bin_stat.st_size); - goto err_1; - } + f = NULL; + data = NULL; + ret = -1; + + /* + * read a firmware binary + */ + if (read_bin_file(bin, &data, &bin_size)) + goto err; + + /* + * write a capsule file + */ f = fopen(path, "w"); if (!f) { printf("cannot open %s\n", path); - goto err_2; + goto err; } + + /* + * capsule file header + */ header.capsule_guid = efi_guid_fm_capsule; header.header_size = sizeof(header); /* TODO: The current implementation ignores flags */ 
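Review bot: the block comments `/* * read a firmware binary */` and `/* * write a capsule file */` each carry one short phrase; U-Boot style would be a single-line `/* read a firmware binary */`. The rewritten error handling itself is sound: data is initialised to NULL and read_bin_file() only assigns *data on success, so the unconditional free(data) at the err label is safe, and f is initialised to NULL before fopen() so the `if (f) fclose(f)` guard works.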
@@ -105,70 +213,57 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, header.capsule_image_size = sizeof(header) + sizeof(capsule) + sizeof(u64) + sizeof(image) - + bin_stat.st_size; - - size = fwrite(&header, 1, sizeof(header), f); - if (size < sizeof(header)) { - printf("write failed (%zx)\n", size); - goto err_3; - } + + bin_size; + if (write_capsule_file(f, &header, sizeof(header), + "Capsule header")) + goto err; + /* + * firmware capsule header + * This capsule has only one firmware capsule image. + */ capsule.version = 0x00000001; capsule.embedded_driver_count = 0; capsule.payload_item_count = 1; - size = fwrite(&capsule, 1, sizeof(capsule), f); - if (size < (sizeof(capsule))) { - printf("write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &capsule, sizeof(capsule), + "Firmware capsule header")) + goto err; + offset = sizeof(capsule) + sizeof(u64); - size = fwrite(&offset, 1, sizeof(offset), f); - if (size < sizeof(offset)) { - printf("write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &offset, sizeof(offset), + "Offset to capsule image")) + goto err; + /* + * firmware capsule image header + */ image.version = 0x00000003; memcpy(&image.update_image_type_id, guid, sizeof(*guid)); image.update_image_index = index; image.reserved[0] = 0; image.reserved[1] = 0; image.reserved[2] = 0; - image.update_image_size = bin_stat.st_size; + image.update_image_size = bin_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (write_capsule_file(f, &image, sizeof(image), + "Firmware capsule image header")) + goto err; - size = fwrite(&image, 1, sizeof(image), f); - if (size < sizeof(image)) { - printf("write failed (%zx)\n", size); - goto err_3; - } - size = fread(data, 1, bin_stat.st_size, g); - if (size < bin_stat.st_size) { - printf("read failed (%zx)\n", size); - goto err_3; - } - size = fwrite(data, 1, bin_stat.st_size, f); - 
if (size < bin_stat.st_size) { - printf("write failed (%zx)\n", size); - goto err_3; - } - - fclose(f); - fclose(g); - free(data); - - return 0; + /* + * firmware binary + */ + if (write_capsule_file(f, data, bin_size, "Firmware binary")) + goto err; -err_3: - fclose(f); -err_2: + ret = 0; +err: + if (f) + fclose(f); free(data); -err_1: - fclose(g); - return -1; + return ret; } /*
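Review bot: header.capsule_image_size is a u32 but `sizeof(header) + sizeof(capsule) + sizeof(u64) + sizeof(image) + bin_size` can exceed it. read_bin_file() only rejects files larger than (u32)~0U, so a binary within a few dozen bytes of that limit makes the total wrap and the capsule header would declare a size smaller than the bytes actually written; tighten the check so the headers fit under UINT32_MAX together with the payload. Also, on any failure after `f = fopen(path, "w")` the err path only does fclose(f) and leaves a partially written capsule at @path; an `unlink(path)` on the error path would stop a truncated file from being picked up later as if it were a complete capsule.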
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v8 02/12] tools: build mkeficapsule with tools-only_defconfig
Date: Mon, 20 Dec 2021 14:02:43 +0900
Message-Id: <20211220050253.31163-3-takahiro.akashi@linaro.org>
In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org>

Add CONFIG_TOOLS_MKEFICAPSULE. Then we want to always build mkeficapsule
if tools-only_defconfig is used.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 configs/tools-only_defconfig | 1 +
 tools/Kconfig | 8 ++++++++
 tools/Makefile | 3 +--
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/configs/tools-only_defconfig b/configs/tools-only_defconfig
index f482c9a1c1b0..5427797dd4c3 100644
--- a/configs/tools-only_defconfig
+++ b/configs/tools-only_defconfig
@@ -31,3 +31,4 @@ CONFIG_I2C_EDID=y # CONFIG_VIRTIO_MMIO is not set # CONFIG_VIRTIO_PCI is not set # CONFIG_VIRTIO_SANDBOX is not set +CONFIG_TOOLS_MKEFICAPSULE=y
diff --git a/tools/Kconfig b/tools/Kconfig
index 91ce8ae3e516..117c921da3fe 100644
--- a/tools/Kconfig +++ b/tools/Kconfig @@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu diff --git a/tools/Makefile b/tools/Makefile index 1763f44cac43..766c0674f4a0 100644 --- a/tools/Makefile +++ b/tools/Makefile 
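Review bot: the prompt string `bool "Build efimkcapsule command"` misspells the tool; it is mkeficapsule everywhere else in the series. The help text also promises the command can "optionally sign that file", but signing only arrives with patch 03/12, so either drop that sentence here or move it to the patch that adds the option. Minor: the comma in "and, optionally sign that file" belongs after "optionally" or should be dropped.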
@@ -238,8 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of
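Review bot: besides switching the hostprogs condition, this hunk removes `mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS)`, which drops libfdt from the link, and the commit message says nothing about it. Please state in the message that mkeficapsule no longer needs $(LIBFDT_OBJS) (and confirm nothing in tools/mkeficapsule.c references libfdt), so a reader of the history does not have to work out why the link line changed. The move from CONFIG_EFI_HAVE_CAPSULE_SUPPORT to CONFIG_TOOLS_MKEFICAPSULE itself is consistent with the `default y if EFI_CAPSULE_ON_DISK` added to tools/Kconfig.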
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v8 03/12] tools: mkeficapsule: add firmware image signing
Date: Mon, 20 Dec 2021 14:02:44 +0900
Message-Id: <20211220050253.31163-4-takahiro.akashi@linaro.org>
In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org>

With this enhancement, mkeficapsule will be able to sign a capsule file
when it is created. The signature added will be used later in the
verification at FMP's SetImage() call.

To do that, we need to specify additional command parameters:
  --monotonic-count : monotonic count
  --private-key     : private key file
  --certificate     : certificate file

Only when all of those parameters are given will a signature be added to
a capsule file.

Users are expected to maintain and increment the monotonic count every
time they update each firmware image.
Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- tools/Makefile | 4 + tools/eficapsule.h | 115 +++++++++++++ tools/mkeficapsule.c | 401 +++++++++++++++++++++++++++++++++++++++---- 3 files changed, 484 insertions(+), 36 deletions(-) create mode 100644 tools/eficapsule.h diff --git a/tools/Makefile b/tools/Makefile index 766c0674f4a0..afca08e2941a 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,6 +238,10 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/eficapsule.h b/tools/eficapsule.h new file mode 100644 index 000000000000..8c1560bb0671 --- /dev/null +++ b/tools/eficapsule.h 
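Review bot: the pkg-config line only adds link flags (`--libs`) to HOSTLDLIBS_mkeficapsule; if OpenSSL lives under a non-default prefix, compiling mkeficapsule.o will not find the openssl headers it now includes. Add a matching `HOSTCFLAGS_mkeficapsule.o += $(shell pkg-config --cflags libssl libcrypto 2> /dev/null)` under the same ifeq. The `|| echo "-lssl -lcrypto"` fallback is fine for hosts without pkg-config.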
@@ -0,0 +1,115 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2021 Linaro Limited + * Author: AKASHI Takahiro + * + * derived from efi.h and efi_api.h to make the file POSIX-compliant + */ + +#ifndef _EFI_CAPSULE_H +#define _EFI_CAPSULE_H + +#include +#include /* WIN_CERTIFICATE */ + +/* + * Gcc's predefined attributes are not recognized by clang. + */ +#ifndef __packed +#define __packed __attribute__((__packed__)) +#endif + +#ifndef __aligned +#define __aligned(x) __attribute__((__aligned__(x))) +#endif + +typedef struct { + uint8_t b[16]; +} efi_guid_t __aligned(8); + +#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \ + {{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \ + ((a) >> 24) & 0xff, \ + (b) & 0xff, ((b) >> 8) & 0xff, \ + (c) & 0xff, ((c) >> 8) & 0xff, \ + (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } } + +#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \ + EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \ + 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \ + EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \ + 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \ + EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \ + 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f) + +#define EFI_CERT_TYPE_PKCS7_GUID \ + EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \ + 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) + +/* flags */ +#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET 0x00010000 + +struct efi_capsule_header { + efi_guid_t capsule_guid; + uint32_t header_size; + uint32_t flags; + uint32_t capsule_image_size; +} __packed; + +struct efi_firmware_management_capsule_header { + uint32_t version; + uint16_t embedded_driver_count; + uint16_t payload_item_count; + uint32_t item_offset_list[]; +} __packed; + +/* image_capsule_support */ +#define CAPSULE_SUPPORT_AUTHENTICATION 0x0000000000000001 + +struct efi_firmware_management_capsule_image_header { + uint32_t version; + efi_guid_t 
update_image_type_id; + uint8_t update_image_index; + uint8_t reserved[3]; + uint32_t update_image_size; + uint32_t update_vendor_code_size; + uint64_t update_hardware_instance; + uint64_t image_capsule_support; +} __packed; + +/** + * win_certificate_uefi_guid - A certificate that encapsulates + * a GUID-specific signature + * + * @hdr: Windows certificate header + * @cert_type: Certificate type + * @cert_data: Certificate data + */ +struct win_certificate_uefi_guid { + WIN_CERTIFICATE hdr; + efi_guid_t cert_type; + uint8_t cert_data[]; +} __packed; + +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __packed; + +#endif /* _EFI_CAPSULE_H */ diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index afdcaf7e7933..3e6f36430d74 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,21 +15,17 @@ #include #include -typedef __u8 u8; -typedef __u16 u16; -typedef __u32 u32; -typedef __u64 u64; -typedef __s16 s16; -typedef __s32 s32; - -#define aligned_u64 __aligned_u64 - -#ifndef __packed -#define __packed __attribute__((packed)) +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include #endif -#include -#include +#include "eficapsule.h" static const char *tool_name = "mkeficapsule"; 
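Review bot: eficapsule.h re-declares the on-disk capsule structures that the target-side code parses from U-Boot's own efi.h/efi_api.h, and nothing pins the two sets of definitions together, so a later edit on either side can silently change the layout the signature covers. A build-time check on the sizes the UEFI layout requires would catch drift in the host tool, e.g. `_Static_assert(sizeof(struct efi_capsule_header) == 28, "capsule header layout");`, `_Static_assert(sizeof(struct efi_firmware_management_capsule_image_header) == 48, "FMP image header layout");` and `_Static_assert(sizeof(struct efi_firmware_image_authentication) == 32, "auth header layout");`. The file comment should also say that the structures are little-endian on disk, since the tool writes them in host byte order.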
@@ -38,12 +34,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
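Review bot: both opts_short strings keep `v:` although there is no matching entry in `options[]` and no `case 'v'` in the switch in main(), so `-v <arg>` is accepted and silently ignored; either drop `v:` from both strings or add the long option and its handler. Also, `{"dump-sig", no_argument, NULL, 'd'}` is the spelling getopt_long will accept, so the help text in the next hunk and the man page must use `--dump-sig`, not `--dump_sig`.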
@@ -57,10 +66,252 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data: Pointer to firmware data + * @image_size: Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + uint8_t *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + uint8_t *sig_data; + size_t sig_size; +}; + +static int dump_sig; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +/** + * fileio-read_pkey - read out a private key + * @filename: Path to a private key file + * + * Read out a private key file and parse it into "EVP_PKEY" structure. 
+ * + * Return: + * * Pointer to private key structure - on success + * * NULL - on failure + */ +static EVP_PKEY *fileio_read_pkey(const char *filename) +{ + EVP_PKEY *key = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!key) { + printf("Can't load key from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return key; +} + +/** + * fileio-read_cert - read out a certificate + * @filename: Path to a certificate file + * + * Read out a certificate file and parse it into "X509" structure. + * + * Return: + * * Pointer to certificate structure - on success + * * NULL - on failure + */ +static X509 *fileio_read_cert(const char *filename) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!cert) { + printf("Can't load certificate from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return cert; +} + +/** + * create_auth_data - compose authentication data in capsule + * @auth_context: Pointer to authentication context + * + * Fill up an authentication header (.auth) and signature data (.sig_data) + * in @auth_context, using library functions from openssl. + * All the parameters in @auth_context must be filled in by a caller. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_auth_data(struct auth_context *ctx) +{ + EVP_PKEY *key = NULL; + X509 *cert = NULL; + BIO *data_bio = NULL; + const EVP_MD *md; + PKCS7 *p7; + int flags, ret = -1; + + OpenSSL_add_all_digests(); + OpenSSL_add_all_ciphers(); + ERR_load_crypto_strings(); + + key = fileio_read_pkey(ctx->key_file); + if (!key) + goto err; + cert = fileio_read_cert(ctx->cert_file); + if (!cert) + goto err; + + /* + * create a BIO, containing: + * * firmware image + * * monotonic count + * in this order! 
+ * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256() + */ + data_bio = BIO_new(BIO_s_mem()); + BIO_write(data_bio, ctx->image_data, ctx->image_size); + BIO_write(data_bio, &ctx->auth.monotonic_count, + sizeof(ctx->auth.monotonic_count)); + + md = EVP_get_digestbyname("SHA256"); + if (!md) + goto err; + + /* create signature */ + /* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */ + flags = PKCS7_BINARY | PKCS7_DETACHED; + p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL); + if (!p7) + goto err; + if (!PKCS7_sign_add_signer(p7, cert, key, md, flags)) + goto err; + if (!PKCS7_final(p7, data_bio, flags)) + goto err; + + /* convert pkcs7 into DER */ + ctx->sig_data = NULL; + ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data, + ASN1_ITEM_rptr(PKCS7)); + if (!ctx->sig_size) + goto err; + + /* fill auth_info */ + ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info) + + ctx->sig_size; + ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7, + sizeof(efi_guid_cert_type_pkcs7)); + + ret = 0; +err: + BIO_free_all(data_bio); + EVP_PKEY_free(key); + X509_free(cert); + + return ret; +} + +/** + * dump_signature - dump out a signature + * @path: Path to a capsule file + * @signature: Signature data + * @sig_size: Size of signature data + * + * Signature data pointed to by @signature will be saved into + * a file whose file name is @path with ".p7" suffix. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size) +{ + char *sig_path; + FILE *f; + size_t size; + int ret = -1; + + sig_path = malloc(strlen(path) + 3 + 1); + if (!sig_path) + return ret; + + sprintf(sig_path, "%s.p7", path); + f = fopen(sig_path, "w"); + if (!f) + goto err; + + size = fwrite(signature, 1, sig_size, f); + if (size == sig_size) + ret = 0; + + fclose(f); +err: + free(sig_path); + return ret; +} + +/** + * free_sig_data - free out signature data + * @ctx: Pointer to authentication context + * + * Free signature data allocated in create_auth_data(). + */ +static void free_sig_data(struct auth_context *ctx) +{ + if (ctx->sig_size) + OPENSSL_free(ctx->sig_data); +} +#else +static int create_auth_data(struct auth_context *ctx) +{ + return 0; +} + +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size) +{ + return 0; +} + +static void free_sig_data(struct auth_context *ctx) {} +#endif + /** * read_bin_file - read a firmware binary file * @bin: Path to a firmware binary file 
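Review bot: in create_auth_data(), `ctx->sig_size = ASN1_item_i2d(...)` stores an `int` return value into a `size_t`, so the negative value i2d returns on error becomes SIZE_MAX and passes the `if (!ctx->sig_size)` check, after which the bogus size is added to the capsule headers; capture the result in an `int len`, test `len <= 0`, and only then assign it to `ctx->sig_size`. The PKCS7 object `p7` is never released (it needs `PKCS7_free(p7)` on both the success and `err` paths), and a failure in PKCS7_sign_add_signer() or PKCS7_final() leaks it as well. Smaller points: the kernel-doc names `fileio-read_pkey` and `fileio-read_cert` do not match the functions (`fileio_read_pkey`, `fileio_read_cert`); the usage string says `--dump_sig` while the option table registers `dump-sig`; and OpenSSL_add_all_digests(), OpenSSL_add_all_ciphers() and ERR_load_crypto_strings() are deprecated since OpenSSL 1.1.0 (initialisation is automatic) and produce deprecation warnings with OpenSSL 3, so they can go behind a version check or be dropped. Finally, `BIO_write(data_bio, &ctx->auth.monotonic_count, ...)` signs the count in host byte order, so the signature only matches what a little-endian target hashes when the host is little-endian too; convert explicitly (e.g. htole64() from <endian.h>) or document the assumption.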
@@ -167,23 +418,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) * * -1 - on failure */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) + unsigned long index, unsigned long instance, + uint64_t mcount, char *privkey_file, char *cert_file) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; + struct auth_context auth_context; FILE *f; void *data; off_t bin_size; - u64 offset; + uint64_t offset; int ret; #ifdef DEBUG printf("For output: %s\n", path); printf("\tbin: %s\n\ttype: %pUl\n", bin, guid); - printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); + printf("\tindex: %lu\n\tinstance: %lu\n", index, instance); #endif - + auth_context.sig_size = 0; f = NULL; data = NULL; ret = -1; @@ -194,6 +447,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, if (read_bin_file(bin, &data, &bin_size)) goto err; + /* first, calculate signature to determine its size */ + if (privkey_file && cert_file) { + auth_context.key_file = privkey_file; + auth_context.cert_file = cert_file; + auth_context.auth.monotonic_count = mcount; + auth_context.image_data = data; + auth_context.image_size = bin_size; + + if (create_auth_data(&auth_context)) { + printf("Signing firmware image failed\n"); + goto err; + } + + if (dump_sig && + dump_signature(path, auth_context.sig_data, + auth_context.sig_size)) { + printf("Creating signature file failed\n"); + goto err; + } + } + /* * write a capsule file */ 
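Review bot: `auth_context.sig_size = 0;` is the only field of `auth_context` initialised before the `if (privkey_file && cert_file)` block, so in the unsigned case `sig_data`, `auth` and the path fields stay indeterminate; a `memset(&auth_context, 0, sizeof(auth_context));` (or `= { 0 }` at the declaration) stops the later `if (auth_context.sig_size)` checks and free_sig_data() from depending on a single field being valid. Also, the DEBUG `printf("\tbin: %s\n\ttype: %pUl\n", bin, guid)` kept as context uses the kernel-only `%pUl` GUID conversion, which a host libc printf does not understand; print the GUID bytes explicitly or drop the line.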
@@ -211,9 +485,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, /* TODO: The current implementation ignores flags */ header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET; header.capsule_image_size = sizeof(header) - + sizeof(capsule) + sizeof(u64) + + sizeof(capsule) + sizeof(uint64_t) + sizeof(image) + bin_size; + if (auth_context.sig_size) + header.capsule_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; if (write_capsule_file(f, &header, sizeof(header), "Capsule header")) goto err; @@ -229,7 +506,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, "Firmware capsule header")) goto err; - offset = sizeof(capsule) + sizeof(u64); + offset = sizeof(capsule) + sizeof(uint64_t); if (write_capsule_file(f, &offset, sizeof(offset), "Offset to capsule image")) goto err; @@ -244,13 +521,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, image.reserved[1] = 0; image.reserved[2] = 0; image.update_image_size = bin_size; + if (auth_context.sig_size) + image.update_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (auth_context.sig_size) + image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION; if (write_capsule_file(f, &image, sizeof(image), "Firmware capsule image header")) goto err; + /* + * signature + */ + if (auth_context.sig_size) { + if (write_capsule_file(f, &auth_context.auth, + sizeof(auth_context.auth), + "Authentication header")) + goto err; + + if (write_capsule_file(f, auth_context.sig_data, + auth_context.sig_size, "Signature")) + goto err; + } + /* * firmware binary */ 
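Review bot: `header.capsule_image_size` and `image.update_image_size` are uint32_t, and the added `+= sizeof(auth_context.auth) + auth_context.sig_size` extends arithmetic that already mixes in the `off_t bin_size` without any bound check, so an oversized image silently wraps the sizes the target later uses to locate the authentication header and payload; reject inputs where `bin_size + sizeof(auth_context.auth) + auth_context.sig_size` does not fit in 32 bits before any header is written. Setting `CAPSULE_SUPPORT_AUTHENTICATION` only when a signature is present is correct, but the `TODO: The current implementation ignores flags` context above still applies, so the commit message should say that `header.flags` remains hard-coded to `CAPSULE_FLAGS_PERSIST_ACROSS_RESET`.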
@@ -261,28 +557,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, err: if (f) fclose(f); + free_sig_data(&auth_context); free(data); return ret; } -/* - * Usage: - * $ mkeficapsule -f +/** + * main - main entry function of mkeficapsule + * @argc: Number of arguments + * @argv: Array of pointers to arguments + * + * Create an uefi capsule file, optionally signing it. + * Parse all the arguments and pass them on to create_fwbin(). + * + * Return: + * * 0 - on success + * * -1 - on failure */ int main(int argc, char **argv) { char *file; efi_guid_t *guid; unsigned long index, instance; + uint64_t mcount; + char *privkey_file, *cert_file; int c, idx; file = NULL; guid = NULL; index = 0; instance = 0; + mcount = 0; + privkey_file = NULL; + cert_file = NULL; + dump_sig = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, opts_short, options, &idx); if (c == -1) break; @@ -290,7 +601,7 @@ int main(int argc, char **argv) case 'f': if (file) { printf("Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_fit; @@ -298,7 +609,7 @@ int main(int argc, char **argv) case 'r': if (file) { printf("Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_raw; 
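Review bot: the new kernel-doc for main() documents `Return: 0 - on success / -1 - on failure`, but the hunks below replace every `return -1` with `exit(EXIT_FAILURE)`, so the process status is 1, never -1; document the exit statuses (EXIT_SUCCESS / EXIT_FAILURE) instead. `dump_sig = 0;` in main() is redundant with the zero-initialised `static int dump_sig;` from the earlier hunk, which is harmless but worth a comment if it is meant to make the reset explicit.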
@@ -309,26 +620,44 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; +#ifdef CONFIG_TOOLS_LIBCRYPTO + case 'p': + if (privkey_file) { + printf("Private Key already specified\n"); + exit(EXIT_FAILURE); + } + privkey_file = optarg; + break; + case 'c': + if (cert_file) { + printf("Certificate file already specified\n"); + exit(EXIT_FAILURE); + } + cert_file = optarg; + break; + case 'm': + mcount = strtoul(optarg, NULL, 0); + break; + case 'd': + dump_sig = 1; + break; +#endif /* CONFIG_TOOLS_LIBCRYPTO */ case 'h': print_usage(); - return 0; + exit(EXIT_SUCCESS); } } - /* need an output file */ - if (argc != optind + 1) { + /* check necessary parameters */ + if ((argc != optind + 1) || !file || + ((privkey_file && !cert_file) || + (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - exit(EXIT_SUCCESS); - } - - if (create_fwbin(argv[optind], file, guid, index, instance) - < 0) { + if (create_fwbin(argv[optind], file, guid, index, instance, + mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); exit(EXIT_FAILURE); } From patchwork Mon Dec 20 05:02:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 526043 Delivered-To: patch@linaro.org Received: by 2002:a05:6e04:2287:0:0:0:0 with SMTP id bl7csp3768175imb; Sun, 19 Dec 2021 21:04:29 -0800 (PST) X-Google-Smtp-Source: ABdhPJxXRFtxC9HyheX3KZbriNBG54GS7OvT6OvQDe23vZmCHWQZoakugWgpHfcHfdOZwFHz3LJ/ X-Received: by 2002:a17:907:c0c:: with SMTP id ga12mr9606014ejc.147.1639976669788; Sun, 19 Dec 2021 21:04:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1639976669; cv=none; d=google.com; s=arc-20160816; b=bdgyhpecTjfylw97SOkRiyi2CNyaP/AhO6/zR5UkHbYta1b3T2S6QXNq47Nr3j2GCJ k3XfY9nUrblB7sYrQ7VG6hhrFYQ9BSS0m7fJAQ3JB4flX66vdLo6EpLJK90nnOGkPRkE 
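Review bot: `mcount = strtoul(optarg, NULL, 0)` feeds a `uint64_t`, but `unsigned long` is 32 bits on 32-bit hosts, so large counts are truncated, and with a NULL endptr a non-numeric argument silently becomes 0; use `strtoull()` with an endptr/ERANGE check and reject garbage. The parameter check only pairs `-p` with `-c`; `-m` is not required and defaults to 0, whereas the man page in the next patch lists `--monotonic-count` as mandatory when signing, and a default of 0 undermines the anti-replay purpose of the field, so either require `-m` whenever a key is given or document the default explicitly.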
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v8 04/12] tools: mkeficapsule: add man page Date: Mon, 20 Dec 2021 14:02:45 +0900 Message-Id: <20211220050253.31163-5-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org> References: <20211220050253.31163-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.38 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Add a man page for mkeficapsule command. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- MAINTAINERS | 1 + doc/mkeficapsule.1 | 95 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 doc/mkeficapsule.1 diff --git a/MAINTAINERS b/MAINTAINERS index e718ad213553..93ef5e297acc 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -723,6 +723,7 @@ S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git F: doc/api/efi.rst F: doc/develop/uefi/* +F: doc/mkeficapsule.1 F: doc/usage/bootefi.rst F: drivers/rtc/emul_rtc.c F: include/capitalization.h diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 new file mode 100644 index 000000000000..837e09ab451e --- /dev/null +++ b/doc/mkeficapsule.1 
@@ -0,0 +1,95 @@ +.TH MAEFICAPSULE 1 "May 2021" + +.SH NAME +mkeficapsule \- Generate EFI capsule file for U-Boot + +.SH SYNOPSIS +.B mkeficapsule +.RB [\fIoptions\fP] " \fIcapsule-file\fP" + +.SH "DESCRIPTION" +The +\fBmkeficapsule\fP +command is used to create an EFI capsule file for use with the U-Boot +EFI capsule update. +A capsule file may contain various type of firmware blobs which +are to be applied to the system and must be placed in the specific +directory on the UEFI system partition. An update will be automatically +executed at next reboot. + +Optionally, a capsule file can be signed with a given private key. +In this case, the update will be authenticated by verifying the signature +before applying. + +\fBmkeficapsule\fP supports two different format of image files: +.TP +.I raw image +format is a single binary blob of any type of firmware. + +.TP +.I FIT (Flattened Image Tree) image +format +is the same as used in the new \fIuImage\fP format and allows for +multiple binary blobs in a single capsule file. +This type of image file can be generated by \fBmkimage\fP. + +.SH "OPTIONS" +One of \fB--fit\fP or \fB--raw\fP option must be specified. + +.TP +.BI "-f, --fit \fIfit-image-file\fP" +Specify a FIT image file + +.TP +.BI "-r, --raw \fIraw-image-file\fP" +Specify a raw image file + +.TP +.BI "-i, --index \fIindex\fP" +Specify an image index + +.TP +.BI "-I, --instance \fIinstance\fP" +Specify a hardware instance + +.TP +.BI "-h, --help" +Print a help message + +.TP 0 +.B With signing: + +\fB--private-key\fP, \fB--certificate\fP and \fB--monotonic-count\fP are +all mandatory. + +.TP +.BI "-p, --private-key \fIprivate-key-file\fP" +Specify signer's private key file in PEM + +.TP +.BI "-c, --certificate \fIcertificate-file\fP" +Specify signer's certificate file in EFI certificate list format + +.TP +.BI "-m, --monotonic-count \fIcount\fP" +Specify a monotonic count which is set to be monotonically incremented +at every firmware update. 
+ +.TP +.BI "-d, --dump_sig" +Dump signature data into *.p7 file + +.PP +.SH FILES +.TP +.BI "\fI/EFI/UpdateCapsule\fP" +The directory in which all capsule files be placed + +.SH SEE ALSO +.B mkimage + +.SH AUTHORS +Written by AKASHI Takahiro + +.SH HOMEPAGE +http://www.denx.de/wiki/U-Boot/WebHome From patchwork Mon Dec 20 05:02:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 526044 Delivered-To: patch@linaro.org Received: by 2002:a05:6e04:2287:0:0:0:0 with SMTP id bl7csp3768273imb; Sun, 19 Dec 2021 21:04:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJxju+GzbaHQA88YVBSiQ7vsQy8CDmXrEcL3v9cK1bzS3EflGmAgSZV43Kq3FqkLO9NA5TM2 X-Received: by 2002:a05:6402:21c6:: with SMTP id bi6mr13868357edb.209.1639976684469; Sun, 19 Dec 2021 21:04:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1639976684; cv=none; d=google.com; s=arc-20160816; b=kmafHtpGlSmhjeHS/AAJntp/u8eV980WJkxyqstap5djOSIPpA6eh/pqjVt5ktKTLl cLDHCDkd4Kpj0ScpK/BiAZ45Vvz4XJcM8iNBL/151Frzcoc6qfcnnd+aSb48uKZhjfyq YdnjaBBOAAzAxPZMKAJYD+nirQjWDV5Nn1dXzhmtQuK42p/sSE88gp5x+PQGBB0yrA1z OUhnLtv5FBuJTm5LBghYPCXdNFcW2R9wYrx3olcPFXF1czzqUt57B//Lneoq7bUcBT8A ba/YZ/7ZdoubRDjfnbFOS9XOXlfRl7FztXuH7DCDDzIDM+i1vPzm+VdKPt7Q4QO24vLQ l+2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=911B1ZA56gdhB3LqeyvCvcW3vpxQmbwI6cOu+4Ny7FI=; b=umDBec5ZXZAOGB0LTRcBugcWT3ZeP+EBsAPMxbDEiDACrl+lzkcEQLwFEcbLe3+2Gw hJzmuL624QGtj3xBzkFahj2HZq+GDF2hgAlEyK20PI5A4J/5R/m+WXTEVOVtGrj2p1b+ gNH7BrMxvyoE+iXvFCmVJy05BujpLx96LvnbKTsfen11DNwuRELi9JUU50fY3rrI2CAL F4zCDgxrEMdcv6Hyhu7KVuHNxU0PrG1psZb0ZBCRYKyr7NyaEX1EnVfesBqJjbVe1UOT BQwDmaklLTW96T5vnAr+CbZiUTOuAZLZ03fGjOMFKDBr6vSK34hu7pstKSRpOPKznPTj 08aw== 
smtp.gmail.com with ESMTPSA id mu2sm4581163pjb.43.2021.12.19.21.03.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 Dec 2021 21:03:53 -0800 (PST) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v8 05/12] doc: update UEFI document for usage of mkeficapsule Date: Mon, 20 Dec 2021 14:02:46 +0900 Message-Id: <20211220050253.31163-6-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org> References: <20211220050253.31163-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.38 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Now we can use mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instruction for capsule authentication. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- 1 file changed, 67 insertions(+), 76 deletions(-) diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index f17138f5c765..864d61734bee 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst 
@@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. 
+To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. - -If that option is disabled, you'll need to set the OsIndications variable with:: +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. - => efidebug capsule disk-update - -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* 
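Review bot: the paragraph recommending CONFIG_EFI_IGNORE_OSINDICATIONS (the "+Since U-boot doesn't currently support SetVariable at runtime" lines) should state what the option gives up: with it set, the OsIndications opt-in is skipped, so any capsule file found under \EFI\UpdateCapsule is processed at boot without the OS having asked for it, and only capsule authentication (the next section) then stands between a writable ESP and a firmware update. Suggest describing it as a workaround for platforms without runtime variable support and pointing readers to enabling CONFIG_EFI_CAPSULE_AUTHENTICATE alongside it. Minor: "U-boot" should be "U-Boot" to match the rest of the document.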
@@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature is computed and prepended to the capsule payload at the time of capsule generation. This signature is then verified by using the public key stored as part of the X509 certificate. This certificate is -in the form of an efi signature list (esl) file, which is embedded as -part of U-Boot. +in the form of an efi signature list (esl) file, which is embedded in +a device tree. The capsule authentication feature can be enabled through the following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y - CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated -and used by the steps highlighted below:: +and used by the steps highlighted below. - 1. Install utility commands on your host - * OPENSSL +1. Install utility commands on your host + * openssl * efitools - 2. Create signing keys and certificate files on your host +2. 
Create signing keys and certificate files on your host:: $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - --monotonic-count --fw-version \ - --lsv --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - - -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory - -Testing on QEMU -*************** +3. Run the following command to create and sign the capsule file:: -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + -The capsule update feature is enabled with the following configuration -settings:: +4. 
Insert the signature list into a device tree in the following format:: - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + { + signature { + capsule-key = [ ]; + } + ... + } -In addition, the following config needs to be disabled(QEMU ARM specific):: + You can do this manually with:: - CONFIG_TFABOOT + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo -The capsule file can be generated by using the tools/mkeficapsule:: + where signature.dts looks like:: - $ mkeficapsule --raw --index 1 + &{/} { + signature { + capsule-key = /incbin/("CRT.esl"); + }; + }; Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
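Review bot: step 4 shows how to produce new.dtb but not that this dtb has to be the one U-Boot itself is built or booted with, nor that the device tree thereby becomes part of the trust anchor: if it can be replaced by whoever can write capsule files to the ESP, the signature check verifies against a key of their choosing. Suggest one sentence after the fdtoverlay line saying that the resulting dtb must replace U-Boot's own and needs the same protection the U-Boot binary had when the esl was embedded in it. Minor: the format sketch closes the signature node with "}" while the signature.dts example below uses "};"; use the latter in both.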
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v8 06/12] test/py: efi_capsule: add image authentication test Date: Mon, 20 Dec 2021 14:02:47 +0900 Message-Id: <20211220050253.31163-7-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org> References: <20211220050253.31163-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system. Due to the difficulty of embedding a public key (esl file) in U-Boot binary during pytest setup time, all the keys/certificates are pre-created. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- .../py/tests/test_efi_capsule/capsule_defs.py | 5 + test/py/tests/test_efi_capsule/conftest.py | 52 +++- test/py/tests/test_efi_capsule/signature.dts | 10 + .../test_capsule_firmware_signed.py | 254 ++++++++++++++++++ 4 files changed, 318 insertions(+), 3 deletions(-) create mode 100644 test/py/tests/test_efi_capsule/signature.dts create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py index 4fd6353c2040..aa9bf5eee3aa 100644 --- a/test/py/tests/test_efi_capsule/capsule_defs.py +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@ # Directories CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/'. +EFITOOLS_PATH = '' diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 6ad5608cd71c..27c05971ca32 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -10,13 +10,13 @@ import pytest from capsule_defs import * # -# Fixture for UEFI secure boot test +# Fixture for UEFI capsule test # - @pytest.fixture(scope='session') def efi_capsule_data(request, u_boot_config): - """Set up a file system to be used in UEFI capsule test. + """Set up a file system to be used in UEFI capsule and + authentication test. Args: request: Pytest request object. 
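Review bot: EFITOOLS_PATH = '' is a module-level constant, so anyone hit by the efitools sha256 bug the comment describes has to edit a tracked source file to point at their own build; reading it from an environment variable with '' as the default would keep the same behaviour without local modifications. The comment should also name the first efitools release that works (it only says v1.5.1 or earlier is broken), so a reader can tell whether the distro package is usable before the cert-to-efi-sig-list call fails.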
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config): check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + if capsule_auth_enabled: + # Create private key (SIGNER.key) and certificate (SIGNER.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' + '-out SIGNER.crt -nodes -days 365' + % data_dir, shell=True) + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' + % (data_dir, EFITOOLS_PATH), shell=True) + + # Update dtb adding capsule certificate + check_call('cd %s; ' + 'cp %s/test/py/tests/test_efi_capsule/signature.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; ' + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' + '-o test_sig.dtb signature.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + + # Create *malicious* private key (SIGNER2.key) and certificate + # (SIGNER2.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key ' + '-out SIGNER2.crt -nodes -days 365' + % data_dir, shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, 
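Review bot: the commit message says all keys/certificates are pre-created, but this hunk generates SIGNER.key and SIGNER2.key with openssl at fixture time and builds test_sig.dtb with dtc and fdtoverlay, so one of the two should be updated; openssl, cert-to-efi-sig-list, dtc and fdtoverlay also become hard test dependencies that belong in a skip condition or the test's documentation. The "malicious" certificate is deliberately given the same subject /CN=TEST_SIGNER/ as the trusted one, which is the right negative test (verification must depend on the key, not the subject name), but say so in the comment so nobody "fixes" it later.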
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % (data_dir, u_boot_config.build_dir), shell=True) + if capsule_auth_enabled: + # firmware signed with proper key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--raw u-boot.bin.new Test11' + % (data_dir, u_boot_config.build_dir), + shell=True) + # firmware signed with *mal* key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER2.key ' + '--certificate SIGNER2.crt ' + '--raw u-boot.bin.new Test12' + % (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts new file mode 100644 index 000000000000..078cfc76c93c --- /dev/null +++ b/test/py/tests/test_efi_capsule/signature.dts @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("SIGNER.esl"); + }; +}; diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py new file mode 100644 index 000000000000..593b032e9015 --- /dev/null +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py 
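Review bot: the signed capsules in the "@@ -56,6 +86,22 @@" hunk invoke mkeficapsule with --private-key and --certificate, which the tool only accepts when built with CONFIG_TOOLS_LIBCRYPTO (the doc patch in this series lists that option as required, and opts_short in the tool is #ifdef'd on it), yet the fixture gates only on config_efi_capsule_authenticate; add a check for config_tools_libcrypto, or skip with a clear message, rather than failing inside check_call. In signature.dts, /incbin/("SIGNER.esl") is resolved relative to the directory dtc runs in, which works here only because of the "cd %s" in the previous hunk; a comment in the dts noting that dependency would help.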
@@ -0,0 +1,254 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2021, Linaro Limited +# Author: AKASHI Takahiro +# +# U-Boot UEFI: Firmware Update (Signed capsule) Test + +""" +This test verifies capsule-on-disk firmware update +with signed capsule files +""" + +import pytest +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw') +@pytest.mark.buildconfigspec('efi_capsule_authenticate') +@pytest.mark.buildconfigspec('dfu') +@pytest.mark.buildconfigspec('dfu_sf') +@pytest.mark.buildconfigspec('cmd_efidebug') +@pytest.mark.buildconfigspec('cmd_fat') +@pytest.mark.buildconfigspec('cmd_memory') +@pytest.mark.buildconfigspec('cmd_nvedit_efi') +@pytest.mark.buildconfigspec('cmd_sf') +@pytest.mark.slow +class TestEfiCapsuleFirmwareSigned(object): + def test_efi_capsule_auth1( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 1 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 1-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test11 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 1-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_auth2( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 2 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but with an invalid key, + the authentication should fail and the firmware + not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 2-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test12 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 2-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output) + + def test_efi_capsule_auth3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 3 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is not signed, the authentication + should fail and the firmware not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 3-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test02 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output)
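Review bot: test cases 2 and 3 only check that the flash still reads "u-boot:Old" and that the capsule file was removed, and leave "TODO: check CapsuleStatus in CapsuleXXXX", so a capsule that was never processed at all (for instance because dfu_alt_info was not set) passes exactly like one rejected by signature verification; the test already runs "env print -e Capsule0000", so asserting on that output would tell the two apart. Also the three methods repeat the same before-reboot setup and after-reboot fixup almost verbatim, differing only in the capsule name and the expected flash content; a helper taking those two parameters would shorten the file and make further negative cases (wrong index, tampered payload) cheap to add.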
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v8 07/12] tools: mkeficapsule: allow for specifying GUID explicitly Date: Mon, 20 Dec 2021 14:02:48 +0900 Message-Id: <20211220050253.31163-8-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org> References: <20211220050253.31163-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 The existing options, "--fit" and "--raw," are only used to put a proper GUID in a capsule header, where GUID identifies a particular FMP (Firmware Management Protocol) driver which then would handle the firmware binary in a capsule. In fact, mkeficapsule does the exact same job in creating a capsule file whatever the firmware binary type is. To prepare for the future extension, the command syntax will be a bit modified to allow users to specify arbitrary GUID for their own FMP driver. OLD: [--fit | --raw ] NEW: [--fit | --raw | --guid ] Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass --- doc/develop/uefi/uefi.rst | 4 +- doc/mkeficapsule.1 | 26 +++++++++---- tools/Makefile | 1 + tools/mkeficapsule.c | 78 ++++++++++++++++++++++++++++++--------- 4 files changed, 82 insertions(+), 27 deletions(-) diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 864d61734bee..54fefd76f0f5 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -367,8 +367,8 @@ and used by the steps highlighted below. --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit | --raw ] \ - + [--fit | --raw | --guid 4. Insert the signature list into a device tree in the following format:: diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 837e09ab451e..312e8a8b3188 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -5,7 +5,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RB [\fIoptions\fP] " \fIcapsule-file\fP" +.RB [\fIoptions\fP] " \fIimage-blob\fP \fIcapsule-file\fP" .SH "DESCRIPTION" The @@ -21,7 +21,7 @@ Optionally, a capsule file can be signed with a given private key. In this case, the update will be authenticated by verifying the signature before applying. -\fBmkeficapsule\fP supports two different format of image files: +\fBmkeficapsule\fP takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -33,16 +33,28 @@ is the same as used in the new \fIuImage\fP format and allows for multiple binary blobs in a single capsule file. This type of image file can be generated by \fBmkimage\fP. +.PP +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" -One of \fB--fit\fP or \fB--raw\fP option must be specified. +One of \fB--fit\fP, \fB--raw\fP or \fB--guid\fP option must be specified. .TP -.BI "-f, --fit \fIfit-image-file\fP" -Specify a FIT image file +.BI "-f, --fit +Indicate that the blob is a FIT image file .TP -.BI "-r, --raw \fIraw-image-file\fP" -Specify a raw image file +.BI "-r, --raw +Indicate that the blob is a raw image file + +.TP +.BI "-g, --guid \fIguid-string\fP" +Specify guid for image blob type. The format is: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +The first three elements are in little endian, while the rest +is in big endian. .TP .BI "-i, --index \fIindex\fP" 
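Review bot: the new `.BI "-f, --fit` and `.BI "-r, --raw` lines in the `@@ -33,16 +33,28 @@` hunk of doc/mkeficapsule.1 open a double quote that is never closed (the removed lines ended with `\fP"`), so troff will render a stray quote; since neither option takes an argument any more, `.B "-f, --fit"` and `.B "-r, --raw"` are the right macros and keep the quotes balanced. In the same hunk, the sentence "The first three elements are in little endian, while the rest is in big endian." leaves a reader unsure whether the GUID must be typed differently from the usual `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` form; say explicitly that the string is written as printed (for example by `efidebug capsule esrt`) and that mkeficapsule takes care of the byte order.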
diff --git a/tools/Makefile b/tools/Makefile index afca08e2941a..cbf83a252caa 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -242,6 +242,7 @@ ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) HOSTLDLIBS_mkeficapsule += \ $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") endif +HOSTLDLIBS_mkeficapsule += -luuid hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 3e6f36430d74..8891496d1564 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -14,7 +14,7 @@ #include #include - +#include #include #ifdef CONFIG_TOOLS_LIBCRYPTO #include @@ -37,14 +37,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_TOOLS_LIBCRYPTO -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; #else -static const char *opts_short = "f:r:i:I:v:h"; +static const char *opts_short = "frg:i:I:v:h"; #endif static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -59,11 +60,12 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] \n" + printf("Usage: %s [options] \n" "Options:\n" - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid guid for image blob type\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" #ifdef CONFIG_TOOLS_LIBCRYPTO 
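Review bot: `HOSTLDLIBS_mkeficapsule += -luuid` in tools/Makefile is added unconditionally and without the pkg-config fallback used for libssl/libcrypto two lines above, so every host build of mkeficapsule now hard-requires the libuuid headers and library even when CONFIG_TOOLS_LIBCRYPTO is off; either mirror the existing pattern (`$(shell pkg-config --libs uuid 2> /dev/null || echo "-luuid")`) or at least state the new build dependency in the commit message and in doc/develop/uefi/uefi.rst next to the mkeficapsule invocation.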
@@ -563,6 +565,37 @@ err: return ret; } +/** + * convert_uuid_to_guid() - convert uuid string to guid string + * @buf: String for UUID + * + * UUID and GUID have the same data structure, but their string + * formats are different due to the endianness. See lib/uuid.c. + * Since uuid_parse() can handle only UUID, this function must + * be called to get correct data for GUID when parsing a string. + * + * The correct data will be returned in @buf. + */ +void convert_uuid_to_guid(unsigned char *buf) +{ + unsigned char c; + + c = buf[0]; + buf[0] = buf[3]; + buf[3] = c; + c = buf[1]; + buf[1] = buf[2]; + buf[2] = c; + + c = buf[4]; + buf[4] = buf[5]; + buf[5] = c; + + c = buf[6]; + buf[6] = buf[7]; + buf[7] = c; +} + /** * main - main entry function of mkeficapsule * @argc: Number of arguments @@ -577,14 +610,13 @@ err: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -599,21 +631,31 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + printf("Image type already specified\n"); + exit(EXIT_FAILURE); + } + if (uuid_parse(optarg, uuid_buf)) { + printf("Wrong guid format\n"); + exit(EXIT_FAILURE); + } + convert_uuid_to_guid(uuid_buf); + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; 
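Review bot: in the `case 'g':` block, `guid = (efi_guid_t *)uuid_buf;` reinterprets the stack array `unsigned char uuid_buf[16]` as an `efi_guid_t *`; that is only safe if efi_guid_t has no stricter alignment than a char array, and the cast hides the fact that create_fwbin() later reads the GUID through a different type. Parsing into a properly typed object (a local `efi_guid_t`, with `uuid_parse()` writing into it through a union with `unsigned char [16]`) removes the cast and the alignment question. The helper `convert_uuid_to_guid()` added in the preceding hunk is used only in this file and has no prototype, so it should be `static`; its swaps of bytes 0-3, 4-5 and 6-7 do match the mixed-endian layout the man page text describes.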
@@ -649,14 +691,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); exit(EXIT_FAILURE);
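Review bot: `argv[argc - 1]` and `argv[argc - 2]` in the create_fwbin() call are correct only because the check just above enforces `argc == optind + 2`; `argv[optind]` (image blob) and `argv[optind + 1]` (capsule file) say the same thing directly from the parsed option position and stay right if the positional-argument check is ever relaxed. A short comment that create_fwbin() takes the output capsule first and the input blob second would also help, since the command line lists them in the opposite order.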
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v8 08/12] test/py: efi_capsule: align with the syntax change of mkeficapsule
Date: Mon, 20 Dec 2021 14:02:49 +0900
Message-Id: <20211220050253.31163-9-takahiro.akashi@linaro.org>
In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org>
References: <20211220050253.31163-1-takahiro.akashi@linaro.org>

Since the syntax of mkeficapsule was changed in the previous commit,
we need to modify the command line arguments in a pytest script.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 test/py/tests/test_efi_capsule/conftest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 27c05971ca32..a5a25c53dcb4 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py 
@@ -80,10 +80,10 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) if capsule_auth_enabled:
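Review bot: as the commit message says, the syntax change landed in the previous commit, so between 07/12 and this patch the efi_capsule pytest still runs `mkeficapsule --fit uboot_bin_env.itb --index 1 Test01`, where `--fit` no longer takes an argument and the positional count check rejects the command; squashing this two-line update into the patch that changes the option parsing keeps every commit in the series passing and the tree bisectable.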
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v8 09/12] test/py: efi_capsule: add a test for "--guid" option
Date: Mon, 20 Dec 2021 14:02:50 +0900
Message-Id: <20211220050253.31163-10-takahiro.akashi@linaro.org>
In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org>
References: <20211220050253.31163-1-takahiro.akashi@linaro.org>

This test scenario tests a new feature of mkeficapsule, the "--guid"
option, which allows us to specify the FMP driver's GUID explicitly at
the command line.

Signed-off-by: AKASHI Takahiro
---
 test/py/tests/test_efi_capsule/conftest.py            |  3 +
 .../test_efi_capsule/test_capsule_firmware.py         | 67 +++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index a5a25c53dcb4..9076087a12b7 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -86,6 +86,9 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % + (data_dir, u_boot_config.build_dir), + shell=True) if capsule_auth_enabled: # firmware signed with proper key check_call('cd %s; ' diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9eeaae27d626..9cc973560fa1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py 
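Review bot: the GUID `E2BB9C06-70E9-4B14-97A3-5A7913176E3F` passed to `--guid` in the conftest.py hunk is, according to the comment in the accompanying test (`ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT`), the same GUID that `--raw` already selects, so Test03 exercises the option parsing and uuid_parse() path but yields a capsule equivalent to Test02 (same blob, same index); that is fine as a smoke test, but hoist the literal into a named constant shared by conftest.py and the test assertion so the two copies cannot drift apart, and note in the docstring that the value is deliberately the raw-image GUID.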
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object): 'sf read 4000000 100000 10', 'md.b 4000000 10']) assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 4 - Test "--guid" option of mkeficapsule + The test scenario is the same as Case 3. + """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 4-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # reboot + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list(['efidebug capsule esrt']) + + # ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT. + assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output) + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output)
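Review bot: test_efi_capsule_fw4() repeats the body of test_efi_capsule_fw3() almost line for line (the docstring itself says the scenario is the same as Case 3) with only the capsule name changed to Test03; a shared helper taking the capsule file name, or a pytest parametrization over the two capsule names, would keep the cases from drifting, especially since the following CAPSULE_AUTHENTICATE patch already has to touch each copy. The `output` of `env print -e Capsule0000` is assigned and then overwritten without being asserted on; if the command is only there to trigger capsule processing, as the comment says, drop the assignment.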
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v8 10/12] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE
Date: Mon, 20 Dec 2021 14:02:51 +0900
Message-Id: <20211220050253.31163-11-takahiro.akashi@linaro.org>
In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org>
References: <20211220050253.31163-1-takahiro.akashi@linaro.org>

Before the capsule authentication is supported, this test script works
correctly, but with the feature enabled, most tests will fail due to
unsigned capsules. So check the results depending on whether
CAPSULE_AUTHENTICATE is enabled or not.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 .../test_efi_capsule/test_capsule_firmware.py | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
index 9cc973560fa1..6e803f699f2f 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
@@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 2-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables
@@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) output = u_boot_console.run_command_list([ 'sf read 4000000 150000 10', 'md.b 4000000 10']) - assert 'u-boot-env:New' in ''.join(output) + if capsule_auth: + assert 'u-boot-env:Old' in ''.join(output) + else: + assert 'u-boot-env:New' in ''.join(output) def test_efi_capsule_fw3( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 3-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables @@ -246,7 +256,10 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) def test_efi_capsule_fw4( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -285,6 +298,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 4-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
@@ -313,4 +328,7 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) From patchwork Mon Dec 20 05:02:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 526050 Delivered-To: patch@linaro.org Received: by 2002:a05:6e04:2287:0:0:0:0 with SMTP id bl7csp3768871imb; Sun, 19 Dec 2021 21:05:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJzzgVPy4NEhOUoHM3u9BrRUnNhBzor2nMQPlhiH2ZaMcifx9+qM5uHdPPIyE+7cIPI+NSMj X-Received: by 2002:aa7:d619:: with SMTP id c25mr10045419edr.405.1639976748198; Sun, 19 Dec 2021 21:05:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1639976748; cv=none; d=google.com; s=arc-20160816; b=fPyz39XvA9W+bykgTN4NIRShre1jkbt/pVjGyW+stV4QWe+597BXTXc21ZdHzjdyPE ZDuzeoyjj/H7LqtV/V/taGZ8RXqoqUfSXF/EnJ6jQmqVdt2qyU+m3h8GHXKIPt3Vc/ct PU6652xsuLp148kSmVXDmi6eEd0i0hPzM+LTxwMwIvwGs24hmK54l5412JFVWR9vN7Qy tkADzA7fccOU5sNomMzMYljWVoDuhYcNeIv3hBi5+Hvs17ROvVkQKjmOKOOVP9o1oyVS wi/4QBJRvM86fYlVjN5S/Yx1O08BOAARNCeS9CT9q1HBIOmQVZBDQ8rMlrpDx9nbBQg8 FGIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=SM+IRbafxx8Qr/8kK8fKjePcwTpG3b764rPu/B5MUy4=; b=mOJllVqr2bd/l7N+QtHAfmF0WuoLijbrjdmwobabWMCHZHPdVjKXBACxOQcP1IbOAk bB9iZkE5zaTF9nA+CZNwaso9eoIeDSjwaGc8YfyqYUBPJZ0wNMlD5slaRnFlc/URSQ4Q /e4Ehg6pUBOIfc782JDuR2p9BTAucdyJR4Dir475pNGcQ6xyiCoX5iIXaQUpVYj150Tm EP3Z9neg79+tqEXNqlzV7yIFa8VNsEZBeSw2F2fPJV8AJ5I0ppXUxVGV+q2/xtZiFiVj 660wfCcfjl1IGiDkg1zJS2NoTPGkTer59Ai1ZTghPdl6URfgVD3EHw5Se6VxCD7a2EZ+ Q1Vg== ARC-Authentication-Results: 
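Review bot: in every `assert` hunk (test cases 2-b, 3-b and 4-b), the authenticate branch only proves that the SPI flash still reads `u-boot:Old` / `u-boot-env:Old`, i.e. that the unsigned capsule was not applied; nothing checks that it was rejected for the expected reason (no assertion on an authentication-failure message in the console output), so a regression that skipped the capsule for some unrelated cause would still pass with CONFIG_EFI_CAPSULE_AUTHENTICATE=y. Add an assertion on the failure reason where the console reports one, and since the test data here contains no signed capsule, the commit message should state that the positive path is not exercised in the authenticate configuration.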
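Review bot: the same `capsule_auth = u_boot_config.buildconfig.get('config_efi_capsule_authenticate')` read is added three times, and the four-line `if capsule_auth: assert 'u-boot:Old' ... else: assert 'u-boot:New' ...` block is copied four times; computing the expectation once per test, e.g. `expected = 'Old' if capsule_auth else 'New'` followed by `assert 'u-boot:%s' % expected in ''.join(output)`, keeps the intent visible and means a future third variant (signed capsule accepted) changes one line rather than four.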
mu2sm4581163pjb.43.2021.12.19.21.04.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 Dec 2021 21:04:13 -0800 (PST) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v8 11/12] (RFC) tools: add fdtsig.sh Date: Mon, 20 Dec 2021 14:02:52 +0900 Message-Id: <20211220050253.31163-12-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org> References: <20211220050253.31163-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.38 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean With this script, a public key is added to a device tree blob as the default efi_get_public_key_data() expects. Signed-off-by: AKASHI Takahiro --- MAINTAINERS | 1 + tools/fdtsig.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100755 tools/fdtsig.sh diff --git a/MAINTAINERS b/MAINTAINERS index 93ef5e297acc..e7cca02eac9b 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -743,6 +743,7 @@ F: cmd/bootefi.c F: cmd/efidebug.c F: cmd/nvedit_efi.c F: tools/efivar.py +F: tools/fdtsig.sh F: tools/file2include.c F: tools/mkeficapsule.c diff --git a/tools/fdtsig.sh b/tools/fdtsig.sh new file mode 100755 index 000000000000..c2b2a6dc5ec8 --- /dev/null +++ b/tools/fdtsig.sh 
@@ -0,0 +1,40 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# +# script to add a certificate (efi-signature-list) to dtb blob + +usage() { + if [ -n "$*" ]; then + echo "ERROR: $*" + fi + echo "Usage: "$(basename $0) " " +} + +if [ "$#" -ne 2 ]; then + usage "Arguments missing" + exit 1 +fi + +ESL=$1 +DTB=$2 +NEW_DTB=$(basename $DTB)_tmp +SIG=signature + +cat << 'EOF' > $SIG.dts +/dts-v1/; +/plugin/; + +&{/} { + signature { +EOF +echo "capsule-key = /incbin/(\"$ESL\");" >> $SIG.dts +cat << 'EOF' >> $SIG.dts + }; +}; +EOF + +dtc -@ -I dts -O dtb -o $SIG.dtbo $SIG.dts +fdtoverlay -i $DTB -o $NEW_DTB $SIG.dtbo +mv $NEW_DTB $DTB + +rm $SIG.dts $SIG.dtsn $SIG.dtbo From patchwork Mon Dec 20 05:02:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 526051 Delivered-To: patch@linaro.org Received: by 2002:a05:6e04:2287:0:0:0:0 with SMTP id bl7csp3768985imb; Sun, 19 Dec 2021 21:05:59 -0800 (PST) X-Google-Smtp-Source: ABdhPJxhvFAXU3IsFbTbhHapTJkLLIBWKmyw2m868N6O7aIp8iFvF8emXqa1m+/maf3xa3Njg1sB X-Received: by 2002:a17:907:76a1:: with SMTP id jw1mr11697461ejc.688.1639976758969; Sun, 19 Dec 2021 21:05:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1639976758; cv=none; d=google.com; s=arc-20160816; b=NbZpZYX42R8qoXcDQk8lPE6bmEpN0+L2YHRMxmRr+/NnP0H8wcdcNGjr7+M3XJepR4 nEPU0aVffIcV+a3xZoD7ee75zbKiapIX5XbacwULYy//NMvbFuj5uq484DQ2XSh57U2Z ueIR5dSX1HJU/xrHMjDl4j1g2DOGFP3FHzYnenzqqX2+DJ0uiY1ZdWlyGkfC6Dw0carC ee73Os6Nda5HfovGwTxLdMHDKsDRrJ0g+NKq/sLax2qXhRwdUbNK5jbKXn9Vy/QcRvDr ffh3khduQ9+2CGmetZVLqznu2cUUkab4db7mmtjr3cB1eTtxtYyaEJ3g8BkPGLZvbLkg a8+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; 
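Review bot: the cleanup line `rm $SIG.dts $SIG.dtsn $SIG.dtbo` names a file the script never creates (`signature.dtsn`), so `rm` always reports an error and its non-zero status becomes the script's exit status, which is what any caller (including a make rule) will see even when the overlay succeeded; drop `$SIG.dtsn`, and add `set -e` near the top so a failing `dtc` or `fdtoverlay` stops the script before `mv $NEW_DTB $DTB` overwrites the original dtb. The usage line `echo "Usage: "$(basename $0) " "` appears to have lost its argument placeholders in this rendering; whatever they are, put them inside the quoted string, and quote `$ESL`, `$DTB` and `$NEW_DTB` throughout, since a path containing a space breaks both the `/incbin/(\"$ESL\")` line and the `fdtoverlay` arguments. The temporaries (`signature.dts`, `signature.dtbo`, `$(basename $DTB)_tmp`) are fixed names written to the current directory rather than next to the dtb, which collides when two builds share a working directory; `mktemp -d` avoids that. Finally, because `efi_get_public_key_data()` reads the key from this `signature` node, the dtb is now the root of trust for capsule authentication; the header comment should say that the dtb must itself be covered by the platform's boot-image verification, otherwise anyone who can rewrite the dtb can swap the key.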
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v8 12/12] (RFC) efi_loader, dts: add public keys for capsules to device tree
Date: Mon, 20 Dec 2021 14:02:53 +0900
Message-Id: <20211220050253.31163-13-takahiro.akashi@linaro.org>
In-Reply-To: <20211220050253.31163-1-takahiro.akashi@linaro.org>
References: <20211220050253.31163-1-takahiro.akashi@linaro.org>

By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will automatically insert the given key into the device tree. Otherwise, users are required to do so manually, possibly, with the utility script, fdtsig.sh.

Signed-off-by: AKASHI Takahiro
---
 doc/develop/uefi/uefi.rst |  4 ++++
 dts/Makefile              | 23 +++++++++++++++++++++--
 lib/efi_loader/Kconfig    |  7 +++++++
 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated and used by the steps highlighted below. @@ -392,6 +393,9 @@ and used by the steps highlighted below. }; }; + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will + take care of it for you. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep) +quiet_cmd_fdtsig = FDTSIG $@ + cmd_fdtsig = \ + cat $< > $@; \ + $(srctree)/tools/fdtsig.sh \ + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ + +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) +DTB_ov := $(obj)/dt.dtb_ov + +$(obj)/dt.dtb_ov: $(DTB) FORCE + $(call if_changed,fdtsig) +else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif + ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 700dc838ddb9..8c8d14d46433 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_CAPSULE_KEY_PATH + string "Path to .esl cert for capsule authentication" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provide the EFI signature list (esl) certificate used for capsule + authentication + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
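Review bot: in the doc/develop/uefi/uefi.rst hunks, the added config line reads `CONFIG_EFI_CAPSULE_KEY_PATH=` with nothing after the `=` (a placeholder value may have been lost in this rendering); show that the value is the path to the .esl file. The second added sentence, `the build process will take care of it for you`, should say what "it" is: inserting the key into the control dtb at build time in place of the manual `signature` node step shown just above, and that leaving the option empty keeps the manual flow, which is what the `ifneq` in dts/Makefile implements.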
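Review bot: in the dts/Makefile hunk, `$(obj)/dt.dtb_ov: $(DTB) FORCE` lists neither the key file nor `$(srctree)/tools/fdtsig.sh` as prerequisites, and `if_changed` only re-runs when the command line or a non-FORCE prerequisite changes; the command line embeds the path, not the file's contents, so editing the .esl does not rebuild dt.dtb_ov and a stale public key is silently built into the image. Add `$(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH))` and the script to the prerequisite list, and consider an explicit error when the path is set but the file is missing. Note also that, as tools/fdtsig.sh stands in patch 11, its final `rm` exits non-zero, and because the script is the last command in `cmd_fdtsig` this rule fails on every build with the option set. Minor: `DTB_ov := $(DTB)` appears in both the inner and the outer `else`; one condition on both symbols halves the `ifeq` nesting.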
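Review bot: in the lib/efi_loader/Kconfig hunk, the help text for EFI_CAPSULE_KEY_PATH does not say what is done with the file or what an empty value means, and the sentence has no terminating period. Suggested wording: "Path to the EFI signature list (.esl) holding the public key used for capsule authentication. When set, the build inserts it into the control device tree via tools/fdtsig.sh; when empty, the key must be added manually as described in doc/develop/uefi/uefi.rst."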