From patchwork Thu Nov 26 18:40:57 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 333038
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 01/14] qemu: arm: Use the generated DTB only when CONFIG_OF_BOARD is defined
Date: Fri, 27 Nov 2020 00:10:57 +0530
Message-Id: <20201126184110.30521-2-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>
List-Id: U-Boot discussion

The Qemu platform emulator generates a device tree blob and places it at the start of the dram, which is then used by u-boot. Use this dtb only if CONFIG_OF_BOARD is defined. This allows using a different device tree, using the CONFIG_OF_SEPARATE option. This dtb is attached to the u-boot binary as a u-boot-fdt.bin file.

Signed-off-by: Sughosh Ganu
---
 board/emulation/qemu-arm/qemu-arm.c | 2 ++
 1 file changed, 2 insertions(+)

--
2.17.1

diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index f18f2ed7da..e146d1cc50 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c
@@ -89,11 +89,13 @@ int dram_init_banksize(void) return 0; } +#if defined(CONFIG_OF_BOARD) void *board_fdt_blob_setup(void) { /* QEMU loads a generated DTB for us at the start of RAM. */ return (void *)CONFIG_SYS_SDRAM_BASE; } +#endif void enable_caches(void) {

From patchwork Thu Nov 26 18:40:58 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 333039
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 02/14] mkeficapsule: Add support for embedding public key in a dtb
Date: Fri, 27 Nov 2020 00:10:58 +0530
Message-Id: <20201126184110.30521-3-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Add options for embedding the public key esl (efi signature list) file to the platform's dtb. The esl file is then retrieved and used for authenticating the capsule to be used for updating firmware components on the platform.

The esl file can now be embedded in the dtb by invoking the following command
mkeficapsule -K -D

This will create a node named 'signature' in the dtb, and the esl file will be stored as 'capsule-key'

Signed-off-by: Sughosh Ganu
---
 tools/Makefile       |   1 +
 tools/mkeficapsule.c | 198 ++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 186 insertions(+), 13 deletions(-)

--
2.17.1

diff --git a/tools/Makefile b/tools/Makefile index 66d9376803..6d7b48fb57 100644 --- a/tools/Makefile +++ b/tools/Makefile
@@ -218,6 +218,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include +mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 45e27d74a5..ce05da12d6 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -4,16 +4,22 @@ * Author: AKASHI Takahiro */ +#include #include #include #include #include #include #include +#include #include + +#include #include #include +#include "fdt_host.h" + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; @@ -23,6 +29,8 @@ typedef __s32 s32; #define aligned_u64 __aligned_u64 +#define SIGNATURE_NODENAME "signature" + #ifndef __packed #define __packed __attribute__((packed)) #endif @@ -43,6 +51,8 @@ static struct option options[] = { {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, + {"dtb", required_argument, NULL, 'D'}, + {"public key", required_argument, NULL, 'K'}, {"version", required_argument, NULL, 'v'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, 
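Review bot: The long option added to the `options[]` table is spelled `"public key"` with a space, while the usage text in print_usage() advertises `--public-key`; getopt_long() compares the long name literally, so the documented `--public-key` spelling will not be recognised. Rename the entry to `"public-key"` so the option table and the help text agree.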
@@ -52,15 +62,154 @@ static void print_usage(void) { printf("Usage: %s [options] \n" "Options:\n" - "\t--fit new FIT image file\n" - "\t--raw new raw image file\n" - "\t--index update image index\n" - "\t--instance update hardware instance\n" - "\t--version firmware version\n" - "\t--help print a help message\n", + "\t--fit new FIT image file\n" + "\t--raw new raw image file\n" + "\t--index update image index\n" + "\t--instance update hardware instance\n" + "\t--version firmware version\n" + "\t--public-key public key esl file\n" + "\t--dtb dtb file\n" + "\t--help print a help message\n", tool_name); } +static int fdt_add_pub_key_data(void *sptr, void *dptr, size_t key_size) +{ + int parent; + int ret = 0; + + parent = fdt_subnode_offset(dptr, 0, SIGNATURE_NODENAME); + if (parent == -FDT_ERR_NOTFOUND) { + parent = fdt_add_subnode(dptr, 0, SIGNATURE_NODENAME); + if (parent < 0) { + ret = parent; + if (ret != -FDT_ERR_NOSPACE) { + fprintf(stderr, + "Couldn't create signature node: %s\n", + fdt_strerror(parent)); + } + } + } + if (ret) + goto done; + + /* Write the key to the FDT node */ + ret = fdt_setprop(dptr, parent, "capsule-key", + sptr, key_size); + +done: + if (ret) + ret = ret == -FDT_ERR_NOSPACE ? 
-ENOSPC : -EIO; + + return ret; +} + +static int add_public_key(const char *pkey_file, const char *dtb_file) +{ + int ret; + int srcfd = 0; + int destfd = 0; + void *sptr = NULL; + void *dptr = NULL; + off_t src_size; + struct stat pub_key; + struct stat dtb; + + /* Find out the size of the public key */ + srcfd = open(pkey_file, O_RDONLY); + if (srcfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + ret = fstat(srcfd, &pub_key); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + src_size = pub_key.st_size; + + /* mmap the public key esl file */ + sptr = mmap(0, src_size, PROT_READ, MAP_SHARED, srcfd, 0); + if ((sptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + /* Open the dest FDT */ + destfd = open(dtb_file, O_RDWR); + if (destfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + ret = fstat(destfd, &dtb); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + dtb.st_size += src_size; + if (ftruncate(destfd, dtb.st_size)) { + fprintf(stderr, "%s: Can't expand %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err;; + } + + errno = 0; + /* mmap the dtb file */ + dptr = mmap(0, dtb.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, + destfd, 0); + if ((dptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + if (fdt_check_header(dptr)) { + fprintf(stderr, "%s: Invalid FDT header\n", __func__); + goto err; + } + + ret = fdt_open_into(dptr, dptr, dtb.st_size); + if (ret) { + fprintf(stderr, "%s: Cannot expand FDT: %s\n", + __func__, fdt_strerror(ret)); + goto err; + } + + /* Copy the esl file to the expanded FDT */ 
+ ret = fdt_add_pub_key_data(sptr, dptr, src_size); + if (ret < 0) { + fprintf(stderr, "%s: Unable to add public key to the FDT\n", + __func__); + goto err; + } + + return 0; + +err: + if (sptr) + munmap(sptr, src_size); + + if (dptr) + munmap(dptr, dtb.st_size); + + if (srcfd >= 0) + close(srcfd); + + if (destfd >= 0) + close(destfd); + + return -1; +} + static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long version, unsigned long index, unsigned long instance) @@ -171,17 +320,22 @@ err_1: int main(int argc, char **argv) { char *file; + char *pkey_file; + char *dtb_file; efi_guid_t *guid; unsigned long index, instance, version; int c, idx; + int ret; file = NULL; + pkey_file = NULL; + dtb_file = NULL; guid = NULL; index = 0; instance = 0; version = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, "f:r:i:I:v:D:K:h", options, &idx); if (c == -1) break; 
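Review bot: In add_public_key(), `srcfd` and `destfd` start at 0 and the `err:` path closes anything `>= 0`, so a failure before `destfd` is opened ends up calling close(0); initialise both to -1. In the same function a failed mmap() leaves `sptr`/`dptr` equal to MAP_FAILED, which passes the `if (sptr)` / `if (dptr)` tests and is handed to munmap(), and the first mmap() is followed by an `errno != 0` test with no preceding `errno = 0`, so a stale errno can reject a successful mapping. The success path also returns 0 without munmap() or close(), and the dtb is grown with ftruncate() before fdt_check_header() has validated it, so a file that is not a valid FDT is still modified; consider validating the header before resizing and sharing one cleanup path for success and failure.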
@@ -211,22 +365,40 @@ int main(int argc, char **argv) case 'v': version = strtoul(optarg, NULL, 0); break; + case 'K': + if (pkey_file) { + printf("Public Key already specified\n"); + return -1; + } + pkey_file = optarg; + break; + case 'D': + if (dtb_file) { + printf("DTB file already specified\n"); + return -1; + } + dtb_file = optarg; + break; case 'h': print_usage(); return 0; } } - /* need a output file */ - if (argc != optind + 1) { + /* need a fit image file or raw image file */ + if (!file && !pkey_file && !dtb_file) { print_usage(); return -1; } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - return -1; + if (pkey_file && dtb_file) { + ret = add_public_key(pkey_file, dtb_file); + if (ret == -1) { + printf("Adding public key to the dtb failed\n"); + return -1; + } else { + return 0; + } } if (create_fwbin(argv[optind], file, guid, version, index, instance)

From patchwork Thu Nov 26 18:40:59 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 333040
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 03/14] qemu: arm: Scan the pci bus in board_init
Date: Fri, 27 Nov 2020 00:10:59 +0530
Message-Id: <20201126184110.30521-4-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Scan the pci bus in board_init routine before scanning the virtio devices. This enumerates all the virtio devices, including devices found on the pci bus.

Signed-off-by: Sughosh Ganu
---
 board/emulation/qemu-arm/qemu-arm.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--
2.17.1

diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index e146d1cc50..b3d5b3d5c2 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c
@@ -65,6 +65,14 @@ struct mm_region *mem_map = qemu_arm64_mem_map; int board_init(void) { + + /* + * Scan the pci bus before calling virtio_init. This + * enumerates all virtio devices, including devices + * on the pci bus. + */ + pci_init(); + /* * Make sure virtio bus is enumerated so that peripherals * on the virtio bus can be discovered by their drivers

From patchwork Thu Nov 26 18:41:00 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 333041
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 04/14] crypto: Fix the logic to calculate hash with authattributes set
Date: Fri, 27 Nov 2020 00:11:00 +0530
Message-Id: <20201126184110.30521-5-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

RFC 2315 Section 9.3 describes the message digesting process. The digest calculated depends on whether the authenticated attributes are present. In case of a scenario where the authenticated attributes are present, the message digest that gets signed and is part of the pkcs7 message is computed from the auth attributes rather than the contents field.

Check if the auth attributes are present, and if set, use the auth attributes to compute the hash that would be compared with the encrypted hash on the pkcs7 message.

Signed-off-by: Sughosh Ganu
---
 lib/crypto/pkcs7_verify.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

--
2.17.1

diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 320ba49f79..58683ef614 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c
@@ -50,8 +50,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, struct image_region regions[2]; int ret = 0; - /* The digest was calculated already. */ - if (sig->digest) + /* + * [RFC2315 9.3] + * If the authenticated attributes are present, + * the message-digest is calculated on the + * attributes present in the + * authenticatedAttributes field and not just + * the contents field + */ + if (!sinfo->authattrs && sig->digest) return 0; if (!sinfo->sig->hash_algo) 
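Review bot: With the early return now conditioned on `!sinfo->authattrs`, a signer that has authenticated attributes and an already populated `sig->digest` falls through to the rest of pkcs7_digest(), where the following hunk does `sig->digest = calloc(1, sig->digest_size)` whenever `pkcs7->data` is set, overwriting the existing buffer without freeing it. Either skip the allocation when `sig->digest` is already set or free the old buffer first, and say in the new comment which of the two digests (caller-supplied or recomputed) is expected to reach the authattrs comparison.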
@@ -63,17 +70,25 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, else return -ENOPKG; - sig->digest = calloc(1, sig->digest_size); - if (!sig->digest) { - pr_warn("Sig %u: Out of memory\n", sinfo->index); - return -ENOMEM; - } + /* + * Calculate the hash only if the data is present. + * In case of authenticated variable and capsule, + * the hash has already been calculated on the + * efi_image_regions and populated + */ + if (pkcs7->data) { + sig->digest = calloc(1, sig->digest_size); + if (!sig->digest) { + pr_warn("Sig %u: Out of memory\n", sinfo->index); + return -ENOMEM; + } - regions[0].data = pkcs7->data; - regions[0].size = pkcs7->data_len; + regions[0].data = pkcs7->data; + regions[0].size = pkcs7->data_len; - /* Digest the message [RFC2315 9.3] */ - hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + /* Digest the message [RFC2315 9.3] */ + hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + } /* However, if there are authenticated attributes, there must be a * message digest attribute amongst them which corresponds to the From patchwork Thu Nov 26 18:41:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 333042 Delivered-To: patch@linaro.org Received: by 2002:a92:5e16:0:0:0:0:0 with SMTP id s22csp1542888ilb; Thu, 26 Nov 2020 10:43:02 -0800 (PST) X-Google-Smtp-Source: ABdhPJwXrcaQ+rvu0CLXIe5VQrHpUdkTb+5qhY1D4YxjbC0kwnnQAUZVvWro/FJ6sWHqFbjvHC+p X-Received: by 2002:a17:906:7e43:: with SMTP id z3mr3889864ejr.67.1606416182027; Thu, 26 Nov 2020 10:43:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606416182; cv=none; d=google.com; s=arc-20160816; b=0cCFdGRo4NOMu/yFv5w0o/KmmyGNKjN1L+xnp7HRe2/x+JbXVfsfVe5DV+lg7p1pwZ UcUQbiESbBIHRzVDpiOGm4KyQxCoVqgQgdSc17DYtOAdxYw/RLYWyj0y0DzcKzSqL+Pp +nSh/eHnlnqCmo763VQklti9FVdGSjnFUNi4OSbbG5d/eyBrDxdlzjhxvEtnztXUp5Yl 9ijN85xEF3LyTxCEdiiLxF5awetwYgGLfaHdQl6etmU2F1ffuO9UslNiFrNMXYzKT0hl 
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 05/14] qemu: arm64: Add support for dynamic mtdparts for the platform
Date: Fri, 27 Nov 2020 00:11:01 +0530
Message-Id: <20201126184110.30521-6-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Add support for setting the default values for mtd partitions on the platform for the nor flash. This would be used for updating the firmware image using uefi capsule update with the dfu mtd backend driver.

Signed-off-by: Sughosh Ganu
---
 board/emulation/qemu-arm/qemu-arm.c | 70 +++++++++++++++++++++++++++++
 include/configs/qemu-arm.h | 7 +++
 2 files changed, 77 insertions(+)
-- 2.17.1

diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index b3d5b3d5c2..d5ed3eebaf 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c
@@ -197,3 +197,73 @@ void flash_write32(u32 value, void *addr) { asm("str %" __W "1, %0" : "=m"(*(u32 *)addr) : "r"(value)); } + +#if defined(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) + +#include + +static void board_get_mtdparts(const char *dev, const char *partition, + char *mtdids, char *mtdparts) +{ + /* mtdids: "=, ...." */ + if (mtdids[0] != '\0') + strcat(mtdids, ","); + strcat(mtdids, dev); + strcat(mtdids, "="); + strcat(mtdids, dev); + + /* mtdparts: "mtdparts=:>;..." */ + if (mtdparts[0] != '\0') + strncat(mtdparts, ";", MTDPARTS_LEN); + else + strcat(mtdparts, "mtdparts="); + + strncat(mtdparts, dev, MTDPARTS_LEN); + strncat(mtdparts, ":", MTDPARTS_LEN); + strncat(mtdparts, partition, MTDPARTS_LEN); +} + +void board_mtdparts_default(const char **mtdids, const char **mtdparts) +{ + struct mtd_info *mtd; + struct udevice *dev; + const char *mtd_partition; + static char parts[3 * MTDPARTS_LEN + 1]; + static char ids[MTDIDS_LEN + 1]; + static bool mtd_initialized; + + if (mtd_initialized) { + *mtdids = ids; + *mtdparts = parts; + return; + } + + memset(parts, 0, sizeof(parts)); + memset(ids, 0, sizeof(ids)); + + /* probe all MTD devices */ + for (uclass_first_device(UCLASS_MTD, &dev); dev; + uclass_next_device(&dev)) { + debug("mtd device = %s\n", dev->name); + } + + mtd = get_mtd_device_nm("nor0"); + if (!IS_ERR_OR_NULL(mtd)) { + mtd_partition = MTDPARTS_NOR0; + board_get_mtdparts("nor0", mtd_partition, ids, parts); + put_mtd_device(mtd); + } + + mtd = get_mtd_device_nm("nor1"); + if (!IS_ERR_OR_NULL(mtd)) { + mtd_partition = MTDPARTS_NOR1; + board_get_mtdparts("nor1", mtd_partition, ids, parts); + put_mtd_device(mtd); + } + + mtd_initialized = true; + *mtdids = ids; + *mtdparts = parts; + debug("%s:mtdids=%s & mtdparts=%s\n", __func__, ids, parts); +} +#endif /* CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT */ diff --git a/include/configs/qemu-arm.h b/include/configs/qemu-arm.h index 273fa1a7d7..69ff329434 100644 --- a/include/configs/qemu-arm.h 
+++ b/include/configs/qemu-arm.h 
@@ -32,6 +32,13 @@ #include +#if defined(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) +#define CONFIG_SYS_MTDPARTS_RUNTIME +#endif + +#define MTDPARTS_NOR0 "64m(u-boot)\0" +#define MTDPARTS_NOR1 "64m(u-boot-env)\0" + #define CONFIG_EXTRA_ENV_SETTINGS \ "fdt_high=0xffffffff\0" \ "initrd_high=0xffffffff\0" \
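Review bot: In board_get_mtdparts() in board/emulation/qemu-arm/qemu-arm.c, the mtdids string is built with plain strcat() and the mtdparts string with strncat(..., MTDPARTS_LEN), and neither bounds the result. The third argument of strncat() is the maximum number of characters to append, not the size of the destination, so passing MTDPARTS_LEN on every call does not keep `parts` within its declared size, and `ids[MTDIDS_LEN + 1]` has no limit at all. Suggest passing the destination sizes into the helper, building both strings with snprintf() against the remaining space, and returning an error on truncation. MTDPARTS_LEN and MTDIDS_LEN are also used here but only added as #defines in 06/14, so unless a header already provides them this patch does not build on its own; the definitions belong in this patch.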
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 06/14] qemu: arm64: Set dfu_alt_info variable for the platform
Date: Fri, 27 Nov 2020 00:11:02 +0530
Message-Id: <20201126184110.30521-7-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

The dfu framework uses the dfu_alt_info environment variable to get information that is needed for performing the firmware update. Set the dfu_alt_info for the platform to reflect the two mtd partitions created for the u-boot env and the firmware image.

Signed-off-by: Sughosh Ganu
---
 board/emulation/qemu-arm/qemu-arm.c | 55 +++++++++++++++++++++++++++++
 include/configs/qemu-arm.h | 1 +
 2 files changed, 56 insertions(+)
-- 2.17.1

diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index d5ed3eebaf..8cad54c76f 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c
@@ -200,8 +200,63 @@ void flash_write32(u32 value, void *addr) #if defined(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) +#include #include +#define MTDPARTS_LEN 256 +#define MTDIDS_LEN 128 + +#define DFU_ALT_BUF_LEN SZ_1K + +static void board_get_alt_info(struct mtd_info *mtd, char *buf) +{ + struct mtd_info *part; + bool first = true; + const char *name; + int len, partnum = 0; + + name = mtd->name; + len = strlen(buf); + + if (buf[0] != '\0') + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "&"); + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, + "mtd %s=", name); + + list_for_each_entry(part, &mtd->partitions, node) { + partnum++; + if (!first) + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ";"); + first = false; + + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, + "%s part %d", + part->name, partnum); + } +} + +void set_dfu_alt_info(char *interface, char *devstr) +{ + struct mtd_info *mtd; + + ALLOC_CACHE_ALIGN_BUFFER(char, buf, DFU_ALT_BUF_LEN); + + if (env_get("dfu_alt_info")) + return; + + memset(buf, 0, sizeof(buf)); + + /* probe all MTD devices */ + mtd_probe_devices(); + + mtd = get_mtd_device_nm("nor0"); + if (!IS_ERR_OR_NULL(mtd)) + board_get_alt_info(mtd, buf); + + env_set("dfu_alt_info", buf); + printf("dfu_alt_info set\n"); +} + static void board_get_mtdparts(const char *dev, const char *partition, char *mtdids, char *mtdparts) { diff --git a/include/configs/qemu-arm.h b/include/configs/qemu-arm.h index 69ff329434..726f985d35 100644 --- a/include/configs/qemu-arm.h +++ b/include/configs/qemu-arm.h 
@@ -33,6 +33,7 @@ #include #if defined(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) +#define CONFIG_SET_DFU_ALT_INFO #define CONFIG_SYS_MTDPARTS_RUNTIME #endif
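Review bot: board_get_alt_info() in board/emulation/qemu-arm/qemu-arm.c accumulates `len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ...)` without checking for truncation. snprintf() returns the length that would have been written, so once the output is cut off len exceeds DFU_ALT_BUF_LEN, `DFU_ALT_BUF_LEN - len` goes negative and is converted to a very large size, and the next call writes past the end of the buffer allocated in set_dfu_alt_info(). Suggest stopping and reporting an error as soon as a return value is greater than or equal to the remaining space, and passing the buffer size in as a parameter rather than relying on DFU_ALT_BUF_LEN matching the caller. Separately, set_dfu_alt_info() takes a reference with get_mtd_device_nm("nor0") but never calls put_mtd_device(), unlike board_mtdparts_default() from 05/14, and the unconditional printf("dfu_alt_info set\n") would be better as debug().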
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 07/14] efi_loader: Add config option to indicate fmp header presence
Date: Fri, 27 Nov 2020 00:11:03 +0530
Message-Id: <20201126184110.30521-8-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

When building the capsule using scripts in edk2, an fmp header is added on top of the binary payload. Add a config option to indicate the presence of the header. When enabled, the pointer to the image needs to be adjusted as per the size of the header to point to the actual binary payload.

Signed-off-by: Sughosh Ganu
---
 lib/efi_loader/Kconfig | 7 +++++++
 lib/efi_loader/efi_firmware.c | 12 ++++++++++++
 2 files changed, 19 insertions(+)
-- 2.17.1

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 0d1b1b5356..55e4787e32 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -138,6 +138,13 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT Select this option if you want to enable capsule-based firmware update using Firmware Management Protocol. +config EFI_CAPSULE_FMP_HEADER + bool "Capsule uses FMP header" + depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT + help + Select this option if the capsule is built using the + scripts in edk2. + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
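Review bot: The help text for EFI_CAPSULE_FMP_HEADER only says when to select the option, not what it does. Enabling it changes how the payload is located (the efi_firmware.c hunk of this patch skips 0x10 bytes of the image before writing), so the help should say that a header of that size is assumed and skipped, and what happens when the option is set for a capsule that has no such header, because a mismatch changes which bytes are written to flash without any diagnostic.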
diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 7e56077383..6c97604d8b 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c 
@@ -385,10 +385,22 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( if (!image) return EFI_EXIT(EFI_INVALID_PARAMETER); + if (CONFIG_IS_ENABLED(EFI_CAPSULE_FMP_HEADER)) { + /* + * When building the capsule with the scripts in + * edk2, a FMP header is inserted above the capsule + * payload. Compensate for this header to get the + * actual payload that is to be updated. + */ + image += 0x10; + image_size -= 0x10; + } + if (dfu_write_by_alt(image_index - 1, (void *)image, image_size, NULL, NULL)) return EFI_EXIT(EFI_DEVICE_ERROR); + printf("%s: Capsule update complete!\n", __func__); return EFI_EXIT(EFI_SUCCESS); }
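Review bot: `image += 0x10; image_size -= 0x10;` in efi_firmware_raw_set_image() runs with no check that image_size is at least 0x10, so a short image makes image_size underflow (it wraps if the type is unsigned) and a bogus length is handed to dfu_write_by_alt(). Suggest rejecting image_size <= 0x10 with EFI_INVALID_PARAMETER before adjusting, replacing the magic 0x10 with a named struct or constant for the FMP header, and validating that the header is really present: the skip is selected at build time only, so a capsule built without the edk2 scripts loses its first 16 bytes. The new printf() on success should be debug-level output rather than an unconditional print.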
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 08/14] dfu_mtd: Add provision to unlock mtd device
Date: Fri, 27 Nov 2020 00:11:04 +0530
Message-Id: <20201126184110.30521-9-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Prior to writing to an mtd device, mtd_erase is called. This call fails in case the sector being erased is locked. Call mtd_unlock to unlock the region which is to be erased and later written to. Lock the region once the write to the region has completed.

Signed-off-by: Sughosh Ganu
---
 drivers/dfu/dfu_mtd.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
-- 2.17.1

diff --git a/drivers/dfu/dfu_mtd.c b/drivers/dfu/dfu_mtd.c index 36cd4e945b..b34975dbb0 100644 --- a/drivers/dfu/dfu_mtd.c +++ b/drivers/dfu/dfu_mtd.c
@@ -21,7 +21,7 @@ static bool mtd_is_aligned_with_block_size(struct mtd_info *mtd, u64 size) static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, u64 offset, void *buf, long *len) { - u64 off, lim, remaining; + u64 off, lim, remaining, lock_ofs, lock_len; struct mtd_info *mtd = dfu->data.mtd.info; struct mtd_oob_ops io_op = {}; int ret = 0; @@ -34,7 +34,7 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, return 0; } - off = dfu->data.mtd.start + offset + dfu->bad_skip; + off = lock_ofs = dfu->data.mtd.start + offset + dfu->bad_skip; lim = dfu->data.mtd.start + dfu->data.mtd.size; if (off >= lim) { @@ -56,12 +56,19 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, if (op == DFU_OP_WRITE) { struct erase_info erase_op = {}; - remaining = round_up(*len, mtd->erasesize); + remaining = lock_len = round_up(*len, mtd->erasesize); erase_op.mtd = mtd; erase_op.addr = off; erase_op.len = mtd->erasesize; erase_op.scrub = 0; + debug("Unlocking the mtd device\n"); + ret = mtd_unlock(mtd, lock_ofs, lock_len); + if (ret && ret != -EOPNOTSUPP) { + printf("MTD device unlock failed\n"); + return 0; + } + while (remaining) { if (erase_op.addr + remaining > lim) { printf("Limit reached 0x%llx while erasing at offset 0x%llx\n", 
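Review bot: In the DFU_OP_WRITE branch the mtd_unlock() failure path prints "MTD device unlock failed" and then does `return 0`, which reports success to the caller even though nothing was erased or written; return ret there. The unlock also has to be paired with the mtd_lock() added at the end of the function on every exit: if error branches in the erase loop, such as the "Limit reached" check visible in the context, return directly, the region stays unlocked after a failed update. Suggest routing error exits through a common label that re-locks the range.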
@@ -139,6 +146,13 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, io_op.len = mtd->writesize; } + if (op == DFU_OP_WRITE) { + /* Write done, lock again */ + debug("Locking the mtd device\n"); + ret = mtd_lock(mtd, lock_ofs, lock_len); + if (ret && ret != -EOPNOTSUPP) + printf("MTD device lock failed\n"); + } return ret; }
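Review bot: The re-lock block stores the result of mtd_lock() in ret and the function then does `return ret`, so the status of the write is overwritten. On a device without lock support the function now returns -EOPNOTSUPP after a successful write, and if a write error reaches this point a successful lock turns it into 0. Use a separate variable for the lock result, keep the write status as the primary return value, and decide explicitly whether a failed re-lock should fail the update. A blank line before `return ret;` would also match the surrounding style.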
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 09/14] efi_loader: Make the pkcs7 header parsing function an extern
Date: Fri, 27 Nov 2020 00:11:05 +0530
Message-Id: <20201126184110.30521-10-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

The pkcs7 header parsing functionality is pretty generic, and can be used by other features like capsule authentication. Make the function an extern, also changing its name to efi_parse_pkcs7_header

Signed-off-by: Sughosh Ganu
---
 include/efi_loader.h | 4 ++
 lib/efi_loader/efi_signature.c | 85 +++++++++++++++++++++++++++++++
 lib/efi_loader/efi_variable.c | 93 ++--------------------------------
 3 files changed, 93 insertions(+), 89 deletions(-)
-- 2.17.1

diff --git a/include/efi_loader.h b/include/efi_loader.h index 76cd2b36f2..b9226208f5 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h
@@ -810,6 +810,10 @@ bool efi_secure_boot_enabled(void); bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, + size_t buflen, + u8 **tmpbuf); + /* runtime implementation of memcpy() */ void efi_memcpy_runtime(void *dest, const void *src, size_t n); diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 79dee27421..9ab071b611 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -27,6 +27,91 @@ const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_EFI_SECURE_BOOT +static u8 pkcs7_hdr[] = { + /* SEQUENCE */ + 0x30, 0x82, 0x05, 0xc7, + /* OID: pkcs7-signedData */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, + /* Context Structured? */ + 0xa0, 0x82, 0x05, 0xb8, +}; + +/** + * efi_parse_pkcs7_header - parse a signature in payload + * @buf: Pointer to payload's value + * @buflen: Length of @buf + * @tmpbuf: Pointer to temporary buffer + * + * Parse a signature embedded in payload's value and instantiate + * a pkcs7_message structure. Since pkcs7_parse_message() accepts only + * pkcs7's signedData, some header needed be prepended for correctly + * parsing authentication data + * A temporary buffer will be allocated if needed, and it should be + * kept valid during the authentication because some data in the buffer + * will be referenced by efi_signature_verify(). + * + * Return: Pointer to pkcs7_message structure on success, NULL on error + */ +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, + size_t buflen, + u8 **tmpbuf) +{ + u8 *ebuf; + size_t ebuflen, len; + struct pkcs7_message *msg; + + /* + * This is the best assumption to check if the binary is + * already in a form of pkcs7's signedData. + */ + if (buflen > sizeof(pkcs7_hdr) && + !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { + msg = pkcs7_parse_message(buf, buflen); + if (IS_ERR(msg)) + return NULL; + return msg; + } + + /* + * Otherwise, we should add a dummy prefix sequence for pkcs7 + * message parser to be able to process. + * NOTE: EDK2 also uses similar hack in WrapPkcs7Data() + * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c + * TODO: + * The header should be composed in a more refined manner. 
+ */ + EFI_PRINT("Makeshift prefix added to authentication data\n"); + ebuflen = sizeof(pkcs7_hdr) + buflen; + if (ebuflen <= 0x7f) { + EFI_PRINT("Data is too short\n"); + return NULL; + } + + ebuf = malloc(ebuflen); + if (!ebuf) { + EFI_PRINT("Out of memory\n"); + return NULL; + } + + memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr)); + memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen); + len = ebuflen - 4; + ebuf[2] = (len >> 8) & 0xff; + ebuf[3] = len & 0xff; + len = ebuflen - 0x13; + ebuf[0x11] = (len >> 8) & 0xff; + ebuf[0x12] = len & 0xff; + + msg = pkcs7_parse_message(ebuf, ebuflen); + + if (IS_ERR(msg)) { + free(ebuf); + return NULL; + } + + *tmpbuf = ebuf; + return msg; +} /** * efi_hash_regions - calculate a hash value diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 0c689cfb47..ba0874e9e7 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c 
@@ -24,91 +24,6 @@ #include #ifdef CONFIG_EFI_SECURE_BOOT -static u8 pkcs7_hdr[] = { - /* SEQUENCE */ - 0x30, 0x82, 0x05, 0xc7, - /* OID: pkcs7-signedData */ - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, - /* Context Structured? */ - 0xa0, 0x82, 0x05, 0xb8, -}; - -/** - * efi_variable_parse_signature - parse a signature in variable - * @buf: Pointer to variable's value - * @buflen: Length of @buf - * @tmpbuf: Pointer to temporary buffer - * - * Parse a signature embedded in variable's value and instantiate - * a pkcs7_message structure. Since pkcs7_parse_message() accepts only - * pkcs7's signedData, some header needed be prepended for correctly - * parsing authentication data, particularly for variable's. - * A temporary buffer will be allocated if needed, and it should be - * kept valid during the authentication because some data in the buffer - * will be referenced by efi_signature_verify(). - * - * Return: Pointer to pkcs7_message structure on success, NULL on error - */ -static struct pkcs7_message *efi_variable_parse_signature(const void *buf, - size_t buflen, - u8 **tmpbuf) -{ - u8 *ebuf; - size_t ebuflen, len; - struct pkcs7_message *msg; - - /* - * This is the best assumption to check if the binary is - * already in a form of pkcs7's signedData. - */ - if (buflen > sizeof(pkcs7_hdr) && - !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { - msg = pkcs7_parse_message(buf, buflen); - if (IS_ERR(msg)) - return NULL; - return msg; - } - - /* - * Otherwise, we should add a dummy prefix sequence for pkcs7 - * message parser to be able to process. - * NOTE: EDK2 also uses similar hack in WrapPkcs7Data() - * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c - * TODO: - * The header should be composed in a more refined manner. 
- */ - EFI_PRINT("Makeshift prefix added to authentication data\n"); - ebuflen = sizeof(pkcs7_hdr) + buflen; - if (ebuflen <= 0x7f) { - EFI_PRINT("Data is too short\n"); - return NULL; - } - - ebuf = malloc(ebuflen); - if (!ebuf) { - EFI_PRINT("Out of memory\n"); - return NULL; - } - - memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr)); - memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen); - len = ebuflen - 4; - ebuf[2] = (len >> 8) & 0xff; - ebuf[3] = len & 0xff; - len = ebuflen - 0x13; - ebuf[0x11] = (len >> 8) & 0xff; - ebuf[0x12] = len & 0xff; - - msg = pkcs7_parse_message(ebuf, ebuflen); - - if (IS_ERR(msg)) { - free(ebuf); - return NULL; - } - - *tmpbuf = ebuf; - return msg; -} /** * efi_variable_authenticate - authenticate a variable 
@@ -215,10 +130,10 @@ static efi_status_t efi_variable_authenticate(u16 *variable, goto err; /* ebuf should be kept valid during the authentication */ - var_sig = efi_variable_parse_signature(auth->auth_info.cert_data, - auth->auth_info.hdr.dwLength - - sizeof(auth->auth_info), - &ebuf); + var_sig = efi_parse_pkcs7_header(auth->auth_info.cert_data, + auth->auth_info.hdr.dwLength + - sizeof(auth->auth_info), + &ebuf); if (!var_sig) { EFI_PRINT("Parsing variable's signature failed\n"); goto err;
From patchwork Thu Nov 26 18:41:06 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 333047
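Review bot: efi_parse_pkcs7_header() in lib/efi_loader/efi_signature.c (PATCH 09/14) has no upper bound on buflen before it patches the two-byte DER lengths. Only ebuflen <= 0x7f is rejected, so once ebuflen - 4 exceeds 0xffff the stores to ebuf[2], ebuf[3], ebuf[0x11] and ebuf[0x12] silently truncate the length while the full ebuflen is still handed to pkcs7_parse_message(). That was tolerable for a static helper with a single caller; as an extern that will be fed capsule data it should reject oversized input explicitly. The kernel-doc should also state that *tmpbuf is left untouched when the input is already signedData, so callers must initialise it to NULL before the call and free it afterwards.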
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 10/14] efi_loader: Re-factor code to build the signature store from efi signature list
Date: Fri, 27 Nov 2020 00:11:06 +0530
Message-Id: <20201126184110.30521-11-sughosh.ganu@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

The efi_sigstore_parse_sigdb function reads the uefi authenticated variable, stored in the signature database format, and builds the signature store structure. Factor out the code for building the signature store. This can then be used by the capsule authentication routine to build the signature store even when the signature database is not stored as a uefi authenticated variable.

Signed-off-by: Sughosh Ganu
---
 include/efi_loader.h | 2 +
 lib/efi_loader/efi_signature.c | 103 +++++++++++++++++++--------------
 2 files changed, 63 insertions(+), 42 deletions(-)
-- 2.17.1
diff --git a/include/efi_loader.h b/include/efi_loader.h index b9226208f5..8d8a6649b5 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h
@@ -803,6 +803,8 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs, int nocheck); void efi_sigstore_free(struct efi_signature_store *sigstore); +struct efi_signature_store *efi_build_signature_store(void *sig_list, + efi_uintn_t size); struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name); bool efi_secure_boot_enabled(void); diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 9ab071b611..87525bdc80 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -736,6 +736,63 @@ err: return NULL; } +/** + * efi_sigstore_parse_sigdb - parse the signature list and populate + * the signature store + * + * @sig_list: Pointer to the signature list + * @size: Size of the signature list + * + * Parse the efi signature list and instantiate a signature store + * structure. + * + * Return: Pointer to signature store on success, NULL on error + */ +struct efi_signature_store *efi_build_signature_store(void *sig_list, + efi_uintn_t size) +{ + struct efi_signature_list *esl; + struct efi_signature_store *sigstore = NULL, *siglist; + + esl = sig_list; + while (size > 0) { + /* List must exist if there is remaining data. */ + if (size < sizeof(*esl)) { + EFI_PRINT("Signature list in wrong format\n"); + goto err; + } + + if (size < esl->signature_list_size) { + EFI_PRINT("Signature list in wrong format\n"); + goto err; + } + + /* Parse a single siglist. */ + siglist = efi_sigstore_parse_siglist(esl); + if (!siglist) { + EFI_PRINT("Parsing of signature list of failed\n"); + goto err; + } + + /* Append siglist */ + siglist->next = sigstore; + sigstore = siglist; + + /* Next */ + size -= esl->signature_list_size; + esl = (void *)esl + esl->signature_list_size; + } + free(sig_list); + + return sigstore; + +err: + efi_sigstore_free(sigstore); + free(sig_list); + + return NULL; +} + /** * efi_sigstore_parse_sigdb - parse a signature database variable * @name: Variable's name 
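Review bot: the kernel-doc above the new efi_build_signature_store() still carries the name efi_sigstore_parse_sigdb, and it does not say that the function takes ownership of sig_list, which is freed on both the success path and the err: path. Please fix the name and document the ownership (or leave the free() to the caller), since a caller that passes memory it does not own, or that frees the buffer itself, ends up with an invalid or double free. The loop also checks only size < sizeof(*esl) and size < esl->signature_list_size; a signature_list_size of zero makes no progress here unless efi_sigstore_parse_siglist() rejects it, so an explicit esl->signature_list_size < sizeof(*esl) check would make the bound self-contained. The message "Parsing of signature list of failed" has a stray "of".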
@@ -747,8 +804,7 @@ err: */ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) { - struct efi_signature_store *sigstore = NULL, *siglist; - struct efi_signature_list *esl; + struct efi_signature_store *sigstore = NULL; const efi_guid_t *vendor; void *db; efi_uintn_t db_size; 
@@ -784,47 +840,10 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db)); if (ret != EFI_SUCCESS) { EFI_PRINT("Getting variable, %ls, failed\n", name); - goto err; - } - - /* Parse siglist list */ - esl = db; - while (db_size > 0) { - /* List must exist if there is remaining data. */ - if (db_size < sizeof(*esl)) { - EFI_PRINT("variable, %ls, in wrong format\n", name); - goto err; - } - - if (db_size < esl->signature_list_size) { - EFI_PRINT("variable, %ls, in wrong format\n", name); - goto err; - } - - /* Parse a single siglist. */ - siglist = efi_sigstore_parse_siglist(esl); - if (!siglist) { - EFI_PRINT("Parsing signature list of %ls failed\n", - name); - goto err; - } - - /* Append siglist */ - siglist->next = sigstore; - sigstore = siglist; - - /* Next */ - db_size -= esl->signature_list_size; - esl = (void *)esl + esl->signature_list_size; + free(db); + return NULL; } - free(db); - - return sigstore; -err: - efi_sigstore_free(sigstore); - free(db); - - return NULL; + return efi_build_signature_store(db, db_size); } #endif /* CONFIG_EFI_SECURE_BOOT */
From patchwork Thu Nov 26 18:41:07 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 333048
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 11/14] efi: capsule: Add support for uefi capsule authentication
Date: Fri, 27 Nov 2020 00:11:07 +0530
Message-Id: <20201126184110.30521-12-sughosh.ganu@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature.

The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list (esl) file -- this file contains the x509 certificate which is the root certificate.

Signed-off-by: Sughosh Ganu
---
 board/emulation/qemu-arm/qemu-arm.c | 35 ++++++++
 include/efi_api.h | 18 ++++
 include/efi_loader.h | 6 ++
 lib/efi_loader/Kconfig | 17 ++++
 lib/efi_loader/efi_capsule.c | 122 ++++++++++++++++++++++++++++
 lib/efi_loader/efi_signature.c | 4 +-
 6 files changed, 200 insertions(+), 2 deletions(-)
-- 2.17.1
diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index 8cad54c76f..5794d4c669 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c
@@ -208,6 +208,41 @@ void flash_write32(u32 value, void *addr) #define DFU_ALT_BUF_LEN SZ_1K +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + EFI_PRINT("Unable to get signature node offset\n"); + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + EFI_PRINT("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + + return 0; +} + +bool efi_capsule_auth_enabled(void) +{ + return env_get("capsule_authentication_enabled") != NULL ? true : false; +} + static void board_get_alt_info(struct mtd_info *mtd, char *buf) { struct mtd_info *part; diff --git a/include/efi_api.h b/include/efi_api.h index c7038f863a..bcf6de6629 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -1808,6 +1808,24 @@ struct efi_variable_authentication_2 { struct win_certificate_uefi_guid auth_info; } __attribute__((__packed__)); +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __attribute__((__packed__)); + + /** * efi_signature_data - A format of signature * diff --git a/include/efi_loader.h b/include/efi_loader.h index 8d8a6649b5..d311317fc1 100644 --- a/include/efi_loader.h 
+++ b/include/efi_loader.h @@ -809,6 +809,8 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name); bool efi_secure_boot_enabled(void); +bool efi_capsule_auth_enabled(void); + bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); @@ -836,6 +838,10 @@ efi_status_t EFIAPI efi_query_capsule_caps( u64 *maximum_capsule_size, u32 *reset_type); +efi_status_t efi_capsule_authenticate(const void *capsule, + efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size); + #define EFI_CAPSULE_DIR L"\\EFI\\UpdateCapsule\\" /* Hook at initialization */ diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 55e4787e32..597ad6b2a7 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -145,6 +145,23 @@ config EFI_CAPSULE_FMP_HEADER Select this option if the capsule is built using the scripts in edk2. +config EFI_CAPSULE_AUTHENTICATE + bool "Update Capsule authentication" + depends on EFI_CAPSULE_FIRMWARE + depends on EFI_CAPSULE_ON_DISK + depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT + select SHA256 + select RSA + select RSA_VERIFY + select RSA_VERIFY_WITH_PKEY + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + select PKCS7_VERIFY + default n + help + Select this option if you want to enable capsule + authentication + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index f385e58378..ad2036fe93 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -14,6 +14,10 @@ #include #include +#include +#include +#include + const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID; static const efi_guid_t efi_guid_firmware_management_capsule_id = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
@@ -191,6 +195,124 @@ skip: return NULL; } +#if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) + +const efi_guid_t efi_guid_capsule_root_cert_guid = + EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; + +__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + /* The platform is supposed to provide + * a method for getting the public key + * stored in the form of efi signature + * list + */ + return 0; +} + +efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size) +{ + u8 *buf; + int ret; + void *fdt_pkey, *pkey; + efi_uintn_t pkey_len; + uint64_t monotonic_count; + struct efi_signature_store *truststore; + struct pkcs7_message *capsule_sig; + struct efi_image_regions *regs; + struct efi_firmware_image_authentication *auth_hdr; + efi_status_t status; + + status = EFI_SECURITY_VIOLATION; + capsule_sig = NULL; + truststore = NULL; + regs = NULL; + + /* Sanity checks */ + if (capsule == NULL || capsule_size == 0) + goto out; + + auth_hdr = (struct efi_firmware_image_authentication *)capsule; + if (capsule_size < sizeof(*auth_hdr)) + goto out; + + if (auth_hdr->auth_info.hdr.dwLength <= + offsetof(struct win_certificate_uefi_guid, cert_data)) + goto out; + + if (guidcmp(&auth_hdr->auth_info.cert_type, &efi_guid_cert_type_pkcs7)) + goto out; + + *image = (uint8_t *)capsule + sizeof(auth_hdr->monotonic_count) + + auth_hdr->auth_info.hdr.dwLength; + *image_size = capsule_size - auth_hdr->auth_info.hdr.dwLength - + sizeof(auth_hdr->monotonic_count); + memcpy(&monotonic_count, &auth_hdr->monotonic_count, + sizeof(monotonic_count)); + + /* data to be digested */ + regs = calloc(sizeof(*regs) + sizeof(struct image_region) * 2, 1); + if (!regs) + goto out; + + regs->max = 2; + efi_image_region_add(regs, (uint8_t *)*image, + (uint8_t *)*image + *image_size, 1); + + efi_image_region_add(regs, (uint8_t *)&monotonic_count, + (uint8_t *)&monotonic_count + sizeof(monotonic_count), + 1); + + capsule_sig = 
efi_parse_pkcs7_header(auth_hdr->auth_info.cert_data, + auth_hdr->auth_info.hdr.dwLength + - sizeof(auth_hdr->auth_info), + &buf); + if (IS_ERR(capsule_sig)) { + debug("Parsing variable's pkcs7 header failed\n"); + capsule_sig = NULL; + goto out; + } + + ret = efi_get_public_key_data(&fdt_pkey, &pkey_len); + if (ret < 0) + goto out; + + pkey = malloc(pkey_len); + if (!pkey) + goto out; + + memcpy(pkey, fdt_pkey, pkey_len); + truststore = efi_build_signature_store(pkey, pkey_len); + if (!truststore) + goto out; + + /* verify signature */ + if (efi_signature_verify(regs, capsule_sig, truststore, NULL)) { + debug("Verified\n"); + } else { + debug("Verifying variable's signature failed\n"); + goto out; + } + + status = EFI_SUCCESS; + +out: + efi_sigstore_free(truststore); + pkcs7_free_message(capsule_sig); + free(regs); + + return status; +} +#else +efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size) +{ + return EFI_UNSUPPORTED; +} +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */ + + /** * efi_capsule_update_firmware - update firmware from capsule * @capsule_data: Capsule diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 87525bdc80..c7ec275414 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -26,7 +26,7 @@ const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; -#ifdef CONFIG_EFI_SECURE_BOOT +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) static u8 pkcs7_hdr[] = { /* SEQUENCE */ 0x30, 0x82, 0x05, 0xc7, 
@@ -846,4 +846,4 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) return efi_build_signature_store(db, db_size); } -#endif /* CONFIG_EFI_SECURE_BOOT */ +#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
From patchwork Thu Nov 26 18:41:08 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 333049
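Review bot: efi_capsule_authenticate() in lib/efi_loader/efi_capsule.c (PATCH 11/14) checks only the lower bound of auth_hdr->auth_info.hdr.dwLength. Nothing verifies that sizeof(auth_hdr->monotonic_count) + dwLength <= capsule_size, so a capsule with an oversized dwLength makes *image_size wrap and lets *image and the length passed to efi_parse_pkcs7_header() reach past the end of the buffer before any signature has been checked. Two further problems in the same hunk: efi_parse_pkcs7_header() returns NULL on failure, so the IS_ERR(capsule_sig) test never fires and a NULL message reaches efi_signature_verify(); and the __weak efi_get_public_key_data() returns 0 without setting pkey or pkey_len, so a board without an override runs malloc(pkey_len) and memcpy() on uninitialised values, where the default should return an error instead. buf is also never initialised or freed, and monotonic_count is hashed but never compared against a stored value.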
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 12/14] efi_loader: Enable uefi capsule authentication
Date: Fri, 27 Nov 2020 00:11:08 +0530
Message-Id: <20201126184110.30521-13-sughosh.ganu@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Add support for enabling uefi capsule authentication. This feature is enabled by setting the environment variable "capsule_authentication_enabled".

The following configs are needed for enabling uefi capsule update and capsule authentication features on the platform.

CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y

Signed-off-by: Sughosh Ganu
---
 lib/efi_loader/efi_firmware.c | 37 ++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
-- 2.17.1
diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 6c97604d8b..5e17b2ab5a 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c
@@ -162,9 +162,16 @@ static efi_status_t efi_get_dfu_info( image_info[i].version_name = NULL; /* not supported */ image_info[i].size = 0; image_info[i].attributes_supported = - IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | + IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; image_info[i].attributes_setting = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + + /* Check if the capsule authentication is enabled */ + if (env_get("capsule_authentication_enabled")) + image_info[0].attributes_setting |= + IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; + image_info[i].lowest_supported_image_version = 0; image_info[i].last_attempt_version = 0; image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS; 
@@ -379,12 +386,40 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( efi_status_t (*progress)(efi_uintn_t completion), u16 **abort_reason) { + void *capsule_payload; + efi_status_t status; + efi_uintn_t capsule_payload_size; + EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, image_size, vendor_code, progress, abort_reason); if (!image) return EFI_EXIT(EFI_INVALID_PARAMETER); + /* Authenticate the capsule if authentication enabled */ + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && + env_get("capsule_authentication_enabled")) { + capsule_payload = NULL; + capsule_payload_size = 0; + status = efi_capsule_authenticate(image, image_size, + &capsule_payload, + &capsule_payload_size); + + if (status == EFI_SECURITY_VIOLATION) { + printf("Capsule authentication check failed. Aborting update\n"); + return EFI_EXIT(status); + } else if (status != EFI_SUCCESS) { + return EFI_EXIT(status); + } + + debug("Capsule authentication successfull\n"); + image = capsule_payload; + image_size = capsule_payload_size; + } else { + debug("Capsule authentication disabled. 
"); + debug("Updating capsule without authenticating.\n"); + } + if (CONFIG_IS_ENABLED(EFI_CAPSULE_FMP_HEADER)) { /* * When building the capsule with the scripts in
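
Review bot: In the efi_get_dfu_info() hunk (@@ -162), the new assignment writes to image_info[0].attributes_setting while every neighbouring line indexes image_info[i], so only the first descriptor ever reports IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED as set; this should be image_info[i]. The env_get("capsule_authentication_enabled") test here also lacks the IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) guard that the set_image hunk uses, and attributes_supported now carries the attribute unconditionally, so a build without CONFIG_EFI_CAPSULE_AUTHENTICATE can report authentication as supported and required while set_image verifies nothing. Suggest making both attribute bits depend on the same condition that set_image checks.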
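
Review bot: In the efi_firmware_raw_set_image() hunk (@@ -379), signature verification is skipped whenever the "capsule_authentication_enabled" environment variable is unset, and the else branch then continues with the update after nothing more than a debug() message. The security decision therefore rests on mutable environment state: whoever can change or erase the environment can turn verification off. With CONFIG_EFI_CAPSULE_AUTHENTICATE=y the check should be unconditional, or the switch should be held somewhere that environment access cannot alter. Also, env_get() returns non-NULL for any value, so setting the variable to 0 still enables authentication, which is worth documenting or handling, and "successfull" in the debug string is misspelled.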
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 13/14] efidebug: capsule: Add a command to update capsule on disk
Date: Fri, 27 Nov 2020 00:11:09 +0530
Message-Id: <20201126184110.30521-14-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Add an efidebug subcommand to initiate a firmware update using the efi
firmware management protocol (fmp) set_image routine.

The firmware update can be initiated through

'efidebug capsule disk-update'

This would locate the efi capsule file on the efi system partition,
and call the platform's set_image fmp routine to initiate the firmware
update.

Signed-off-by: Sughosh Ganu
---
 cmd/efidebug.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

-- 2.17.1

diff --git a/cmd/efidebug.c b/cmd/efidebug.c index 7d327c8268..b8fe9ad6d5 100644 --- a/cmd/efidebug.c +++ b/cmd/efidebug.c
@@ -79,6 +79,16 @@ static int do_efi_capsule_update(struct cmd_tbl *cmdtp, int flag, return CMD_RET_SUCCESS; } +static int do_efi_capsule_on_disk_update(struct cmd_tbl *cmdtp, int flag, + int argc, char * const argv[]) +{ + efi_status_t ret; + + ret = efi_launch_capsules(); + + return ret == EFI_SUCCESS ? CMD_RET_SUCCESS : CMD_RET_FAILURE; +} + /** * do_efi_capsule_show() - show capsule information * @@ -207,6 +217,8 @@ static struct cmd_tbl cmd_efidebug_capsule_sub[] = { "", ""), U_BOOT_CMD_MKENT(show, CONFIG_SYS_MAXARGS, 1, do_efi_capsule_show, "", ""), + U_BOOT_CMD_MKENT(disk-update, 0, 0, do_efi_capsule_on_disk_update, + "", ""), U_BOOT_CMD_MKENT(result, CONFIG_SYS_MAXARGS, 1, do_efi_capsule_res, "", ""), }; 
@@ -1540,6 +1552,8 @@ static char efidebug_help_text[] = #ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT "efidebug capsule update [-v] \n" " - process a capsule\n" + "efidebug capsule disk-update\n" + " - update a capsule from disk\n" "efidebug capsule show \n" " - show capsule information\n" "efidebug capsule result []\n"
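
Review bot: do_efi_capsule_on_disk_update() in the @@ -79 hunk is added without the kernel-doc comment that do_efi_capsule_show() directly below it carries, and on failure it returns CMD_RET_FAILURE without printing the efi_status_t from efi_launch_capsules(), so the operator cannot tell a missing capsule file from a rejected one. Suggest adding the /** ... */ block and reporting ret on the error path, which matters most once authentication failures can be the cause.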
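
Review bot: In the cmd_efidebug_capsule_sub[] hunk (@@ -207), disk-update is registered with maxargs 0 and repeatable 0, while the neighbouring show and result entries pass CONFIG_SYS_MAXARGS, 1. Since the argument count includes the subcommand name itself, a subcommand that takes no arguments would normally declare maxargs 1; please either use 1 or explain why 0 is intended.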
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Sughosh Ganu
Subject: [PATCH 14/14] qemu: arm64: Add documentation for capsule update
Date: Fri, 27 Nov 2020 00:11:10 +0530
Message-Id: <20201126184110.30521-15-sughosh.ganu@linaro.org>
In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org>
References: <20201126184110.30521-1-sughosh.ganu@linaro.org>

Add documentation highlighting the steps for using the uefi capsule
update feature for updating the u-boot firmware image.

Signed-off-by: Sughosh Ganu
---
 doc/board/emulation/qemu-arm.rst | 157 +++++++++++++++++++++++++++++++
 1 file changed, 157 insertions(+)

-- 2.17.1

diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst index 8d7fda10f1..3978c13269 100644 --- a/doc/board/emulation/qemu-arm.rst +++ b/doc/board/emulation/qemu-arm.rst
@@ -90,3 +90,160 @@ The debug UART on the ARM virt board uses these settings:: CONFIG_DEBUG_UART_PL010=y CONFIG_DEBUG_UART_BASE=0x9000000 CONFIG_DEBUG_UART_CLOCK=0 + +Enabling Uefi Capsule Update feature +------------------------------------ + +Support has been added for the uefi capsule update feature which +enables updating the u-boot image using the uefi firmware management +protocol (fmp). The capsules are not passed to the firmware through +the UpdateCapsule runtime service. Instead, capsule-on-disk +functionality is used for fetching the capsule from the EFI System +Partition (ESP). + +Currently, support has been added for updating the u-boot binary as a +raw image when the platform is booted in non-secure mode, i.e with +CONFIG_TFABOOT disabled. For this configuration, the qemu platform +needs to be booted with 'secure=off'. The u-boot binary placed on the +first bank of the Nor Flash at offset 0x0. The u-boot environment is +placed on the second Nor Flash bank at offset 0x4000000. + +The capsule update feature is enabled with the following configs:: + + CONFIG_MTD=y + CONFIG_FLASH_CFI_MTD=y + CONFIG_CMD_MTDPARTS=y + CONFIG_CMD_DFU=y + CONFIG_DFU_MTD=y + CONFIG_EFI_CAPSULE_ON_DISK=y + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y + CONFIG_EFI_CAPSULE_FIRMWARE=y + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + CONFIG_EFI_CAPSULE_FMP_HEADER=y + +In addition, the following config needs to be disabled:: + CONFIG_TFABOOT + +The capsule file can be generated by using the GenerateCapsule.py +script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --fw-version --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + --verbose + +If the above edk2 script is being used for generating the capsule, the +following additional config needs to be enabled:: + CONFIG_EFI_CAPSULE_FMP_HEADER=y + +As per the uefi specification, the capsule file needs to be placed on +the EFI System Partition, under the EFI/UpdateCapsule/ directory. 
The +EFI System Partition can be a virtio-blk-device. + +Before initiating the firmware update, the efi variables BootNext, +BootXXXX and OsIndications need to be set. The BootXXXX variable needs +to be pointing to the EFI System Partition which contains the capsule +file. The BootNext, BootXXXX and OsIndications variables can be set +using the following commands:: + + => efidebug boot add 0 Boot0000 virtio 0:1 + => efidebug boot next 0 + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => saveenv + +Finally, the capsule update can be initiated with the following +command:: + + => efidebug capsule disk-update + +The updated u-boot image will be booted on subsequent boot. + +Enabling Capsule Authentication +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The uefi specification defines a way of authenticating the capsule to +be updated by verifying the capsule signature. The capsule signature +is computed and prepended to the capsule payload at the time of +capsule generation. This signature is then verified by using the +public key stored as part of the X509 certificate. This certificate is +in the form of an efi signature list (esl) file, which is embedded as +part of the platform's device tree blob using the mkeficapsule +utility. + +The capsule authentication feature can be enabled through the +following config, in addition to the configs listed above for capsule +update:: + + CONFIG_EFI_CAPSULE_AUTHENTICATE=y + +The public key esl file can be embedded in the dtb with the following +command:: + ./tools/mkeficapsule -K -D + +Running the above command results in the creation of a 'signature' +node in the dtb, under which the public key is stored as a +'capsule-key' property. + +Once the esl file has been embedded as part of the dtb, the platform +needs to be be booted with this dtb. This can be done by disabling the +CONFIG_OF_BOARD option, and then, passing the above dtb file to the +u-boot build. 
+ +The capsule update with authentication can be enabled on the platform +with the following steps + +1. Install utility commands on your host + * openssl + * efitools + +2. Create signing keys and certificate files on your host:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ + -keyout CRT.key -out CRT.crt -nodes -days 365 + $ cert-to-efi-sig-list CRT.crt CRT.esl + + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem + + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem + +3. Store the esl file generated above as part of the dtb:: + + $ ./tools/mkeficapsule -K -D + +4. The capsule file can be generated by using the GenerateCapsule.py + script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --monotonic-count --fw-version \ + --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ + --update-image-index --signer-private-cert \ + /path/to/CRT.pem --trusted-public-cert \ + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ + + +Once the capsule has been generated, use the same instructions as +mentioned above for placing the capsule on the EFI System Partition + +5. Building u-boot with the following steps:: + + $ make qemu_arm64_defconfig + $ make menuconfig + Disable CONFIG_OF_BOARD and CONFIG_TFABOOT + $ make EXT_DTB= all + +6. Enable capsule authentication by setting the following env + variable:: + + => setenv capsule_authentication_enabled 1 + => saveenv + +Setting the environment variable capsule_authentication_enabled +enables the capsule authentication. + +Once the capsule has been placed on the EFI System Partition and the +above env variable has been set, along with the BootXXXX and the +BootNext variables, the capsule update can be initiated +using the same command as that shown above.
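
Review bot: In the "Enabling Capsule Authentication" steps, step 2 creates the signing key with -nodes and step 4 passes CRT.pem, which holds that unencrypted private key, as --signer-private-cert, with the same self-signed certificate reused for --trusted-public-cert and --other-public-cert; the text should state that this is a test setup and that real signing keys must be kept protected. Step 6 should also say that authentication depends on the environment variable persisted with saveenv, so it is only as strong as the protection of the u-boot environment. Smaller points: "needs to be be booted", "i.e with" and "The u-boot binary placed" need fixing; the literal blocks after "needs to be disabled::", "needs to be enabled::" and the first mkeficapsule "command::" have no blank line after the "::"; CONFIG_EFI_CAPSULE_FMP_HEADER=y appears both in the main config list and again as an "additional" config; the step 4 command ends in a dangling backslash; and the unindented "Once the capsule has been generated" paragraph between steps 4 and 5 breaks the numbered list.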