| Message ID | 20210831024659.53464-5-takahiro.akashi@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | efi_loader: capsule: improve capsule authentication support | expand |
On 8/31/21 4:46 AM, AKASHI Takahiro wrote: > The existing options, "--fit" and "--raw," are only used to put a proper > GUID in a capsule header, where GUID identifies a particular FMP (Firmware > Management Protocol) driver which then would handle the firmware binary in > a capsule. In fact, mkeficapsule does the exact same job in creating > a capsule file whatever the firmware binary type is. > > To prepare for the future extension, the command syntax will be a bit > modified to allow users to specify arbitrary GUID for their own FMP driver. > OLD: > [--fit <image> | --raw <image>] <capsule file> > NEW: > [--fit | --raw | --guid <guid-string>] <image> <capsule file> > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de> > --- > doc/develop/uefi/uefi.rst | 4 ++-- > doc/mkeficapsule.1 | 19 +++++++++++----- > tools/mkeficapsule.c | 46 ++++++++++++++++++++++++--------------- > 3 files changed, 43 insertions(+), 26 deletions(-) > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > index 5ccb455da984..c23fc2125fb2 100644 > --- a/doc/develop/uefi/uefi.rst > +++ b/doc/develop/uefi/uefi.rst > @@ -359,8 +359,8 @@ To generate and sign the capsule file:: > --private-key CRT.key \ > --certificate CRT.crt \ > --index 1 --instance 0 \ > - [--fit <FIT image> | --raw <raw image>] \ > - <capsule_file_name> > + [--fit | --raw | --guid <guid-string] \ > + <binary_blob> <capsule_file_name> > > Place the capsule generated in the above step on the EFI System > Partition under the EFI/UpdateCapsule directory > diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 > index 7c2341160ea4..ab2aa3719744 100644 > --- a/doc/mkeficapsule.1 > +++ b/doc/mkeficapsule.1 > @@ -5,7 +5,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot > > .SH SYNOPSIS > .B mkeficapsule > -.RB [\fIoptions\fP] " \fIcapsule-file\fP" > +.RB [\fIoptions\fP] " \fIimage-blob\fP \fIcapsule-file\fP" > > .SH "DESCRIPTION" > The > @@ -21,7 +21,7 @@ Optionally, a capsule file can be signed with a given private key. > In this case, the update will be authenticated by verifying the signature > before applying. > > -\fBmkeficapsule\fP supports two different format of image files: > +\fBmkeficapsule\fP takes any type of image files, including: > .TP > .I raw image > format is a single binary blob of any type of firmware. > @@ -33,15 +33,22 @@ is the same as used in the new \fIuImage\fP format and allows for > multiple binary blobs in a single capsule file. > This type of image file can be generated by \fBmkimage\fP. > > +If you want to use other types than above two, you should explicitly > +specify a guid for the FMP driver. > + > .SH "OPTIONS" > > .TP > -.BI "-f, --fit \fIfit-image-file\fP" > -Specify a FIT image file > +.BI "-f, --fit > +Indicate that the blob is a FIT image file > + > +.TP > +.BI "-r, --raw > +Indicate that the blob is a raw image file > > .TP > -.BI "-r, --raw \fIraw-image-file\fP" > -Specify a raw image file > +.BI "-g, --guid \fIguid-string\fP" > +Specify guid for image blob type > > .TP > .BI "-i, --index \fIindex\fP" > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c > index 090fb02de68d..c730cf468d2b 100644 > --- a/tools/mkeficapsule.c > +++ b/tools/mkeficapsule.c > @@ -14,7 +14,7 @@ > > #include <sys/stat.h> > #include <sys/types.h> > - > +#include <uuid/uuid.h> > #include <linux/kconfig.h> > #ifdef CONFIG_TOOLS_LIBCRYPTO > #include <openssl/asn1.h> > @@ -51,14 +51,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = > efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; > > #ifdef CONFIG_TOOLS_LIBCRYPTO > -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; > +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; > #else > -static const char *opts_short = "f:r:i:I:v:h"; > +static const char *opts_short = "frg:i:I:v:h"; > #endif > > static struct option options[] = { > - {"fit", required_argument, NULL, 'f'}, > - {"raw", required_argument, NULL, 'r'}, > + {"fit", no_argument, NULL, 'f'}, > + {"raw", no_argument, NULL, 'r'}, > + {"guid", required_argument, NULL, 'g'}, > {"index", required_argument, NULL, 'i'}, > {"instance", required_argument, NULL, 'I'}, > #ifdef CONFIG_TOOLS_LIBCRYPTO > @@ -73,11 +74,12 @@ static struct option options[] = { > > static void print_usage(void) > { > - printf("Usage: %s [options] <output file>\n" > + printf("Usage: %s [options] <image blob> <output file>\n" > "Options:\n" > > - "\t-f, --fit <fit image> new FIT image file\n" > - "\t-r, --raw <raw image> new raw image file\n" > + "\t-f, --fit FIT image type\n" > + "\t-r, --raw raw image type\n" > + "\t-g, --guid <guid string> guid for image blob type\n" > "\t-i, --index <index> update image index\n" > "\t-I, --instance <instance> update hardware instance\n" > #ifdef CONFIG_TOOLS_LIBCRYPTO > @@ -524,14 +526,13 @@ err_1: > */ > int main(int argc, char **argv) > { > - char *file; > efi_guid_t *guid; > + unsigned char uuid_buf[16]; > unsigned long index, instance; > uint64_t mcount; > char *privkey_file, *cert_file; > int c, idx; > > - file = NULL; > guid = NULL; > index = 0; > instance = 0; > @@ -546,21 +547,30 @@ int main(int argc, char **argv) > > switch (c) { > case 'f': > - if (file) { > - printf("Image already specified\n"); > + if (guid) { > + printf("Image type already specified\n"); > return -1; > } > - file = optarg; > guid = &efi_guid_image_type_uboot_fit; > break; > case 'r': > - if (file) { > - printf("Image already specified\n"); > + if (guid) { > + printf("Image type already specified\n"); > return -1; > } > - file = optarg; > guid = &efi_guid_image_type_uboot_raw; > break; > + case 'g': > + if (guid) { > + printf("Image type already specified\n"); > + return -1; > + } > + if (uuid_parse(optarg, uuid_buf)) { > + printf("Wrong guid format\n"); > + return -1; > + } > + guid = (efi_guid_t *)uuid_buf; > + break; > case 'i': > index = strtoul(optarg, NULL, 0); > break; > @@ -596,14 +606,14 @@ int main(int argc, char **argv) > } > > /* check necessary parameters */ > - if ((argc != optind + 1) || !file || > + if ((argc != optind + 2) || !guid || > ((privkey_file && !cert_file) || > (!privkey_file && cert_file))) { > print_usage(); > return -1; > } > > - if (create_fwbin(argv[optind], file, guid, index, instance, > + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, > mcount, privkey_file, cert_file) < 0) { > printf("Creating firmware capsule failed\n"); > return -1; >
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 5ccb455da984..c23fc2125fb2 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -359,8 +359,8 @@ To generate and sign the capsule file:: --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit <FIT image> | --raw <raw image>] \ - <capsule_file_name> + [--fit | --raw | --guid <guid-string] \ + <binary_blob> <capsule_file_name> Place the capsule generated in the above step on the EFI System Partition under the EFI/UpdateCapsule directory diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 7c2341160ea4..ab2aa3719744 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -5,7 +5,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RB [\fIoptions\fP] " \fIcapsule-file\fP" +.RB [\fIoptions\fP] " \fIimage-blob\fP \fIcapsule-file\fP" .SH "DESCRIPTION" The @@ -21,7 +21,7 @@ Optionally, a capsule file can be signed with a given private key. In this case, the update will be authenticated by verifying the signature before applying. -\fBmkeficapsule\fP supports two different format of image files: +\fBmkeficapsule\fP takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -33,15 +33,22 @@ is the same as used in the new \fIuImage\fP format and allows for multiple binary blobs in a single capsule file. This type of image file can be generated by \fBmkimage\fP. +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" .TP -.BI "-f, --fit \fIfit-image-file\fP" -Specify a FIT image file +.BI "-f, --fit +Indicate that the blob is a FIT image file + +.TP +.BI "-r, --raw +Indicate that the blob is a raw image file .TP -.BI "-r, --raw \fIraw-image-file\fP" -Specify a raw image file +.BI "-g, --guid \fIguid-string\fP" +Specify guid for image blob type .TP .BI "-i, --index \fIindex\fP" diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 090fb02de68d..c730cf468d2b 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -14,7 +14,7 @@ #include <sys/stat.h> #include <sys/types.h> - +#include <uuid/uuid.h> #include <linux/kconfig.h> #ifdef CONFIG_TOOLS_LIBCRYPTO #include <openssl/asn1.h> @@ -51,14 +51,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_TOOLS_LIBCRYPTO -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; #else -static const char *opts_short = "f:r:i:I:v:h"; +static const char *opts_short = "frg:i:I:v:h"; #endif static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -73,11 +74,12 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] <output file>\n" + printf("Usage: %s [options] <image blob> <output file>\n" "Options:\n" - "\t-f, --fit <fit image> new FIT image file\n" - "\t-r, --raw <raw image> new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid <guid string> guid for image blob type\n" "\t-i, --index <index> update image index\n" "\t-I, --instance <instance> update hardware instance\n" #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -524,14 +526,13 @@ err_1: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -546,21 +547,30 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); return -1; } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); return -1; } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + printf("Image type already specified\n"); + return -1; + } + if (uuid_parse(optarg, uuid_buf)) { + printf("Wrong guid format\n"); + return -1; + } + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; @@ -596,14 +606,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); return -1; } - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); return -1;
The existing options, "--fit" and "--raw," are only used to put a proper GUID in a capsule header, where GUID identifies a particular FMP (Firmware Management Protocol) driver which then would handle the firmware binary in a capsule. In fact, mkeficapsule does the exact same job in creating a capsule file whatever the firmware binary type is. To prepare for the future extension, the command syntax will be a bit modified to allow users to specify arbitrary GUID for their own FMP driver. OLD: [--fit <image> | --raw <image>] <capsule file> NEW: [--fit | --raw | --guid <guid-string>] <image> <capsule file> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> --- doc/develop/uefi/uefi.rst | 4 ++-- doc/mkeficapsule.1 | 19 +++++++++++----- tools/mkeficapsule.c | 46 ++++++++++++++++++++++++--------------- 3 files changed, 43 insertions(+), 26 deletions(-) -- 2.33.0