From patchwork Wed Dec 30 13:56:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 355254 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp11350224jai; Wed, 30 Dec 2020 05:57:42 -0800 (PST) X-Google-Smtp-Source: ABdhPJyrir/bRbZHKJOgMkVhidKlMMzMT9yQnFokIeyPgdepwkBei1SKUN0fF9+qKirdto+qWCdB X-Received: by 2002:a17:906:8354:: with SMTP id b20mr49688416ejy.397.1609336662194; Wed, 30 Dec 2020 05:57:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609336662; cv=none; d=google.com; s=arc-20160816; b=0yECjtVvBBrMkl5SmvEwk9UVaFH3zYTflefJW+DnOsb3xQqTpsNo9Cbrk6cR/2zF4T 3QUaLGAHKmnVhzSQXsx5BV7sN7h5G4jLdE2HeoDGVMH4KkSc8mcoVF/OqMXgSkGeZC/3 WanHg2Bs5/fsnmvMMOY7YCIniTl4WbmrsTjxHDhiHhbTrx4i1Yz7BtPwj0q3BQuKsm1p uorjNSUcwZ58qVunpRSafN4j26E69PlEwxJW8rOdeW6zunR87kPDSy24MbO9fE3NVhJY vyD6+IT0uoqjrKeL3FnH+yFaHI3NuhyqFgMbEgxMHU0z/YfKpow4TQQWIa58FExN3p7g 0ggA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:message-id:date:subject:cc:to :from; bh=K+A03VaMxUjBBjiR8Dd0mXucbjP+j+Rjq4pgMckN+ko=; b=dHXsEqzwlzSABQCeOWzxIwjTW0hf1pXD2y5Hc01LVQxnfYHpjfSi2v6i4A6+jY52MK k/JQJ6U8mcw/ojulmxbsnpqQRU4cqJI1UCCmK9CQC/GE2ahfOEhWj82QetHB9FSXQFcH p6wHTbylwjWS7JRiC+KaKQTlxhxtxYHRK1JlDiXVpURp8H+5BMVsr7qpcwVm9vOocKV/ FbKZaw6IV+mvDVmZZ5CLe2fr+ZYvTHkIfx0DmP5DVEV2je+x9HIppi+Wi8s4ObbMlbUJ RgOiuZ3yQvUWtEvliTyxkdY36Vqj2UrBbHUb7CsriPcv7ke4hLQQ8kKS6/6Aa8yGH/Hl zdWg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id j26si21661118ejf.716.2020.12.30.05.57.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Dec 2020 05:57:42 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2354982570; Wed, 30 Dec 2020 14:57:38 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 1D4AA82570; Wed, 30 Dec 2020 14:57:37 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by phobos.denx.de (Postfix) with ESMTP id D618F82496 for ; Wed, 30 Dec 2020 14:57:33 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=sughosh.ganu@linaro.org Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 53D38101E; Wed, 30 Dec 2020 05:57:31 -0800 (PST) Received: from a076522.blr.arm.com (a076522.blr.arm.com [10.162.16.44]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id E87AA3F6CF; Wed, 30 Dec 2020 05:57:28 -0800 (PST) From: Sughosh Ganu To: u-boot@lists.denx.de Cc: Takahiro Akashi , Heinrich Schuchardt , Alexander Graf , Lukasz Majewski , Tuomas Tynkkynen , Tom Rini , Ilias Apalodimas Subject: [PATCH v4 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm platform Date: Wed, 30 Dec 2020 19:26:58 +0530 Message-Id: <20201230135712.5289-1-sughosh.ganu@linaro.org> X-Mailer: git-send-email 2.17.1 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean The capsule update feature is supported on a platform configuration booting in a non-secure mode, i.e with -machine virt,secure=off option set. This results in the platform booting u-boot directly without the presence of trusted firmware(tf-a). Steps that need to be followed for using this feature have been provided as part of the documentation. Support has also been added for enabling the capsule authentication feature. Capsule authentication, as defined by the uefi specification is very much on similar lines to the logic used for variable authentication. As a result, most of the signature verification code already in use for variable authentication has been used for capsule authentication. Storage of the public key certificate, needed for the signature verification process is in form of the efi signature list(esl) structure. This public key is stored on an overlay which is then merged with the platform's base fdt at runtime. The public key esl file can be embedded into the overlay dtb using the mkeficapsule utility that has been added as part of the capsule update support series by Takahiro Akashi. Steps needed for enabling capsule authentication have been provided as part of the documentation. This patch series needs to be applied on top of the capsule update support patch series from Takahiro Akashi on the next branch. Changes since V3: * Move the selection of SYS_MTDPARTS_RUNTIME config to the board's Kconfig from lib/efi_loader/Kconfig, using imply. * Move the selection of SET_DFU_ALT_INFO config to the board's Kconfig from lib/efi_loader/Kconfig, using imply. Changes since V2: * Enable building of board_late_init for both of the Qemu arm and arm64 variants * Move the selection the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig file * Move the functions to populate the mtdparts under board/emulation/common for allowing subsequent re-use by other Qemu arch based platforms * Move the functions to populate the dfu_alt_info variable under board/emulation/common for allowing subsequent re-use by other Qemu arch based platforms * Move the function for fetching the public key certficate from the platform's dtb under board/emulation/common directory. * Move the function for checking the capsule_authentication_enabled env variable under board/emulation/common directory. * Moved the capsule update related documentation for the Qemu platform to a new file under doc/board/emulation/ directory. * Incorporated all typo review comments from Heinrich * Put in a skeletal overlay dts file for reference, as was suggested by Heinrich Changes since V1: * Added support for embedding the public key cert in an overlay using the -O option * The earlier patch was adding a call to pci_init in board_init. Moved the virtio_init call to board_late_init * Change MTDPARTS_NOR[01] as config options instead of defining them in the qemu-arm.h config header. * Enable CONFIG_SYS_MTDPARTS_RUNTIME with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT * Build set_dfu_alt_info and board_get_alt_info functions only if CONFIG_SET_DFU_ALT_INFO is defined * Enable CONFIG_SET_DFU_ALT_INFO with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT * Detect the presence of the FMP Payload header at runtime instead of using a Kconfig option, as was suggested by Heinrich * Change the documentation to reflect the usage of overlays for embedding the public key certs at runtime * Fix the build for 'make htmldocs' Sughosh Ganu (14): mkeficapsule: Add support for embedding public key in a dtb qemu: arm: Initialise virtio devices in board_late_init crypto: Fix the logic to calculate hash with authattributes set qemu: common: Add support for dynamic mtdparts for the platform qemu: common: Set dfu_alt_info variable for the platform fsp: Move and rename fsp_types.h file efi_loader: Add logic to parse EDKII specific fmp payload header dfu_mtd: Add provision to unlock mtd device efi_loader: Make the pkcs7 header parsing function an extern efi_loader: Re-factor code to build the signature store from efi signature list efi: capsule: Add support for uefi capsule authentication efi_loader: Enable uefi capsule authentication efidebug: capsule: Add a command to update capsule on disk qemu: arm64: Add documentation for capsule update arch/arm/mach-qemu/Kconfig | 2 + arch/x86/include/asm/fsp/fsp_support.h | 3 +- board/emulation/common/Kconfig | 15 ++ board/emulation/common/Makefile | 5 + board/emulation/common/qemu_capsule.c | 48 ++++ board/emulation/common/qemu_dfu.c | 68 +++++ board/emulation/common/qemu_mtdparts.c | 82 ++++++ board/emulation/qemu-arm/Kconfig | 8 + board/emulation/qemu-arm/qemu-arm.c | 5 + cmd/efidebug.c | 14 ++ doc/board/emulation/index.rst | 1 + doc/board/emulation/qemu_capsule_update.rst | 210 ++++++++++++++++ drivers/dfu/dfu_mtd.c | 20 +- include/efi_api.h | 18 ++ include/efi_loader.h | 12 + .../fsp/fsp_types.h => include/signatures.h | 6 +- lib/crypto/pkcs7_verify.c | 37 ++- lib/efi_loader/Kconfig | 17 ++ lib/efi_loader/efi_capsule.c | 122 +++++++++ lib/efi_loader/efi_firmware.c | 77 +++++- lib/efi_loader/efi_signature.c | 192 +++++++++++---- lib/efi_loader/efi_variable.c | 93 +------ tools/Makefile | 1 + tools/mkeficapsule.c | 233 +++++++++++++++++- 24 files changed, 1125 insertions(+), 164 deletions(-) create mode 100644 board/emulation/common/Kconfig create mode 100644 board/emulation/common/Makefile create mode 100644 board/emulation/common/qemu_capsule.c create mode 100644 board/emulation/common/qemu_dfu.c create mode 100644 board/emulation/common/qemu_mtdparts.c create mode 100644 doc/board/emulation/qemu_capsule_update.rst rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%) -- 2.17.1