[0/4] efi_loader: capsule: improve capsule authentication support

Message ID 20210512045753.62288-1-takahiro.akashi@linaro.org
Headers show
Series
  • efi_loader: capsule: improve capsule authentication support
Related show

Message

AKASHI Takahiro May 12, 2021, 4:57 a.m.
As I discussed in [1], I have made a couple of improvements on
the current implemenation of capsule update.

Among others, this patch series
1. add signing feature to mkeficapsule
2. remove dtb operation from mkeficapsule
3. add pytest for capsule authentication (on sandbox)

NOTE:
I temporarily include Patch#3 in order to show that it is not worth
implementing in C as we can do the same thing with a very small
shell script.

My intent is *NOT* to merge Patch#3 in upstream.

Prerequisite patches
====================
See Sughosh's [2] and my [3].

Test
====
* passed the pytest which is included in this patch series
  on sandbox built locally.

Todo
====
* review and update the document for capsule update
    doc/board/emulation/qemu_capsule_update.rst
  (but not in this patch series)

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-April/447183.html
[3] https://lists.denx.de/pipermail/u-boot/2021-May/449347.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449348.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449349.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449350.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449351.html

Changes
=======
Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (4):
  tools: mkeficapsule: add firmwware image signing
  tools: mkeficapsule: remove device-tree related operation
  tools: add fdtsig command
  test/py: efi_capsule: add image authentication test

 Makefile                                      |   7 +-
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  35 +-
 test/py/tests/test_efi_capsule/signature.dts  |   8 +
 .../test_capsule_firmware_signed.py           | 234 +++++++++
 tools/Makefile                                |   7 +-
 tools/fdtsig.c                                | 274 +++++++++++
 tools/fdtsig.sh                               |  40 ++
 tools/mkeficapsule.c                          | 455 ++++++++++--------
 9 files changed, 856 insertions(+), 209 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
 create mode 100644 tools/fdtsig.c
 create mode 100755 tools/fdtsig.sh

-- 
2.31.0

Comments

Heinrich Schuchardt May 12, 2021, 5:04 a.m. | #1
Am 12. Mai 2021 06:57:49 MESZ schrieb AKASHI Takahiro <takahiro.akashi@linaro.org>:
>As I discussed in [1], I have made a couple of improvements on

>the current implemenation of capsule update.

>

>Among others, this patch series

>1. add signing feature to mkeficapsule

>2. remove dtb operation from mkeficapsule

>3. add pytest for capsule authentication (on sandbox)

>

>NOTE:

>I temporarily include Patch#3 in order to show that it is not worth

>implementing in C as we can do the same thing with a very small

>shell script.

>

>My intent is *NOT* to merge Patch#3 in upstream.

>


Should you need to resend the series, please, put "DO NOT MERGE" into the title of patch 3.

Best regards

Heinrich


>Prerequisite patches

>====================

>See Sughosh's [2] and my [3].

>

>Test

>====

>* passed the pytest which is included in this patch series

>  on sandbox built locally.

>

>Todo

>====

>* review and update the document for capsule update

>    doc/board/emulation/qemu_capsule_update.rst

>  (but not in this patch series)

>

>[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html

>[2] https://lists.denx.de/pipermail/u-boot/2021-April/447183.html

>[3] https://lists.denx.de/pipermail/u-boot/2021-May/449347.html

>    https://lists.denx.de/pipermail/u-boot/2021-May/449348.html

>    https://lists.denx.de/pipermail/u-boot/2021-May/449349.html

>    https://lists.denx.de/pipermail/u-boot/2021-May/449350.html

>    https://lists.denx.de/pipermail/u-boot/2021-May/449351.html

>

>Changes

>=======

>Initial release (May 12, 2021)

>* based on v2021.07-rc2

>

>AKASHI Takahiro (4):

>  tools: mkeficapsule: add firmwware image signing

>  tools: mkeficapsule: remove device-tree related operation

>  tools: add fdtsig command

>  test/py: efi_capsule: add image authentication test

>

> Makefile                                      |   7 +-

> .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> test/py/tests/test_efi_capsule/conftest.py    |  35 +-

> test/py/tests/test_efi_capsule/signature.dts  |   8 +

> .../test_capsule_firmware_signed.py           | 234 +++++++++

> tools/Makefile                                |   7 +-

> tools/fdtsig.c                                | 274 +++++++++++

> tools/fdtsig.sh                               |  40 ++

> tools/mkeficapsule.c                          | 455 ++++++++++--------

> 9 files changed, 856 insertions(+), 209 deletions(-)

> create mode 100644 test/py/tests/test_efi_capsule/signature.dts

>create mode 100644

>test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> create mode 100644 tools/fdtsig.c

> create mode 100755 tools/fdtsig.sh