
[v3,3/5] doc: update UEFI document for usage of mkeficapsule

Message ID 20210831024659.53464-4-takahiro.akashi@linaro.org
State New
Series efi_loader: capsule: improve capsule authentication support

Commit Message

AKASHI Takahiro Aug. 31, 2021, 2:46 a.m. UTC
Now we can use the mkeficapsule command instead of EDK-II's script
to create a signed capsule file, so update the instructions for
capsule authentication.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

---
 doc/develop/uefi/uefi.rst | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

-- 
2.33.0

Comments

Heinrich Schuchardt Aug. 31, 2021, 6:07 a.m. UTC | #1
On 8/31/21 4:46 AM, AKASHI Takahiro wrote:
> Now we can use mkeficapsule command instead of EDK-II's script
> to create a signed capsule file. So update the instruction for
> capsule authentication.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>   doc/develop/uefi/uefi.rst | 31 ++++++++++++++-----------------
>   1 file changed, 14 insertions(+), 17 deletions(-)
>
> diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> index 64fe9346c7f2..5ccb455da984 100644
> --- a/doc/develop/uefi/uefi.rst
> +++ b/doc/develop/uefi/uefi.rst
> @@ -347,23 +347,20 @@ and used by the steps highlighted below::
>               -keyout CRT.key -out CRT.crt -nodes -days 365
>           $ cert-to-efi-sig-list CRT.crt CRT.esl
>
> -        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
> -        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
> -
> -        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
> -        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
> -
> -The capsule file can be generated by using the GenerateCapsule.py
> -script in EDKII::
> -
> -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> -      <capsule_file_name> --monotonic-count <val> --fw-version \
> -      <val> --lsv <val> --guid \
> -      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
> -      --update-image-index <val> --signer-private-cert \
> -      /path/to/CRT.pem --trusted-public-cert \
> -      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
> -      <u-boot.bin>
> +The signed capsule file can be generated by using tools/mkeficapsule.
> +To build this tool, enable::
> +
> +    CONFIG_TOOLS_MKEFICAPSULE=y
> +    CONFIG_TOOLS_LIBCRYPTO=y
> +
> +To generate and sign the capsule file::
> +
> +    $ mkeficapsule --monotonic-count 1 \
> +      --private-key CRT.key \
> +      --certificate CRT.crt \
> +      --index 1 --instance 0 \
> +      [--fit <FIT image> | --raw <raw image>] \
> +      <capsule_file_name>

Patch 1 allows signed and unsigned capsules. So both should be described
here.

Best regards

Heinrich

>
>   Place the capsule generated in the above step on the EFI System
>   Partition under the EFI/UpdateCapsule directory
>
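Review bot: the replacement command in this hunk hard-codes `--monotonic-count 1` where the removed GenerateCapsule example used `--monotonic-count <val>`. The monotonic count is the value the firmware compares against the last applied capsule so that an older signed capsule cannot be replayed, so a literal 1 in the documentation invites a copy-paste that is rejected on the second update. Suggest restoring `<val>` and adding one sentence stating that the value must be higher than the count of the previously applied capsule.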
AKASHI Takahiro Sept. 2, 2021, 9:22 a.m. UTC | #2
On Tue, Aug 31, 2021 at 08:07:18AM +0200, Heinrich Schuchardt wrote:
> On 8/31/21 4:46 AM, AKASHI Takahiro wrote:
> > Now we can use mkeficapsule command instead of EDK-II's script
> > to create a signed capsule file. So update the instruction for
> > capsule authentication.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >   doc/develop/uefi/uefi.rst | 31 ++++++++++++++-----------------
> >   1 file changed, 14 insertions(+), 17 deletions(-)
> > 
> > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> > index 64fe9346c7f2..5ccb455da984 100644
> > --- a/doc/develop/uefi/uefi.rst
> > +++ b/doc/develop/uefi/uefi.rst
> > @@ -347,23 +347,20 @@ and used by the steps highlighted below::
> >               -keyout CRT.key -out CRT.crt -nodes -days 365
> >           $ cert-to-efi-sig-list CRT.crt CRT.esl
> > 
> > -        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
> > -        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
> > -
> > -        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
> > -        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
> > -
> > -The capsule file can be generated by using the GenerateCapsule.py
> > -script in EDKII::
> > -
> > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> > -      <capsule_file_name> --monotonic-count <val> --fw-version \
> > -      <val> --lsv <val> --guid \
> > -      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
> > -      --update-image-index <val> --signer-private-cert \
> > -      /path/to/CRT.pem --trusted-public-cert \
> > -      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
> > -      <u-boot.bin>
> > +The signed capsule file can be generated by using tools/mkeficapsule.
> > +To build this tool, enable::
> > +
> > +    CONFIG_TOOLS_MKEFICAPSULE=y
> > +    CONFIG_TOOLS_LIBCRYPTO=y
> > +
> > +To generate and sign the capsule file::
> > +
> > +    $ mkeficapsule --monotonic-count 1 \
> > +      --private-key CRT.key \
> > +      --certificate CRT.crt \
> > +      --index 1 --instance 0 \
> > +      [--fit <FIT image> | --raw <raw image>] \
> > +      <capsule_file_name>
> 
> Patch 1 allows signed and unsigned capsules. So both should be described
> here.

Sughosh's original doc doesn't have a description for the *unsigned* case,
but adding one is not a big deal.

-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> > 
> >   Place the capsule generated in the above step on the EFI System
> >   Partition under the EFI/UpdateCapsule directory
> > 
>

Patch

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 64fe9346c7f2..5ccb455da984 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -347,23 +347,20 @@  and used by the steps highlighted below::
             -keyout CRT.key -out CRT.crt -nodes -days 365
         $ cert-to-efi-sig-list CRT.crt CRT.esl
 
-        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
-        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
-
-        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
-        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
-
-The capsule file can be generated by using the GenerateCapsule.py
-script in EDKII::
-
-    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
-      <capsule_file_name> --monotonic-count <val> --fw-version \
-      <val> --lsv <val> --guid \
-      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
-      --update-image-index <val> --signer-private-cert \
-      /path/to/CRT.pem --trusted-public-cert \
-      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
-      <u-boot.bin>
+The signed capsule file can be generated by using tools/mkeficapsule.
+To build this tool, enable::
+
+    CONFIG_TOOLS_MKEFICAPSULE=y
+    CONFIG_TOOLS_LIBCRYPTO=y
+
+To generate and sign the capsule file::
+
+    $ mkeficapsule --monotonic-count 1 \
+      --private-key CRT.key \
+      --certificate CRT.crt \
+      --index 1 --instance 0 \
+      [--fit <FIT image> | --raw <raw image>] \
+      <capsule_file_name>
 
 Place the capsule generated in the above step on the EFI System
 Partition under the EFI/UpdateCapsule directory
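Review bot: the new paragraph starting `+The signed capsule file can be generated by using tools/mkeficapsule.` documents only the signed path and shows `--private-key CRT.key` and `--certificate CRT.crt` as if they were mandatory; since the thread states that patch 1 also accepts unsigned capsules, mark those two options as optional and say plainly that a capsule built without them will be rejected by firmware that has authentication enabled. Two smaller points in the same hunk: the deletion of the openssl lines removes every mention of what CRT.esl (still produced by `cert-to-efi-sig-list CRT.crt CRT.esl`) is later used for, so one sentence tying it to the verification step, with a note that CRT.key must never be placed on the device, would close the gap the deletion leaves; and the usage-style `[--fit <FIT image> | --raw <raw image>]` inside a literal `$ mkeficapsule` invocation reads as if the brackets were typed, so showing the two variants as separate commands would be clearer.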