[v9,04/11] tools: mkeficapsule: add firmware image signing

Message ID	20220118043954.55940-5-takahiro.akashi@linaro.org
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; From: AKASHI Takahiro <takahiro.akashi@linaro.org> To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro <takahiro.akashi@linaro.org> Subject: [PATCH v9 04/11] tools: mkeficapsule: add firmware image signing Date: Tue, 18 Jan 2022 13:39:47 +0900 Message-Id: <20220118043954.55940-5-takahiro.akashi@linaro.org> In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org> References: <20220118043954.55940-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	efi_loader: capsule: improve capsule authentication support \| expand [v9,00/11] efi_loader: capsule: improve capsule authentication support [v9,01/11] tools: mkeficapsule: output messages to stderr instead of stdout [v9,02/11] tools: mkeficapsule: rework the code a little bit [v9,03/11] tools: build mkeficapsule with tools-only_defconfig [v9,04/11] tools: mkeficapsule: add firmware image signing [v9,05/11] tools: mkeficapsule: add man page [v9,06/11] doc: update UEFI document for usage of mkeficapsule [v9,07/11] test/py: efi_capsule: add image authentication test [v9,08/11] tools: mkeficapsule: allow for specifying GUID explicitly [v9,09/11] test/py: efi_capsule: align with the syntax change of mkeficapsule [v9,10/11] test/py: efi_capsule: add a test for "--guid" option [v9,11/11] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE

Message ID

20220118043954.55940-5-takahiro.akashi@linaro.org

State

New

Headers

Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender)
 client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01;
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: xypron.glpk@gmx.de,
	agraf@csgraf.de,
	sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org,
 masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de,
 AKASHI Takahiro <takahiro.akashi@linaro.org>
Subject: [PATCH v9 04/11] tools: mkeficapsule: add firmware image signing
Date: Tue, 18 Jan 2022 13:39:47 +0900
Message-Id: <20220118043954.55940-5-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

efi_loader: capsule: improve capsule authentication support | expand

Commit Message

AKASHI Takahiro Jan. 18, 2022, 4:39 a.m. UTC

With this enhancement, mkeficapsule will be able to sign a capsule
file when it is created. A signature added will be used later
in the verification at FMP's SetImage() call.

To do that, we need specify additional command parameters:
  -monotonic-cout <count> : monotonic count
  -private-key <private key file> : private key file
  -certificate <certificate file> : certificate file
Only when all of those parameters are given, a signature will be added
to a capsule file.

Users are expected to maintain and increment the monotonic count at
every time of the update for each firmware image.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 tools/Makefile       |   4 +
 tools/eficapsule.h   | 115 +++++++++++++
 tools/mkeficapsule.c | 398 +++++++++++++++++++++++++++++++++++++++----
 3 files changed, 487 insertions(+), 30 deletions(-)
 create mode 100644 tools/eficapsule.h

Comments

Heinrich Schuchardt Jan. 20, 2022, 7:09 p.m. UTC | #1

On 1/18/22 05:39, AKASHI Takahiro wrote:
> With this enhancement, mkeficapsule will be able to sign a capsule
> file when it is created. A signature added will be used later
> in the verification at FMP's SetImage() call.
>
> To do that, we need specify additional command parameters:
>    -monotonic-cout <count> : monotonic count
>    -private-key <private key file> : private key file
>    -certificate <certificate file> : certificate file
> Only when all of those parameters are given, a signature will be added
> to a capsule file.
>
> Users are expected to maintain and increment the monotonic count at
> every time of the update for each firmware image.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
>   tools/Makefile       |   4 +
>   tools/eficapsule.h   | 115 +++++++++++++
>   tools/mkeficapsule.c | 398 +++++++++++++++++++++++++++++++++++++++----
>   3 files changed, 487 insertions(+), 30 deletions(-)
>   create mode 100644 tools/eficapsule.h
>
> diff --git a/tools/Makefile b/tools/Makefile
> index 766c0674f4a0..afca08e2941a 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -238,6 +238,10 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs
>   hostprogs-$(CONFIG_ASN1_COMPILER)	+= asn1_compiler
>   HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
>
> +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y)

This does not make sense.

You have put mkeficapsule.c under GPL-2.0. Nobody will be able to
distribute the tool compiled with OpenSSL.

According to the changelog only you and Sugosh have made contributions
that are copyrightable.

Either agree with Sughosh to change that license to be OpenSSL
compatible or drop this patch. The BSD license would work. Or you could
use libtls.


Once you have changed the license rethink if we really need the
CONFIG_TOOLS_LIBCRYPTO dependency.

Best regards

Heinrich


> +HOSTLDLIBS_mkeficapsule += \
> +	$(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto")
> +endif
>   hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
>
>   # We build some files with extra pedantic flags to try to minimize things
> diff --git a/tools/eficapsule.h b/tools/eficapsule.h
> new file mode 100644
> index 000000000000..8c1560bb0671
> --- /dev/null
> +++ b/tools/eficapsule.h
> @@ -0,0 +1,115 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright 2021 Linaro Limited
> + *		Author: AKASHI Takahiro
> + *
> + * derived from efi.h and efi_api.h to make the file POSIX-compliant
> + */
> +
> +#ifndef _EFI_CAPSULE_H
> +#define _EFI_CAPSULE_H
> +
> +#include <stdint.h>
> +#include <pe.h> /* WIN_CERTIFICATE */
> +
> +/*
> + * Gcc's predefined attributes are not recognized by clang.
> + */
> +#ifndef __packed
> +#define __packed	__attribute__((__packed__))
> +#endif
> +
> +#ifndef __aligned
> +#define __aligned(x)	__attribute__((__aligned__(x)))
> +#endif
> +
> +typedef struct {
> +	uint8_t b[16];
> +} efi_guid_t __aligned(8);
> +
> +#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
> +	{{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \
> +		((a) >> 24) & 0xff, \
> +		(b) & 0xff, ((b) >> 8) & 0xff, \
> +		(c) & 0xff, ((c) >> 8) & 0xff, \
> +		(d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } }
> +
> +#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \
> +	EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \
> +		 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a)
> +
> +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \
> +	EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \
> +		 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47)
> +
> +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \
> +	EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \
> +		 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f)
> +
> +#define EFI_CERT_TYPE_PKCS7_GUID \
> +	EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
> +		 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
> +
> +/* flags */
> +#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET      0x00010000
> +
> +struct efi_capsule_header {
> +	efi_guid_t capsule_guid;
> +	uint32_t header_size;
> +	uint32_t flags;
> +	uint32_t capsule_image_size;
> +} __packed;
> +
> +struct efi_firmware_management_capsule_header {
> +	uint32_t version;
> +	uint16_t embedded_driver_count;
> +	uint16_t payload_item_count;
> +	uint32_t item_offset_list[];
> +} __packed;
> +
> +/* image_capsule_support */
> +#define CAPSULE_SUPPORT_AUTHENTICATION          0x0000000000000001
> +
> +struct efi_firmware_management_capsule_image_header {
> +	uint32_t version;
> +	efi_guid_t update_image_type_id;
> +	uint8_t update_image_index;
> +	uint8_t reserved[3];
> +	uint32_t update_image_size;
> +	uint32_t update_vendor_code_size;
> +	uint64_t update_hardware_instance;
> +	uint64_t image_capsule_support;
> +} __packed;
> +
> +/**
> + * win_certificate_uefi_guid - A certificate that encapsulates
> + * a GUID-specific signature
> + *
> + * @hdr:	Windows certificate header
> + * @cert_type:	Certificate type
> + * @cert_data:	Certificate data
> + */
> +struct win_certificate_uefi_guid {
> +	WIN_CERTIFICATE	hdr;
> +	efi_guid_t cert_type;
> +	uint8_t cert_data[];
> +} __packed;
> +
> +/**
> + * efi_firmware_image_authentication - Capsule authentication method
> + * descriptor
> + *
> + * This structure describes an authentication information for
> + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set
> + * and should be included as part of the capsule.
> + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
> + *
> + * @monotonic_count: Count to prevent replay
> + * @auth_info: Authentication info
> + */
> +struct efi_firmware_image_authentication {
> +	uint64_t monotonic_count;
> +	struct win_certificate_uefi_guid auth_info;
> +} __packed;
> +
> +#endif /* _EFI_CAPSULE_H */
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> index ee3e489c0b30..66dc2ee20912 100644
> --- a/tools/mkeficapsule.c
> +++ b/tools/mkeficapsule.c
> @@ -16,21 +16,17 @@
>   #include <sys/stat.h>
>   #include <sys/types.h>
>
> -typedef __u8 u8;
> -typedef __u16 u16;
> -typedef __u32 u32;
> -typedef __u64 u64;
> -typedef __s16 s16;
> -typedef __s32 s32;
> -
> -#define aligned_u64 __aligned_u64
> -
> -#ifndef __packed
> -#define __packed __attribute__((packed))
> +#include <linux/kconfig.h>
> +#ifdef CONFIG_TOOLS_LIBCRYPTO
> +#include <openssl/asn1.h>
> +#include <openssl/bio.h>
> +#include <openssl/evp.h>
> +#include <openssl/err.h>
> +#include <openssl/pem.h>
> +#include <openssl/pkcs7.h>
>   #endif
>
> -#include <efi.h>
> -#include <efi_api.h>
> +#include "eficapsule.h"
>
>   static const char *tool_name = "mkeficapsule";
>
> @@ -39,12 +35,25 @@ efi_guid_t efi_guid_image_type_uboot_fit =
>   		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID;
>   efi_guid_t efi_guid_image_type_uboot_raw =
>   		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID;
> +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
> +
> +#ifdef CONFIG_TOOLS_LIBCRYPTO
> +static const char *opts_short = "f:r:i:I:v:p:c:m:dh";
> +#else
> +static const char *opts_short = "f:r:i:I:v:h";
> +#endif
>
>   static struct option options[] = {
>   	{"fit", required_argument, NULL, 'f'},
>   	{"raw", required_argument, NULL, 'r'},
>   	{"index", required_argument, NULL, 'i'},
>   	{"instance", required_argument, NULL, 'I'},
> +#ifdef CONFIG_TOOLS_LIBCRYPTO
> +	{"private-key", required_argument, NULL, 'p'},
> +	{"certificate", required_argument, NULL, 'c'},
> +	{"monotonic-count", required_argument, NULL, 'm'},
> +	{"dump-sig", no_argument, NULL, 'd'},
> +#endif
>   	{"help", no_argument, NULL, 'h'},
>   	{NULL, 0, NULL, 0},
>   };
> @@ -58,10 +67,253 @@ static void print_usage(void)
>   		"\t-r, --raw <raw image>       new raw image file\n"
>   		"\t-i, --index <index>         update image index\n"
>   		"\t-I, --instance <instance>   update hardware instance\n"
> +#ifdef CONFIG_TOOLS_LIBCRYPTO
> +		"\t-p, --private-key <privkey file>  private key file\n"
> +		"\t-c, --certificate <cert file>     signer's certificate file\n"
> +		"\t-m, --monotonic-count <count>     monotonic count\n"
> +		"\t-d, --dump_sig              dump signature (*.p7)\n"
> +#endif
>   		"\t-h, --help                  print a help message\n",
>   		tool_name);
>   }
>
> +/**
> + * auth_context - authentication context
> + * @key_file:	Path to a private key file
> + * @cert_file:	Path to a certificate file
> + * @image_data:	Pointer to firmware data
> + * @image_size:	Size of firmware data
> + * @auth:	Authentication header
> + * @sig_data:	Signature data
> + * @sig_size:	Size of signature data
> + *
> + * Data structure used in create_auth_data(). @key_file through
> + * @image_size are input parameters. @auth, @sig_data and @sig_size
> + * are filled in by create_auth_data().
> + */
> +struct auth_context {
> +	char *key_file;
> +	char *cert_file;
> +	uint8_t *image_data;
> +	size_t image_size;
> +	struct efi_firmware_image_authentication auth;
> +	uint8_t *sig_data;
> +	size_t sig_size;
> +};
> +
> +static int dump_sig;
> +
> +#ifdef CONFIG_TOOLS_LIBCRYPTO
> +/**
> + * fileio-read_pkey - read out a private key
> + * @filename:	Path to a private key file
> + *
> + * Read out a private key file and parse it into "EVP_PKEY" structure.
> + *
> + * Return:
> + * * Pointer to private key structure  - on success
> + * * NULL - on failure
> + */
> +static EVP_PKEY *fileio_read_pkey(const char *filename)
> +{
> +	EVP_PKEY *key = NULL;
> +	BIO *bio;
> +
> +	bio = BIO_new_file(filename, "r");
> +	if (!bio)
> +		goto out;
> +
> +	key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
> +
> +out:
> +	BIO_free_all(bio);
> +	if (!key) {
> +		fprintf(stderr, "Can't load key from file '%s'\n", filename);
> +		ERR_print_errors_fp(stderr);
> +	}
> +
> +	return key;
> +}
> +
> +/**
> + * fileio-read_cert - read out a certificate
> + * @filename:	Path to a certificate file
> + *
> + * Read out a certificate file and parse it into "X509" structure.
> + *
> + * Return:
> + * * Pointer to certificate structure  - on success
> + * * NULL - on failure
> + */
> +static X509 *fileio_read_cert(const char *filename)
> +{
> +	X509 *cert = NULL;
> +	BIO *bio;
> +
> +	bio = BIO_new_file(filename, "r");
> +	if (!bio)
> +		goto out;
> +
> +	cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
> +
> +out:
> +	BIO_free_all(bio);
> +	if (!cert) {
> +		fprintf(stderr, "Can't load certificate from file '%s'\n",
> +			filename);
> +		ERR_print_errors_fp(stderr);
> +	}
> +
> +	return cert;
> +}
> +
> +/**
> + * create_auth_data - compose authentication data in capsule
> + * @auth_context:	Pointer to authentication context
> + *
> + * Fill up an authentication header (.auth) and signature data (.sig_data)
> + * in @auth_context, using library functions from openssl.
> + * All the parameters in @auth_context must be filled in by a caller.
> + *
> + * Return:
> + * * 0  - on success
> + * * -1 - on failure
> + */
> +static int create_auth_data(struct auth_context *ctx)
> +{
> +	EVP_PKEY *key = NULL;
> +	X509 *cert = NULL;
> +	BIO *data_bio = NULL;
> +	const EVP_MD *md;
> +	PKCS7 *p7;
> +	int flags, ret = -1;
> +
> +	OpenSSL_add_all_digests();
> +	OpenSSL_add_all_ciphers();
> +	ERR_load_crypto_strings();
> +
> +	key = fileio_read_pkey(ctx->key_file);
> +	if (!key)
> +		goto err;
> +	cert = fileio_read_cert(ctx->cert_file);
> +	if (!cert)
> +		goto err;
> +
> +	/*
> +	 * create a BIO, containing:
> +	 *  * firmware image
> +	 *  * monotonic count
> +	 * in this order!
> +	 * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256()
> +	 */
> +	data_bio = BIO_new(BIO_s_mem());
> +	BIO_write(data_bio, ctx->image_data, ctx->image_size);
> +	BIO_write(data_bio, &ctx->auth.monotonic_count,
> +		  sizeof(ctx->auth.monotonic_count));
> +
> +	md = EVP_get_digestbyname("SHA256");
> +	if (!md)
> +		goto err;
> +
> +	/* create signature */
> +	/* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */
> +	flags = PKCS7_BINARY | PKCS7_DETACHED;
> +	p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL);
> +	if (!p7)
> +		goto err;
> +	if (!PKCS7_sign_add_signer(p7, cert, key, md, flags))
> +		goto err;
> +	if (!PKCS7_final(p7, data_bio, flags))
> +		goto err;
> +
> +	/* convert pkcs7 into DER */
> +	ctx->sig_data = NULL;
> +	ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data,
> +				      ASN1_ITEM_rptr(PKCS7));
> +	if (!ctx->sig_size)
> +		goto err;
> +
> +	/* fill auth_info */
> +	ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info)
> +						+ ctx->sig_size;
> +	ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0;
> +	ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> +	memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7,
> +	       sizeof(efi_guid_cert_type_pkcs7));
> +
> +	ret = 0;
> +err:
> +	BIO_free_all(data_bio);
> +	EVP_PKEY_free(key);
> +	X509_free(cert);
> +
> +	return ret;
> +}
> +
> +/**
> + * dump_signature - dump out a signature
> + * @path:	Path to a capsule file
> + * @signature:	Signature data
> + * @sig_size:	Size of signature data
> + *
> + * Signature data pointed to by @signature will be saved into
> + * a file whose file name is @path with ".p7" suffix.
> + *
> + * Return:
> + * * 0  - on success
> + * * -1 - on failure
> + */
> +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size)
> +{
> +	char *sig_path;
> +	FILE *f;
> +	size_t size;
> +	int ret = -1;
> +
> +	sig_path = malloc(strlen(path) + 3 + 1);
> +	if (!sig_path)
> +		return ret;
> +
> +	sprintf(sig_path, "%s.p7", path);
> +	f = fopen(sig_path, "w");
> +	if (!f)
> +		goto err;
> +
> +	size = fwrite(signature, 1, sig_size, f);
> +	if (size == sig_size)
> +		ret = 0;
> +
> +	fclose(f);
> +err:
> +	free(sig_path);
> +	return ret;
> +}
> +
> +/**
> + * free_sig_data - free out signature data
> + * @ctx:	Pointer to authentication context
> + *
> + * Free signature data allocated in create_auth_data().
> + */
> +static void free_sig_data(struct auth_context *ctx)
> +{
> +	if (ctx->sig_size)
> +		OPENSSL_free(ctx->sig_data);
> +}
> +#else
> +static int create_auth_data(struct auth_context *ctx)
> +{
> +	return 0;
> +}
> +
> +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size)
> +{
> +	return 0;
> +}
> +
> +static void free_sig_data(struct auth_context *ctx) {}
> +#endif
> +
>   /**
>    * read_bin_file - read a firmware binary file
>    * @bin:	Path to a firmware binary file
> @@ -168,23 +420,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
>    * * -1 - on failure
>    */
>   static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> -			unsigned long index, unsigned long instance)
> +			unsigned long index, unsigned long instance,
> +			uint64_t mcount, char *privkey_file, char *cert_file)
>   {
>   	struct efi_capsule_header header;
>   	struct efi_firmware_management_capsule_header capsule;
>   	struct efi_firmware_management_capsule_image_header image;
> +	struct auth_context auth_context;
>   	FILE *f;
>   	void *data;
>   	off_t bin_size;
> -	u64 offset;
> +	uint64_t offset;
>   	int ret;
>
>   #ifdef DEBUG
>   	fprintf(stderr, "For output: %s\n", path);
>   	fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid);
> -	fprintf(stderr, "\tindex: %ld\n\tinstance: %ld\n", index, instance);
> +	fprintf(stderr, "\tindex: %lu\n\tinstance: %lu\n", index, instance);
>   #endif
> -
> +	auth_context.sig_size = 0;
>   	f = NULL;
>   	data = NULL;
>   	ret = -1;
> @@ -195,6 +449,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   	if (read_bin_file(bin, &data, &bin_size))
>   		goto err;
>
> +	/* first, calculate signature to determine its size */
> +	if (privkey_file && cert_file) {
> +		auth_context.key_file = privkey_file;
> +		auth_context.cert_file = cert_file;
> +		auth_context.auth.monotonic_count = mcount;
> +		auth_context.image_data = data;
> +		auth_context.image_size = bin_size;
> +
> +		if (create_auth_data(&auth_context)) {
> +			fprintf(stderr, "Signing firmware image failed\n");
> +			goto err;
> +		}
> +
> +		if (dump_sig &&
> +		    dump_signature(path, auth_context.sig_data,
> +				   auth_context.sig_size)) {
> +			fprintf(stderr, "Creating signature file failed\n");
> +			goto err;
> +		}
> +	}
> +
>   	/*
>   	 * write a capsule file
>   	 */
> @@ -212,9 +487,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   	/* TODO: The current implementation ignores flags */
>   	header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET;
>   	header.capsule_image_size = sizeof(header)
> -					+ sizeof(capsule) + sizeof(u64)
> +					+ sizeof(capsule) + sizeof(uint64_t)
>   					+ sizeof(image)
>   					+ bin_size;
> +	if (auth_context.sig_size)
> +		header.capsule_image_size += sizeof(auth_context.auth)
> +				+ auth_context.sig_size;
>   	if (write_capsule_file(f, &header, sizeof(header),
>   			       "Capsule header"))
>   		goto err;
> @@ -230,7 +508,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   			       "Firmware capsule header"))
>   		goto err;
>
> -	offset = sizeof(capsule) + sizeof(u64);
> +	offset = sizeof(capsule) + sizeof(uint64_t);
>   	if (write_capsule_file(f, &offset, sizeof(offset),
>   			       "Offset to capsule image"))
>   		goto err;
> @@ -245,13 +523,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   	image.reserved[1] = 0;
>   	image.reserved[2] = 0;
>   	image.update_image_size = bin_size;
> +	if (auth_context.sig_size)
> +		image.update_image_size += sizeof(auth_context.auth)
> +				+ auth_context.sig_size;
>   	image.update_vendor_code_size = 0; /* none */
>   	image.update_hardware_instance = instance;
>   	image.image_capsule_support = 0;
> +	if (auth_context.sig_size)
> +		image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION;
>   	if (write_capsule_file(f, &image, sizeof(image),
>   			       "Firmware capsule image header"))
>   		goto err;
>
> +	/*
> +	 * signature
> +	 */
> +	if (auth_context.sig_size) {
> +		if (write_capsule_file(f, &auth_context.auth,
> +				       sizeof(auth_context.auth),
> +				       "Authentication header"))
> +			goto err;
> +
> +		if (write_capsule_file(f, auth_context.sig_data,
> +				       auth_context.sig_size, "Signature"))
> +			goto err;
> +	}
> +
>   	/*
>   	 * firmware binary
>   	 */
> @@ -262,28 +559,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   err:
>   	if (f)
>   		fclose(f);
> +	free_sig_data(&auth_context);
>   	free(data);
>
>   	return ret;
>   }
>
> -/*
> - * Usage:
> - *   $ mkeficapsule -f <firmware binary> <output file>
> +/**
> + * main - main entry function of mkeficapsule
> + * @argc:	Number of arguments
> + * @argv:	Array of pointers to arguments
> + *
> + * Create an uefi capsule file, optionally signing it.
> + * Parse all the arguments and pass them on to create_fwbin().
> + *
> + * Return:
> + * * 0  - on success
> + * * -1 - on failure
>    */
>   int main(int argc, char **argv)
>   {
>   	char *file;
>   	efi_guid_t *guid;
>   	unsigned long index, instance;
> +	uint64_t mcount;
> +	char *privkey_file, *cert_file;
>   	int c, idx;
>
>   	file = NULL;
>   	guid = NULL;
>   	index = 0;
>   	instance = 0;
> +	mcount = 0;
> +	privkey_file = NULL;
> +	cert_file = NULL;
> +	dump_sig = 0;
>   	for (;;) {
> -		c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx);
> +		c = getopt_long(argc, argv, opts_short, options, &idx);
>   		if (c == -1)
>   			break;
>
> @@ -291,7 +603,7 @@ int main(int argc, char **argv)
>   		case 'f':
>   			if (file) {
>   				fprintf(stderr, "Image already specified\n");
> -				return -1;
> +				exit(EXIT_FAILURE);
>   			}
>   			file = optarg;
>   			guid = &efi_guid_image_type_uboot_fit;
> @@ -299,7 +611,7 @@ int main(int argc, char **argv)
>   		case 'r':
>   			if (file) {
>   				fprintf(stderr, "Image already specified\n");
> -				return -1;
> +				exit(EXIT_FAILURE);
>   			}
>   			file = optarg;
>   			guid = &efi_guid_image_type_uboot_raw;
> @@ -310,14 +622,40 @@ int main(int argc, char **argv)
>   		case 'I':
>   			instance = strtoul(optarg, NULL, 0);
>   			break;
> +#ifdef CONFIG_TOOLS_LIBCRYPTO
> +		case 'p':
> +			if (privkey_file) {
> +				fprintf(stderr,
> +					"Private Key already specified\n");
> +				exit(EXIT_FAILURE);
> +			}
> +			privkey_file = optarg;
> +			break;
> +		case 'c':
> +			if (cert_file) {
> +				fprintf(stderr,
> +					"Certificate file already specified\n");
> +				exit(EXIT_FAILURE);
> +			}
> +			cert_file = optarg;
> +			break;
> +		case 'm':
> +			mcount = strtoul(optarg, NULL, 0);
> +			break;
> +		case 'd':
> +			dump_sig = 1;
> +			break;
> +#endif /* CONFIG_TOOLS_LIBCRYPTO */
>   		case 'h':
>   			print_usage();
> -			return 0;
> +			exit(EXIT_SUCCESS);
>   		}
>   	}
>
> -	/* need an output file */
> -	if (argc != optind + 1) {
> +	/* check necessary parameters */
> +	if ((argc != optind + 1) || !file ||
> +	    ((privkey_file && !cert_file) ||
> +	     (!privkey_file && cert_file))) {
>   		print_usage();
>   		exit(EXIT_FAILURE);
>   	}
> @@ -328,8 +666,8 @@ int main(int argc, char **argv)
>   		exit(EXIT_SUCCESS);
>   	}
>
> -	if (create_fwbin(argv[optind], file, guid, index, instance)
> -			< 0) {
> +	if (create_fwbin(argv[optind], file, guid, index, instance,
> +			 mcount, privkey_file, cert_file) < 0) {
>   		fprintf(stderr, "Creating firmware capsule failed\n");
>   		exit(EXIT_FAILURE);
>   	}

diff --git a/tools/Makefile b/tools/Makefile
index 766c0674f4a0..afca08e2941a 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -238,6 +238,10 @@  hostprogs-$(CONFIG_MIPS) += mips-relocs
 hostprogs-$(CONFIG_ASN1_COMPILER)	+= asn1_compiler
 HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
 
+ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y)
+HOSTLDLIBS_mkeficapsule += \
+	$(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto")
+endif
 hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
 
 # We build some files with extra pedantic flags to try to minimize things
diff --git a/tools/eficapsule.h b/tools/eficapsule.h
new file mode 100644
index 000000000000..8c1560bb0671
--- /dev/null
+++ b/tools/eficapsule.h
@@ -0,0 +1,115 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2021 Linaro Limited
+ *		Author: AKASHI Takahiro
+ *
+ * derived from efi.h and efi_api.h to make the file POSIX-compliant
+ */
+
+#ifndef _EFI_CAPSULE_H
+#define _EFI_CAPSULE_H
+
+#include <stdint.h>
+#include <pe.h> /* WIN_CERTIFICATE */
+
+/*
+ * Gcc's predefined attributes are not recognized by clang.
+ */
+#ifndef __packed
+#define __packed	__attribute__((__packed__))
+#endif
+
+#ifndef __aligned
+#define __aligned(x)	__attribute__((__aligned__(x)))
+#endif
+
+typedef struct {
+	uint8_t b[16];
+} efi_guid_t __aligned(8);
+
+#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
+	{{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \
+		((a) >> 24) & 0xff, \
+		(b) & 0xff, ((b) >> 8) & 0xff, \
+		(c) & 0xff, ((c) >> 8) & 0xff, \
+		(d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } }
+
+#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \
+	EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \
+		 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a)
+
+#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \
+	EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \
+		 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47)
+
+#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \
+	EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \
+		 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f)
+
+#define EFI_CERT_TYPE_PKCS7_GUID \
+	EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
+		 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
+
+/* flags */
+#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET      0x00010000
+
+struct efi_capsule_header {
+	efi_guid_t capsule_guid;
+	uint32_t header_size;
+	uint32_t flags;
+	uint32_t capsule_image_size;
+} __packed;
+
+struct efi_firmware_management_capsule_header {
+	uint32_t version;
+	uint16_t embedded_driver_count;
+	uint16_t payload_item_count;
+	uint32_t item_offset_list[];
+} __packed;
+
+/* image_capsule_support */
+#define CAPSULE_SUPPORT_AUTHENTICATION          0x0000000000000001
+
+struct efi_firmware_management_capsule_image_header {
+	uint32_t version;
+	efi_guid_t update_image_type_id;
+	uint8_t update_image_index;
+	uint8_t reserved[3];
+	uint32_t update_image_size;
+	uint32_t update_vendor_code_size;
+	uint64_t update_hardware_instance;
+	uint64_t image_capsule_support;
+} __packed;
+
+/**
+ * win_certificate_uefi_guid - A certificate that encapsulates
+ * a GUID-specific signature
+ *
+ * @hdr:	Windows certificate header
+ * @cert_type:	Certificate type
+ * @cert_data:	Certificate data
+ */
+struct win_certificate_uefi_guid {
+	WIN_CERTIFICATE	hdr;
+	efi_guid_t cert_type;
+	uint8_t cert_data[];
+} __packed;
+
+/**
+ * efi_firmware_image_authentication - Capsule authentication method
+ * descriptor
+ *
+ * This structure describes an authentication information for
+ * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set
+ * and should be included as part of the capsule.
+ * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
+ *
+ * @monotonic_count: Count to prevent replay
+ * @auth_info: Authentication info
+ */
+struct efi_firmware_image_authentication {
+	uint64_t monotonic_count;
+	struct win_certificate_uefi_guid auth_info;
+} __packed;
+
+#endif /* _EFI_CAPSULE_H */
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index ee3e489c0b30..66dc2ee20912 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -16,21 +16,17 @@ 
 #include <sys/stat.h>
 #include <sys/types.h>
 
-typedef __u8 u8;
-typedef __u16 u16;
-typedef __u32 u32;
-typedef __u64 u64;
-typedef __s16 s16;
-typedef __s32 s32;
-
-#define aligned_u64 __aligned_u64
-
-#ifndef __packed
-#define __packed __attribute__((packed))
+#include <linux/kconfig.h>
+#ifdef CONFIG_TOOLS_LIBCRYPTO
+#include <openssl/asn1.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs7.h>
 #endif
 
-#include <efi.h>
-#include <efi_api.h>
+#include "eficapsule.h"
 
 static const char *tool_name = "mkeficapsule";
 
@@ -39,12 +35,25 @@  efi_guid_t efi_guid_image_type_uboot_fit =
 		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID;
 efi_guid_t efi_guid_image_type_uboot_raw =
 		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID;
+efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
+
+#ifdef CONFIG_TOOLS_LIBCRYPTO
+static const char *opts_short = "f:r:i:I:v:p:c:m:dh";
+#else
+static const char *opts_short = "f:r:i:I:v:h";
+#endif
 
 static struct option options[] = {
 	{"fit", required_argument, NULL, 'f'},
 	{"raw", required_argument, NULL, 'r'},
 	{"index", required_argument, NULL, 'i'},
 	{"instance", required_argument, NULL, 'I'},
+#ifdef CONFIG_TOOLS_LIBCRYPTO
+	{"private-key", required_argument, NULL, 'p'},
+	{"certificate", required_argument, NULL, 'c'},
+	{"monotonic-count", required_argument, NULL, 'm'},
+	{"dump-sig", no_argument, NULL, 'd'},
+#endif
 	{"help", no_argument, NULL, 'h'},
 	{NULL, 0, NULL, 0},
 };
@@ -58,10 +67,253 @@  static void print_usage(void)
 		"\t-r, --raw <raw image>       new raw image file\n"
 		"\t-i, --index <index>         update image index\n"
 		"\t-I, --instance <instance>   update hardware instance\n"
+#ifdef CONFIG_TOOLS_LIBCRYPTO
+		"\t-p, --private-key <privkey file>  private key file\n"
+		"\t-c, --certificate <cert file>     signer's certificate file\n"
+		"\t-m, --monotonic-count <count>     monotonic count\n"
+		"\t-d, --dump_sig              dump signature (*.p7)\n"
+#endif
 		"\t-h, --help                  print a help message\n",
 		tool_name);
 }
 
+/**
+ * auth_context - authentication context
+ * @key_file:	Path to a private key file
+ * @cert_file:	Path to a certificate file
+ * @image_data:	Pointer to firmware data
+ * @image_size:	Size of firmware data
+ * @auth:	Authentication header
+ * @sig_data:	Signature data
+ * @sig_size:	Size of signature data
+ *
+ * Data structure used in create_auth_data(). @key_file through
+ * @image_size are input parameters. @auth, @sig_data and @sig_size
+ * are filled in by create_auth_data().
+ */
+struct auth_context {
+	char *key_file;
+	char *cert_file;
+	uint8_t *image_data;
+	size_t image_size;
+	struct efi_firmware_image_authentication auth;
+	uint8_t *sig_data;
+	size_t sig_size;
+};
+
+static int dump_sig;
+
+#ifdef CONFIG_TOOLS_LIBCRYPTO
+/**
+ * fileio-read_pkey - read out a private key
+ * @filename:	Path to a private key file
+ *
+ * Read out a private key file and parse it into "EVP_PKEY" structure.
+ *
+ * Return:
+ * * Pointer to private key structure  - on success
+ * * NULL - on failure
+ */
+static EVP_PKEY *fileio_read_pkey(const char *filename)
+{
+	EVP_PKEY *key = NULL;
+	BIO *bio;
+
+	bio = BIO_new_file(filename, "r");
+	if (!bio)
+		goto out;
+
+	key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+
+out:
+	BIO_free_all(bio);
+	if (!key) {
+		fprintf(stderr, "Can't load key from file '%s'\n", filename);
+		ERR_print_errors_fp(stderr);
+	}
+
+	return key;
+}
+
+/**
+ * fileio-read_cert - read out a certificate
+ * @filename:	Path to a certificate file
+ *
+ * Read out a certificate file and parse it into "X509" structure.
+ *
+ * Return:
+ * * Pointer to certificate structure  - on success
+ * * NULL - on failure
+ */
+static X509 *fileio_read_cert(const char *filename)
+{
+	X509 *cert = NULL;
+	BIO *bio;
+
+	bio = BIO_new_file(filename, "r");
+	if (!bio)
+		goto out;
+
+	cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+out:
+	BIO_free_all(bio);
+	if (!cert) {
+		fprintf(stderr, "Can't load certificate from file '%s'\n",
+			filename);
+		ERR_print_errors_fp(stderr);
+	}
+
+	return cert;
+}
+
+/**
+ * create_auth_data - compose authentication data in capsule
+ * @auth_context:	Pointer to authentication context
+ *
+ * Fill up an authentication header (.auth) and signature data (.sig_data)
+ * in @auth_context, using library functions from openssl.
+ * All the parameters in @auth_context must be filled in by a caller.
+ *
+ * Return:
+ * * 0  - on success
+ * * -1 - on failure
+ */
+static int create_auth_data(struct auth_context *ctx)
+{
+	EVP_PKEY *key = NULL;
+	X509 *cert = NULL;
+	BIO *data_bio = NULL;
+	const EVP_MD *md;
+	PKCS7 *p7;
+	int flags, ret = -1;
+
+	OpenSSL_add_all_digests();
+	OpenSSL_add_all_ciphers();
+	ERR_load_crypto_strings();
+
+	key = fileio_read_pkey(ctx->key_file);
+	if (!key)
+		goto err;
+	cert = fileio_read_cert(ctx->cert_file);
+	if (!cert)
+		goto err;
+
+	/*
+	 * create a BIO, containing:
+	 *  * firmware image
+	 *  * monotonic count
+	 * in this order!
+	 * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256()
+	 */
+	data_bio = BIO_new(BIO_s_mem());
+	BIO_write(data_bio, ctx->image_data, ctx->image_size);
+	BIO_write(data_bio, &ctx->auth.monotonic_count,
+		  sizeof(ctx->auth.monotonic_count));
+
+	md = EVP_get_digestbyname("SHA256");
+	if (!md)
+		goto err;
+
+	/* create signature */
+	/* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */
+	flags = PKCS7_BINARY | PKCS7_DETACHED;
+	p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL);
+	if (!p7)
+		goto err;
+	if (!PKCS7_sign_add_signer(p7, cert, key, md, flags))
+		goto err;
+	if (!PKCS7_final(p7, data_bio, flags))
+		goto err;
+
+	/* convert pkcs7 into DER */
+	ctx->sig_data = NULL;
+	ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data,
+				      ASN1_ITEM_rptr(PKCS7));
+	if (!ctx->sig_size)
+		goto err;
+
+	/* fill auth_info */
+	ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info)
+						+ ctx->sig_size;
+	ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0;
+	ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+	memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7,
+	       sizeof(efi_guid_cert_type_pkcs7));
+
+	ret = 0;
+err:
+	BIO_free_all(data_bio);
+	EVP_PKEY_free(key);
+	X509_free(cert);
+
+	return ret;
+}
+
+/**
+ * dump_signature - dump out a signature
+ * @path:	Path to a capsule file
+ * @signature:	Signature data
+ * @sig_size:	Size of signature data
+ *
+ * Signature data pointed to by @signature will be saved into
+ * a file whose file name is @path with ".p7" suffix.
+ *
+ * Return:
+ * * 0  - on success
+ * * -1 - on failure
+ */
+static int dump_signature(const char *path, uint8_t *signature, size_t sig_size)
+{
+	char *sig_path;
+	FILE *f;
+	size_t size;
+	int ret = -1;
+
+	sig_path = malloc(strlen(path) + 3 + 1);
+	if (!sig_path)
+		return ret;
+
+	sprintf(sig_path, "%s.p7", path);
+	f = fopen(sig_path, "w");
+	if (!f)
+		goto err;
+
+	size = fwrite(signature, 1, sig_size, f);
+	if (size == sig_size)
+		ret = 0;
+
+	fclose(f);
+err:
+	free(sig_path);
+	return ret;
+}
+
+/**
+ * free_sig_data - free out signature data
+ * @ctx:	Pointer to authentication context
+ *
+ * Free signature data allocated in create_auth_data().
+ */
+static void free_sig_data(struct auth_context *ctx)
+{
+	if (ctx->sig_size)
+		OPENSSL_free(ctx->sig_data);
+}
+#else
+static int create_auth_data(struct auth_context *ctx)
+{
+	return 0;
+}
+
+static int dump_signature(const char *path, uint8_t *signature, size_t sig_size)
+{
+	return 0;
+}
+
+static void free_sig_data(struct auth_context *ctx) {}
+#endif
+
 /**
  * read_bin_file - read a firmware binary file
  * @bin:	Path to a firmware binary file
@@ -168,23 +420,25 @@  static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
  * * -1 - on failure
  */
 static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
-			unsigned long index, unsigned long instance)
+			unsigned long index, unsigned long instance,
+			uint64_t mcount, char *privkey_file, char *cert_file)
 {
 	struct efi_capsule_header header;
 	struct efi_firmware_management_capsule_header capsule;
 	struct efi_firmware_management_capsule_image_header image;
+	struct auth_context auth_context;
 	FILE *f;
 	void *data;
 	off_t bin_size;
-	u64 offset;
+	uint64_t offset;
 	int ret;
 
 #ifdef DEBUG
 	fprintf(stderr, "For output: %s\n", path);
 	fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid);
-	fprintf(stderr, "\tindex: %ld\n\tinstance: %ld\n", index, instance);
+	fprintf(stderr, "\tindex: %lu\n\tinstance: %lu\n", index, instance);
 #endif
-
+	auth_context.sig_size = 0;
 	f = NULL;
 	data = NULL;
 	ret = -1;
@@ -195,6 +449,27 @@  static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 	if (read_bin_file(bin, &data, &bin_size))
 		goto err;
 
+	/* first, calculate signature to determine its size */
+	if (privkey_file && cert_file) {
+		auth_context.key_file = privkey_file;
+		auth_context.cert_file = cert_file;
+		auth_context.auth.monotonic_count = mcount;
+		auth_context.image_data = data;
+		auth_context.image_size = bin_size;
+
+		if (create_auth_data(&auth_context)) {
+			fprintf(stderr, "Signing firmware image failed\n");
+			goto err;
+		}
+
+		if (dump_sig &&
+		    dump_signature(path, auth_context.sig_data,
+				   auth_context.sig_size)) {
+			fprintf(stderr, "Creating signature file failed\n");
+			goto err;
+		}
+	}
+
 	/*
 	 * write a capsule file
 	 */
@@ -212,9 +487,12 @@  static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 	/* TODO: The current implementation ignores flags */
 	header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET;
 	header.capsule_image_size = sizeof(header)
-					+ sizeof(capsule) + sizeof(u64)
+					+ sizeof(capsule) + sizeof(uint64_t)
 					+ sizeof(image)
 					+ bin_size;
+	if (auth_context.sig_size)
+		header.capsule_image_size += sizeof(auth_context.auth)
+				+ auth_context.sig_size;
 	if (write_capsule_file(f, &header, sizeof(header),
 			       "Capsule header"))
 		goto err;
@@ -230,7 +508,7 @@  static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 			       "Firmware capsule header"))
 		goto err;
 
-	offset = sizeof(capsule) + sizeof(u64);
+	offset = sizeof(capsule) + sizeof(uint64_t);
 	if (write_capsule_file(f, &offset, sizeof(offset),
 			       "Offset to capsule image"))
 		goto err;
@@ -245,13 +523,32 @@  static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 	image.reserved[1] = 0;
 	image.reserved[2] = 0;
 	image.update_image_size = bin_size;
+	if (auth_context.sig_size)
+		image.update_image_size += sizeof(auth_context.auth)
+				+ auth_context.sig_size;
 	image.update_vendor_code_size = 0; /* none */
 	image.update_hardware_instance = instance;
 	image.image_capsule_support = 0;
+	if (auth_context.sig_size)
+		image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION;
 	if (write_capsule_file(f, &image, sizeof(image),
 			       "Firmware capsule image header"))
 		goto err;
 
+	/*
+	 * signature
+	 */
+	if (auth_context.sig_size) {
+		if (write_capsule_file(f, &auth_context.auth,
+				       sizeof(auth_context.auth),
+				       "Authentication header"))
+			goto err;
+
+		if (write_capsule_file(f, auth_context.sig_data,
+				       auth_context.sig_size, "Signature"))
+			goto err;
+	}
+
 	/*
 	 * firmware binary
 	 */
@@ -262,28 +559,43 @@  static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 err:
 	if (f)
 		fclose(f);
+	free_sig_data(&auth_context);
 	free(data);
 
 	return ret;
 }
 
-/*
- * Usage:
- *   $ mkeficapsule -f <firmware binary> <output file>
+/**
+ * main - main entry function of mkeficapsule
+ * @argc:	Number of arguments
+ * @argv:	Array of pointers to arguments
+ *
+ * Create an uefi capsule file, optionally signing it.
+ * Parse all the arguments and pass them on to create_fwbin().
+ *
+ * Return:
+ * * 0  - on success
+ * * -1 - on failure
  */
 int main(int argc, char **argv)
 {
 	char *file;
 	efi_guid_t *guid;
 	unsigned long index, instance;
+	uint64_t mcount;
+	char *privkey_file, *cert_file;
 	int c, idx;
 
 	file = NULL;
 	guid = NULL;
 	index = 0;
 	instance = 0;
+	mcount = 0;
+	privkey_file = NULL;
+	cert_file = NULL;
+	dump_sig = 0;
 	for (;;) {
-		c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx);
+		c = getopt_long(argc, argv, opts_short, options, &idx);
 		if (c == -1)
 			break;
 
@@ -291,7 +603,7 @@  int main(int argc, char **argv)
 		case 'f':
 			if (file) {
 				fprintf(stderr, "Image already specified\n");
-				return -1;
+				exit(EXIT_FAILURE);
 			}
 			file = optarg;
 			guid = &efi_guid_image_type_uboot_fit;
@@ -299,7 +611,7 @@  int main(int argc, char **argv)
 		case 'r':
 			if (file) {
 				fprintf(stderr, "Image already specified\n");
-				return -1;
+				exit(EXIT_FAILURE);
 			}
 			file = optarg;
 			guid = &efi_guid_image_type_uboot_raw;
@@ -310,14 +622,40 @@  int main(int argc, char **argv)
 		case 'I':
 			instance = strtoul(optarg, NULL, 0);
 			break;
+#ifdef CONFIG_TOOLS_LIBCRYPTO
+		case 'p':
+			if (privkey_file) {
+				fprintf(stderr,
+					"Private Key already specified\n");
+				exit(EXIT_FAILURE);
+			}
+			privkey_file = optarg;
+			break;
+		case 'c':
+			if (cert_file) {
+				fprintf(stderr,
+					"Certificate file already specified\n");
+				exit(EXIT_FAILURE);
+			}
+			cert_file = optarg;
+			break;
+		case 'm':
+			mcount = strtoul(optarg, NULL, 0);
+			break;
+		case 'd':
+			dump_sig = 1;
+			break;
+#endif /* CONFIG_TOOLS_LIBCRYPTO */
 		case 'h':
 			print_usage();
-			return 0;
+			exit(EXIT_SUCCESS);
 		}
 	}
 
-	/* need an output file */
-	if (argc != optind + 1) {
+	/* check necessary parameters */
+	if ((argc != optind + 1) || !file ||
+	    ((privkey_file && !cert_file) ||
+	     (!privkey_file && cert_file))) {
 		print_usage();
 		exit(EXIT_FAILURE);
 	}
@@ -328,8 +666,8 @@  int main(int argc, char **argv)
 		exit(EXIT_SUCCESS);
 	}
 
-	if (create_fwbin(argv[optind], file, guid, index, instance)
-			< 0) {
+	if (create_fwbin(argv[optind], file, guid, index, instance,
+			 mcount, privkey_file, cert_file) < 0) {
 		fprintf(stderr, "Creating firmware capsule failed\n");
 		exit(EXIT_FAILURE);
 	}

[v9,04/11] tools: mkeficapsule: add firmware image signing

Commit Message

Comments

Patch