diff mbox series

[v6,9/9] sandbox: capsule: Generate capsule related files through binman

Message ID 20230801174018.1342555-10-sughosh.ganu@linaro.org
State New
Headers show
Series Integrate EFI capsule tasks into u-boot's build flow | expand

Commit Message

Sughosh Ganu Aug. 1, 2023, 5:40 p.m. UTC 
The EFI capsule files can now be generated as part of u-boot
build. This is done through binman. Add capsule entry nodes in the
u-boot.dtsi for the sandbox architecture for generating the
capsules. Remove the corresponding generation of capsules from the
capsule update conftest file.

The capsules are generated through the config file for the sandbox
variant, and through explicit parameters for the sandbox_flattree
variant.

Also generate the FIT image used for testing the capsule update
feature on the sandbox_flattree variant through binman. Remove the now
superfluous its file which was used for generating this FIT image.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since V5:
* Use the public key ESL file and other input files from the tree
  instead of the /tmp/capsules/ directory being used in previous
  version.
* Use macros for other input files and certs. 

 arch/sandbox/dts/u-boot.dtsi                  | 347 ++++++++++++++++++
 test/py/tests/test_efi_capsule/conftest.py    | 128 +------
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 3 files changed, 348 insertions(+), 163 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its

Comments

Simon Glass Aug. 2, 2023, 12:52 p.m. UTC | #1 
Hi Sughosh,

On Tue, 1 Aug 2023 at 11:41, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> The EFI capsule files can now be generated as part of u-boot
> build. This is done through binman. Add capsule entry nodes in the
> u-boot.dtsi for the sandbox architecture for generating the
> capsules. Remove the corresponding generation of capsules from the
> capsule update conftest file.
>
> The capsules are generated through the config file for the sandbox
> variant, and through explicit parameters for the sandbox_flattree
> variant.
>
> Also generate the FIT image used for testing the capsule update
> feature on the sandbox_flattree variant through binman. Remove the now
> superfluous its file which was used for generating this FIT image.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> Changes since V5:
> * Use the public key ESL file and other input files from the tree
>   instead of the /tmp/capsules/ directory being used in previous
>   version.
> * Use macros for other input files and certs.
>
>  arch/sandbox/dts/u-boot.dtsi                  | 347 ++++++++++++++++++
>  test/py/tests/test_efi_capsule/conftest.py    | 128 +------
>  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
>  3 files changed, 348 insertions(+), 163 deletions(-)
>  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
>

I want to get the binman stuff right before diving into this, but the
binman stuff seems fairly close, so I'll just mention...do you really
need all these combinations of tests? It seems to me that one test is
enough. You know that the binman tests will protect the code there, so
why test it all over again here?

Regards,
Simon
Sughosh Ganu Aug. 3, 2023, 11:17 a.m. UTC | #2 
hi Simon,

On Wed, 2 Aug 2023 at 18:23, Simon Glass <sjg@chromium.org> wrote:
>
> Hi Sughosh,
>
> On Tue, 1 Aug 2023 at 11:41, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> >
> > The EFI capsule files can now be generated as part of u-boot
> > build. This is done through binman. Add capsule entry nodes in the
> > u-boot.dtsi for the sandbox architecture for generating the
> > capsules. Remove the corresponding generation of capsules from the
> > capsule update conftest file.
> >
> > The capsules are generated through the config file for the sandbox
> > variant, and through explicit parameters for the sandbox_flattree
> > variant.
> >
> > Also generate the FIT image used for testing the capsule update
> > feature on the sandbox_flattree variant through binman. Remove the now
> > superfluous its file which was used for generating this FIT image.
> >
> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > ---
> > Changes since V5:
> > * Use the public key ESL file and other input files from the tree
> >   instead of the /tmp/capsules/ directory being used in previous
> >   version.
> > * Use macros for other input files and certs.
> >
> >  arch/sandbox/dts/u-boot.dtsi                  | 347 ++++++++++++++++++
> >  test/py/tests/test_efi_capsule/conftest.py    | 128 +------
> >  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
> >  3 files changed, 348 insertions(+), 163 deletions(-)
> >  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
> >
>
> I want to get the binman stuff right before diving into this, but the
> binman stuff seems fairly close, so I'll just mention...do you really
> need all these combinations of tests? It seems to me that one test is
> enough. You know that the binman tests will protect the code there, so
> why test it all over again here?

These are capsules that are needed for testing the EFI capsule update
functionality. Currently, the capsules used for testing the feature
are generated after u-boot has been built. Same for embedding the
public key in the dtb. I think it is better to have the same flow of
generating capsules and the associated logic(public key embedding)
that is being supported in u-boot rather than having two divergent
flows. This also serves as an example for potential users who would
want to generate capsules as part of the build flow.

-sughosh

>
> Regards,
> Simon
Simon Glass Aug. 4, 2023, 3:02 a.m. UTC | #3 
Hi Sughosh,

On Thu, 3 Aug 2023 at 05:18, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> hi Simon,
>
> On Wed, 2 Aug 2023 at 18:23, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Sughosh,
> >
> > On Tue, 1 Aug 2023 at 11:41, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > >
> > > The EFI capsule files can now be generated as part of u-boot
> > > build. This is done through binman. Add capsule entry nodes in the
> > > u-boot.dtsi for the sandbox architecture for generating the
> > > capsules. Remove the corresponding generation of capsules from the
> > > capsule update conftest file.
> > >
> > > The capsules are generated through the config file for the sandbox
> > > variant, and through explicit parameters for the sandbox_flattree
> > > variant.
> > >
> > > Also generate the FIT image used for testing the capsule update
> > > feature on the sandbox_flattree variant through binman. Remove the now
> > > superfluous its file which was used for generating this FIT image.
> > >
> > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > ---
> > > Changes since V5:
> > > * Use the public key ESL file and other input files from the tree
> > >   instead of the /tmp/capsules/ directory being used in previous
> > >   version.
> > > * Use macros for other input files and certs.
> > >
> > >  arch/sandbox/dts/u-boot.dtsi                  | 347 ++++++++++++++++++
> > >  test/py/tests/test_efi_capsule/conftest.py    | 128 +------
> > >  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
> > >  3 files changed, 348 insertions(+), 163 deletions(-)
> > >  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
> > >
> >
> > I want to get the binman stuff right before diving into this, but the
> > binman stuff seems fairly close, so I'll just mention...do you really
> > need all these combinations of tests? It seems to me that one test is
> > enough. You know that the binman tests will protect the code there, so
> > why test it all over again here?
>
> These are capsules that are needed for testing the EFI capsule update
> functionality. Currently, the capsules used for testing the feature
> are generated after u-boot has been built. Same for embedding the
> public key in the dtb. I think it is better to have the same flow of
> generating capsules and the associated logic(public key embedding)
> that is being supported in u-boot rather than having two divergent
> flows. This also serves as an example for potential users who would
> want to generate capsules as part of the build flow.

But my question was why you need more than one test here? Are you
testing that U-Boot can decode a capsule file of various types? That
should be done in unit tests.

Now I see the tests you are referring to in
test_capsule_firmware_signed_raw.py  (please shorten the name!)

These tests all have the reboot problem we need to fix, but anyway, at
least I understand it.

It looks like you are writing the test files into the source tree?
They should be written to the output tree.

Regards,
Simon
Sughosh Ganu Aug. 4, 2023, 7:03 a.m. UTC | #4 
hi Simon,

On Fri, 4 Aug 2023 at 08:32, Simon Glass <sjg@chromium.org> wrote:
>
> Hi Sughosh,
>
> On Thu, 3 Aug 2023 at 05:18, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> >
> > hi Simon,
> >
> > On Wed, 2 Aug 2023 at 18:23, Simon Glass <sjg@chromium.org> wrote:
> > >
> > > Hi Sughosh,
> > >
> > > On Tue, 1 Aug 2023 at 11:41, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > > >
> > > > The EFI capsule files can now be generated as part of u-boot
> > > > build. This is done through binman. Add capsule entry nodes in the
> > > > u-boot.dtsi for the sandbox architecture for generating the
> > > > capsules. Remove the corresponding generation of capsules from the
> > > > capsule update conftest file.
> > > >
> > > > The capsules are generated through the config file for the sandbox
> > > > variant, and through explicit parameters for the sandbox_flattree
> > > > variant.
> > > >
> > > > Also generate the FIT image used for testing the capsule update
> > > > feature on the sandbox_flattree variant through binman. Remove the now
> > > > superfluous its file which was used for generating this FIT image.
> > > >
> > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > > ---
> > > > Changes since V5:
> > > > * Use the public key ESL file and other input files from the tree
> > > >   instead of the /tmp/capsules/ directory being used in previous
> > > >   version.
> > > > * Use macros for other input files and certs.
> > > >
> > > >  arch/sandbox/dts/u-boot.dtsi                  | 347 ++++++++++++++++++
> > > >  test/py/tests/test_efi_capsule/conftest.py    | 128 +------
> > > >  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
> > > >  3 files changed, 348 insertions(+), 163 deletions(-)
> > > >  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
> > > >
> > >
> > > I want to get the binman stuff right before diving into this, but the
> > > binman stuff seems fairly close, so I'll just mention...do you really
> > > need all these combinations of tests? It seems to me that one test is
> > > enough. You know that the binman tests will protect the code there, so
> > > why test it all over again here?
> >
> > These are capsules that are needed for testing the EFI capsule update
> > functionality. Currently, the capsules used for testing the feature
> > are generated after u-boot has been built. Same for embedding the
> > public key in the dtb. I think it is better to have the same flow of
> > generating capsules and the associated logic(public key embedding)
> > that is being supported in u-boot rather than having two divergent
> > flows. This also serves as an example for potential users who would
> > want to generate capsules as part of the build flow.
>
> But my question was why you need more than one test here? Are you
> testing that U-Boot can decode a capsule file of various types? That
> should be done in unit tests.

The tests are the same. They are not being changed. What is changed is
the stage at which the capsules are being generated. Currently, the
capsules get generated only when the tests are invoked, as part of the
test setup. Same for embedding of the public key cert EFI Signature
List(ESL) file. This patch results in the capsules getting generated
as part of the u-boot build. Same for embedding of the public key ESL.
If we don't follow this flow, we would have support for generating
capsules as part of the u-boot build, but that flow would not be used
at all. I understand that binman tests the generation of capsules, but
we would then have this divergence between the flow that is supported,
and what is actually used in the tests.

One alternative, which I think is a middle ground for this would be to
add a Kconfig symbol and use that for generating capsules. We can then
use that symbol in CI. This is similar to how the trace testing
happens in CI on the sandbox platform. In that scenario, we would not
have the capsules getting generated during normal builds.

>
> Now I see the tests you are referring to in
> test_capsule_firmware_signed_raw.py  (please shorten the name!)
>
> These tests all have the reboot problem we need to fix, but anyway, at
> least I understand it.
>
> It looks like you are writing the test files into the source tree?
> They should be written to the output tree.

If we are to generate the capsules, and embed the key as part of the
u-boot build, these input files are needed. Btw, I do see a few places
which have input files in the source, including inside binman. What
issue do you see having these in the source?

I had discussed this with Tom over irc and he had suggested this
location for the files.

-sughosh
Simon Glass Aug. 4, 2023, 2:15 p.m. UTC | #5 
Hi Sughosh,

On Fri, 4 Aug 2023 at 01:03, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> hi Simon,
>
> On Fri, 4 Aug 2023 at 08:32, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Sughosh,
> >
> > On Thu, 3 Aug 2023 at 05:18, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > >
> > > hi Simon,
> > >
> > > On Wed, 2 Aug 2023 at 18:23, Simon Glass <sjg@chromium.org> wrote:
> > > >
> > > > Hi Sughosh,
> > > >
> > > > On Tue, 1 Aug 2023 at 11:41, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > > > >
> > > > > The EFI capsule files can now be generated as part of u-boot
> > > > > build. This is done through binman. Add capsule entry nodes in the
> > > > > u-boot.dtsi for the sandbox architecture for generating the
> > > > > capsules. Remove the corresponding generation of capsules from the
> > > > > capsule update conftest file.
> > > > >
> > > > > The capsules are generated through the config file for the sandbox
> > > > > variant, and through explicit parameters for the sandbox_flattree
> > > > > variant.
> > > > >
> > > > > Also generate the FIT image used for testing the capsule update
> > > > > feature on the sandbox_flattree variant through binman. Remove the now
> > > > > superfluous its file which was used for generating this FIT image.
> > > > >
> > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > > > ---
> > > > > Changes since V5:
> > > > > * Use the public key ESL file and other input files from the tree
> > > > >   instead of the /tmp/capsules/ directory being used in previous
> > > > >   version.
> > > > > * Use macros for other input files and certs.
> > > > >
> > > > >  arch/sandbox/dts/u-boot.dtsi                  | 347 ++++++++++++++++++
> > > > >  test/py/tests/test_efi_capsule/conftest.py    | 128 +------
> > > > >  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
> > > > >  3 files changed, 348 insertions(+), 163 deletions(-)
> > > > >  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
> > > > >
> > > >
> > > > I want to get the binman stuff right before diving into this, but the
> > > > binman stuff seems fairly close, so I'll just mention...do you really
> > > > need all these combinations of tests? It seems to me that one test is
> > > > enough. You know that the binman tests will protect the code there, so
> > > > why test it all over again here?
> > >
> > > These are capsules that are needed for testing the EFI capsule update
> > > functionality. Currently, the capsules used for testing the feature
> > > are generated after u-boot has been built. Same for embedding the
> > > public key in the dtb. I think it is better to have the same flow of
> > > generating capsules and the associated logic(public key embedding)
> > > that is being supported in u-boot rather than having two divergent
> > > flows. This also serves as an example for potential users who would
> > > want to generate capsules as part of the build flow.
> >
> > But my question was why you need more than one test here? Are you
> > testing that U-Boot can decode a capsule file of various types? That
> > should be done in unit tests.
>
> The tests are the same. They are not being changed. What is changed is
> the stage at which the capsules are being generated. Currently, the
> capsules get generated only when the tests are invoked, as part of the
> test setup. Same for embedding of the public key cert EFI Signature
> List(ESL) file. This patch results in the capsules getting generated
> as part of the u-boot build. Same for embedding of the public key ESL.
> If we don't follow this flow, we would have support for generating
> capsules as part of the u-boot build, but that flow would not be used
> at all. I understand that binman tests the generation of capsules, but
> we would then have this divergence between the flow that is supported,
> and what is actually used in the tests.

OK let's discuss the tests later.

>
> One alternative, which I think is a middle ground for this would be to
> add a Kconfig symbol and use that for generating capsules. We can then
> use that symbol in CI. This is similar to how the trace testing
> happens in CI on the sandbox platform. In that scenario, we would not
> have the capsules getting generated during normal builds.

Here's what I suggest:

- rely on binman tests for capsule generation
    - once you have a dump_capsule tool you can use that to check that
things look OK
- rely on unit tests for testing decoding capsules in U-Boot
- have a few functional tests as a sanity check for overall behaviour

>
> >
> > Now I see the tests you are referring to in
> > test_capsule_firmware_signed_raw.py  (please shorten the name!)
> >
> > These tests all have the reboot problem we need to fix, but anyway, at
> > least I understand it.
> >
> > It looks like you are writing the test files into the source tree?
> > They should be written to the output tree.
>
> If we are to generate the capsules, and embed the key as part of the
> u-boot build, these input files are needed. Btw, I do see a few places
> which have input files in the source, including inside binman. What
> issue do you see having these in the source?

OK so long as the tests don't write to the source tree, this is fine. Do they?

Rather than writing out the test/py/tests/xxx/xxx dir, just use the
leaf name. Then you can use the input dir. If you put the certificants
in board/sandbox/ that should work. Please do use 'blobl' instead of
'blob-ext' as the latter is confusing.

For the u-boot.bin.new file, it is just text, so you can use the
'text' etype that binman provides and then you don't need a file.

Basically, don't have paths in the .dtsi file. We try to make sure
that the includes, etc. are correct so that everything just works.

>
> I had discussed this with Tom over irc and he had suggested this
> location for the files.

It's fine for tests, but since this is now part of the build, we
should not be pulling in files from there.

Regards,
Simon
diff mbox series

Patch

diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
index 60bd004937..ae798660de 100644
--- a/arch/sandbox/dts/u-boot.dtsi
+++ b/arch/sandbox/dts/u-boot.dtsi
@@ -7,11 +7,358 @@ 
  */
 
 #ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+
+#define SANDBOX_UBOOT_IMAGE_GUID	"09d7cf52-0720-4710-91d1-08469b7fe9c8"
+#define SANDBOX_UBOOT_ENV_IMAGE_GUID	"5a7021f5-fef2-48b4-aaba-832e777418c0"
+#define SANDBOX_FIT_IMAGE_GUID		"3673b45d-6a7c-46f3-9e60-adabb03f7937"
+#define SANDBOX_INCORRECT_GUID		"058b7d83-50d5-4c47-a195-60d86ad341c4"
+
+#define UBOOT_BIN_IMAGE			"test/py/tests/test_efi_capsule/test_files/u-boot.bin.new"
+#define UBOOT_ENV_IMAGE			"test/py/tests/test_efi_capsule/test_files/u-boot.env.new"
+#define UBOOT_FIT_IMAGE			"u-boot_bin_env.itb"
+
+#define CAPSULE_PRIV_KEY		"test/py/tests/test_efi_capsule/test_files/SIGNER.key"
+#define CAPSULE_PUB_KEY			"test/py/tests/test_efi_capsule/test_files/SIGNER.crt"
+#define CAPSULE_INVAL_KEY		"test/py/tests/test_efi_capsule/test_files/SIGNER2.key"
+#define CAPSULE_INVAL_PUB_KEY		"test/py/tests/test_efi_capsule/test_files/SIGNER2.crt"
+
 / {
 #ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
 	signature {
 		capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
 	};
 #endif
+
+	binman: binman {
+		multiple-images;
+	};
+};
+
+&binman {
+	itb {
+		filename = UBOOT_FIT_IMAGE;
+
+		fit {
+			description = "Automatic U-Boot environment update";
+			#address-cells = <2>;
+
+			images {
+				u-boot-bin {
+					description = "U-Boot binary on SPI Flash";
+					compression = "none";
+					type = "firmware";
+					arch = "sandbox";
+					load = <0>;
+					blob {
+						filename = UBOOT_BIN_IMAGE;
+					};
+
+					hash-1 {
+						algo = "sha1";
+					};
+				};
+				u-boot-env {
+					description = "U-Boot environment on SPI Flash";
+					compression = "none";
+					type = "firmware";
+					arch = "sandbox";
+					load = <0>;
+					blob {
+						filename = UBOOT_ENV_IMAGE;
+					};
+
+					hash-1 {
+						algo = "sha1";
+					};
+				};
+			};
+		};
+	};
+
+	capsule1 {
+		filename = "Test01";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule2 {
+		filename = "Test02";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x2>;
+			image-type-id = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_ENV_IMAGE;
+			};
+		};
+	};
+
+	capsule3 {
+		filename = "Test03";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_INCORRECT_GUID;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule4 {
+		filename = "Test04";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_FIT_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+
+	capsule5 {
+		filename = "Test05";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_INCORRECT_GUID;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+
+	capsule6 {
+		filename = "Test101";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x5>;
+			image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule7 {
+		filename = "Test102";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x2>;
+			fw-version = <0xa>;
+			image-type-id = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_ENV_IMAGE;
+			};
+		};
+	};
+
+	capsule8 {
+		filename = "Test103";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x2>;
+			image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule9 {
+		filename = "Test104";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x5>;
+			image-type-id = SANDBOX_FIT_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+
+	capsule10 {
+		filename = "Test105";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x2>;
+			image-type-id = SANDBOX_FIT_IMAGE_GUID;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+	capsule11 {
+		filename = "Test11";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+			private-key = CAPSULE_PRIV_KEY;
+			pub-key-cert = CAPSULE_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule12 {
+		filename = "Test12";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+			private-key = CAPSULE_INVAL_KEY;
+			pub-key-cert = CAPSULE_INVAL_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule13 {
+		filename = "Test13";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_FIT_IMAGE_GUID;
+			private-key = CAPSULE_PRIV_KEY;
+			pub-key-cert = CAPSULE_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+
+	capsule14 {
+		filename = "Test14";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			image-type-id = SANDBOX_FIT_IMAGE_GUID;
+			private-key = CAPSULE_INVAL_KEY;
+			pub-key-cert = CAPSULE_INVAL_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+
+	capsule15 {
+		filename = "Test111";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x5>;
+			image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+			private-key = CAPSULE_PRIV_KEY;
+			pub-key-cert = CAPSULE_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule16 {
+		filename = "Test112";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x2>;
+			fw-version = <0xa>;
+			image-type-id = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+			private-key = CAPSULE_PRIV_KEY;
+			pub-key-cert = CAPSULE_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_ENV_IMAGE;
+			};
+		};
+	};
+
+	capsule17 {
+		filename = "Test113";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x2>;
+			image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+			private-key = CAPSULE_PRIV_KEY;
+			pub-key-cert = CAPSULE_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_BIN_IMAGE;
+			};
+		};
+	};
+
+	capsule18 {
+		filename = "Test114";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x5>;
+			image-type-id = SANDBOX_FIT_IMAGE_GUID;
+			private-key = CAPSULE_PRIV_KEY;
+			pub-key-cert = CAPSULE_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+
+	capsule19 {
+		filename = "Test115";
+		capsule {
+			type = "efi-capsule";
+			image-index = <0x1>;
+			fw-version = <0x2>;
+			image-type-id = SANDBOX_FIT_IMAGE_GUID;
+			private-key = CAPSULE_PRIV_KEY;
+			pub-key-cert = CAPSULE_PUB_KEY;
+			monotonic-count = <0x1>;
+
+			blob-ext {
+				filename = UBOOT_FIT_IMAGE;
+			};
+		};
+	};
+#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
 };
 #endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index bee3050282..bc0f188609 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -33,6 +33,7 @@  def efi_capsule_data(request, u_boot_config):
         check_call('mkdir -p %s' % data_dir, shell=True)
         check_call('mkdir -p %s' % install_dir, shell=True)
         check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True)
+        check_call('cp %s/Test* %s ' % (u_boot_config.build_dir, data_dir), shell=True)
 
         # Update dtb to add the version information
         check_call('cd %s; '
@@ -56,133 +57,6 @@  def efi_capsule_data(request, u_boot_config):
                             '-o test_ver.dtb version.dtbo'
                        % (data_dir, u_boot_config.build_dir), shell=True)
 
-        # Create capsule files
-        # two regions: one for u-boot.bin and the other for u-boot.env
-        check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
-                   shell=True)
-        check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s/test/py/tests/test_efi_capsule/uboot_bin_env.its > %s/uboot_bin_env.its' %
-                   (u_boot_config.source_dir, data_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test01' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 2 --guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test02' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 u-boot.bin.new Test03' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test04' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid  058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
-                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 '
-                        '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
-                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
-                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
-                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' %
-                   (data_dir, u_boot_config.build_dir),
-                   shell=True)
-
-        if capsule_auth_enabled:
-            # raw firmware signed with proper key
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--private-key SIGNER.key --certificate SIGNER.crt '
-                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
-                            'u-boot.bin.new Test11'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # raw firmware signed with *mal* key
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--private-key SIGNER2.key '
-                            '--certificate SIGNER2.crt '
-                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
-                            'u-boot.bin.new Test12'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # FIT firmware signed with proper key
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--private-key SIGNER.key --certificate SIGNER.crt '
-                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
-                            'uboot_bin_env.itb Test13'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # FIT firmware signed with *mal* key
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--private-key SIGNER2.key '
-                            '--certificate SIGNER2.crt '
-                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
-                            'uboot_bin_env.itb Test14'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # raw firmware signed with proper key with version information
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--fw-version 5 '
-                            '--private-key SIGNER.key --certificate SIGNER.crt '
-                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
-                            'u-boot.bin.new Test111'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # raw firmware signed with proper key with version information
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 2 --monotonic-count 1 '
-                            '--fw-version 10 '
-                            '--private-key SIGNER.key --certificate SIGNER.crt '
-                            '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 '
-                            'u-boot.env.new Test112'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # raw firmware signed with proper key with lower version information
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--fw-version 2 '
-                            '--private-key SIGNER.key --certificate SIGNER.crt '
-                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
-                            'u-boot.bin.new Test113'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # FIT firmware signed with proper key with version information
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--fw-version 5 '
-                            '--private-key SIGNER.key --certificate SIGNER.crt '
-                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
-                            'uboot_bin_env.itb Test114'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-            # FIT firmware signed with proper key with lower version information
-            check_call('cd %s; '
-                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
-                            '--fw-version 2 '
-                            '--private-key SIGNER.key --certificate SIGNER.crt '
-                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
-                            'uboot_bin_env.itb Test115'
-                       % (data_dir, u_boot_config.build_dir),
-                       shell=True)
-
         # Create a disk image with EFI system partition
         check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
                    (mnt_point, image_path), shell=True)
diff --git a/test/py/tests/test_efi_capsule/uboot_bin_env.its b/test/py/tests/test_efi_capsule/uboot_bin_env.its
deleted file mode 100644
index fc65907481..0000000000
--- a/test/py/tests/test_efi_capsule/uboot_bin_env.its
+++ /dev/null
@@ -1,36 +0,0 @@ 
-/*
- * Automatic software update for U-Boot
- * Make sure the flashing addresses ('load' prop) is correct for your board!
- */
-
-/dts-v1/;
-
-/ {
-	description = "Automatic U-Boot environment update";
-	#address-cells = <2>;
-
-	images {
-		u-boot-bin {
-			description = "U-Boot binary on SPI Flash";
-			data = /incbin/("BINFILE1");
-			compression = "none";
-			type = "firmware";
-			arch = "sandbox";
-			load = <0>;
-			hash-1 {
-				algo = "sha1";
-			};
-		};
-		u-boot-env {
-			description = "U-Boot environment on SPI Flash";
-			data = /incbin/("BINFILE2");
-			compression = "none";
-			type = "firmware";
-			arch = "sandbox";
-			load = <0>;
-			hash-1 {
-				algo = "sha1";
-			};
-		};
-	};
-};