From patchwork Wed May 12 04:57:49 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 435447
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH 0/4] efi_loader: capsule: improve capsule authentication support
Date: Wed, 12 May 2021 13:57:49 +0900
Message-Id: <20210512045753.62288-1-takahiro.akashi@linaro.org>

As I discussed in [1], I have made a couple of improvements on
the current implementation of capsule update.

Among others, this patch series
1. add signing feature to mkeficapsule
2. remove dtb operation from mkeficapsule
3. add pytest for capsule authentication (on sandbox)

NOTE:
I temporarily include Patch#3 in order to show that it is not worth
implementing in C as we can do the same thing with a very small shell
script. My intent is *NOT* to merge Patch#3 in upstream.

Prerequisite patches
====================
See Sughosh's [2] and my [3].

Test
====
* passed the pytest which is included in this patch series
  on sandbox built locally.

Todo
====
* review and update the document for capsule update
    doc/board/emulation/qemu_capsule_update.rst
  (but not in this patch series)

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-April/447183.html
[3] https://lists.denx.de/pipermail/u-boot/2021-May/449347.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449348.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449349.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449350.html
    https://lists.denx.de/pipermail/u-boot/2021-May/449351.html

Changes
=======
Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (4):
  tools: mkeficapsule: add firmwware image signing
  tools: mkeficapsule: remove device-tree related operation
  tools: add fdtsig command
  test/py: efi_capsule: add image authentication test

 Makefile                                      |   7 +-
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  35 +-
 test/py/tests/test_efi_capsule/signature.dts  |   8 +
 .../test_capsule_firmware_signed.py           | 234 +++++++++
 tools/Makefile                                |   7 +-
 tools/fdtsig.c                                | 274 +++++++++++
 tools/fdtsig.sh                               |  40 ++
 tools/mkeficapsule.c                          | 455 ++++++++++--------
 9 files changed, 856 insertions(+), 209 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
 create mode 100644 tools/fdtsig.c
 create mode 100755 tools/fdtsig.sh

-- 
2.31.0