From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Michal Simek, Takahiro Akashi, Malte Schmidt, Tom Rini
Subject: [PATCH v2 0/8] Integrate EFI capsule tasks into u-boot's build flow
Date: Sat, 24 Jun 2023 19:11:10 +0530
Message-Id: <20230624134118.944567-1-sughosh.ganu@linaro.org>

This patchset aims to bring two capsule-related tasks under the u-boot build flow.

One is the embedding of the public key into the platform's dtb. The public key is in the form of an EFI Signature List (ESL) file and is used for capsule authentication. This is being achieved through binman, with an entry type added for raw images, and properties added to the binman fit entry type to enable embedding the ESL into all the DTBs that get packaged into the FIT. The path to the ESL file is being provided through a Kconfig symbol (CONFIG_EFI_CAPSULE_ESL_FILE). Changes have also been made to the test flow so that the keys used for signing the capsule, and the ESL file, are generated prior to invoking the u-boot build, which enables embedding the ESL file into the dtb as part of the u-boot build flow.

The other task is to add a make target for generating capsules. This is being achieved by adding support for parsing a config file to get the capsule generation parameters. Multiple payloads can be specified, resulting in generation of multiple capsules with a single invocation of the command. The path to the config file is to be specified through a Kconfig symbol (CONFIG_EFI_CAPSULE_CFG_FILE). Changes have been made to the efi capsule test setup, whereby, with the above config symbol having been populated, the capsule files are generated through the make capsule command. The requisite config file has been placed under the test/py/tests/test_efi_capsule/ directory, which results in generation of the same set of capsule files.

Currently, the capsule authentication feature is tested on the sandbox and sandbox_flattree variants. The capsule generation through config file is enabled for the sandbox variant, with the sandbox_flattree variant generating capsules through the command-line parameters.

The document has been updated to reflect the above changes.

Changes since V1:

At a broad level, this version takes a stab at using binman for embedding the ESL file into the DTBs. This is being done for both raw images and FIT images. I had mentioned the issue of dependency when using binman for generating capsules [1], which is why I have stuck with using the make target for generating capsules.

[1] - https://lists.denx.de/pipermail/u-boot/2023-June/520814.html

* New patch
* Use fdt_add_pubkey tool for adding the ESL into the dtb instead of using the shell script used in the earlier version.
* Achieve the embedding of the ESL into the DTB through binman
* Add an entry type fdt-esl-embed for embedding the ESL for raw images.
* Add logic in binman's fit entry type for embedding the ESL into all the DTBs which are part of the FIT image.
* Add corresponding documentation entries in binman for the above changes.
* Add the logic to generate the keys in the yml files which get used in the CI setup.
* Add a fdt-esl-embed node in sandbox's binman node with capsule authentication enabled.
* Add a cfg-file parameter to pass the config file to the mkeficapsule tool. This results in generation of the same tool image irrespective of using command-line parameters or config file.
* Call the mkeficapsule utility with the cfg-file parameter when building capsules via the config file.

Sughosh Ganu (8):
  fdt_add_pubkey: Add support for adding ESL public key under signature node
  capsule: authenticate: Embed capsule public key in platform's dtb
  test: py: Change capsule authenticate test flow
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from config file
  Makefile: Add a target for building capsules
  test: efi_capsule: Test capsule generation from config file
  doc: Add documentation to describe capsule config file format

 .azure-pipelines.yml                          |  17 +
 .gitlab-ci.yml                                |  15 +
 Makefile                                      |   9 +
 arch/sandbox/dts/sandbox.dts                  |   4 +
 arch/sandbox/dts/sandbox_capsule.dtsi         |  12 +
 arch/sandbox/dts/test.dts                     |   4 +
 configs/sandbox_defconfig                     |   2 +
 configs/sandbox_flattree_defconfig            |   1 +
 doc/develop/uefi/uefi.rst                     |  83 ++++-
 lib/efi_loader/Kconfig                        |  11 +
 test/py/conftest.py                           |  64 ++++
 test/py/tests/test_efi_capsule/conftest.py    | 142 ++++---
 .../test_efi_capsule/sandbox_capsule_cfg.txt  |  75 ++++
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 tools/Kconfig                                 |   9 +
 tools/Makefile                                |   3 +-
 tools/binman/btool/fdt_add_pubkey.py          |  73 ++++
 tools/binman/entries.rst                      |  49 +++
 tools/binman/etype/fdt_esl_embed.py           |  80 ++++
 tools/binman/etype/fit.py                     |  31 ++
 tools/eficapsule.h                            | 110 ++++++
 tools/fdt_add_pubkey.c                        |  16 +-
 tools/fdt_add_pubkey_esl.c                    |  98 +++++
 tools/mkeficapsule.c                          |  84 +++--
 tools/mkeficapsule_parse.c                    | 345 ++++++++++++++++++
 25 files changed, 1216 insertions(+), 131 deletions(-)
 create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 tools/binman/btool/fdt_add_pubkey.py
 create mode 100644 tools/binman/etype/fdt_esl_embed.py
 create mode 100644 tools/fdt_add_pubkey_esl.c
 create mode 100644 tools/mkeficapsule_parse.c
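The cover letter treats the ESL file as an opaque blob that binman and fdt_add_pubkey embed into the dtb, but the file has a fixed on-disk layout (EFI_SIGNATURE_LIST followed by one or more EFI_SIGNATURE_DATA entries, per the UEFI specification), and a build step that accepts an arbitrary CONFIG_EFI_CAPSULE_ESL_FILE should sanity-check that layout before it ends up in a platform's firmware. The following is an added example, not code from this patch series or from U-Boot: it builds a single-entry X.509 ESL around a constructed placeholder certificate (not a real DER certificate) and parses it back, rejecting truncated or size-inconsistent input. The EFI_CERT_X509_GUID value is the one from the UEFI specification; the owner GUID and certificate bytes are made up for the example.

```python
"""Build and parse an EFI Signature List (ESL) carrying one X.509 entry.

Added example, not code from the patch series or from U-Boot. The
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout follows the UEFI
specification; the certificate bytes below are a constructed placeholder.
"""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification. uuid.UUID.bytes_le
# produces the mixed-endian GUID encoding that EFI uses on disk.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType[16], SignatureListSize,
# SignatureHeaderSize, SignatureSize (UINT32 each, little-endian).
_LIST_HDR = struct.Struct("<16sIII")
_GUID_LEN = 16


def build_esl(cert_der: bytes, owner: uuid.UUID,
              sig_type: uuid.UUID = EFI_CERT_X509_GUID) -> bytes:
    """Wrap one certificate into a single-entry ESL with no SignatureHeader."""
    sig_size = _GUID_LEN + len(cert_der)      # one EFI_SIGNATURE_DATA
    list_size = _LIST_HDR.size + sig_size
    hdr = _LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    return hdr + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> list:
    """Return (sig_type, owner, data) tuples for every entry in every list.

    Raises ValueError on truncated input, inconsistent sizes or zero-length
    entries instead of reading past the buffer or looping forever.
    """
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with buffer")
        if sig_size <= _GUID_LEN:
            raise ValueError("SignatureSize leaves no room for SignatureData")
        body = list_size - _LIST_HDR.size - hdr_size
        if body % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + _LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _GUID_LEN])
            data = blob[pos + _GUID_LEN:pos + sig_size]
            out.append((sig_type, owner, data))
            pos += sig_size
        off += list_size        # list_size > 0 is guaranteed by the checks above
    return out


# Constructed inputs: a placeholder "certificate" (not real DER) and an
# arbitrary SignatureOwner GUID.
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")


def roundtrip() -> bool:
    """Build an ESL, parse it back and confirm the entry survived intact."""
    entries = parse_esl(build_esl(SAMPLE_CERT, SAMPLE_OWNER))
    return (len(entries) == 1
            and entries[0][0] == EFI_CERT_X509_GUID
            and entries[0][1] == SAMPLE_OWNER
            and entries[0][2] == SAMPLE_CERT)


if __name__ == "__main__":
    print("round trip ok" if roundtrip() else "round trip FAILED")
```

Running parse_esl over the file named by CONFIG_EFI_CAPSULE_ESL_FILE before the build embeds it catches the common mistakes (a PEM file instead of an ESL, a truncated copy, or a list whose SignatureType is not X.509) at build time rather than at the first failed capsule update on the target.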