From patchwork Sat Aug 5 11:34:47 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 710644 Delivered-To: patch@linaro.org Received: by 2002:a05:6359:d30:b0:129:c516:61db with SMTP id gp48csp501857rwb; Sat, 5 Aug 2023 04:35:28 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGMrQcAYMO35IQTb5T1uJ/qpxVG8+ocEKjxcKehrtVDtYbxAje/TW/gHXbn/8ezELFxyR55 X-Received: by 2002:adf:fa90:0:b0:317:dcdd:3fa2 with SMTP id h16-20020adffa90000000b00317dcdd3fa2mr847601wrr.31.1691235327990; Sat, 05 Aug 2023 04:35:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691235327; cv=none; d=google.com; s=arc-20160816; b=m4bdJ6XlhCtuguhAQKCc7I5DMBvJUXE22/DuuqdYTgEGIgwqWT+oc2/Co18yPTbpUh ONxcNkEYMgXrxi68wfLZq2j7MoBnARexLalEBk8/KwaqB8cG4S5Uosx+yijxTG0MC0Xa CC/x5ERVM8ntZuk8OQS3SQYMl9fXE3JdD+9A3+r51GOi6XkJj3z756+346s4+NRIrMGm zhzG+PjwmKgN06uMTKQQfmRpGHCs5drm1uVRgFOE3lfldcxzXZ7yeU5wzGT7sA2k0LXv sYERRXEQYpvXnujxOXyPHYH++xTAIH27kxVFkMvc0Yxatvb1OGmWyByPVTR3wVIES1dv ItsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from; bh=6RyfdThm60rkgBo0IA6x3iG0BNKnv1nYXxUbEwnX4S0=; fh=+VHZcQFytvjm817rO59VUXPZcjow18EhayO47FzvDvY=; b=SNQehWGaSo4B1Knwy3H+EsGm6sI9xog6w+1+MPx0djY1JLx2KDylbjRqP1fvYHJM28 D7bu86b6qy+1On0nLu7NxV6M6sXRKg1QCWrCEP2u1SLrTLH2l0KAyYWoVOhD/RMhgndI udJtfAPV0nBGxLyZHx15B0N3Wta/GIk18/AmBiui0q79Q+6o9RyCkbnGrxqD6u8WsRsP vU+JsRpXrVvwaGPXcjng5dbhmZH+nk7iT+FClzYuvtLPe7KeTeIbgouH6rqC4Uj2gA3D 6nIH2zNURlsFeHSHY+Fc/LJnd4OgglnwwYP9aK6JnjPIHvNq0JDYVXzvEw1OuiHJLJcD ieEw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id o8-20020a5d4a88000000b003159ec8b992si2063130wrq.435.2023.08.05.04.35.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 05 Aug 2023 04:35:27 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 687CA867CA; Sat, 5 Aug 2023 13:35:26 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 97522867C9; Sat, 5 Aug 2023 13:35:25 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.2 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by phobos.denx.de (Postfix) with ESMTP id 2641A8666E for ; Sat, 5 Aug 2023 13:35:23 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=sughosh.ganu@linaro.org Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id DE1591FB; Sat, 5 Aug 2023 04:36:04 -0700 (PDT) Received: from a076522.blr.arm.com (unknown [10.162.46.7]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9E0113F5A1; Sat, 5 Aug 2023 04:35:19 -0700 (PDT) From: Sughosh Ganu To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Simon Glass , Takahiro Akashi , Malte Schmidt , Michal Simek , Tom Rini Subject: [PATCH v7 00/11] Integrate EFI capsule tasks into u-boot's build flow Date: Sat, 5 Aug 2023 17:04:47 +0530 Message-Id: <20230805113458.1430239-1-sughosh.ganu@linaro.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean This patchset aims to bring two capsule related tasks under the u-boot build flow. One is the embedding of the public key into the platform's dtb. The public key is in the form of an EFI Signature List(ESL) file and is used for capsule authentication. This is being achieved by adding the signature node containing the capsule public key in the architecture's u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for the sandbox and arm architectures. The path to the ESL file is being provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE). Changes have also been made to the test flow so that the keys used for signing the capsule, and the ESL file, are generated prior to invoking the u-boot's build, which enables embedding the ESL file into the dtb as part of the u-boot build. The other task is related to generation of capsules. The capsules can be generated as part of u-boot build, and this is being achieved through binman, by adding a capsule entry type. The capsules can be generated by specifying the capsule parameters as properties under the capsule entry node. Changes have also been made to the efi capsule update feature testing setup on the sandbox variants. Currently, the capsule files and the public key ESL file are generated after u-boot has been built. This logic has been changed so that the capsule input files along with the keys needed for capsule signing and authentication are generated prior to initiation of the u-boot build. The placement of all the keys and public key certificates needed for signing and authenticating capsules is under the board/sandbox/ directory. The other input files needed for testing the EFI capsule update feature are being generated through binman for the sandbox platform. The document has been updated to reflect the above changes. Changes since V6: After discussing with Simon and Tom over irc, this series puts only the keys and cert files under the board/sandbox/ directory. The other set of capsule input files needed for capsule update feature testing are being generated through binman. The other patch specific changes are as under. * New patch that puts the keys and cert files under board/sandbox/ directory as suggested Simon Glass. * Populate the CONFIG_EFI_CAPSULE_ESL_FILE symbol for sandbox and sandbox_flattree which enable capsule authentication. * New patch which has been split up from the binman capsule entry support patch from earlier version, as suggested by Simon Glass. * Enables mkeficapsule tool for all sandbox variants, instead of only for sandbox_spl variant. * Split the changes for mkeficapsule btool into a separate patch, as suggested by Simon Glass. * Use the word commandline consistently, as suggested by Simon Glass. * Add macros for the GUID strings in sandbox_efi_capsule.h * Highlight that the private and public keys are mandatory for capsule signing. * Add a URL link to the UEFI spec, as used in the rst files. * Use local vars for private and public keys in BuildSectionData() * Use local vars for input payload and capsule filenames in BuildSectionData(). * Drop the ProcessContents() and SetImagePos() as the superclass functions suffice. * Use GUID macro names in the capsule test dts files. * Rename efi_capsule_payload.bin to capsule_input.bin. * Use macros defined in sandbox_efi_capsule for GUIDs and capsule input filenames. * Generate the capsule input files through binman text entries. * New patch for fixing CI trace test failure. Sughosh Ganu (11): binman: bintool: Build a tool from a list of commands nuvoton: npcm845-evb: Add a newline at the end of file sandbox: capsule: Add keys and certificates needed for capsule update testing capsule: authenticate: Add capsule public key in platform's dtb doc: capsule: Document the new mechanism to embed ESL file into dtb sandbox: Build the mkeficapsule tool for the sandbox variants btool: mkeficapsule: Add a bintool for EFI capsule generation binman: capsule: Add support for generating EFI capsules sandbox: capsule: Generate capsule related files through binman doc: Add documentation to highlight capsule generation related updates sandbox: trace: Increase trace buffer size .azure-pipelines.yml | 2 +- .gitlab-ci.yml | 2 +- arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +- arch/arm/dts/u-boot.dtsi | 14 + arch/sandbox/dts/u-boot.dtsi | 380 ++++++++++++++++++ board/sandbox/SIGNER.crt | 19 + board/sandbox/SIGNER.esl | Bin 0 -> 831 bytes board/sandbox/SIGNER.key | 28 ++ board/sandbox/SIGNER2.crt | 19 + board/sandbox/SIGNER2.key | 28 ++ configs/sandbox_defconfig | 1 + configs/sandbox_flattree_defconfig | 1 + doc/develop/uefi/uefi.rst | 40 +- include/sandbox_efi_capsule.h | 25 ++ lib/efi_loader/Kconfig | 9 + test/py/tests/test_efi_capsule/conftest.py | 168 +------- test/py/tests/test_efi_capsule/signature.dts | 10 - .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- test/py/tests/test_trace.py | 2 +- tools/Kconfig | 6 +- tools/binman/bintool.py | 19 +- tools/binman/btool/mkeficapsule.py | 101 +++++ tools/binman/entries.rst | 62 +++ tools/binman/etype/efi_capsule.py | 143 +++++++ tools/binman/ftest.py | 121 ++++++ tools/binman/test/307_capsule.dts | 23 ++ tools/binman/test/308_capsule_signed.dts | 25 ++ tools/binman/test/309_capsule_version.dts | 24 ++ tools/binman/test/310_capsule_signed_ver.dts | 26 ++ tools/binman/test/311_capsule_oemflags.dts | 24 ++ tools/binman/test/312_capsule_missing_key.dts | 24 ++ .../binman/test/313_capsule_missing_index.dts | 22 + .../binman/test/314_capsule_missing_guid.dts | 19 + .../test/315_capsule_missing_payload.dts | 19 + 34 files changed, 1213 insertions(+), 231 deletions(-) create mode 100644 arch/arm/dts/u-boot.dtsi create mode 100644 arch/sandbox/dts/u-boot.dtsi create mode 100644 board/sandbox/SIGNER.crt create mode 100644 board/sandbox/SIGNER.esl create mode 100644 board/sandbox/SIGNER.key create mode 100644 board/sandbox/SIGNER2.crt create mode 100644 board/sandbox/SIGNER2.key create mode 100644 include/sandbox_efi_capsule.h delete mode 100644 test/py/tests/test_efi_capsule/signature.dts delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its create mode 100644 tools/binman/btool/mkeficapsule.py create mode 100644 tools/binman/etype/efi_capsule.py create mode 100644 tools/binman/test/307_capsule.dts create mode 100644 tools/binman/test/308_capsule_signed.dts create mode 100644 tools/binman/test/309_capsule_version.dts create mode 100644 tools/binman/test/310_capsule_signed_ver.dts create mode 100644 tools/binman/test/311_capsule_oemflags.dts create mode 100644 tools/binman/test/312_capsule_missing_key.dts create mode 100644 tools/binman/test/313_capsule_missing_index.dts create mode 100644 tools/binman/test/314_capsule_missing_guid.dts create mode 100644 tools/binman/test/315_capsule_missing_payload.dts