From patchwork Tue Aug 22 17:39:53 2023
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 715767
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Tom Rini
Subject: [PATCH v11 00/15] Integrate EFI capsule tasks into U-Boot's build flow
Date: Tue, 22 Aug 2023 23:09:53 +0530
Message-Id: <20230822174008.626239-1-sughosh.ganu@linaro.org>

This patchset aims to bring two capsule related tasks under the U-Boot build flow.

The first task is related to generation of capsules. The capsules can be generated as part of U-Boot build, and this is being achieved through binman, by adding a capsule entry type. The capsules can be generated by specifying the capsule parameters as properties under the capsule entry node.

The other task is the embedding of the public key into the platform's DTB. The public key is in the form of an EFI Signature List (ESL) file and is used for capsule authentication. This is being achieved by adding the signature node containing the capsule public key in the platform's DTB.

Corresponding changes have also been made to the test setup of the EFI capsule update feature. The ESL public key file was embedded into the sandbox platform's test.dtb as part of the test setup, post U-Boot build. This is now no longer needed as the embedding of the ESL happens as part of the build.

Secondly, the capsules needed for testing the EFI capsule update feature were being generated through the invocation of the mkeficapsule tool. This setup has also been changed to introduce generation of these capsules through binman.

The document has been updated to reflect the above changes.

Changes since V10:

This series clubs two changes together. 1) Capsule generation through binman, 2) Embedding the capsule public key ESL into the platform's DTB [1]. This has been done based on feedback from Tom Rini on IRC.

The capsule generation was being done for all sandbox variant builds till the V10 version. This is now changed so that the capsules are only generated as part of the EFI capsule update feature testing. This has been done based on feedback from Tom Rini [2]. These changes are part of patch 7.

* Remove the sandbox_capsule.dtsi file.
* Remove addition of multiple-images property from sandbox.dts and test.dts as the capsule generation is moved to the test.
* Add the capsule_gen_binman.dts with binman nodes for capsule generation.
* Call the binman tool as part of the capsule test setup for generation of capsules.
* Add an example binman capsule node which shows how a capsule can be generated through binman.
[1] - https://lists.denx.de/pipermail/u-boot/2023-August/527810.html
[2] - https://lists.denx.de/pipermail/u-boot/2023-August/526987.html

Sughosh Ganu (15):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  sandbox: capsule: Add keys and certificates needed for capsule update testing
  sandbox: capsule: Enable EFI capsule module on sandbox variants
  btool: mkeficapsule: Add a bintool for EFI capsule generation
  binman: capsule: Add support for generating EFI capsules
  test: capsule: Generate EFI capsules through binman
  doc: Add documentation to highlight capsule generation related updates
  sandbox: trace: Increase trace buffer size
  scripts/Makefile.lib: Collate all dtsi files for inclusion
  scripts/Makefile.lib: Add dtsi include files as deps for building DTB
  scripts/Makefile.lib: Embed capsule public key in platform's dtb
  sandbox: capsule: Add path to the public key ESL file
  test: capsule: Remove logic to add public key ESL
  doc: capsule: Document the new mechanism to embed ESL file into dtb

 .azure-pipelines.yml                          |   2 +-
 .gitlab-ci.yml                                |   2 +-
 arch/arm/dts/nuvoton-npcm845-evb.dts          |   2 +-
 board/sandbox/capsule_priv_key_bad.key        |  28 ++
 board/sandbox/capsule_priv_key_good.key       |  28 ++
 board/sandbox/capsule_pub_esl_good.esl        | Bin 0 -> 831 bytes
 board/sandbox/capsule_pub_key_bad.crt         |  19 ++
 board/sandbox/capsule_pub_key_good.crt        |  19 ++
 configs/sandbox_defconfig                     |   1 +
 configs/sandbox_flattree_defconfig            |   1 +
 configs/sandbox_noinst_defconfig              |   2 +
 configs/sandbox_spl_defconfig                 |   2 +
 configs/sandbox_vpl_defconfig                 |   2 +
 doc/develop/uefi/uefi.rst                     |  59 +++-
 include/sandbox_efi_capsule.h                 |  21 ++
 lib/efi_loader/Kconfig                        |   8 +
 lib/efi_loader/capsule_esl.dtsi.in            |  11 +
 scripts/Makefile.lib                          |  30 +-
 .../test_efi_capsule/capsule_gen_binman.dts   | 321 ++++++++++++++++++
 test/py/tests/test_efi_capsule/conftest.py    | 175 ++--------
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 test/py/tests/test_trace.py                   |   2 +-
 tools/binman/bintool.py                       |  19 +-
 tools/binman/btool/mkeficapsule.py            | 101 ++++++
 tools/binman/entries.rst                      |  64 ++++
 tools/binman/etype/efi_capsule.py             | 143 ++++++++
 tools/binman/ftest.py                         | 118 +++++++
 tools/binman/test/311_capsule.dts             |  21 ++
 tools/binman/test/312_capsule_signed.dts      |  23 ++
 tools/binman/test/313_capsule_version.dts     |  22 ++
 tools/binman/test/314_capsule_signed_ver.dts  |  24 ++
 tools/binman/test/315_capsule_oemflags.dts    |  22 ++
 tools/binman/test/316_capsule_missing_key.dts |  22 ++
 .../binman/test/317_capsule_missing_index.dts |  20 ++
 .../binman/test/318_capsule_missing_guid.dts  |  19 ++
 36 files changed, 1175 insertions(+), 224 deletions(-)
 create mode 100644 board/sandbox/capsule_priv_key_bad.key
 create mode 100644 board/sandbox/capsule_priv_key_good.key
 create mode 100644 board/sandbox/capsule_pub_esl_good.esl
 create mode 100644 board/sandbox/capsule_pub_key_bad.crt
 create mode 100644 board/sandbox/capsule_pub_key_good.crt
 create mode 100644 include/sandbox_efi_capsule.h
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
 create mode 100644 test/py/tests/test_efi_capsule/capsule_gen_binman.dts
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/efi_capsule.py
 create mode 100644 tools/binman/test/311_capsule.dts
 create mode 100644 tools/binman/test/312_capsule_signed.dts
 create mode 100644 tools/binman/test/313_capsule_version.dts
 create mode 100644 tools/binman/test/314_capsule_signed_ver.dts
 create mode 100644 tools/binman/test/315_capsule_oemflags.dts
 create mode 100644 tools/binman/test/316_capsule_missing_key.dts
 create mode 100644 tools/binman/test/317_capsule_missing_index.dts
 create mode 100644 tools/binman/test/318_capsule_missing_guid.dts
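
Added example (not part of the original posting, and not U-Boot code): a small Python reader for the EFI Signature List format that the cover letter says carries the capsule public key, for checking which certificate an ESL file such as board/sandbox/capsule_pub_esl_good.esl holds before the build embeds it in a DTB. The layout follows the UEFI specification's EFI_SIGNATURE_LIST; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID as defined by the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
ESL_HEADER = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return one dict per EFI_SIGNATURE_DATA entry found in an ESL blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        body = list_size - ESL_HEADER.size - hdr_size
        # Reject sizes that run past the file or cannot hold an owner GUID.
        if (list_size > len(blob) - off or body <= 0
                or sig_size <= 16 or body % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + ESL_HEADER.size + hdr_size
        for _ in range(body // sig_size):
            data = blob[pos + 16:pos + sig_size]  # bytes after the owner GUID
            entries.append({
                "type": uuid.UUID(bytes_le=raw_type),
                "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            })
            pos += sig_size
        off += list_size
    return entries


def build_sample_esl(cert_der, owner):
    """Constructed sample: wrap placeholder bytes as a one-entry X.509 ESL."""
    sig_size = 16 + len(cert_der)
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                             ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


if __name__ == "__main__":
    sample = build_sample_esl(b"\x30\x82" + b"\x00" * 30, uuid.UUID(int=0x1234))
    for e in parse_esl(sample):
        print(e["type"], e["owner"], e["size"], e["sha256"])
```

Comparing the reported SHA-256 with the digest of the DER-encoded signing certificate shows whether the key about to be embedded is the intended one.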