From patchwork Tue Nov 2 00:55:01 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 516598
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 01/12] efi_loader: capsule: drop __weak from efi_get_public_key_data()
Date: Tue, 2 Nov 2021 09:55:01 +0900
Message-Id: <20211102005512.96019-2-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

As we discussed in ML, currently a device tree is the only place to store
public keys for capsule authentication. So __weak is not necessary for now.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 lib/efi_loader/efi_capsule.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 44f5da61a9be..850937fd120f 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -256,7 +256,7 @@ out: } #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) -int __weak efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) { const void *fdt_blob = gd->fdt_blob; const void *blob;
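Review bot: with __weak dropped, a board can no longer substitute its own efi_get_public_key_data(); the context lines show the key now comes only from gd->fdt_blob, so the commit message (or a comment above the function) should say plainly that the control device tree is the sole trust anchor for capsule authentication and that a different key source now means changing this function rather than overriding it.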
From patchwork Tue Nov 2 00:55:02 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 516599
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 02/12] tools: mkeficapsule: rework the code a little bit
Date: Tue, 2 Nov 2021 09:55:02 +0900
Message-Id: <20211102005512.96019-3-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

Abstract common routines to make the code easily understandable.
No functional change.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 tools/mkeficapsule.c | 219 ++++++++++++++++++++++++++++++-------------
 1 file changed, 155 insertions(+), 64 deletions(-)

diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index 4995ba4e0c2a..8427fedd941c 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -61,17 +61,117 @@ static void print_usage(void) tool_name); } +/** + * read_bin_file - read a firmware binary file + * @bin: Path to a firmware binary file + * @data: Pointer to pointer of allocated buffer + * @bin_size: Size of allocated buffer + * + * Read out a content of binary, @bin, into @data. + * A caller should free @data. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int read_bin_file(char *bin, void **data, off_t *bin_size) +{ + FILE *g; + struct stat bin_stat; + void *buf; + size_t size; + int ret = 0; + + g = fopen(bin, "r"); + if (!g) { + printf("cannot open %s\n", bin); + return -1; + } + if (stat(bin, &bin_stat) < 0) { + printf("cannot determine the size of %s\n", bin); + ret = -1; + goto err; + } + buf = malloc(bin_stat.st_size); + if (!buf) { + printf("cannot allocate memory: %zx\n", + (size_t)bin_stat.st_size); + ret = -1; + goto err; + } + + size = fread(buf, 1, bin_stat.st_size, g); + if (size < bin_stat.st_size) { + printf("read failed (%zx)\n", size); + ret = -1; + goto err; + } + + *data = buf; + *bin_size = bin_stat.st_size; +err: + fclose(g); + + return ret; +} + +/** + * write_capsule_file - write a capsule file + * @bin: FILE stream + * @data: Pointer to data + * @bin_size: Size of data + * + * Write out data, @data, with the size @bin_size. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) +{ + size_t size_written; + + size_written = fwrite(data, 1, size, f); + if (size_written < size) { + printf("%s: write failed (%zx != %zx)\n", msg, + size_written, size); + return -1; + } + + return 0; +} + +/** + * create_fwbin - create an uefi capsule file + * @path: Path to a created capsule file + * @bin: Path to a firmware binary to encapsulate + * @guid: GUID of related FMP driver + * @index: Index number in capsule + * @instance: Instance number in capsule + * @mcount: Monotonic count in authentication information + * @private_file: Path to a private key file + * @cert_file: Path to a certificate file + * + * This function actually does the job of creating an uefi capsule file. + * All the arguments must be supplied. + * If either @private_file ror @cert_file is NULL, the capsule file + * won't be signed. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long index, unsigned long instance) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; - FILE *f, *g; - struct stat bin_stat; - u8 *data; - size_t size; + FILE *f; + void *data; + off_t bin_size; u64 offset; + int ret; #ifdef DEBUG printf("For output: %s\n", path); 
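Review bot: read_bin_file() leaks `buf` on the short-read path: when `size = fread(buf, 1, bin_stat.st_size, g);` comes up short it does `goto err`, and `err:` only calls fclose(g), so add `free(buf)` before that jump (or a second label). Two smaller points in the same hunk: the size is taken with stat(bin, ...) on the path after the file has already been opened, so `fstat(fileno(g), &bin_stat)` would tie the size to the descriptor actually read; and `size < bin_stat.st_size` compares a size_t with an off_t, which draws a sign-comparison warning. The kernel-doc for write_capsule_file() still lists @bin and @bin_size copied from read_bin_file(), while the parameters are @f, @data, @size and @msg.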
@@ -79,25 +179,28 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); #endif - g = fopen(bin, "r"); - if (!g) { - printf("cannot open %s\n", bin); - return -1; - } - if (stat(bin, &bin_stat) < 0) { - printf("cannot determine the size of %s\n", bin); - goto err_1; - } - data = malloc(bin_stat.st_size); - if (!data) { - printf("cannot allocate memory: %zx\n", (size_t)bin_stat.st_size); - goto err_1; - } + f = NULL; + data = NULL; + ret = -1; + + /* + * read a firmware binary + */ + if (read_bin_file(bin, &data, &bin_size)) + goto err; + + /* + * write a capsule file + */ f = fopen(path, "w"); if (!f) { printf("cannot open %s\n", path); - goto err_2; + goto err; } + + /* + * capsule file header + */ header.capsule_guid = efi_guid_fm_capsule; header.header_size = sizeof(header); /* TODO: The current implementation ignores flags */ 
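Review bot: style only: the three-line block comments wrapping one-line remarks (`/* * read a firmware binary */`, `/* * write a capsule file */`, `/* * capsule file header */`) are heavier than the code they annotate and would read better as single-line `/* ... */` comments; the `f = NULL; data = NULL; ret = -1;` assignments can move into the declarations so the common error path is valid from the first line of the function.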
@@ -105,70 +208,58 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, header.capsule_image_size = sizeof(header) + sizeof(capsule) + sizeof(u64) + sizeof(image) - + bin_stat.st_size; - - size = fwrite(&header, 1, sizeof(header), f); - if (size < sizeof(header)) { - printf("write failed (%zx)\n", size); - goto err_3; - } + + bin_size; + if (write_capsule_file(f, &header, sizeof(header), + "Capsule header")) + goto err; + /* + * firmware capsule header + * This capsule has only one firmware capsule image. + */ capsule.version = 0x00000001; capsule.embedded_driver_count = 0; capsule.payload_item_count = 1; - size = fwrite(&capsule, 1, sizeof(capsule), f); - if (size < (sizeof(capsule))) { - printf("write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &capsule, sizeof(capsule), + "Firmware capsule header")) + goto err; + offset = sizeof(capsule) + sizeof(u64); - size = fwrite(&offset, 1, sizeof(offset), f); - if (size < sizeof(offset)) { - printf("write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &offset, sizeof(offset), + "Offset to capsule image")) + goto err; + /* + * firmware capsule image header + */ image.version = 0x00000003; memcpy(&image.update_image_type_id, guid, sizeof(*guid)); image.update_image_index = index; image.reserved[0] = 0; image.reserved[1] = 0; image.reserved[2] = 0; - image.update_image_size = bin_stat.st_size; + image.update_image_size = bin_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (write_capsule_file(f, &image, sizeof(image), + "Firmware capsule image header")) + goto err; - size = fwrite(&image, 1, sizeof(image), f); - if (size < sizeof(image)) { - printf("write failed (%zx)\n", size); - goto err_3; - } - size = fread(data, 1, bin_stat.st_size, g); - if (size < bin_stat.st_size) { - printf("read failed (%zx)\n", size); - goto err_3; - } - size = fwrite(data, 1, bin_stat.st_size, f); - 
if (size < bin_stat.st_size) { - printf("write failed (%zx)\n", size); - goto err_3; - } - - fclose(f); - fclose(g); - free(data); - - return 0; + /* + * firmware binary + */ + if (write_capsule_file(f, data, bin_size, "Firmware binary")) + goto err; -err_3: - fclose(f); -err_2: + ret = 0; +err: + if (f) + fclose(f); + free_sig_data(&auth_context); free(data); -err_1: - fclose(g); - return -1; + return ret; } /*
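Review bot: the new error path calls `free_sig_data(&auth_context);`, but neither free_sig_data() nor auth_context exists in this patch (struct auth_context is only introduced by 03/12), so this "no functional change" refactoring does not compile on its own and breaks bisection; drop the call here and add it in the signing patch. The rest of the cleanup is sound: with `f` initialised to NULL the `if (f) fclose(f);` guard is correct, and because a failed read_bin_file() leaves `data` NULL the unconditional free(data) is safe.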
From patchwork Tue Nov 2 00:55:03 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 516602
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 03/12] tools: mkeficapsule: add firmware image signing
Date: Tue, 2 Nov 2021 09:55:03 +0900
Message-Id: <20211102005512.96019-4-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

With this enhancement, mkeficapsule will be able to sign a capsule file
when it is created. A signature added will be used later in the
verification at FMP's SetImage() call.

To do that, we need to specify additional command parameters:
  -monotonic-count : monotonic count
  -private-key : private key file
  -certificate : certificate file
Only when all of those parameters are given, a signature will be added
to a capsule file.

Users are expected to maintain and increment the monotonic count every
time each firmware image is updated.
Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 tools/Kconfig | 8 +
 tools/Makefile | 8 +-
 tools/mkeficapsule.c | 382 ++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 376 insertions(+), 22 deletions(-)

diff --git a/tools/Kconfig b/tools/Kconfig index 91ce8ae3e516..117c921da3fe 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu
diff --git a/tools/Makefile b/tools/Makefile index b45219e2c30c..5a73cc4b363d 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,8 +238,12 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +HOSTLDLIBS_mkeficapsule += -luuid +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 8427fedd941c..086757ee8ad7 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,6 +15,16 @@ #include #include +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include +#endif + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32;
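Review bot: the Kconfig prompt reads "Build efimkcapsule command" while the program is mkeficapsule. The help text also promises optional signing, but the Makefile hunk links libssl/libcrypto only under `ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y)`, so the help should state that signing requires TOOLS_LIBCRYPTO (or the option should select it) rather than leaving users to discover that the -p/-c/-m options are compiled out.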
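Review bot: `HOSTLDLIBS_mkeficapsule += -luuid` is added unconditionally, but nothing in the visible mkeficapsule.c hunks calls into libuuid and the commit message does not mention it; either justify the dependency in the message or defer it to the patch that needs it. Removing `mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS)` also silently drops libfdt from the link, which deserves a sentence in the commit message.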
@@ -38,12 +48,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
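Review bot: both opts_short strings carry `v:`, yet options[] has no entry for it and print_usage() documents no -v, so getopt_long() will accept a `-v <arg>` that nothing on the page handles; drop it or add the long option and usage line. Keeping opts_short and options[] in step by hand across two #ifdef blocks is fragile; a single table (or a comment pointing from one to the other) would make the next addition less error-prone.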
@@ -57,10 +80,252 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data: Pointer to firmware data + * @image_size: Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + u8 *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + u8 *sig_data; + size_t sig_size; +}; + +static int dump_sig; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +/** + * fileio-read_pkey - read out a private key + * @filename: Path to a private key file + * + * Read out a private key file and parse it into "EVP_PKEY" structure. + * + * Return: + * * Pointer to private key structure - on success + * * NULL - on failure + */ +static EVP_PKEY *fileio_read_pkey(const char *filename) +{ + EVP_PKEY *key = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!key) { + printf("Can't load key from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return key; +} + +/** + * fileio-read_cert - read out a certificate + * @filename: Path to a certificate file + * + * Read out a certificate file and parse it into "X509" structure. 
+ * + * Return: + * * Pointer to certificate structure - on success + * * NULL - on failure + */ +static X509 *fileio_read_cert(const char *filename) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!cert) { + printf("Can't load certificate from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return cert; +} + +/** + * create_auth_data - compose authentication data in capsule + * @auth_context: Pointer to authentication context + * + * Fill up an authentication header (.auth) and signature data (.sig_data) + * in @auth_context, using library functions from openssl. + * All the parameters in @auth_context must be filled in by a caller. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_auth_data(struct auth_context *ctx) +{ + EVP_PKEY *key = NULL; + X509 *cert = NULL; + BIO *data_bio = NULL; + const EVP_MD *md; + PKCS7 *p7; + int flags, ret = -1; + + OpenSSL_add_all_digests(); + OpenSSL_add_all_ciphers(); + ERR_load_crypto_strings(); + + key = fileio_read_pkey(ctx->key_file); + if (!key) + goto err; + cert = fileio_read_cert(ctx->cert_file); + if (!cert) + goto err; + + /* + * create a BIO, containing: + * * firmware image + * * monotonic count + * in this order! 
+ * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256() + */ + data_bio = BIO_new(BIO_s_mem()); + BIO_write(data_bio, ctx->image_data, ctx->image_size); + BIO_write(data_bio, &ctx->auth.monotonic_count, + sizeof(ctx->auth.monotonic_count)); + + md = EVP_get_digestbyname("SHA256"); + if (!md) + goto err; + + /* create signature */ + /* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */ + flags = PKCS7_BINARY | PKCS7_DETACHED; + p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL); + if (!p7) + goto err; + if (!PKCS7_sign_add_signer(p7, cert, key, md, flags)) + goto err; + if (!PKCS7_final(p7, data_bio, flags)) + goto err; + + /* convert pkcs7 into DER */ + ctx->sig_data = NULL; + ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data, + ASN1_ITEM_rptr(PKCS7)); + if (!ctx->sig_size) + goto err; + + /* fill auth_info */ + ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info) + + ctx->sig_size; + ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7, + sizeof(efi_guid_cert_type_pkcs7)); + + ret = 0; +err: + BIO_free_all(data_bio); + EVP_PKEY_free(key); + X509_free(cert); + + return ret; +} + +/** + * dump_signature - dump out a signature + * @path: Path to a capsule file + * @signature: Signature data + * @sig_size: Size of signature data + * + * Signature data pointed to by @signature will be saved into + * a file whose file name is @path with ".p7" suffix. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int dump_signature(const char *path, u8 *signature, size_t sig_size) +{ + char *sig_path; + FILE *f; + size_t size; + int ret = -1; + + sig_path = malloc(strlen(path) + 3 + 1); + if (!sig_path) + return ret; + + sprintf(sig_path, "%s.p7", path); + f = fopen(sig_path, "w"); + if (!f) + goto err; + + size = fwrite(signature, 1, sig_size, f); + if (size == sig_size) + ret = 0; + + fclose(f); +err: + free(sig_path); + return ret; +} + +/** + * free_sig_data - free out signature data + * @ctx: Pointer to authentication context + * + * Free signature data allocated in create_auth_data(). + */ +static void free_sig_data(struct auth_context *ctx) +{ + if (ctx->sig_size) + OPENSSL_free(ctx->sig_data); +} +#else +static int create_auth_data(struct auth_context *ctx) +{ + return 0; +} + +static int dump_signature(const char *path, u8 *signature, size_t sig_size) +{ + return 0; +} + +static void free_sig_data(struct auth_context *ctx) {} +#endif + /** * read_bin_file - read a firmware binary file * @bin: Path to a firmware binary file @@ -162,11 +427,13 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) * * -1 - on failure */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) + unsigned long index, unsigned long instance, + uint64_t mcount, char *privkey_file, char *cert_file) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; + struct auth_context auth_context; FILE *f; void *data; off_t bin_size; 
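Review bot: in create_auth_data() the PKCS7 object `p7` is never released (no PKCS7_free() on the success path or at `err:`), and free_sig_data(), added at the end of this hunk, is not called anywhere in the patch, so the DER buffer that ASN1_item_i2d() allocates into ctx->sig_data leaks as well and the compiler will warn about an unused static function; call PKCS7_free(p7) before returning and free_sig_data(&auth_context) from create_fwbin()'s cleanup path. Also in this hunk: `BIO_write(data_bio, &ctx->auth.monotonic_count, sizeof(ctx->auth.monotonic_count))` hashes the count in host byte order, and create_fwbin() later writes the same struct to the capsule as-is, while the UEFI capsule layout is little-endian; convert the count with cpu_to_le64() (or equivalent) before it is hashed and written so the tool does not depend on running on a little-endian host. Smaller points: print_usage() advertises `--dump_sig` but options[] registers "dump-sig"; the kernel-doc headers read `fileio-read_pkey` and `fileio-read_cert` instead of the real function names; dump_signature() should open the *.p7 file with "wb" since it writes DER; and the return values of the two BIO_write() calls are not checked.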
@@ -176,9 +443,9 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, #ifdef DEBUG printf("For output: %s\n", path); printf("\tbin: %s\n\ttype: %pUl\n", bin, guid); - printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); + printf("\tindex: %lu\n\tinstance: %lu\n", index, instance); #endif - + auth_context.sig_size = 0; f = NULL; data = NULL; ret = -1; @@ -189,6 +456,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, if (read_bin_file(bin, &data, &bin_size)) goto err; + /* first, calculate signature to determine its size */ + if (privkey_file && cert_file) { + auth_context.key_file = privkey_file; + auth_context.cert_file = cert_file; + auth_context.auth.monotonic_count = mcount; + auth_context.image_data = data; + auth_context.image_size = bin_size; + + if (create_auth_data(&auth_context)) { + printf("Signing firmware image failed\n"); + goto err; + } + + if (dump_sig && + dump_signature(path, auth_context.sig_data, + auth_context.sig_size)) { + printf("Creating signature file failed\n"); + goto err; + } + } + /* * write a capsule file */ @@ -209,6 +497,9 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, + sizeof(capsule) + sizeof(u64) + sizeof(image) + bin_size; + if (auth_context.sig_size) + header.capsule_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; if (write_capsule_file(f, &header, sizeof(header), "Capsule header")) goto err; 
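Review bot: in the -189 hunk, `dump_sig` is only consulted inside `if (privkey_file && cert_file)`, so `-d` without `-p`/`-c` is accepted by main() and then silently ignored; either reject that combination in main()'s parameter check or warn here. The `%ld` to `%lu` change in the DEBUG printf of the -176 hunk is an unrelated fix and would be cleaner as its own commit.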
@@ -239,13 +530,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, image.reserved[1] = 0; image.reserved[2] = 0; image.update_image_size = bin_size; + if (auth_context.sig_size) + image.update_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (auth_context.sig_size) + image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION; if (write_capsule_file(f, &image, sizeof(image), "Firmware capsule image header")) goto err; + /* + * signature + */ + if (auth_context.sig_size) { + if (write_capsule_file(f, &auth_context.auth, + sizeof(auth_context.auth), + "Authentication header")) + goto err; + + if (write_capsule_file(f, auth_context.sig_data, + auth_context.sig_size, "Signature")) + goto err; + } + /* * firmware binary */ @@ -262,23 +572,37 @@ err: return ret; } -/* - * Usage: - * $ mkeficapsule -f +/** + * main - main entry function of mkeficapsule + * @argc: Number of arguments + * @argv: Array of pointers to arguments + * + * Create an uefi capsule file, optionally signing it. + * Parse all the arguments and pass them on to create_fwbin(). + * + * Return: + * * 0 - on success + * * -1 - on failure */ int main(int argc, char **argv) { char *file; efi_guid_t *guid; unsigned long index, instance; + uint64_t mcount; + char *privkey_file, *cert_file; int c, idx; file = NULL; guid = NULL; index = 0; instance = 0; + mcount = 0; + privkey_file = NULL; + cert_file = NULL; + dump_sig = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, opts_short, options, &idx); if (c == -1) break; @@ -286,7 +610,7 @@ int main(int argc, char **argv) case 'f': if (file) { printf("Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_fit; 
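Review bot: the new kernel-doc for main() in the -262 hunk says "Return: 0 on success, -1 on failure", but main() no longer returns either value: this hunk and the -286/-294 hunks replace `return -1` with exit(EXIT_FAILURE) and `return 0` with exit(EXIT_SUCCESS), so document the exit status instead. The -239 hunk is consistent with the header change: update_image_size grows by sizeof(auth) + sig_size, CAPSULE_SUPPORT_AUTHENTICATION is set, and the authentication header and signature are emitted before the firmware binary, which is the order the image header size implies.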
@@ -294,7 +618,7 @@ int main(int argc, char **argv) case 'r': if (file) { printf("Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_raw; 
@@ -305,26 +629,44 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; +#ifdef CONFIG_TOOLS_LIBCRYPTO + case 'p': + if (privkey_file) { + printf("Private Key already specified\n"); + exit(EXIT_FAILURE); + } + privkey_file = optarg; + break; + case 'c': + if (cert_file) { + printf("Certificate file already specified\n"); + exit(EXIT_FAILURE); + } + cert_file = optarg; + break; + case 'm': + mcount = strtoul(optarg, NULL, 0); + break; + case 'd': + dump_sig = 1; + break; +#endif /* CONFIG_TOOLS_LIBCRYPTO */ case 'h': print_usage(); - return 0; + exit(EXIT_SUCCESS); } } - /* need an output file */ - if (argc != optind + 1) { + /* check necessary parameters */ + if ((argc != optind + 1) || !file || + ((privkey_file && !cert_file) || + (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - exit(EXIT_SUCCESS); - } - - if (create_fwbin(argv[optind], file, guid, index, instance) - < 0) { + if (create_fwbin(argv[optind], file, guid, index, instance, + mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); exit(EXIT_FAILURE); }
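Review bot: `mcount = strtoul(optarg, NULL, 0);` assigns to a uint64_t, but unsigned long is 32 bits on ILP32 hosts, so a large count is silently truncated there; use strtoull() and check endptr/errno so that `-m abc` is rejected instead of becoming 0. The man page added in the next patch of this series also states that --monotonic-count is mandatory when signing, whereas the "check necessary parameters" test here only enforces the key/certificate pairing and otherwise leaves mcount at 0; either track whether -m was given and enforce it together with the key/cert check, or correct the man page.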
From patchwork Tue Nov 2 00:55:04 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 516600
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 04/12] tools: mkeficapsule: add man page
Date: Tue, 2 Nov 2021 09:55:04 +0900
Message-Id: <20211102005512.96019-5-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

Add a man page for mkeficapsule command.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 MAINTAINERS        |  1 +
 doc/mkeficapsule.1 | 95 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 doc/mkeficapsule.1

-- 
2.33.0

diff --git a/MAINTAINERS b/MAINTAINERS index 9d8cba902800..569332db4719 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -718,6 +718,7 @@ S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git F: doc/api/efi.rst F: doc/develop/uefi/* +F: doc/mkeficapsule.1 F: doc/usage/bootefi.rst F: drivers/rtc/emul_rtc.c F: include/capitalization.h diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 new file mode 100644 index 000000000000..837e09ab451e --- /dev/null +++ b/doc/mkeficapsule.1
@@ -0,0 +1,95 @@ +.TH MAEFICAPSULE 1 "May 2021" + +.SH NAME +mkeficapsule \- Generate EFI capsule file for U-Boot + +.SH SYNOPSIS +.B mkeficapsule +.RB [\fIoptions\fP] " \fIcapsule-file\fP" + +.SH "DESCRIPTION" +The +\fBmkeficapsule\fP +command is used to create an EFI capsule file for use with the U-Boot +EFI capsule update. +A capsule file may contain various type of firmware blobs which +are to be applied to the system and must be placed in the specific +directory on the UEFI system partition. An update will be automatically +executed at next reboot. + +Optionally, a capsule file can be signed with a given private key. +In this case, the update will be authenticated by verifying the signature +before applying. + +\fBmkeficapsule\fP supports two different format of image files: +.TP +.I raw image +format is a single binary blob of any type of firmware. + +.TP +.I FIT (Flattened Image Tree) image +format +is the same as used in the new \fIuImage\fP format and allows for +multiple binary blobs in a single capsule file. +This type of image file can be generated by \fBmkimage\fP. + +.SH "OPTIONS" +One of \fB--fit\fP or \fB--raw\fP option must be specified. + +.TP +.BI "-f, --fit \fIfit-image-file\fP" +Specify a FIT image file + +.TP +.BI "-r, --raw \fIraw-image-file\fP" +Specify a raw image file + +.TP +.BI "-i, --index \fIindex\fP" +Specify an image index + +.TP +.BI "-I, --instance \fIinstance\fP" +Specify a hardware instance + +.TP +.BI "-h, --help" +Print a help message + +.TP 0 +.B With signing: + +\fB--private-key\fP, \fB--certificate\fP and \fB--monotonic-count\fP are +all mandatory. + +.TP +.BI "-p, --private-key \fIprivate-key-file\fP" +Specify signer's private key file in PEM + +.TP +.BI "-c, --certificate \fIcertificate-file\fP" +Specify signer's certificate file in EFI certificate list format + +.TP +.BI "-m, --monotonic-count \fIcount\fP" +Specify a monotonic count which is set to be monotonically incremented +at every firmware update. 
+ +.TP +.BI "-d, --dump_sig" +Dump signature data into *.p7 file + +.PP +.SH FILES +.TP +.BI "\fI/EFI/UpdateCapsule\fP" +The directory in which all capsule files be placed + +.SH SEE ALSO +.B mkimage + +.SH AUTHORS +Written by AKASHI Takahiro + +.SH HOMEPAGE +http://www.denx.de/wiki/U-Boot/WebHome
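Review bot: `.TH MAEFICAPSULE 1` should read MKEFICAPSULE, and "May 2021" predates this patch. The `-c, --certificate` entry says "in EFI certificate list format", but the tool loads the certificate with PEM_read_bio_X509(), i.e. a PEM X.509 certificate, and the uefi.rst update in this series passes CRT.crt; the ESL produced by cert-to-efi-sig-list is what the verifier reads from the device tree, not what the signer takes. `-d, --dump_sig` should be `--dump-sig`, the spelling registered in options[]. "--private-key, --certificate and --monotonic-count are all mandatory" does not match main(), which only requires key and certificate together and defaults the count to 0. Grammar: "various type of firmware blobs" should be "various types", "two different format of image files" should be "two different formats", and "in which all capsule files be placed" should be "are to be placed".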
From patchwork Tue Nov 2 00:55:05 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 516601
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 05/12] doc: update UEFI document for usage of mkeficapsule
Date: Tue, 2 Nov 2021 09:55:05 +0900
Message-Id: <20211102005512.96019-6-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

Now we can use the mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instructions for capsule authentication.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++--------------------
 1 file changed, 67 insertions(+), 76 deletions(-)

-- 
2.33.0

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index f17138f5c765..864d61734bee 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. 
+To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. - -If that option is disabled, you'll need to set the OsIndications variable with:: +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. - => efidebug capsule disk-update - -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* 
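Review bot: "Since U-boot doesn't currently support SetVariable at runtime, its value won't be taken over across the reboot" is hard to follow; say that a value set from the U-Boot shell is not kept across the reboot, and spell out what CONFIG_EFI_IGNORE_OSINDICATIONS does: the OsIndications bit is no longer consulted, so every capsule found under \EFI\UpdateCapsule is processed at boot and, when authentication is enabled, the signature check described in the next section is the only remaining gate. `CONFIG_TOOLS_LIBCRYPTO=y` is listed as needed to build the tool, but the source only uses it for the signing options (-p/-c/-m/-d); say it is required for signing. Minor: "alphabetic order" should be "alphabetical order", and "U-boot" should be "U-Boot".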
@@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature is computed and prepended to the capsule payload at the time of capsule generation. This signature is then verified by using the public key stored as part of the X509 certificate. This certificate is -in the form of an efi signature list (esl) file, which is embedded as -part of U-Boot. +in the form of an efi signature list (esl) file, which is embedded in +a device tree. The capsule authentication feature can be enabled through the following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y - CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated -and used by the steps highlighted below:: +and used by the steps highlighted below. - 1. Install utility commands on your host - * OPENSSL +1. Install utility commands on your host + * openssl * efitools - 2. Create signing keys and certificate files on your host +2. 
Create signing keys and certificate files on your host:: $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - --monotonic-count --fw-version \ - --lsv --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - - -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory - -Testing on QEMU -*************** +3. Run the following command to create and sign the capsule file:: -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + -The capsule update feature is enabled with the following configuration -settings:: +4. 
Insert the signature list into a device tree in the following format:: - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + { + signature { + capsule-key = [ ]; + } + ... + } -In addition, the following config needs to be disabled(QEMU ARM specific):: + You can do this manually with:: - CONFIG_TFABOOT + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo -The capsule file can be generated by using the tools/mkeficapsule:: + where signature.dts looks like:: - $ mkeficapsule --raw --index 1 + &{/} { + signature { + capsule-key = /incbin/("CRT.esl"); + }; + }; Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~

From patchwork Tue Nov 2 00:55:06 2021
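Review bot: in step 3 the `mkeficapsule` invocation ends with `[--fit | --raw ] \` followed by an empty `+` line, so the operands the command actually needs (the image blob and the output capsule file) never appear in the literal block; please complete that line. The removed text also told the reader where the result goes ("Place the capsule generated in the above step on the EFI System Partition under the EFI/UpdateCapsule directory") and nothing in the new steps replaces that sentence, so a reader following only the new text does not learn how the capsule reaches U-Boot. Finally, the entire "Testing on QEMU" subsection with its CONFIG_ list (CONFIG_MTD, CONFIG_DFU_MTD, CONFIG_EFI_CAPSULE_ON_DISK, ..., and the CONFIG_TFABOOT note) is deleted in this hunk without a replacement; if those instructions are obsolete, say so in the commit message, otherwise move them rather than drop them.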
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 06/12] test/py: efi_capsule: add image authentication test
Date: Tue, 2 Nov 2021 09:55:06 +0900
Message-Id: <20211102005512.96019-7-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system.

Due to the difficulty of embedding a public key (esl file) in the U-Boot binary during pytest setup time, all the keys/certificates are pre-created.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
Acked-by: Ilias Apalodimas
---
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  52 +++-
 test/py/tests/test_efi_capsule/signature.dts  |  10 +
 .../test_capsule_firmware_signed.py           | 254 ++++++++++++++++++
 4 files changed, 318 insertions(+), 3 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

-- 
2.33.0

diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
index 4fd6353c2040..aa9bf5eee3aa 100644
--- a/test/py/tests/test_efi_capsule/capsule_defs.py
+++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@ # Directories CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/'. +EFITOOLS_PATH = '' diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 6ad5608cd71c..27c05971ca32 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -10,13 +10,13 @@ import pytest from capsule_defs import * # -# Fixture for UEFI secure boot test +# Fixture for UEFI capsule test # - @pytest.fixture(scope='session') def efi_capsule_data(request, u_boot_config): - """Set up a file system to be used in UEFI capsule test. + """Set up a file system to be used in UEFI capsule and + authentication test. Args: request: Pytest request object. 
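Review bot: `EFITOOLS_PATH = ''` in capsule_defs.py is a host-specific setting that every developer with an old efitools has to edit in a tracked source file, and the requirement that "the path must terminate with '/'" is easy to get wrong since the fixture builds the command with plain `'%scert-to-efi-sig-list'`. Consider taking the path from an environment variable or a pytest option and joining it with `os.path.join()` at the call site, which removes the trailing-slash rule. The comment should also read "you need to build a newer version" rather than "you need build".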
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config): check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + if capsule_auth_enabled: + # Create private key (SIGNER.key) and certificate (SIGNER.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' + '-out SIGNER.crt -nodes -days 365' + % data_dir, shell=True) + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' + % (data_dir, EFITOOLS_PATH), shell=True) + + # Update dtb adding capsule certificate + check_call('cd %s; ' + 'cp %s/test/py/tests/test_efi_capsule/signature.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; ' + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' + '-o test_sig.dtb signature.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + + # Create *malicious* private key (SIGNER2.key) and certificate + # (SIGNER2.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key ' + '-out SIGNER2.crt -nodes -days 365' + % data_dir, shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, 
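Review bot: the overlay step hard-codes `%s/arch/sandbox/dts/test.dtb` under `u_boot_config.build_dir`, so this session-scoped fixture now silently assumes the sandbox board; on any other board `fdtoverlay` fails on a missing input file with no hint that the fixture is board-specific. Either guard the block on the board name as the test module does with `@pytest.mark.boardspec('sandbox')`, or derive the dtb path from the console configuration instead of a fixed sandbox path. Two smaller points: the second key pair is generated with the same `-subj /CN=TEST_SIGNER/` as the trusted one, so the certificates are distinguishable only by file name; giving it its own CN makes a failed negative test easier to debug, and "*malicious*" overstates what it is (an untrusted signer). Also, `cp ... signature.dts .` before running `dtc` is what makes `/incbin/("SIGNER.esl")` resolve, since dtc looks the file up relative to the including .dts and its `-i` paths; a one-line comment saying so would save the next reader from working it out.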
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % (data_dir, u_boot_config.build_dir), shell=True) + if capsule_auth_enabled: + # firmware signed with proper key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--raw u-boot.bin.new Test11' + % (data_dir, u_boot_config.build_dir), + shell=True) + # firmware signed with *mal* key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER2.key ' + '--certificate SIGNER2.crt ' + '--raw u-boot.bin.new Test12' + % (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts new file mode 100644 index 000000000000..078cfc76c93c --- /dev/null +++ b/test/py/tests/test_efi_capsule/signature.dts @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("SIGNER.esl"); + }; +}; diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py new file mode 100644 index 000000000000..593b032e9015 --- /dev/null +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py 
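Review bot: in the conftest hunk the two signed capsules (Test11 with SIGNER.key, Test12 with SIGNER2.key) are built with identical `--index 1 --monotonic-count 1` options, so the only variable between the positive and negative case is the signing key, which is what the tests want; a short comment stating that intent next to "firmware signed with *mal* key" (and spelling out "untrusted key" rather than "mal") would make the fixture self-explanatory. The new signature.dts is fine as an overlay (`/plugin/` plus `&{/}`), but its `/incbin/("SIGNER.esl")` is a bare file name, so the file only builds from the directory the fixture copies it into; noting that dependency in the .dts header comment would help anyone reusing it outside the test.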
@@ -0,0 +1,254 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2021, Linaro Limited +# Author: AKASHI Takahiro +# +# U-Boot UEFI: Firmware Update (Signed capsule) Test + +""" +This test verifies capsule-on-disk firmware update +with signed capsule files +""" + +import pytest +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw') +@pytest.mark.buildconfigspec('efi_capsule_authenticate') +@pytest.mark.buildconfigspec('dfu') +@pytest.mark.buildconfigspec('dfu_sf') +@pytest.mark.buildconfigspec('cmd_efidebug') +@pytest.mark.buildconfigspec('cmd_fat') +@pytest.mark.buildconfigspec('cmd_memory') +@pytest.mark.buildconfigspec('cmd_nvedit_efi') +@pytest.mark.buildconfigspec('cmd_sf') +@pytest.mark.slow +class TestEfiCapsuleFirmwareSigned(object): + def test_efi_capsule_auth1( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 1 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 1-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test11 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 1-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_auth2( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 2 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but with an invalid key, + the authentication should fail and the firmware + not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 2-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test12 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 2-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output) + + def test_efi_capsule_auth3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 3 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is not signed, the authentication + should fail and the firmware not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 3-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test02 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output)

From patchwork Tue Nov 2 00:55:07 2021
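Review bot: each test sets `u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb'` before `restart_uboot()` and never restores it, so every test that runs later in the same pytest session boots with the key-carrying test_sig.dtb instead of the default dtb; save the previous value and put it back in a `try/finally` or a fixture teardown. The three test methods also repeat the same setup verbatim (efidebug boot entry, `OsIndications`, `dfu_alt_info`, flashing u-boot.bin.old, copying the capsule, reboot, re-binding the host disk), differing only in the capsule name and the expected `u-boot:New`/`u-boot:Old` marker; a helper taking the capsule name and expected marker would cut the file to a third and keep the three cases from drifting apart. Lastly, the "TODO: check CapsuleStatus in CapsuleXXXX" in cases 2 and 3 means a rejected capsule is currently indistinguishable from one that was never processed: both leave the flash at `u-boot:Old` and the file deleted. Reading the status out of the `Capsule0000` variable that the test already prints would close that gap.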
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 07/12] tools: mkeficapsule: allow for specifying GUID explicitly
Date: Tue, 2 Nov 2021 09:55:07 +0900
Message-Id: <20211102005512.96019-8-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

The existing options, "--fit" and "--raw," are only used to put a proper GUID in a capsule header, where the GUID identifies a particular FMP (Firmware Management Protocol) driver which then would handle the firmware binary in a capsule. In fact, mkeficapsule does the exact same job in creating a capsule file whatever the firmware binary type is.

To prepare for the future extension, the command syntax will be a bit modified to allow users to specify an arbitrary GUID for their own FMP driver.

OLD: [--fit | --raw ]
NEW: [--fit | --raw | --guid ]

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 doc/develop/uefi/uefi.rst |  4 +-
 doc/mkeficapsule.1        | 26 +++++++++----
 tools/mkeficapsule.c      | 78 ++++++++++++++++++++++++++++++---------
 3 files changed, 81 insertions(+), 27 deletions(-)

-- 
2.33.0

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 864d61734bee..54fefd76f0f5 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -367,8 +367,8 @@ and used by the steps highlighted below. --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit | --raw ] \ - + [--fit | --raw | --guid 4. Insert the signature list into a device tree in the following format:: diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 837e09ab451e..312e8a8b3188 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -5,7 +5,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RB [\fIoptions\fP] " \fIcapsule-file\fP" +.RB [\fIoptions\fP] " \fIimage-blob\fP \fIcapsule-file\fP" .SH "DESCRIPTION" The @@ -21,7 +21,7 @@ Optionally, a capsule file can be signed with a given private key. In this case, the update will be authenticated by verifying the signature before applying. -\fBmkeficapsule\fP supports two different format of image files: +\fBmkeficapsule\fP takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -33,16 +33,28 @@ is the same as used in the new \fIuImage\fP format and allows for multiple binary blobs in a single capsule file. This type of image file can be generated by \fBmkimage\fP. +.PP +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" -One of \fB--fit\fP or \fB--raw\fP option must be specified. +One of \fB--fit\fP, \fB--raw\fP or \fB--guid\fP option must be specified. .TP -.BI "-f, --fit \fIfit-image-file\fP" -Specify a FIT image file +.BI "-f, --fit +Indicate that the blob is a FIT image file .TP -.BI "-r, --raw \fIraw-image-file\fP" -Specify a raw image file +.BI "-r, --raw +Indicate that the blob is a raw image file + +.TP +.BI "-g, --guid \fIguid-string\fP" +Specify guid for image blob type. The format is: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +The first three elements are in little endian, while the rest +is in big endian. .TP .BI "-i, --index \fIindex\fP" 
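Review bot: the rewritten step-3 line in uefi.rst reads `[--fit | --raw | --guid` and stops: the closing `]`, the trailing `\` continuation and the operand line that the removed `[--fit | --raw ] \` led into are all gone, so the literal block now ends mid-command. Please restore the bracket and show the full syntax from the commit message (`[--fit | --raw | --guid ...]` followed by the image blob and capsule file operands) so the document agrees with the new `print_usage()`.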
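Review bot: in the man page hunk, `.BI "-f, --fit` and `.BI "-r, --raw` open a double quote that is never closed (the removed lines ended in `\fIfit-image-file\fP"`), which groff will warn about and may render oddly; since no italic argument is left, `.B "-f, --fit"` and `.B "-r, --raw"` is the right macro. In the new `--guid` paragraph, "The first three elements are in little endian, while the rest is in big endian" should be "the rest are"; and in the DESCRIPTION, "takes any type of image files, including:" reads better as "accepts any type of image file, including:", with "other types than above two" as "types other than the above two". The `.SH "OPTIONS"` sentence correctly lists `--guid` as a third mutually exclusive choice, matching the "Image type already specified" check in the C code.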
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 086757ee8ad7..94c640bbddce 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -14,7 +14,7 @@ #include #include - +#include #include #ifdef CONFIG_TOOLS_LIBCRYPTO #include @@ -51,14 +51,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_TOOLS_LIBCRYPTO -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; #else -static const char *opts_short = "f:r:i:I:v:h"; +static const char *opts_short = "frg:i:I:v:h"; #endif static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -73,11 +74,12 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] \n" + printf("Usage: %s [options] \n" "Options:\n" - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid guid for image blob type\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" #ifdef CONFIG_TOOLS_LIBCRYPTO 
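Review bot: the short-option string change from `f:r:` to `fr` and the switch of `fit`/`raw` to `no_argument` are consistent with the new positional image operand, good. In `print_usage()`, though, the new `-g, --guid guid for image blob type` line gives no hint of the expected string form, while the man page documents `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`; showing that template in the usage text (or in the "Wrong guid format" error) would spare users a trip to the man page when the parse fails.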
@@ -572,6 +574,37 @@ err: return ret; } +/** + * convert_uuid_to_guid() - convert uuid string to guid string + * @buf: String for UUID + * + * UUID and GUID have the same data structure, but their string + * formats are different due to the endianness. See lib/uuid.c. + * Since uuid_parse() can handle only UUID, this function must + * be called to get correct data for GUID when parsing a string. + * + * The correct data will be returned in @buf. + */ +void convert_uuid_to_guid(unsigned char *buf) +{ + unsigned char c; + + c = buf[0]; + buf[0] = buf[3]; + buf[3] = c; + c = buf[1]; + buf[1] = buf[2]; + buf[2] = c; + + c = buf[4]; + buf[4] = buf[5]; + buf[5] = c; + + c = buf[6]; + buf[6] = buf[7]; + buf[7] = c; +} + /** * main - main entry function of mkeficapsule * @argc: Number of arguments @@ -586,14 +619,13 @@ err: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -608,21 +640,31 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + printf("Image type already specified\n"); + exit(EXIT_FAILURE); + } + if (uuid_parse(optarg, uuid_buf)) { + printf("Wrong guid format\n"); + exit(EXIT_FAILURE); + } + convert_uuid_to_guid(uuid_buf); + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; 
@@ -658,14 +700,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); exit(EXIT_FAILURE);
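Review bot: the replacement option headings in the doc/mkeficapsule.1 hunk, `.BI "-f, --fit` and `.BI "-r, --raw`, drop the closing double quote that the removed `.BI "-f, --fit \fIfit-image-file\fP"` lines carried, so the macro argument is left unterminated; since no italic part remains, `.B "-f, --fit"` and `.B "-r, --raw"` are the matching forms. In the new `--guid` entry, "The first three elements are in little endian, while the rest is in big endian" describes the binary layout of the GUID rather than the string the user types, and it would read more clearly as a statement about how that string is encoded into the capsule, which is what `convert_uuid_to_guid()` in the C hunk does.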
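Review bot: `convert_uuid_to_guid()` in the tools/mkeficapsule.c hunk is only called from main() in the same file, so it should be declared `static`; its kernel-doc also describes `@buf` as "String for UUID" although the function swaps bytes in the 16-byte binary value that `uuid_parse()` produced, and the parameter description should say so. The comment itself points at lib/uuid.c: if that code can be built into the host tool, its `uuid_str_to_bin()` with `UUID_STR_FORMAT_GUID` already yields the EFI byte order and the hand-written swap becomes unnecessary.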
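Review bot: in the `case 'g':` hunk, `guid = (efi_guid_t *)uuid_buf;` makes `guid` alias an `unsigned char` array through a struct pointer for the rest of main(); declaring the buffer as an `efi_guid_t` and parsing into its byte array (or copying the parsed bytes into one with `memcpy`) avoids the cast and respects any alignment that `efi_guid_t` declares. The `Wrong guid format` message would also be more useful if it echoed the `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` shape that the man page hunk documents.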
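Review bot: the parameter check in the `/* check necessary parameters */` hunk is written against `optind` (`argc != optind + 2`) while the files are then fetched as `argv[argc - 2]` and `argv[argc - 1]`; the two indexings agree only because of that exact check, so `argv[optind]` for the image blob and `argv[optind + 1]` for the capsule file would match the check directly and would not change meaning if the argument count is ever relaxed. It would also help to split the combined condition so that a missing positional argument and a mismatched `--private-key`/`--certificate` pair produce distinct messages instead of both falling through to print_usage().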
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 08/12] test/py: efi_capsule: align with the syntax change of mkeficapsule
Date: Tue, 2 Nov 2021 09:55:08 +0900
Message-Id: <20211102005512.96019-9-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>

Since the syntax of mkeficapsule was changed in the previous commit, we need to modify the command line arguments in the pytest script.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 test/py/tests/test_efi_capsule/conftest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
-- 
2.33.0

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 27c05971ca32..a5a25c53dcb4 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -80,10 +80,10 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) if capsule_auth_enabled:
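Review bot: the signed-capsule invocations that follow under `if capsule_auth_enabled:` are outside this hunk; if they still hand the image file to `--fit`/`--raw`, the fixture breaks as soon as capsule authentication is enabled, so either convert them here or state in the commit message which patch of the series does. The two lines converted here are consistent with the new syntax: with `--fit`/`--raw` now flag-only, `uboot_bin_env.itb Test01` and `u-boot.bin.new Test02` are read as the positional image-blob and capsule-file arguments, and placing `--index 1` first keeps the option/positional boundary obvious.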
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 09/12] test/py: efi_capsule: add a test for "--guid" option
Date: Tue, 2 Nov 2021 09:55:09 +0900
Message-Id: <20211102005512.96019-10-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>

This test scenario tests a new feature of mkeficapsule, the "--guid" option, which allows us to specify the FMP driver's GUID explicitly on the command line.

Signed-off-by: AKASHI Takahiro
---
 test/py/tests/test_efi_capsule/conftest.py | 3 +
 .../test_efi_capsule/test_capsule_firmware.py | 67 +++++++++++++++++++
 2 files changed, 70 insertions(+)
-- 
2.33.0
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index a5a25c53dcb4..9076087a12b7 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -86,6 +86,9 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % + (data_dir, u_boot_config.build_dir), + shell=True) if capsule_auth_enabled: # firmware signed with proper key check_call('cd %s; ' diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9eeaae27d626..9cc973560fa1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py 
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object): 'sf read 4000000 100000 10', 'md.b 4000000 10']) assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 4 - Test "--guid" option of mkeficapsule + The test scenario is the same as Case 3. + """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 4-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # reboot + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list(['efidebug capsule esrt']) + + # ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT. + assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output) + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output)
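Review bot: the value given to `--guid` in the new Test03 line of the conftest.py hunk, `E2BB9C06-70E9-4B14-97A3-5A7913176E3F`, is the same GUID that the test file later calls `EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID`, so Test03 is Test02's raw capsule rebuilt through the explicit-GUID path rather than a capsule for another FMP driver; that is a sensible way to exercise the option without adding a driver, but the commit message should say so. A second `check_call` with a malformed GUID string, expected to fail, would also cover the `Wrong guid format` exit added to mkeficapsule.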
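Review bot: `test_efi_capsule_fw4` in the test_capsule_firmware.py hunk repeats Case 3 step by step with `Test03` substituted, as its docstring admits; parametrizing the existing case over the capsule name (or moving the shared console sequences into a helper) would keep the two from drifting apart. Within the hunk, the comment `# ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT.` should say that the GUID passed on the mkeficapsule command line is expected in the ESRT, since that is what this case proves, and the `output` of `env print -e Capsule0000` is assigned but never examined.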
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 10/12] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE
Date: Tue, 2 Nov 2021 09:55:10 +0900
Message-Id: <20211102005512.96019-11-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>

Before capsule authentication is supported, this test script works correctly, but with the feature enabled, most tests will fail due to unsigned capsules. So check the results depending on whether CAPSULE_AUTHENTICATE is enabled or not.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 .../test_efi_capsule/test_capsule_firmware.py | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)
-- 
2.33.0

diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9cc973560fa1..6e803f699f2f 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
@@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 2-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables
@@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) output = u_boot_console.run_command_list([ 'sf read 4000000 150000 10', 'md.b 4000000 10']) - assert 'u-boot-env:New' in ''.join(output) + if capsule_auth: + assert 'u-boot-env:Old' in ''.join(output) + else: + assert 'u-boot-env:New' in ''.join(output) def test_efi_capsule_fw3( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 3-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables @@ -246,7 +256,10 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) def test_efi_capsule_fw4( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -285,6 +298,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 4-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
@@ -313,4 +328,7 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output)
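Review bot: each `if capsule_auth:` branch added in the `-171`, `-246` and `-313` hunks asserts only that the old image survived (`u-boot:Old` or `u-boot-env:Old`), which is also what an unrelated failure before the flash write would leave behind; when authentication is enabled the test should additionally check something that identifies the unsigned capsule as rejected, such as the capsule result variable the surrounding tests read with `env print -e Capsule0000` but never inspect, so that a regression in the authentication path is distinguishable from a regression in capsule processing.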
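Review bot: `capsule_auth = u_boot_config.buildconfig.get('config_efi_capsule_authenticate')` is now pasted into three test methods next to the identical `capsule_early` lookup; a fixture (or a small class helper) returning both flags would remove the triplication, and the repeated `if capsule_auth: ... else: ...` assertion pairs could become one helper such as `expect_image(output, 'u-boot', capsule_auth)` so that the expected string is built in one place.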
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 11/12] (RFC) tools: add fdtsig.sh
Date: Tue, 2 Nov 2021 09:55:11 +0900
Message-Id: <20211102005512.96019-12-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

With this script, a public key is added to a device tree blob as the default efi_get_public_key_data() expects.

Signed-off-by: AKASHI Takahiro
---
 MAINTAINERS     |  1 +
 tools/fdtsig.sh | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100755 tools/fdtsig.sh

-- 
2.33.0

diff --git a/MAINTAINERS b/MAINTAINERS index 569332db4719..860f58ef6640 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -738,6 +738,7 @@ F: cmd/bootefi.c F: cmd/efidebug.c F: cmd/nvedit_efi.c F: tools/efivar.py +F: tools/fdtsig.sh F: tools/file2include.c F: tools/mkeficapsule.c diff --git a/tools/fdtsig.sh b/tools/fdtsig.sh new file mode 100755 index 000000000000..c2b2a6dc5ec8 --- /dev/null +++ b/tools/fdtsig.sh
@@ -0,0 +1,40 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# +# script to add a certificate (efi-signature-list) to dtb blob + +usage() { + if [ -n "$*" ]; then + echo "ERROR: $*" + fi + echo "Usage: "$(basename $0) " " +} + +if [ "$#" -ne 2 ]; then + usage "Arguments missing" + exit 1 +fi + +ESL=$1 +DTB=$2 +NEW_DTB=$(basename $DTB)_tmp +SIG=signature + +cat << 'EOF' > $SIG.dts +/dts-v1/; +/plugin/; + +&{/} { + signature { +EOF +echo "capsule-key = /incbin/(\"$ESL\");" >> $SIG.dts +cat << 'EOF' >> $SIG.dts + }; +}; +EOF + +dtc -@ -I dts -O dtb -o $SIG.dtbo $SIG.dts +fdtoverlay -i $DTB -o $NEW_DTB $SIG.dtbo +mv $NEW_DTB $DTB + +rm $SIG.dts $SIG.dtsn $SIG.dtbo

From patchwork Tue Nov 2 00:55:12 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 516609
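Review bot: on the tools/fdtsig.sh hunk above, the final `rm $SIG.dts $SIG.dtsn $SIG.dtbo` names a file the script never creates (only `$SIG.dts` and `$SIG.dtbo` are written), so rm reports an error and, being the last command, makes the script exit non-zero even after a successful overlay; drop `$SIG.dtsn`. There is also no `set -e` and no status check, so if `dtc` or `fdtoverlay` fails the script still reaches `mv $NEW_DTB $DTB` and the caller cannot tell that the DTB went out without the key; `set -e` (or checking each step) aborts before the input DTB is touched. The fixed names `signature.dts`, `signature.dtbo` and `$(basename $DTB)_tmp` are created in the current directory, not next to $DTB, and collide between parallel builds; `mktemp -d` with a `trap ... EXIT` cleanup would be safer, and quoting `"$ESL"`, `"$DTB"` and `"$NEW_DTB"` keeps paths with spaces working. Finally, the file named by $ESL goes into the DTB via /incbin/ with no check at all; since it becomes the trust root for capsule authentication, at least checking that it exists and looks like an EFI signature list before embedding is worth the few lines, and the usage line as shown prints nothing after the script name, so spell out the two operands (ESL file, then DTB).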
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v6 12/12] (RFC) efi_loader, dts: add public keys for capsules to device tree
Date: Tue, 2 Nov 2021 09:55:12 +0900
Message-Id: <20211102005512.96019-13-takahiro.akashi@linaro.org>
In-Reply-To: <20211102005512.96019-1-takahiro.akashi@linaro.org>
References: <20211102005512.96019-1-takahiro.akashi@linaro.org>

By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will automatically insert the given key into the device tree. Otherwise, users are required to do so manually, possibly with the utility script fdtsig.sh.
Signed-off-by: AKASHI Takahiro --- doc/develop/uefi/uefi.rst | 4 ++++ dts/Makefile | 23 +++++++++++++++++++++-- lib/efi_loader/Kconfig | 7 +++++++ 3 files changed, 32 insertions(+), 2 deletions(-) -- 2.33.0 diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated and used by the steps highlighted below. @@ -392,6 +393,9 @@ and used by the steps highlighted below. }; }; + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will + take care of it for you. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep) +quiet_cmd_fdtsig = FDTSIG $@ + cmd_fdtsig = \ + cat $< > $@; \ + $(srctree)/tools/fdtsig.sh \ + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ + +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) +DTB_ov := $(obj)/dt.dtb_ov + +$(obj)/dt.dtb_ov: $(DTB) FORCE + $(call if_changed,fdtsig) +else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif + ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 52f71c07c991..d12b1e56ae80 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -208,6 +208,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_CAPSULE_KEY_PATH + string "Path to .esl cert for capsule authentication" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provide the EFI signature list (esl) certificate used for capsule + authentication + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
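Review bot: in the doc/develop/uefi/uefi.rst hunk, `CONFIG_EFI_CAPSULE_KEY_PATH=` is listed without a value and the added sentence "the build process will take care of it for you" does not say what is taken care of. State that the build embeds the named .esl file into the control DTB as the `capsule-key` property of the `signature` node (the same result as the manual dts edit shown just above it), and that a relative path is resolved from the directory make is run in, since dts/Makefile hands the value to tools/fdtsig.sh unchanged.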
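Review bot: in the dts/Makefile hunk, `$(obj)/dt.dtb_ov: $(DTB) FORCE` lists neither the key file nor tools/fdtsig.sh as a prerequisite, so replacing the .esl at the same CONFIG_EFI_CAPSULE_KEY_PATH (a key rotation) does not re-run `if_changed,fdtsig` and the stale key stays in dt.dtb; add `$(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH))` and `$(srctree)/tools/fdtsig.sh` to the dependency list. In `cmd_fdtsig`, `cat $< > $@;` is chained with `;`, so a failing cat still runs fdtsig.sh on a partial $@; use `&&`. Note that fdtsig.sh, as posted, always ends with a failing `rm` of a `signature.dtsn` it never created, so this rule fails as soon as a key path is set, and its temporary files land in the top-level build directory rather than in $(obj). Minor: `DTB_ov := $(DTB)` is repeated in both `else` branches; the nested ifeq/ifneq can be collapsed into one condition.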
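Review bot: in the lib/efi_loader/Kconfig hunk, the EFI_CAPSULE_KEY_PATH help text should say what the build does with the file (embeds it into the control DTB as /signature/capsule-key), how a relative path is resolved, and that an empty value is accepted and then requires the manual fdtsig.sh step described in the commit message; as written, a board with EFI_CAPSULE_AUTHENTICATE=y and no key embedded gives no build-time indication. Minor: the help text is missing its full stop.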
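Neither tools/fdtsig.sh (patch 11/12) nor the cmd_fdtsig rule that calls it (patch 12/12) inspects the file it embeds, so whatever CONFIG_EFI_CAPSULE_KEY_PATH points at becomes the capsule trust root. The following is an added example, not part of these patches or of U-Boot: a pre-check that parses the EFI_SIGNATURE_LIST layout from the UEFI specification (type GUID, list/header/signature sizes, then EFI_SIGNATURE_DATA entries of an owner GUID plus payload) and accepts only lists of EFI_CERT_X509_GUID entries, which is what a certificate-based capsule check needs. The sample list at the bottom is constructed inline from a hypothetical owner GUID and a stand-in DER body; it is not a real certificate.

```python
"""Sanity-check an EFI Signature List (.esl) before it is embedded as capsule-key.

Added example (not U-Boot code): walks EFI_SIGNATURE_LIST structures as laid out
in the UEFI specification and rejects anything that is not a chain of X.509 lists.
"""
import struct
import sys
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: SignatureData is one DER cert.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16 bytes), then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32.
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # EFI_SIGNATURE_DATA.SignatureOwner precedes every SignatureData


class EslError(ValueError):
    """The blob is not a well-formed chain of EFI_SIGNATURE_LIST structures."""


def parse_esl(blob: bytes) -> list:
    """Return one dict per list: its type GUID and [(owner GUID, SignatureData)]."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise EslError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        # The list must fit its own header and must not run past the blob.
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise EslError(f"list at offset {off}: SignatureListSize {list_size} is inconsistent")
        if sig_size <= _OWNER_LEN:
            raise EslError(f"SignatureSize {sig_size} leaves no room for SignatureData")
        body = list_size - _LIST_HDR.size - hdr_size
        if body == 0 or body % sig_size:
            raise EslError(f"list at offset {off}: {body} body bytes, not a multiple of {sig_size}")
        sigs = []
        pos = off + _LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            sigs.append((owner, blob[pos + _OWNER_LEN:pos + sig_size]))
            pos += sig_size
        lists.append({"type": uuid.UUID(bytes_le=sig_type), "signatures": sigs})
        off += list_size
    if not lists:
        raise EslError("empty file")
    return lists


def x509_certs(blob: bytes) -> list:
    """Return the DER certificate bodies; reject lists of any other signature type."""
    certs = []
    for lst in parse_esl(blob):
        if lst["type"] != EFI_CERT_X509_GUID:
            raise EslError(f"signature type {lst['type']} is not EFI_CERT_X509_GUID")
        for _owner, der in lst["signatures"]:
            # A DER certificate is a SEQUENCE (tag 0x30); cheapest check without ASN.1.
            if not der.startswith(b"\x30"):
                raise EslError("SignatureData does not start with a DER SEQUENCE")
            certs.append(der)
    return certs


def is_valid_capsule_key(blob: bytes) -> bool:
    """True when the blob is safe to embed as /signature/capsule-key."""
    try:
        return len(x509_certs(blob)) > 0
    except EslError:
        return False


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; all entries in a list share one SignatureSize."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise EslError("all signatures in one list must have the same size")
    sig_size = _OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample input (hypothetical owner GUID, stand-in DER body, not a real cert).
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_ESL = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_DER])
# Same layout but a zero type GUID: well-formed, yet unusable as a capsule key.
SAMPLE_BAD_TYPE_ESL = build_esl(uuid.UUID(int=0), SAMPLE_OWNER, [SAMPLE_DER])


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "capsule_key.esl"  # hypothetical default
    try:
        with open(path, "rb") as f:
            count = len(x509_certs(f.read()))
    except (OSError, EslError) as exc:
        sys.exit(f"refusing to embed {path}: {exc}")
    print(f"{path}: {count} X.509 certificate(s), safe to embed")
```

Run it on the .esl before handing the file to fdtsig.sh, or call it from the `cmd_fdtsig` recipe so that a wrong or truncated file fails the build instead of being shipped as the trust root.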