From patchwork Tue Jan 18 04:39:44 2022
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 532853
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 01/11] tools: mkeficapsule: output messages to stderr instead of stdout
Date: Tue, 18 Jan 2022 13:39:44 +0900
Message-Id: <20220118043954.55940-2-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

All the error messages should be printed out to stderr.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Heinrich Schuchardt
---
 tools/mkeficapsule.c | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 4995ba4e0c2a..19d5eea3cb59 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -50,7 +50,7 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] \n" + fprintf(stderr, "Usage: %s [options] \n" "Options:\n" "\t-f, --fit new FIT image file\n"
@@ -74,28 +74,29 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, u64 offset; #ifdef DEBUG - printf("For output: %s\n", path); - printf("\tbin: %s\n\ttype: %pUl\n", bin, guid); - printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); + fprintf(stderr, "For output: %s\n", path); + fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid); + fprintf(stderr, "\tindex: %ld\n\tinstance: %ld\n", index, instance); #endif g = fopen(bin, "r"); if (!g) { - printf("cannot open %s\n", bin); + fprintf(stderr, "cannot open %s\n", bin); return -1; } if (stat(bin, &bin_stat) < 0) { - printf("cannot determine the size of %s\n", bin); + fprintf(stderr, "cannot determine the size of %s\n", bin); goto err_1; } data = malloc(bin_stat.st_size); if (!data) { - printf("cannot allocate memory: %zx\n", (size_t)bin_stat.st_size); + fprintf(stderr, "cannot allocate memory: %zx\n", + (size_t)bin_stat.st_size); goto err_1; } f = fopen(path, "w"); if (!f) { - printf("cannot open %s\n", path); + fprintf(stderr, "cannot open %s\n", path); goto err_2; } header.capsule_guid = efi_guid_fm_capsule; @@ -109,7 +110,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, size = fwrite(&header, 1, sizeof(header), f); if (size < sizeof(header)) { - printf("write failed (%zx)\n", size); + fprintf(stderr, "write failed (%zx)\n", size); goto err_3; } @@ -118,13 +119,13 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, capsule.payload_item_count = 1; size = fwrite(&capsule, 1, sizeof(capsule), f); if (size < (sizeof(capsule))) { - printf("write failed (%zx)\n", size); + fprintf(stderr, "write failed (%zx)\n", size); goto err_3; } offset = sizeof(capsule) + sizeof(u64); size = fwrite(&offset, 1, sizeof(offset), f); if (size < sizeof(offset)) { - printf("write failed (%zx)\n", size); + fprintf(stderr, "write failed (%zx)\n", size); goto err_3; } 
@@ -141,17 +142,17 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, size = fwrite(&image, 1, sizeof(image), f); if (size < sizeof(image)) { - printf("write failed (%zx)\n", size); + fprintf(stderr, "write failed (%zx)\n", size); goto err_3; } size = fread(data, 1, bin_stat.st_size, g); if (size < bin_stat.st_size) { - printf("read failed (%zx)\n", size); + fprintf(stderr, "read failed (%zx)\n", size); goto err_3; } size = fwrite(data, 1, bin_stat.st_size, f); if (size < bin_stat.st_size) { - printf("write failed (%zx)\n", size); + fprintf(stderr, "write failed (%zx)\n", size); goto err_3; } @@ -194,7 +195,7 @@ int main(int argc, char **argv) switch (c) { case 'f': if (file) { - printf("Image already specified\n"); + fprintf(stderr, "Image already specified\n"); return -1; } file = optarg; @@ -202,7 +203,7 @@ int main(int argc, char **argv) break; case 'r': if (file) { - printf("Image already specified\n"); + fprintf(stderr, "Image already specified\n"); return -1; } file = optarg; 
@@ -234,7 +235,7 @@ int main(int argc, char **argv) if (create_fwbin(argv[optind], file, guid, index, instance) < 0) { - printf("Creating firmware capsule failed\n"); + fprintf(stderr, "Creating firmware capsule failed\n"); exit(EXIT_FAILURE); }
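Review bot: in patch 01/11, the DEBUG block of create_fwbin() still hands "%pUl" to the host C library's fprintf(). That conversion is U-Boot's own printf extension; a libc fprintf() treats it as %p followed by the literal text "Ul", so a DEBUG build of this host tool prints a pointer instead of the GUID. Since these three lines are being rewritten anyway, format the GUID bytes explicitly here (or drop the type field) rather than carrying the specifier over from printf().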
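Review bot: in patch 01/11, the two "Image already specified" paths in main() (cases 'f' and 'r') still end in return -1, while the create_fwbin() failure path a few hunks later uses exit(EXIT_FAILURE). On a POSIX host return -1 from main() surfaces as status 255, so callers see two different failure codes from one tool. As the messages are being touched in this patch, switch those two cases to exit(EXIT_FAILURE) or return EXIT_FAILURE as well.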
From patchwork Tue Jan 18 04:39:45 2022
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 532854
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 02/11] tools: mkeficapsule: rework the code a little bit
Date: Tue, 18 Jan 2022 13:39:45 +0900
Message-Id: <20220118043954.55940-3-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

Abstract common routines to make the code easily understandable.
No functional change.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 tools/mkeficapsule.c | 239 ++++++++++++++++++++++++++++++-------------
 1 file changed, 167 insertions(+), 72 deletions(-)

diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 19d5eea3cb59..ee3e489c0b30 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include
@@ -51,33 +52,36 @@ static struct option options[] = { static void print_usage(void) { fprintf(stderr, "Usage: %s [options] \n" - "Options:\n" - - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" - "\t-i, --index update image index\n" - "\t-I, --instance update hardware instance\n" - "\t-h, --help print a help message\n", - tool_name); + "Options:\n" + + "\t-f, --fit new FIT image file\n" + "\t-r, --raw new raw image file\n" + "\t-i, --index update image index\n" + "\t-I, --instance update hardware instance\n" + "\t-h, --help print a help message\n", + tool_name); } -static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) +/** + * read_bin_file - read a firmware binary file + * @bin: Path to a firmware binary file + * @data: Pointer to pointer of allocated buffer + * @bin_size: Size of allocated buffer + * + * Read out a content of binary, @bin, into @data. + * A caller should free @data. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int read_bin_file(char *bin, void **data, off_t *bin_size) { - struct efi_capsule_header header; - struct efi_firmware_management_capsule_header capsule; - struct efi_firmware_management_capsule_image_header image; - FILE *f, *g; + FILE *g; struct stat bin_stat; - u8 *data; + void *buf; size_t size; - u64 offset; - -#ifdef DEBUG - fprintf(stderr, "For output: %s\n", path); - fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid); - fprintf(stderr, "\tindex: %ld\n\tinstance: %ld\n", index, instance); -#endif + int ret = 0; g = fopen(bin, "r"); if (!g) { 
@@ -86,19 +90,123 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, } if (stat(bin, &bin_stat) < 0) { fprintf(stderr, "cannot determine the size of %s\n", bin); - goto err_1; + ret = -1; + goto err; + } + if (bin_stat.st_size > SIZE_MAX) { + fprintf(stderr, "file size is too large for malloc: %s\n", bin); + ret = -1; + goto err; } - data = malloc(bin_stat.st_size); - if (!data) { + buf = malloc(bin_stat.st_size); + if (!buf) { fprintf(stderr, "cannot allocate memory: %zx\n", (size_t)bin_stat.st_size); - goto err_1; + ret = -1; + goto err; + } + + size = fread(buf, 1, bin_stat.st_size, g); + if (size < bin_stat.st_size) { + fprintf(stderr, "read failed (%zx)\n", size); + ret = -1; + goto err; } + + *data = buf; + *bin_size = bin_stat.st_size; +err: + fclose(g); + + return ret; +} + +/** + * write_capsule_file - write a capsule file + * @bin: FILE stream + * @data: Pointer to data + * @bin_size: Size of data + * + * Write out data, @data, with the size @bin_size. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) +{ + size_t size_written; + + size_written = fwrite(data, 1, size, f); + if (size_written < size) { + fprintf(stderr, "%s: write failed (%zx != %zx)\n", msg, + size_written, size); + return -1; + } + + return 0; +} + +/** + * create_fwbin - create an uefi capsule file + * @path: Path to a created capsule file + * @bin: Path to a firmware binary to encapsulate + * @guid: GUID of related FMP driver + * @index: Index number in capsule + * @instance: Instance number in capsule + * @mcount: Monotonic count in authentication information + * @private_file: Path to a private key file + * @cert_file: Path to a certificate file + * + * This function actually does the job of creating an uefi capsule file. + * All the arguments must be supplied. + * If either @private_file ror @cert_file is NULL, the capsule file + * won't be signed. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_fwbin(char *path, char *bin, efi_guid_t *guid, + unsigned long index, unsigned long instance) +{ + struct efi_capsule_header header; + struct efi_firmware_management_capsule_header capsule; + struct efi_firmware_management_capsule_image_header image; + FILE *f; + void *data; + off_t bin_size; + u64 offset; + int ret; + +#ifdef DEBUG + fprintf(stderr, "For output: %s\n", path); + fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid); + fprintf(stderr, "\tindex: %ld\n\tinstance: %ld\n", index, instance); +#endif + + f = NULL; + data = NULL; + ret = -1; + + /* + * read a firmware binary + */ + if (read_bin_file(bin, &data, &bin_size)) + goto err; + + /* + * write a capsule file + */ f = fopen(path, "w"); if (!f) { fprintf(stderr, "cannot open %s\n", path); - goto err_2; + goto err; } + + /* + * capsule file header + */ header.capsule_guid = efi_guid_fm_capsule; header.header_size = sizeof(header); /* TODO: The current implementation ignores flags */ 
@@ -106,70 +214,57 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, header.capsule_image_size = sizeof(header) + sizeof(capsule) + sizeof(u64) + sizeof(image) - + bin_stat.st_size; - - size = fwrite(&header, 1, sizeof(header), f); - if (size < sizeof(header)) { - fprintf(stderr, "write failed (%zx)\n", size); - goto err_3; - } + + bin_size; + if (write_capsule_file(f, &header, sizeof(header), + "Capsule header")) + goto err; + /* + * firmware capsule header + * This capsule has only one firmware capsule image. + */ capsule.version = 0x00000001; capsule.embedded_driver_count = 0; capsule.payload_item_count = 1; - size = fwrite(&capsule, 1, sizeof(capsule), f); - if (size < (sizeof(capsule))) { - fprintf(stderr, "write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &capsule, sizeof(capsule), + "Firmware capsule header")) + goto err; + offset = sizeof(capsule) + sizeof(u64); - size = fwrite(&offset, 1, sizeof(offset), f); - if (size < sizeof(offset)) { - fprintf(stderr, "write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &offset, sizeof(offset), + "Offset to capsule image")) + goto err; + /* + * firmware capsule image header + */ image.version = 0x00000003; memcpy(&image.update_image_type_id, guid, sizeof(*guid)); image.update_image_index = index; image.reserved[0] = 0; image.reserved[1] = 0; image.reserved[2] = 0; - image.update_image_size = bin_stat.st_size; + image.update_image_size = bin_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (write_capsule_file(f, &image, sizeof(image), + "Firmware capsule image header")) + goto err; - size = fwrite(&image, 1, sizeof(image), f); - if (size < sizeof(image)) { - fprintf(stderr, "write failed (%zx)\n", size); - goto err_3; - } - size = fread(data, 1, bin_stat.st_size, g); - if (size < bin_stat.st_size) { - fprintf(stderr, "read failed (%zx)\n", size); - goto err_3; - } - 
size = fwrite(data, 1, bin_stat.st_size, f); - if (size < bin_stat.st_size) { - fprintf(stderr, "write failed (%zx)\n", size); - goto err_3; - } - - fclose(f); - fclose(g); - free(data); - - return 0; + /* + * firmware binary + */ + if (write_capsule_file(f, data, bin_size, "Firmware binary")) + goto err; -err_3: - fclose(f); -err_2: + ret = 0; +err: + if (f) + fclose(f); free(data); -err_1: - fclose(g); - return -1; + return ret; } /*
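Review bot: in patch 02/11, read_bin_file() leaks buf when fread() comes up short. That path sets ret = -1 and jumps to err, which only calls fclose(g); *data is never assigned, so the free(data) in create_fwbin() frees the NULL it was initialised with. Add free(buf) on the short-read path, or free it under err when ret is non-zero. While this code is being moved, note that stat(bin, &bin_stat) resolves the path a second time after fopen(), so the size can belong to a different file than the stream being read; fstat(fileno(g), &bin_stat) sizes the file that is actually open.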
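Review bot: in patch 02/11, the kernel-doc comments added above write_capsule_file() and create_fwbin() do not match the functions beneath them. write_capsule_file() documents @bin, @data and @bin_size but takes (FILE *f, void *data, size_t size, const char *msg), and create_fwbin() documents @mcount, @private_file and @cert_file and describes signing although its parameter list in this patch ends at instance; "ror" in that comment is a typo for "or". Document the parameters that exist in this patch and add the signing ones in the patch that introduces them.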
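Review bot: in patch 02/11, bin_size is an off_t whose only bound is the SIZE_MAX test in read_bin_file(), yet create_fwbin() adds it into header.capsule_image_size and stores it in image.update_image_size with no range check. If either field is narrower than off_t, a large input produces a capsule whose headers declare a smaller size than the payload written after them. Reject the input up front when bin_size plus the header sizes does not fit the destination field.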
From patchwork Tue Jan 18 04:39:46 2022
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 532855
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 03/11] tools: build mkeficapsule with tools-only_defconfig
Date: Tue, 18 Jan 2022 13:39:46 +0900
Message-Id: <20220118043954.55940-4-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

Add CONFIG_TOOLS_MKEFICAPSULE. Then we want to always build mkeficapsule
if tools-only_defconfig is used.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 configs/tools-only_defconfig | 1 +
 tools/Kconfig | 8 ++++++++
 tools/Makefile | 3 +--
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/configs/tools-only_defconfig b/configs/tools-only_defconfig index f482c9a1c1b0..5427797dd4c3 100644 --- a/configs/tools-only_defconfig +++ b/configs/tools-only_defconfig @@ -31,3 +31,4 @@ CONFIG_I2C_EDID=y # CONFIG_VIRTIO_MMIO is not set # CONFIG_VIRTIO_PCI is not set # CONFIG_VIRTIO_SANDBOX is not set +CONFIG_TOOLS_MKEFICAPSULE=y diff --git a/tools/Kconfig b/tools/Kconfig index 91ce8ae3e516..117c921da3fe 100644
--- a/tools/Kconfig +++ b/tools/Kconfig @@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu diff --git a/tools/Makefile b/tools/Makefile index 1763f44cac43..766c0674f4a0 100644 --- a/tools/Makefile +++ b/tools/Makefile 
@@ -238,8 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of
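
Review bot: In the tools/Kconfig hunk the prompt reads "Build efimkcapsule command", but the program that the Makefile hunk builds is mkeficapsule; the prompt should carry the real name so it can be found when searching the configuration. The help text would read better as "create a UEFI capsule file and, optionally, sign that file". The new `default y if EFI_CAPSULE_ON_DISK` is also a different condition from the CONFIG_EFI_HAVE_CAPSULE_SUPPORT test that the Makefile used before, so the commit message should state whether configurations that relied on the old condition are meant to lose the tool by default.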
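
Review bot: The tools/Makefile hunk deletes `mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS)` along with the switch to CONFIG_TOOLS_MKEFICAPSULE, and the commit message says nothing about it. Either explain in the log why the libfdt objects are no longer linked into the tool, or move that removal into the patch that drops the dependency, so that a bisect landing here has a stated reason for the link change.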
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 04/11] tools: mkeficapsule: add firmware image signing
Date: Tue, 18 Jan 2022 13:39:47 +0900
Message-Id: <20220118043954.55940-5-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>

With this enhancement, mkeficapsule will be able to sign a capsule file when it is created. A signature added will be used later in the verification at FMP's SetImage() call.

To do that, we need to specify additional command parameters:
  -monotonic-count : monotonic count
  -private-key : private key file
  -certificate : certificate file
Only when all of those parameters are given, a signature will be added to a capsule file.

Users are expected to maintain and increment the monotonic count at every time of the update for each firmware image.

Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- tools/Makefile | 4 + tools/eficapsule.h | 115 +++++++++++++ tools/mkeficapsule.c | 398 +++++++++++++++++++++++++++++++++++++++---- 3 files changed, 487 insertions(+), 30 deletions(-) create mode 100644 tools/eficapsule.h diff --git a/tools/Makefile b/tools/Makefile index 766c0674f4a0..afca08e2941a 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,6 +238,10 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/eficapsule.h b/tools/eficapsule.h new file mode 100644 index 000000000000..8c1560bb0671 --- /dev/null +++ b/tools/eficapsule.h 
@@ -0,0 +1,115 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2021 Linaro Limited + * Author: AKASHI Takahiro + * + * derived from efi.h and efi_api.h to make the file POSIX-compliant + */ + +#ifndef _EFI_CAPSULE_H +#define _EFI_CAPSULE_H + +#include +#include /* WIN_CERTIFICATE */ + +/* + * Gcc's predefined attributes are not recognized by clang. + */ +#ifndef __packed +#define __packed __attribute__((__packed__)) +#endif + +#ifndef __aligned +#define __aligned(x) __attribute__((__aligned__(x))) +#endif + +typedef struct { + uint8_t b[16]; +} efi_guid_t __aligned(8); + +#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \ + {{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \ + ((a) >> 24) & 0xff, \ + (b) & 0xff, ((b) >> 8) & 0xff, \ + (c) & 0xff, ((c) >> 8) & 0xff, \ + (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } } + +#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \ + EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \ + 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \ + EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \ + 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \ + EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \ + 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f) + +#define EFI_CERT_TYPE_PKCS7_GUID \ + EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \ + 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) + +/* flags */ +#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET 0x00010000 + +struct efi_capsule_header { + efi_guid_t capsule_guid; + uint32_t header_size; + uint32_t flags; + uint32_t capsule_image_size; +} __packed; + +struct efi_firmware_management_capsule_header { + uint32_t version; + uint16_t embedded_driver_count; + uint16_t payload_item_count; + uint32_t item_offset_list[]; +} __packed; + +/* image_capsule_support */ +#define CAPSULE_SUPPORT_AUTHENTICATION 0x0000000000000001 + +struct efi_firmware_management_capsule_image_header { + uint32_t version; + efi_guid_t 
update_image_type_id; + uint8_t update_image_index; + uint8_t reserved[3]; + uint32_t update_image_size; + uint32_t update_vendor_code_size; + uint64_t update_hardware_instance; + uint64_t image_capsule_support; +} __packed; + +/** + * win_certificate_uefi_guid - A certificate that encapsulates + * a GUID-specific signature + * + * @hdr: Windows certificate header + * @cert_type: Certificate type + * @cert_data: Certificate data + */ +struct win_certificate_uefi_guid { + WIN_CERTIFICATE hdr; + efi_guid_t cert_type; + uint8_t cert_data[]; +} __packed; + +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __packed; + +#endif /* _EFI_CAPSULE_H */ diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index ee3e489c0b30..66dc2ee20912 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -16,21 +16,17 @@ #include #include -typedef __u8 u8; -typedef __u16 u16; -typedef __u32 u32; -typedef __u64 u64; -typedef __s16 s16; -typedef __s32 s32; - -#define aligned_u64 __aligned_u64 - -#ifndef __packed -#define __packed __attribute__((packed)) +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include #endif -#include -#include +#include "eficapsule.h" static const char *tool_name = "mkeficapsule"; 
@@ -39,12 +35,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
@@ -58,10 +67,253 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data: Pointer to firmware data + * @image_size: Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + uint8_t *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + uint8_t *sig_data; + size_t sig_size; +}; + +static int dump_sig; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +/** + * fileio-read_pkey - read out a private key + * @filename: Path to a private key file + * + * Read out a private key file and parse it into "EVP_PKEY" structure. 
+ * + * Return: + * * Pointer to private key structure - on success + * * NULL - on failure + */ +static EVP_PKEY *fileio_read_pkey(const char *filename) +{ + EVP_PKEY *key = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!key) { + fprintf(stderr, "Can't load key from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return key; +} + +/** + * fileio-read_cert - read out a certificate + * @filename: Path to a certificate file + * + * Read out a certificate file and parse it into "X509" structure. + * + * Return: + * * Pointer to certificate structure - on success + * * NULL - on failure + */ +static X509 *fileio_read_cert(const char *filename) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!cert) { + fprintf(stderr, "Can't load certificate from file '%s'\n", + filename); + ERR_print_errors_fp(stderr); + } + + return cert; +} + +/** + * create_auth_data - compose authentication data in capsule + * @auth_context: Pointer to authentication context + * + * Fill up an authentication header (.auth) and signature data (.sig_data) + * in @auth_context, using library functions from openssl. + * All the parameters in @auth_context must be filled in by a caller. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_auth_data(struct auth_context *ctx) +{ + EVP_PKEY *key = NULL; + X509 *cert = NULL; + BIO *data_bio = NULL; + const EVP_MD *md; + PKCS7 *p7; + int flags, ret = -1; + + OpenSSL_add_all_digests(); + OpenSSL_add_all_ciphers(); + ERR_load_crypto_strings(); + + key = fileio_read_pkey(ctx->key_file); + if (!key) + goto err; + cert = fileio_read_cert(ctx->cert_file); + if (!cert) + goto err; + + /* + * create a BIO, containing: + * * firmware image + * * monotonic count + * in this order! + * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256() + */ + data_bio = BIO_new(BIO_s_mem()); + BIO_write(data_bio, ctx->image_data, ctx->image_size); + BIO_write(data_bio, &ctx->auth.monotonic_count, + sizeof(ctx->auth.monotonic_count)); + + md = EVP_get_digestbyname("SHA256"); + if (!md) + goto err; + + /* create signature */ + /* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */ + flags = PKCS7_BINARY | PKCS7_DETACHED; + p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL); + if (!p7) + goto err; + if (!PKCS7_sign_add_signer(p7, cert, key, md, flags)) + goto err; + if (!PKCS7_final(p7, data_bio, flags)) + goto err; + + /* convert pkcs7 into DER */ + ctx->sig_data = NULL; + ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data, + ASN1_ITEM_rptr(PKCS7)); + if (!ctx->sig_size) + goto err; + + /* fill auth_info */ + ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info) + + ctx->sig_size; + ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7, + sizeof(efi_guid_cert_type_pkcs7)); + + ret = 0; +err: + BIO_free_all(data_bio); + EVP_PKEY_free(key); + X509_free(cert); + + return ret; +} + +/** + * dump_signature - dump out a signature + * @path: Path to a capsule file + * @signature: Signature data + * @sig_size: Size of signature data + 
* + * Signature data pointed to by @signature will be saved into + * a file whose file name is @path with ".p7" suffix. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size) +{ + char *sig_path; + FILE *f; + size_t size; + int ret = -1; + + sig_path = malloc(strlen(path) + 3 + 1); + if (!sig_path) + return ret; + + sprintf(sig_path, "%s.p7", path); + f = fopen(sig_path, "w"); + if (!f) + goto err; + + size = fwrite(signature, 1, sig_size, f); + if (size == sig_size) + ret = 0; + + fclose(f); +err: + free(sig_path); + return ret; +} + +/** + * free_sig_data - free out signature data + * @ctx: Pointer to authentication context + * + * Free signature data allocated in create_auth_data(). + */ +static void free_sig_data(struct auth_context *ctx) +{ + if (ctx->sig_size) + OPENSSL_free(ctx->sig_data); +} +#else +static int create_auth_data(struct auth_context *ctx) +{ + return 0; +} + +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size) +{ + return 0; +} + +static void free_sig_data(struct auth_context *ctx) {} +#endif + /** * read_bin_file - read a firmware binary file * @bin: Path to a firmware binary file 
@@ -168,23 +420,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) * * -1 - on failure */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) + unsigned long index, unsigned long instance, + uint64_t mcount, char *privkey_file, char *cert_file) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; + struct auth_context auth_context; FILE *f; void *data; off_t bin_size; - u64 offset; + uint64_t offset; int ret; #ifdef DEBUG fprintf(stderr, "For output: %s\n", path); fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid); - fprintf(stderr, "\tindex: %ld\n\tinstance: %ld\n", index, instance); + fprintf(stderr, "\tindex: %lu\n\tinstance: %lu\n", index, instance); #endif - + auth_context.sig_size = 0; f = NULL; data = NULL; ret = -1; @@ -195,6 +449,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, if (read_bin_file(bin, &data, &bin_size)) goto err; + /* first, calculate signature to determine its size */ + if (privkey_file && cert_file) { + auth_context.key_file = privkey_file; + auth_context.cert_file = cert_file; + auth_context.auth.monotonic_count = mcount; + auth_context.image_data = data; + auth_context.image_size = bin_size; + + if (create_auth_data(&auth_context)) { + fprintf(stderr, "Signing firmware image failed\n"); + goto err; + } + + if (dump_sig && + dump_signature(path, auth_context.sig_data, + auth_context.sig_size)) { + fprintf(stderr, "Creating signature file failed\n"); + goto err; + } + } + /* * write a capsule file */ 
@@ -212,9 +487,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, /* TODO: The current implementation ignores flags */ header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET; header.capsule_image_size = sizeof(header) - + sizeof(capsule) + sizeof(u64) + + sizeof(capsule) + sizeof(uint64_t) + sizeof(image) + bin_size; + if (auth_context.sig_size) + header.capsule_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; if (write_capsule_file(f, &header, sizeof(header), "Capsule header")) goto err; @@ -230,7 +508,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, "Firmware capsule header")) goto err; - offset = sizeof(capsule) + sizeof(u64); + offset = sizeof(capsule) + sizeof(uint64_t); if (write_capsule_file(f, &offset, sizeof(offset), "Offset to capsule image")) goto err; @@ -245,13 +523,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, image.reserved[1] = 0; image.reserved[2] = 0; image.update_image_size = bin_size; + if (auth_context.sig_size) + image.update_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (auth_context.sig_size) + image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION; if (write_capsule_file(f, &image, sizeof(image), "Firmware capsule image header")) goto err; + /* + * signature + */ + if (auth_context.sig_size) { + if (write_capsule_file(f, &auth_context.auth, + sizeof(auth_context.auth), + "Authentication header")) + goto err; + + if (write_capsule_file(f, auth_context.sig_data, + auth_context.sig_size, "Signature")) + goto err; + } + /* * firmware binary */ 
@@ -262,28 +559,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, err: if (f) fclose(f); + free_sig_data(&auth_context); free(data); return ret; } -/* - * Usage: - * $ mkeficapsule -f +/** + * main - main entry function of mkeficapsule + * @argc: Number of arguments + * @argv: Array of pointers to arguments + * + * Create an uefi capsule file, optionally signing it. + * Parse all the arguments and pass them on to create_fwbin(). + * + * Return: + * * 0 - on success + * * -1 - on failure */ int main(int argc, char **argv) { char *file; efi_guid_t *guid; unsigned long index, instance; + uint64_t mcount; + char *privkey_file, *cert_file; int c, idx; file = NULL; guid = NULL; index = 0; instance = 0; + mcount = 0; + privkey_file = NULL; + cert_file = NULL; + dump_sig = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, opts_short, options, &idx); if (c == -1) break; @@ -291,7 +603,7 @@ int main(int argc, char **argv) case 'f': if (file) { fprintf(stderr, "Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_fit; @@ -299,7 +611,7 @@ int main(int argc, char **argv) case 'r': if (file) { fprintf(stderr, "Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_raw; 
@@ -310,14 +622,40 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; +#ifdef CONFIG_TOOLS_LIBCRYPTO + case 'p': + if (privkey_file) { + fprintf(stderr, + "Private Key already specified\n"); + exit(EXIT_FAILURE); + } + privkey_file = optarg; + break; + case 'c': + if (cert_file) { + fprintf(stderr, + "Certificate file already specified\n"); + exit(EXIT_FAILURE); + } + cert_file = optarg; + break; + case 'm': + mcount = strtoul(optarg, NULL, 0); + break; + case 'd': + dump_sig = 1; + break; +#endif /* CONFIG_TOOLS_LIBCRYPTO */ case 'h': print_usage(); - return 0; + exit(EXIT_SUCCESS); } } - /* need an output file */ - if (argc != optind + 1) { + /* check necessary parameters */ + if ((argc != optind + 1) || !file || + ((privkey_file && !cert_file) || + (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } 
@@ -328,8 +666,8 @@ int main(int argc, char **argv) exit(EXIT_SUCCESS); } - if (create_fwbin(argv[optind], file, guid, index, instance) - < 0) { + if (create_fwbin(argv[optind], file, guid, index, instance, + mcount, privkey_file, cert_file) < 0) { fprintf(stderr, "Creating firmware capsule failed\n"); exit(EXIT_FAILURE); }
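
Review bot: In the options[] hunk of tools/mkeficapsule.c the long option is registered as "dump-sig", while the usage text added to print_usage() advertises `--dump_sig`, so the spelling shown to the user is not one getopt_long() will accept. Pick one form, preferably the hyphenated one to match --private-key and --monotonic-count, and use it in both places.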
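
Review bot: In create_auth_data(), the return value of ASN1_item_i2d() is stored directly in the size_t field ctx->sig_size and then tested with `if (!ctx->sig_size)`, which only catches zero; ASN1_item_i2d() returns a negative int on failure, so an encoding error becomes a very large size, the function returns 0, and create_fwbin() goes on to add that size to capsule_image_size and hand it to write_capsule_file(). Keep the result in an int and treat anything <= 0 as an error before assigning. In the same function BIO_new() and both BIO_write() calls are unchecked, so a failed or short write would produce a signature over less than image plus count, and p7 is never released with PKCS7_free() on either the success or the error path. The monotonic count is also fed to the digest in host byte order, which will not match what little-endian firmware verifies if the tool runs on a big-endian host. Minor: the kernel-doc headers name fileio-read_pkey and fileio-read_cert with a hyphen, and document @auth_context where the parameter is called ctx.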
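
Review bot: The parameter check added at the end of option parsing in main() only requires --private-key and --certificate to come as a pair, so omitting --monotonic-count still produces a signed capsule with mcount at its initial value of 0, although the commit message says a signature is added only when all of the parameters are given. Since eficapsule.h documents monotonic_count as the field that prevents replay, record whether -m was seen and refuse to sign without it. The 'm' case also fills a uint64_t with `strtoul(optarg, NULL, 0)`, which cannot represent the full 64-bit range on hosts where unsigned long is 32 bits and silently accepts trailing garbage; strtoull() with an end pointer and errno check would close both gaps.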
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 05/11] tools: mkeficapsule: add man page
Date: Tue, 18 Jan 2022 13:39:48 +0900
Message-Id: <20220118043954.55940-6-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>

Add a man page for mkeficapsule command.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
Acked-by: Ilias Apalodimas

--- MAINTAINERS | 1 + doc/mkeficapsule.1 | 99 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100644 doc/mkeficapsule.1 diff --git a/MAINTAINERS b/MAINTAINERS index 90666ce376cd..2b73feffafe0 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -726,6 +726,7 @@ S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git F: doc/api/efi.rst F: doc/develop/uefi/* +F: doc/mkeficapsule.1 F: doc/usage/bootefi.rst F: drivers/rtc/emul_rtc.c F: include/capitalization.h diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 new file mode 100644 index 000000000000..680362f5c4e9 --- /dev/null +++ b/doc/mkeficapsule.1 
@@ -0,0 +1,99 @@ +.\" SPDX-License-Identifier: GPL-2.0+ +.\" Copyright (c) 2021, Linaro Limited +.\" written by AKASHI Takahiro +.TH MAEFICAPSULE 1 "May 2021" + +.SH NAME +mkeficapsule \- Generate EFI capsule file for U-Boot + +.SH SYNOPSIS +.B mkeficapsule +.RI [ options "] " capsule-file + +.SH "DESCRIPTION" +.B mkeficapsule +command is used to create an EFI capsule file for use with the U-Boot +EFI capsule update. +A capsule file may contain various type of firmware blobs which +are to be applied to the system and must be placed in the specific +directory on the UEFI system partition. +An update will be automatically executed at next reboot. + +Optionally, a capsule file can be signed with a given private key. +In this case, the update will be authenticated by verifying the signature +before applying. + +.B mkeficapsule +supports two different format of image files: +.TP +.I raw image +format is a single binary blob of any type of firmware. + +.TP +.I FIT (Flattened Image Tree) image +format is the same as used in the new uImage format and allows for +multiple binary blobs in a single capsule file. +This type of image file can be generated by +.BR mkimage . + +.SH "OPTIONS" +One of +.BR --fit " or " --raw +option must be specified. + +.TP +.BI "-f\fR,\fB --fit " fit-image-file +Specify a FIT image file + +.TP +.BI "-r\fR,\fB --raw " raw-image-file +Specify a raw image file + +.TP +.BI "-i\fR,\fB --index " index +Specify an image index + +.TP +.BI "-I\fR,\fB --instance " instance +Specify a hardware instance + +.TP +.BR -h ", " --help +Print a help message + +.PP +With signing, +.BR --private-key ", " --certificate " and " --monotonic-count +are all mandatory. 
+ +.TP +.BI "-p\fR,\fB --private-key " private-key-file +Specify signer's private key file in PEM + +.TP +.BI "-c\fR,\fB --certificate " certificate-file +Specify signer's certificate file in EFI certificate list format + +.TP +.BI "-m\fR,\fB --monotonic-count " count +Specify a monotonic count which is set to be monotonically incremented +at every firmware update. + +.TP +.B "-d\fR,\fB --dump_sig" +Dump signature data into *.p7 file + +.PP +.SH FILES +.TP +.I /EFI/UpdateCapsule +The directory in which all capsule files be placed + +.SH SEE ALSO +.BR mkimage (1) + +.SH AUTHORS +Written by AKASHI Takahiro + +.SH HOMEPAGE +http://www.denx.de/wiki/U-Boot/WebHome
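Review bot: the --certificate entry in doc/mkeficapsule.1 describes its argument as a "certificate file in EFI certificate list format", but the usage this series adds to uefi.rst and conftest.py passes the X.509 file written by openssl req (--certificate CRT.crt, --certificate SIGNER.crt), while the .esl produced by cert-to-efi-sig-list goes into the device tree. State the format the tool actually reads so that users do not hand it the wrong file. In the same hunk, .TH MAEFICAPSULE should read MKEFICAPSULE, and --dump_sig is the only long option spelled with an underscore instead of a hyphen.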
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 06/11] doc: update UEFI document for usage of mkeficapsule
Date: Tue, 18 Jan 2022 13:39:49 +0900
Message-Id: <20220118043954.55940-7-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

Now we can use mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instruction for capsule authentication.
Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- doc/develop/uefi/uefi.rst | 147 +++++++++++++++++++------------------- 1 file changed, 74 insertions(+), 73 deletions(-) diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 43fb10f7978e..7e1eb8256259 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst 
@@ -284,37 +284,56 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. +To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + +.. 
code-block:: console + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: -If that option is disabled, you'll need to set the OsIndications variable with:: +.. code-block:: console => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. - => efidebug capsule disk-update - -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* 
@@ -324,82 +343,64 @@ be updated by verifying the capsule signature. The capsule signature is computed and prepended to the capsule payload at the time of capsule generation. This signature is then verified by using the public key stored as part of the X509 certificate. This certificate is -in the form of an efi signature list (esl) file, which is embedded as -part of U-Boot. +in the form of an efi signature list (esl) file, which is embedded in +a device tree. The capsule authentication feature can be enabled through the following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y - CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated -and used by the steps highlighted below:: +and used by the steps highlighted below. - 1. Install utility commands on your host - * OPENSSL +1. Install utility commands on your host + * openssl * efitools - 2. Create signing keys and certificate files on your host +2. Create signing keys and certificate files on your host:: + +.. code-block:: console $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - --monotonic-count --fw-version \ - --lsv --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - +3. 
Run the following command to create and sign the capsule file:: -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory +.. code-block:: console -Testing on QEMU -*************** + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. +4. Insert the signature list into a device tree in the following format:: -The capsule update feature is enabled with the following configuration -settings:: + { + signature { + capsule-key = [ ]; + } + ... + } - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + You can do this manually with:: -In addition, the following config needs to be disabled(QEMU ARM specific):: +.. 
code-block:: console - CONFIG_TFABOOT + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo -The capsule file can be generated by using the tools/mkeficapsule:: + where signature.dts looks like:: - $ mkeficapsule --raw --index 1 + &{/} { + signature { + capsule-key = /incbin/("CRT.esl"); + }; + }; Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ From patchwork Tue Jan 18 04:39:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 532859 Delivered-To: patch@linaro.org Received: by 2002:ad5:544f:0:0:0:0:0 with SMTP id a15csp3352621imp; Mon, 17 Jan 2022 20:41:34 -0800 (PST) X-Google-Smtp-Source: ABdhPJzUURz+Zo0Wx3WGleDfamYVJWG8/Ejab0BPlA+3NZC/BRjxet6DQT/kFQftUgdjvYi3T3VS X-Received: by 2002:a50:fc83:: with SMTP id f3mr18188140edq.391.1642480894468; Mon, 17 Jan 2022 20:41:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642480894; cv=none; d=google.com; s=arc-20160816; b=NtwfPzpH5VaYRHSySbCQqVhReIkFQgJL77ss0JkrdO3kcVJWhun+e5SO5KntFECz2h FX19nZ4NqJKWKyzkNjvAlFxYiAKqOK5pdaj3xyYm6r1a7fEzTqEb2DcQXqcB9xlpXkuh 7UGOtzO+x1iGllQ3AF7zVEkUgBqtdNBDZPxKz5h5ZCmGi3Q3Of7L3LzlVXAuxVLbmudg 9EQkK8z/JFn7liy6a7ttKi+JDJoRRc2SqX+oo4aqkyobbetYnf81Y40FqncGVDiJdHce he0X/HVJnIJ3V1bU6n59+PXkIkZ0jXBpo4dZ4oOLvGxBbAa8/j4AopWwYlSC3abR7hS9 VYqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=l5pyl4PszqgCXNE7g0e6sPzj586sukrANNeq6Nk+tdM=; b=GZAlzQOXb/sh6afaVTRyzmnoVf/BNPCDPOSVPJEtLQBf9wOzXDZPg4oWzMNFS4H8f9 h68HgbbdEs8CGpEGpFsP+hV8LhkXPeg2eFcjI0vn5/Tfo3ID242HiYtDuuxyKE6x4y6f u8VSjnDu9uFLUmfvVfILWmjPM1EL7LxlrXZrGOFz5jMVgWYJtF9x8ldSdD3HhImNct3A 
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 07/11] test/py: efi_capsule: add image authentication test
Date: Tue, 18 Jan 2022 13:39:50 +0900
Message-Id: <20220118043954.55940-8-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system. Due to the difficulty of embedding a public key (esl file) in U-Boot binary during pytest setup time, all the keys/certificates are pre-created.
Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- .../py/tests/test_efi_capsule/capsule_defs.py | 5 + test/py/tests/test_efi_capsule/conftest.py | 52 +++- test/py/tests/test_efi_capsule/signature.dts | 10 + .../test_capsule_firmware_signed.py | 254 ++++++++++++++++++ 4 files changed, 318 insertions(+), 3 deletions(-) create mode 100644 test/py/tests/test_efi_capsule/signature.dts create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py index 4fd6353c2040..59b40f11bd1d 100644 --- a/test/py/tests/test_efi_capsule/capsule_defs.py +++ b/test/py/tests/test_efi_capsule/capsule_defs.py @@ -3,3 +3,8 @@ # Directories CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/' if it is not null. +EFITOOLS_PATH = '' diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 6ad5608cd71c..27c05971ca32 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -10,13 +10,13 @@ import pytest from capsule_defs import * # -# Fixture for UEFI secure boot test +# Fixture for UEFI capsule test # - @pytest.fixture(scope='session') def efi_capsule_data(request, u_boot_config): - """Set up a file system to be used in UEFI capsule test. + """Set up a file system to be used in UEFI capsule and + authentication test. Args: request: Pytest request object. 
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config): check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + if capsule_auth_enabled: + # Create private key (SIGNER.key) and certificate (SIGNER.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' + '-out SIGNER.crt -nodes -days 365' + % data_dir, shell=True) + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' + % (data_dir, EFITOOLS_PATH), shell=True) + + # Update dtb adding capsule certificate + check_call('cd %s; ' + 'cp %s/test/py/tests/test_efi_capsule/signature.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; ' + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' + '-o test_sig.dtb signature.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + + # Create *malicious* private key (SIGNER2.key) and certificate + # (SIGNER2.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key ' + '-out SIGNER2.crt -nodes -days 365' + % data_dir, shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, 
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % (data_dir, u_boot_config.build_dir), shell=True) + if capsule_auth_enabled: + # firmware signed with proper key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--raw u-boot.bin.new Test11' + % (data_dir, u_boot_config.build_dir), + shell=True) + # firmware signed with *mal* key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER2.key ' + '--certificate SIGNER2.crt ' + '--raw u-boot.bin.new Test12' + % (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts new file mode 100644 index 000000000000..078cfc76c93c --- /dev/null +++ b/test/py/tests/test_efi_capsule/signature.dts @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("SIGNER.esl"); + }; +}; diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py new file mode 100644 index 000000000000..593b032e9015 --- /dev/null +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py 
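Review bot: in the capsule_defs.py hunk, EFITOOLS_PATH is joined to the command name by plain string concatenation ('%scert-to-efi-sig-list' in conftest.py), which is why the comment has to demand a trailing '/'; a path set without it produces a wrong command name. Build the command with os.path.join(EFITOOLS_PATH, 'cert-to-efi-sig-list') at the call site so the trailing-slash rule is not needed, and fix the comment wording ("you need build" should be "you need to build").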
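Review bot: in the conftest.py hunk at @@ -40,6 +40,36 @@, each check_call chains its steps with ';' ('cd %s; ...', 'dtc ...; fdtoverlay ...'), so only the exit status of the last command is checked: a failed dtc goes unnoticed if a stale signature.dtbo is present, and a failed cd leaves the key files in the current directory. Chain the commands with '&&' or pass cwd=data_dir to check_call. The SIGNER2 certificate also reuses -subj /CN=TEST_SIGNER/; if that is deliberate, so that rejection is shown to depend on the key rather than on the subject name, say so in the "*malicious*" comment.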
@@ -0,0 +1,254 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2021, Linaro Limited +# Author: AKASHI Takahiro +# +# U-Boot UEFI: Firmware Update (Signed capsule) Test + +""" +This test verifies capsule-on-disk firmware update +with signed capsule files +""" + +import pytest +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw') +@pytest.mark.buildconfigspec('efi_capsule_authenticate') +@pytest.mark.buildconfigspec('dfu') +@pytest.mark.buildconfigspec('dfu_sf') +@pytest.mark.buildconfigspec('cmd_efidebug') +@pytest.mark.buildconfigspec('cmd_fat') +@pytest.mark.buildconfigspec('cmd_memory') +@pytest.mark.buildconfigspec('cmd_nvedit_efi') +@pytest.mark.buildconfigspec('cmd_sf') +@pytest.mark.slow +class TestEfiCapsuleFirmwareSigned(object): + def test_efi_capsule_auth1( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 1 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 1-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test11 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 1-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_auth2( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 2 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but with an invalid key, + the authentication should fail and the firmware + not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 2-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test12 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 2-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output) + + def test_efi_capsule_auth3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 3 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is not signed, the authentication + should fail and the firmware not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 3-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test02 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output)
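Review bot: In test_efi_capsule_auth2 and test_efi_capsule_auth3 the only evidence of rejection is that the capsule file ('Test12' / 'Test02') has disappeared from CAPSULE_INSTALL_DIR and the flash still reads 'u-boot:Old'. The "# deleted any way" comment says the file is removed regardless, so both assertions would also pass if the update was skipped for a reason unrelated to authentication. The output of 'env print -e Capsule0000' is captured but never asserted on; resolving the "TODO: check CapsuleStatus in CapsuleXXXX" with an assertion on the reported status would make these two cases prove that the signature check is what blocked the update. The 'before reboot' setup is also repeated verbatim in all three tests and could move into a shared helper.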
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 08/11] tools: mkeficapsule: allow for specifying GUID explicitly
Date: Tue, 18 Jan 2022 13:39:51 +0900
Message-Id: <20220118043954.55940-9-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

The existing options, "--fit" and "--raw," are only used to put a proper GUID in a capsule header, where GUID identifies a particular FMP (Firmware Management Protocol) driver which then would handle the firmware binary in a capsule. In fact, mkeficapsule does the exact same job in creating a capsule file whatever the firmware binary type is. To prepare for the future extension, the command syntax will be a bit modified to allow users to specify arbitrary GUID for their own FMP driver.

OLD: [--fit | --raw ]
NEW: [--fit | --raw | --guid ]

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
--- doc/develop/uefi/uefi.rst | 4 +- doc/mkeficapsule.1 | 26 ++++++++---- tools/Makefile | 1 + tools/mkeficapsule.c | 87 ++++++++++++++++++++++++++++----------- 4 files changed, 85 insertions(+), 33 deletions(-) diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 7e1eb8256259..a1a2afd60bbc 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -375,8 +375,8 @@ and used by the steps highlighted below. --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit | --raw ] \ - + [--fit | --raw | --guid 4. Insert the signature list into a device tree in the following format:: diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 680362f5c4e9..8babb27ee8b2 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -8,7 +8,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RI [ options "] " capsule-file +.RI [ options "] " image-blob " " capsule-file .SH "DESCRIPTION" .B mkeficapsule @@ -24,7 +24,7 @@ In this case, the update will be authenticated by verifying the signature before applying. .B mkeficapsule -supports two different format of image files: +takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -36,18 +36,30 @@ multiple binary blobs in a single capsule file. This type of image file can be generated by .BR mkimage . +.PP +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" One of -.BR --fit " or " --raw +.BR --fit ", " --raw " or " --guid option must be specified. .TP -.BI "-f\fR,\fB --fit " fit-image-file -Specify a FIT image file +.BR -f ", " --fit +Indicate that the blob is a FIT image file .TP -.BI "-r\fR,\fB --raw " raw-image-file -Specify a raw image file +.BR -r ", " --raw +Indicate that the blob is a raw image file + +.TP +.BI "-g\fR,\fB --guid " guid-string +Specify guid for image blob type. The format is: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +The first three elements are in little endian, while the rest +is in big endian. .TP .BI "-i\fR,\fB --index " index diff --git a/tools/Makefile b/tools/Makefile index afca08e2941a..cbf83a252caa 100644 --- a/tools/Makefile +++ b/tools/Makefile 
@@ -242,6 +242,7 @@ ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) HOSTLDLIBS_mkeficapsule += \ $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") endif +HOSTLDLIBS_mkeficapsule += -luuid hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 66dc2ee20912..161affdd15eb 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,7 +15,7 @@ #include #include - +#include #include #ifdef CONFIG_TOOLS_LIBCRYPTO #include @@ -38,14 +38,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_TOOLS_LIBCRYPTO -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; #else -static const char *opts_short = "f:r:i:I:v:h"; +static const char *opts_short = "frg:i:I:v:h"; #endif static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -60,11 +61,12 @@ static struct option options[] = { static void print_usage(void) { - fprintf(stderr, "Usage: %s [options] \n" + fprintf(stderr, "Usage: %s [options] \n" "Options:\n" - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid guid for image blob type\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" #ifdef CONFIG_TOOLS_LIBCRYPTO 
@@ -565,6 +567,37 @@ err: return ret; } +/** + * convert_uuid_to_guid() - convert UUID to GUID + * @buf: UUID binary + * + * UUID and GUID have the same data structure, but their binary + * formats are different due to the endianness. See lib/uuid.c. + * Since uuid_parse() can handle only UUID, this function must + * be called to get correct data for GUID when parsing a string. + * + * The correct data will be returned in @buf. + */ +void convert_uuid_to_guid(unsigned char *buf) +{ + unsigned char c; + + c = buf[0]; + buf[0] = buf[3]; + buf[3] = c; + c = buf[1]; + buf[1] = buf[2]; + buf[2] = c; + + c = buf[4]; + buf[4] = buf[5]; + buf[5] = c; + + c = buf[6]; + buf[6] = buf[7]; + buf[7] = c; +} + /** * main - main entry function of mkeficapsule * @argc: Number of arguments @@ -579,14 +612,13 @@ err: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -601,21 +633,34 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - fprintf(stderr, "Image already specified\n"); + if (guid) { + fprintf(stderr, + "Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - fprintf(stderr, "Image already specified\n"); + if (guid) { + fprintf(stderr, + "Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + fprintf(stderr, + "Image type already specified\n"); + exit(EXIT_FAILURE); + } + if (uuid_parse(optarg, uuid_buf)) { + fprintf(stderr, "Wrong guid format\n"); + exit(EXIT_FAILURE); + } + convert_uuid_to_guid(uuid_buf); + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; 
@@ -653,20 +698,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - exit(EXIT_SUCCESS); - } - - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { fprintf(stderr, "Creating firmware capsule failed\n"); exit(EXIT_FAILURE);
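Review bot: In the tools/Makefile hunk, "HOSTLDLIBS_mkeficapsule += -luuid" sits after the "endif", so libuuid becomes an unconditional host build dependency of mkeficapsule even when CONFIG_TOOLS_LIBCRYPTO is off. Unlike the libssl/libcrypto line just above it, the flag is hard-coded rather than obtained through pkg-config. Please state the new dependency in the commit message or the build documentation, and consider the same "pkg-config --libs ... || echo" fallback pattern with the "uuid" module.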
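Review bot: convert_uuid_to_guid() in the "@@ -565,6 +567,37 @@" hunk is declared without "static" although its caller is main() in the same file and print_usage() there is already static; making it static avoids exporting the symbol from the tool. The kernel-doc should also say that @buf must hold exactly 16 bytes, since the function swaps bytes 0 to 7 in place and takes no length argument.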
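Review bot: In the new case 'g' of the "@@ -601,21 +633,34 @@" hunk, "guid = (efi_guid_t *)uuid_buf;" points an efi_guid_t pointer at a plain unsigned char[16], which is only safe if uuid_buf happens to satisfy the alignment of efi_guid_t. Declaring the local as an efi_guid_t and handing its byte storage to uuid_parse() and convert_uuid_to_guid() removes both the cast and the alignment assumption. The "Wrong guid format" message would also be easier to act on if it echoed the rejected string.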
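Review bot: In the "@@ -653,20 +698,14 @@" hunk the argument check is written against optind ("argc != optind + 2"), but the call then takes the file names from "argv[argc - 1]" and "argv[argc - 2]"; the two agree only because of the check above. Passing argv[optind + 1] as the capsule file and argv[optind] as the image blob keeps both in the same terms and matches the "image-blob capsule-file" order given in the man page synopsis.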
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 09/11] test/py: efi_capsule: align with the syntax change of mkeficapsule
Date: Tue, 18 Jan 2022 13:39:52 +0900
Message-Id: <20220118043954.55940-10-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

Since the syntax of mkeficapsule was changed in the previous commit, we need to modify command line arguments in a pytest script.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
--- test/py/tests/test_efi_capsule/conftest.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 27c05971ca32..a5a25c53dcb4 100644
--- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py 
@@ -80,10 +80,10 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) if capsule_auth_enabled:
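Review bot: Both rewritten check_call() lines keep the "cd %s; ..." form under shell=True, so if the cd into data_dir fails the shell still runs mkeficapsule in whatever the current directory is, and any space or shell metacharacter in data_dir or build_dir is interpreted by the shell. Since these lines are being touched anyway, consider "cd %s && ..." or, better, passing an argument list with cwd=data_dir and no shell.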
bh=37b4CbGVq2vXfUQd07BoRyvPsjDtxkfVdV+ImREOVoM=; b=XRa28ykCV2+hiNNJ5QcI/MubPkdgY1ExOLpH3hva3eq8QZ6NRKzBTYHW/CPgw9wGOp PHuFP0UIj17uOagU6lGBQz0+qRorM9jdQCxT0cr8Dhd31fAZ1JBxVNEp/hVWYTxuDPQG W5PFvObnLcgxIILqbo91Z4Wwoppw2S0BlKQK5MpJSdIOHrvmXYzsZe1su1GZwYBhaAMr aFq4OKa/M2Jon+8Qbj+I+BdA5Yhv8+i/AANiIjdJeZouwfB2boXh7mXWgrUPKJyzo+Br Pw3Jy7YB1kxgn2/aeQyYZwHFX70e2XBDIwvtPASfC8ClH9+8JbB0vtDTyw5MTiN43mv6 29SQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=G4oN1NzG; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id c20si9642424ede.538.2022.01.17.20.42.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 17 Jan 2022 20:42:08 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=G4oN1NzG; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 8A541837FD; Tue, 18 Jan 2022 05:41:13 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="G4oN1NzG"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 271E0837F6; Tue, 
18 Jan 2022 05:40:56 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 58620837F0 for ; Tue, 18 Jan 2022 05:40:49 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pf1-x436.google.com with SMTP id r5so4895608pfl.2 for ; Mon, 17 Jan 2022 20:40:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=37b4CbGVq2vXfUQd07BoRyvPsjDtxkfVdV+ImREOVoM=; b=G4oN1NzGHNFxzxRjmTiFvdnSRh8atk5pxU1L+mxlZLy8gv404sTSnmAycbpi6IO1dJ rA+zGChhxHztvZ/18v4XeNPmly6qYu44Ixj8o9L0p9M6Ma1/nNDIHGqxoHP8GDsjOa78 Mcli00ttvR71nt5BfvKtNzEsaeJX6SQA4YkFHBt/x2kL4hOpXlqNV75Zi6cFT1DuxNNK 1mwY5J+dLOycAslVawb3BMv1+q4yfRW5aeqddEZujMZmazN/B2ciL3iaCJhEY+7cFHjE B2uCCEQy1NOYYYajUgoUkOV+ITMxDro8bzpRAHl8hTsyWUWRPNIIdcNcP+pWvhDIJZgQ 10zg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=37b4CbGVq2vXfUQd07BoRyvPsjDtxkfVdV+ImREOVoM=; b=iaW/vfQ/zGkj22+l9LeeKKiNL1YrAKzaJQGXkDwEbngWXpz8LXQ+ZElncxa505Ijkc o+Q0wgyZyRp+IY7YRy6t/J6o6syplYEOeBvUOThLyZ+TwSLIOrHSWZ+xMJY7Egih6QOj CAXa6yLZ7Fn8mJDAcUX+TOnuShdP+FccOW9phHqLEZEnFIH+oZdZLhsJZN5uNB1+tv/J 
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 10/11] test/py: efi_capsule: add a test for "--guid" option
Date: Tue, 18 Jan 2022 13:39:53 +0900
Message-Id: <20220118043954.55940-11-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

This test scenario tests a new feature of mkeficapsule, "--guid" option, which allows us to specify FMP driver's guid explicitly at the command line.

Signed-off-by: AKASHI Takahiro
---
 test/py/tests/test_efi_capsule/conftest.py | 3 +
 .../test_efi_capsule/test_capsule_firmware.py | 67 +++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index a5a25c53dcb4..9076087a12b7 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -86,6 +86,9 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % + (data_dir, u_boot_config.build_dir), + shell=True) if capsule_auth_enabled: # firmware signed with proper key check_call('cd %s; ' diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9eeaae27d626..9cc973560fa1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py 
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object): 'sf read 4000000 100000 10', 'md.b 4000000 10']) assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 4 - Test "--guid" option of mkeficapsule + The test scenario is the same as Case 3. + """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 4-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # reboot + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list(['efidebug capsule esrt']) + + # ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT. + assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output) + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output)
From patchwork Tue Jan 18 04:39:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 532863
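Review bot: in the conftest.py hunk of [PATCH v9 10/11], Test03 is generated beside Test02 and ahead of the "if capsule_auth_enabled:" block, so it is an unsigned capsule, yet test_efi_capsule_fw4 in this same patch asserts 'u-boot:New' unconditionally. With capsule authentication enabled the new test fails until 11/11 adds the capsule_auth branch; moving that branch for Case 4 into this patch would keep the series bisectable. The GUID literal E2BB9C06-70E9-4B14-97A3-5A7913176E3F also appears both here and in the ESRT assert of the test file, so a single named constant shared by the two would stop them from drifting apart.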
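Review bot: the ESRT assert in test_efi_capsule_fw4 of [PATCH v9 10/11] only checks that the GUID string occurs in the "efidebug capsule esrt" output, and the comment above it names that GUID as EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID. If "--raw", which conftest.py uses for Test02, resolves to the same GUID, the assert passes whether or not "--guid" was honoured and the case covers nothing beyond Case 3. Please say in the docstring why this GUID was chosen, or assert on something only a "--guid" capsule can produce. Two smaller points: the result of "env print -e Capsule0000" is assigned to output and then overwritten without being read, so drop the assignment or check it; and since the docstring says the scenario is the same as Case 3, a shared helper taking the capsule file name would avoid a third copy of the same command lists.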
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v9 11/11] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE
Date: Tue, 18 Jan 2022 13:39:54 +0900
Message-Id: <20220118043954.55940-12-takahiro.akashi@linaro.org>
In-Reply-To: <20220118043954.55940-1-takahiro.akashi@linaro.org>
References: <20220118043954.55940-1-takahiro.akashi@linaro.org>

Before the capsule authentication is supported, this test script works correctly, but with the feature enabled, most tests will fail due to unsigned capsules. So check the results depending on CAPSULE_AUTHENTICATE or not.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 .../test_efi_capsule/test_capsule_firmware.py | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9cc973560fa1..6e803f699f2f 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py @@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 2-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
@@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) output = u_boot_console.run_command_list([ 'sf read 4000000 150000 10', 'md.b 4000000 10']) - assert 'u-boot-env:New' in ''.join(output) + if capsule_auth: + assert 'u-boot-env:Old' in ''.join(output) + else: + assert 'u-boot-env:New' in ''.join(output) def test_efi_capsule_fw3( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 3-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables @@ -246,7 +256,10 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) def test_efi_capsule_fw4( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -285,6 +298,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 4-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
@@ -313,4 +328,7 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output)
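Review bot: the lookup capsule_auth = u_boot_config.buildconfig.get('config_efi_capsule_authenticate') is added three times in [PATCH v9 11/11] (hunks at -148, -215 and -285), once per test case, while conftest.py already branches on capsule_auth_enabled when it generates the capsules. Exposing that value once, as a fixture or a module-level helper, would keep capsule generation and the expected results keyed on the same flag and remove the repeated two-line block.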
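Review bot: in the "if capsule_auth:" branches of [PATCH v9 11/11] (hunks at -171, -246 and -313) the test treats 'u-boot:Old' and 'u-boot-env:Old' as success, which shows only that the flash was left untouched, not that authentication is what rejected the capsule; any other failure in capsule handling would pass as well. If the rejection is observable from the console, please assert on it in that branch, and otherwise add a comment saying that 'Old' is the expected outcome for an unsigned capsule. In Case 4 the earlier assert 'Test03' not in ''.join(output) and the ESRT assert remain unconditional, so please confirm that a capsule rejected by authentication is still removed from CAPSULE_INSTALL_DIR.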