From patchwork Tue Feb 1 01:27:32 2022
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 538930
(PST) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v10 1/9] tools: build mkeficapsule with tools-only_defconfig Date: Tue, 1 Feb 2022 10:27:32 +0900 Message-Id: <20220201012740.63070-2-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org> References: <20220201012740.63070-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean Add CONFIG_TOOLS_MKEFICAPSULE. Then we want to always build mkeficapsule if tools-only_defconfig is used. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass --- configs/tools-only_defconfig | 1 + tools/Kconfig | 8 ++++++++ tools/Makefile | 3 +-- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/configs/tools-only_defconfig b/configs/tools-only_defconfig index 1f8e90a69f53..2246b3c660a6 100644 --- a/configs/tools-only_defconfig +++ b/configs/tools-only_defconfig @@ -34,3 +34,4 @@ CONFIG_I2C_EDID=y # CONFIG_VIRTIO_SANDBOX is not set # CONFIG_GENERATE_ACPI_TABLE is not set # CONFIG_EFI_LOADER is not set +CONFIG_TOOLS_MKEFICAPSULE=y diff --git a/tools/Kconfig b/tools/Kconfig index 91ce8ae3e516..117c921da3fe 100644 --- a/tools/Kconfig +++ b/tools/Kconfig 
@@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu diff --git a/tools/Makefile b/tools/Makefile index 1763f44cac43..766c0674f4a0 100644 --- a/tools/Makefile +++ b/tools/Makefile 
@@ -238,8 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of From patchwork Tue Feb 1 01:27:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 538931 Delivered-To: patch@linaro.org Received: by 2002:ac0:f7d2:0:0:0:0:0 with SMTP id i18csp465441imr; Mon, 31 Jan 2022 17:32:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJyLwCZKV/XDl+jgux7KZIug5ZuSRnMBNEZHjPb51fTXh5mdqh2u/RlXdf7URDODZLVk204D X-Received: by 2002:a17:907:8a0a:: with SMTP id sc10mr19829129ejc.332.1643679131050; Mon, 31 Jan 2022 17:32:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643679131; cv=none; d=google.com; s=arc-20160816; b=E5F/rQ+lAFJUKY+mtxAuYpqviS6iEx9RelYTLgycID7fsZpU98Cn/udwI2ZFyx5CEh a2NPtxbnkrq2N7dXKkZYb9HwGYoh7uITzc8CaiofCcnsTnUtkA8aiCYp34DR7EPJH91z koH8GxTgFGUdvX1em7uLvs1LhAzqsk/T4NnKUhUaBnpxy8Upl1by+i4g8XPSWYop/ULj M3JMI+1m1oiS89kolwY+o+IEE3lXUTzHrsAZsCOIGk4yJneBM8Me/MYnJN5ybAlnC+zT mW6fkEF+X1PuBldmrKbfq21/s8iRQs3CC/B7sZA5+maYSp0Xo9eGRK/o0eV2ENzuknEv YXOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ii+lC+gGkPZcH/1AOJZPrNdCqhPPTdhlqM66NRwMePM=; b=LYWS712kI/87R0z7ZsNPirzNgpX+zrlQ/EbSJSBJCCHqeCS3VrB1X9eJjvcYI1Ha7v 1G1NxuKwkYSk/eOSCFKu3Zh2r08t0McxwAzHjKyM+9QQfgr5RvUq+KifS+aFg8I3IqA9 
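Review bot: in the tools/Kconfig hunk the prompt string reads "Build efimkcapsule command" while the tool, the host program and the symbol are all mkeficapsule; spell it "Build mkeficapsule command" so the menuconfig entry matches the binary. The help text in the same hunk also promises that the command can "optionally sign that file", but signing is only introduced by the next patch in this series (2/9, "add firmware image signing"); either keep the help generic here or move that sentence to the patch that adds signing.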
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v10 2/9] tools: mkeficapsule: add firmware image signing
Date: Tue, 1 Feb 2022 10:27:33 +0900
Message-Id: <20220201012740.63070-3-takahiro.akashi@linaro.org>
In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org>
References: <20220201012740.63070-1-takahiro.akashi@linaro.org>

With this enhancement, mkeficapsule will be able to sign a capsule file when it is created. The signature added will be used later in the verification at FMP's SetImage() call.

To do that, we need to specify additional command parameters:
  -monotonic-count : monotonic count
  -private-key : private key file
  -certificate : certificate file

Only when all of those parameters are given will a signature be added to a capsule file. Users are expected to maintain and increment the monotonic count at every update of each firmware image.
Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- tools/Makefile | 1 + tools/eficapsule.h | 115 +++++++++++++ tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++---- 3 files changed, 462 insertions(+), 34 deletions(-) create mode 100644 tools/eficapsule.h diff --git a/tools/Makefile b/tools/Makefile index 766c0674f4a0..8da07d60a755 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,6 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include +HOSTLDLIBS_mkeficapsule += -lgnutls hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/eficapsule.h b/tools/eficapsule.h new file mode 100644 index 000000000000..8c1560bb0671 --- /dev/null +++ b/tools/eficapsule.h 
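Review bot: in the tools/Makefile hunk above, `HOSTLDLIBS_mkeficapsule += -lgnutls` turns libgnutls into a hard host dependency of every build that enables CONFIG_TOOLS_MKEFICAPSULE, which after 1/9 includes tools-only_defconfig, and there is no Kconfig dependency or build-time check that would explain a failing link on a host without the gnutls development package. Either state the dependency in the TOOLS_MKEFICAPSULE help text and the tool's documentation, or guard the signing support behind its own Kconfig symbol so that the unsigned-capsule tool still builds everywhere.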
@@ -0,0 +1,115 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2021 Linaro Limited + * Author: AKASHI Takahiro + * + * derived from efi.h and efi_api.h to make the file POSIX-compliant + */ + +#ifndef _EFI_CAPSULE_H +#define _EFI_CAPSULE_H + +#include +#include /* WIN_CERTIFICATE */ + +/* + * Gcc's predefined attributes are not recognized by clang. + */ +#ifndef __packed +#define __packed __attribute__((__packed__)) +#endif + +#ifndef __aligned +#define __aligned(x) __attribute__((__aligned__(x))) +#endif + +typedef struct { + uint8_t b[16]; +} efi_guid_t __aligned(8); + +#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \ + {{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \ + ((a) >> 24) & 0xff, \ + (b) & 0xff, ((b) >> 8) & 0xff, \ + (c) & 0xff, ((c) >> 8) & 0xff, \ + (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } } + +#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \ + EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \ + 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \ + EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \ + 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \ + EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \ + 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f) + +#define EFI_CERT_TYPE_PKCS7_GUID \ + EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \ + 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) + +/* flags */ +#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET 0x00010000 + +struct efi_capsule_header { + efi_guid_t capsule_guid; + uint32_t header_size; + uint32_t flags; + uint32_t capsule_image_size; +} __packed; + +struct efi_firmware_management_capsule_header { + uint32_t version; + uint16_t embedded_driver_count; + uint16_t payload_item_count; + uint32_t item_offset_list[]; +} __packed; + +/* image_capsule_support */ +#define CAPSULE_SUPPORT_AUTHENTICATION 0x0000000000000001 + +struct efi_firmware_management_capsule_image_header { + uint32_t version; + efi_guid_t 
update_image_type_id; + uint8_t update_image_index; + uint8_t reserved[3]; + uint32_t update_image_size; + uint32_t update_vendor_code_size; + uint64_t update_hardware_instance; + uint64_t image_capsule_support; +} __packed; + +/** + * win_certificate_uefi_guid - A certificate that encapsulates + * a GUID-specific signature + * + * @hdr: Windows certificate header + * @cert_type: Certificate type + * @cert_data: Certificate data + */ +struct win_certificate_uefi_guid { + WIN_CERTIFICATE hdr; + efi_guid_t cert_type; + uint8_t cert_data[]; +} __packed; + +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __packed; + +#endif /* _EFI_CAPSULE_H */ diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 243fd6e48370..b996c66ad26a 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -16,21 +16,13 @@ #include #include -typedef __u8 u8; -typedef __u16 u16; -typedef __u32 u32; -typedef __u64 u64; -typedef __s16 s16; -typedef __s32 s32; +#include -#define aligned_u64 __aligned_u64 +#include +#include +#include -#ifndef __packed -#define __packed __attribute__((packed)) -#endif - -#include -#include +#include "eficapsule.h" static const char *tool_name = "mkeficapsule"; 
@@ -39,12 +31,19 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; @@ -58,10 +57,40 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data: Pointer to firmware data + * @image_size: Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + uint8_t *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + uint8_t *sig_data; + size_t sig_size; +}; + +static int dump_sig; + /** * read_bin_file - read a firmware binary file * @bin: Path to a firmware binary file 
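Review bot: print_usage() in this hunk advertises the option as `-d, --dump_sig`, but the options[] table registers it as "dump-sig", so the help text tells users a long option that getopt_long() will reject; change the usage line to `--dump-sig`. As a style point, `static int dump_sig;` introduces file-scope state that main() sets and create_fwbin() later reads, while every other new parameter (monotonic count, key and certificate paths) is passed explicitly through the create_fwbin() arguments; passing the flag the same way keeps create_fwbin() self-describing.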
@@ -75,7 +104,7 @@ static void print_usage(void) * * 0 - on success * * -1 - on failure */ -static int read_bin_file(char *bin, void **data, off_t *bin_size) +static int read_bin_file(char *bin, uint8_t **data, off_t *bin_size) { FILE *g; struct stat bin_stat; 
@@ -147,6 +176,205 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) return 0; } +/** + * create_auth_data - compose authentication data in capsule + * @auth_context: Pointer to authentication context + * + * Fill up an authentication header (.auth) and signature data (.sig_data) + * in @auth_context, using library functions from openssl. + * All the parameters in @auth_context must be filled in by a caller. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_auth_data(struct auth_context *ctx) +{ + gnutls_datum_t cert; + gnutls_datum_t key; + off_t file_size; + gnutls_privkey_t pkey; + gnutls_x509_crt_t x509; + gnutls_pkcs7_t pkcs7; + gnutls_datum_t data; + gnutls_datum_t signature; + int ret; + + ret = read_bin_file(ctx->cert_file, &cert.data, &file_size); + if (ret < 0) + return -1; + if (file_size > UINT_MAX) + return -1; + cert.size = file_size; + + ret = read_bin_file(ctx->key_file, &key.data, &file_size); + if (ret < 0) + return -1; + if (ret < 0) + return -1; + if (file_size > UINT_MAX) + return -1; + key.size = file_size; + + /* + * For debugging, + * gnutls_global_set_time_function(mytime); + * gnutls_global_set_log_function(tls_log_func); + * gnutls_global_set_log_level(6); + */ + + ret = gnutls_privkey_init(&pkey); + if (ret < 0) { + fprintf(stderr, "error in gnutls_privkey_init(): %s\n", + gnutls_strerror(ret)); + return -1; + } + + ret = gnutls_x509_crt_init(&x509); + if (ret < 0) { + fprintf(stderr, "error in gnutls_x509_crt_init(): %s\n", + gnutls_strerror(ret)); + return -1; + } + + /* load a private key */ + ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM, + 0, 0); + if (ret < 0) { + fprintf(stderr, + "error in gnutls_privkey_import_x509_raw(): %s\n", + gnutls_strerror(ret)); + return -1; + } + + /* load x509 certificate */ + ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "error in gnutls_x509_crt_import(): 
%s\n", + gnutls_strerror(ret)); + return -1; + } + + /* generate a PKCS #7 structure */ + ret = gnutls_pkcs7_init(&pkcs7); + if (ret < 0) { + fprintf(stderr, "error in gnutls_pkcs7_init(): %s\n", + gnutls_strerror(ret)); + return -1; + } + + /* sign */ + /* + * Data should have + * * firmware image + * * monotonic count + * in this order! + * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256() + */ + data.size = ctx->image_size + sizeof(ctx->auth.monotonic_count); + data.data = malloc(data.size); + if (!data.data) { + fprintf(stderr, "allocating memory (0x%x) failed\n", data.size); + return -1; + } + memcpy(data.data, ctx->image_data, ctx->image_size); + memcpy(data.data + ctx->image_size, &ctx->auth.monotonic_count, + sizeof(ctx->auth.monotonic_count)); + + ret = gnutls_pkcs7_sign(pkcs7, x509, pkey, &data, NULL, NULL, + GNUTLS_DIG_SHA256, + /* GNUTLS_PKCS7_EMBED_DATA? */ + GNUTLS_PKCS7_INCLUDE_CERT | + GNUTLS_PKCS7_INCLUDE_TIME); + if (ret < 0) { + fprintf(stderr, "error in gnutls_pkcs7)sign(): %s\n", + gnutls_strerror(ret)); + return -1; + } + + /* export */ + ret = gnutls_pkcs7_export2(pkcs7, GNUTLS_X509_FMT_DER, &signature); + if (ret < 0) { + fprintf(stderr, "error in gnutls_pkcs7_export2: %s\n", + gnutls_strerror(ret)); + return -1; + } + ctx->sig_data = signature.data; + ctx->sig_size = signature.size; + + /* fill auth_info */ + ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info) + + ctx->sig_size; + ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7, + sizeof(efi_guid_cert_type_pkcs7)); + + /* + * For better clean-ups, + * gnutls_pkcs7_deinit(pkcs7); + * gnutls_privkey_deinit(pkey); + * gnutls_x509_crt_deinit(x509); + * free(cert.data); + * free(key.data); + * if error + * gnutls_free(signature.data); + */ + + return 0; +} + +/** + * dump_signature - dump out a signature + * @path: Path to a capsule file + 
* @signature: Signature data + * @sig_size: Size of signature data + * + * Signature data pointed to by @signature will be saved into + * a file whose file name is @path with ".p7" suffix. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size) +{ + char *sig_path; + FILE *f; + size_t size; + int ret = -1; + + sig_path = malloc(strlen(path) + 3 + 1); + if (!sig_path) + return ret; + + sprintf(sig_path, "%s.p7", path); + f = fopen(sig_path, "w"); + if (!f) + goto err; + + size = fwrite(signature, 1, sig_size, f); + if (size == sig_size) + ret = 0; + + fclose(f); +err: + free(sig_path); + return ret; +} + +/** + * free_sig_data - free out signature data + * @ctx: Pointer to authentication context + * + * Free signature data allocated in create_auth_data(). + */ +static void free_sig_data(struct auth_context *ctx) +{ + if (ctx->sig_size) + gnutls_free(ctx->sig_data); +} + /** * create_fwbin - create an uefi capsule file * @path: Path to a created capsule file 
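Review bot: create_auth_data() in this hunk never releases what it allocates: cert.data and key.data (returned by read_bin_file()), the malloc'd data.data buffer holding image plus monotonic count, and the pkey, x509 and pkcs7 objects are all leaked on the success path and on every early `return -1`, and the closing comment ("For better clean-ups, ...") only lists the calls instead of making them. Add one exit label that runs gnutls_pkcs7_deinit(), gnutls_privkey_deinit() and gnutls_x509_crt_deinit(), frees data.data, cert.data and key.data (wiping key.data first, since it holds the PEM private key), and calls gnutls_free(signature.data) on the failure path. Smaller points in the same hunk: the `if (ret < 0) return -1;` after reading ctx->key_file is duplicated; the kernel-doc says the data is signed "using library functions from openssl" while the code uses GnuTLS; the error string "gnutls_pkcs7)sign()" should read "gnutls_pkcs7_sign()"; and the "GNUTLS_PKCS7_EMBED_DATA?" question should be resolved into a comment stating that a detached signature over image || monotonic_count is intended. Finally, the monotonic count is appended with a memcpy() of the host uint64_t, so the signed bytes match what a little-endian UEFI implementation reconstructs only when the tool runs on a little-endian host; converting with htole64() (or documenting the restriction) would make that explicit.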
@@ -168,23 +396,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) * * -1 - on failure */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) + unsigned long index, unsigned long instance, + uint64_t mcount, char *privkey_file, char *cert_file) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; + struct auth_context auth_context; FILE *f; - void *data; + uint8_t *data; off_t bin_size; - u64 offset; + uint64_t offset; int ret; #ifdef DEBUG - printf("For output: %s\n", path); - printf("\tbin: %s\n\ttype: %pUl\n", bin, guid); - printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); + fprintf(stderr, "For output: %s\n", path); + fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid); + fprintf(stderr, "\tindex: %lu\n\tinstance: %lu\n", index, instance); #endif - + auth_context.sig_size = 0; f = NULL; data = NULL; ret = -1; @@ -195,6 +425,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, if (read_bin_file(bin, &data, &bin_size)) goto err; + /* first, calculate signature to determine its size */ + if (privkey_file && cert_file) { + auth_context.key_file = privkey_file; + auth_context.cert_file = cert_file; + auth_context.auth.monotonic_count = mcount; + auth_context.image_data = data; + auth_context.image_size = bin_size; + + if (create_auth_data(&auth_context)) { + fprintf(stderr, "Signing firmware image failed\n"); + goto err; + } + + if (dump_sig && + dump_signature(path, auth_context.sig_data, + auth_context.sig_size)) { + fprintf(stderr, "Creating signature file failed\n"); + goto err; + } + } + /* * write a capsule file */ 
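Review bot: the DEBUG block touched in the first hunk above keeps `"\tbin: %s\n\ttype: %pUl\n"`, but `%pUl` is a U-Boot/Linux vsprintf extension; the host libc's fprintf() treats `%p` as a plain pointer and then emits the characters "Ul" literally, so a -DDEBUG build prints the GUID's address instead of its value. Print the 16 GUID bytes by hand here. Also, `struct auth_context auth_context` is only initialised in its sig_size member; that is enough for free_sig_data(), but a `memset(&auth_context, 0, sizeof(auth_context))` would keep the later `if (auth_context.sig_size)` checks robust if another member is ever consulted before signing.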
@@ -212,9 +463,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, /* TODO: The current implementation ignores flags */ header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET; header.capsule_image_size = sizeof(header) - + sizeof(capsule) + sizeof(u64) + + sizeof(capsule) + sizeof(uint64_t) + sizeof(image) + bin_size; + if (auth_context.sig_size) + header.capsule_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; if (write_capsule_file(f, &header, sizeof(header), "Capsule header")) goto err; @@ -230,7 +484,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, "Firmware capsule header")) goto err; - offset = sizeof(capsule) + sizeof(u64); + offset = sizeof(capsule) + sizeof(uint64_t); if (write_capsule_file(f, &offset, sizeof(offset), "Offset to capsule image")) goto err; @@ -245,13 +499,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, image.reserved[1] = 0; image.reserved[2] = 0; image.update_image_size = bin_size; + if (auth_context.sig_size) + image.update_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (auth_context.sig_size) + image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION; if (write_capsule_file(f, &image, sizeof(image), "Firmware capsule image header")) goto err; + /* + * signature + */ + if (auth_context.sig_size) { + if (write_capsule_file(f, &auth_context.auth, + sizeof(auth_context.auth), + "Authentication header")) + goto err; + + if (write_capsule_file(f, auth_context.sig_data, + auth_context.sig_size, "Signature")) + goto err; + } + /* * firmware binary */ 
@@ -262,28 +535,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, err: if (f) fclose(f); + free_sig_data(&auth_context); free(data); return ret; } -/* - * Usage: - * $ mkeficapsule -f +/** + * main - main entry function of mkeficapsule + * @argc: Number of arguments + * @argv: Array of pointers to arguments + * + * Create an uefi capsule file, optionally signing it. + * Parse all the arguments and pass them on to create_fwbin(). + * + * Return: + * * 0 - on success + * * -1 - on failure */ int main(int argc, char **argv) { char *file; efi_guid_t *guid; unsigned long index, instance; + uint64_t mcount; + char *privkey_file, *cert_file; int c, idx; file = NULL; guid = NULL; index = 0; instance = 0; + mcount = 0; + privkey_file = NULL; + cert_file = NULL; + dump_sig = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, opts_short, options, &idx); if (c == -1) break; @@ -291,7 +579,7 @@ int main(int argc, char **argv) case 'f': if (file) { fprintf(stderr, "Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_fit; @@ -299,7 +587,7 @@ int main(int argc, char **argv) case 'r': if (file) { fprintf(stderr, "Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_raw; 
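Review bot: the new kernel-doc for main() in the first hunk above says it returns "-1 - on failure", but the function now terminates with exit(EXIT_FAILURE) and exit(EXIT_SUCCESS) everywhere (this same patch converts the remaining `return -1` sites in the 'f' and 'r' cases); document the exit status as EXIT_SUCCESS/EXIT_FAILURE so the comment matches the code.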
@@ -310,14 +598,38 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; + case 'p': + if (privkey_file) { + fprintf(stderr, + "Private Key already specified\n"); + exit(EXIT_FAILURE); + } + privkey_file = optarg; + break; + case 'c': + if (cert_file) { + fprintf(stderr, + "Certificate file already specified\n"); + exit(EXIT_FAILURE); + } + cert_file = optarg; + break; + case 'm': + mcount = strtoul(optarg, NULL, 0); + break; + case 'd': + dump_sig = 1; + break; case 'h': print_usage(); - return 0; + exit(EXIT_SUCCESS); } } - /* need an output file */ - if (argc != optind + 1) { + /* check necessary parameters */ + if ((argc != optind + 1) || !file || + ((privkey_file && !cert_file) || + (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } 
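Review bot: the parameter check at the end of this hunk only requires --private-key and --certificate to appear together; --monotonic-count is not checked, so a signed capsule can be produced with mcount left at its default of 0, whereas the man page added in 3/9 of this series states that --private-key, --certificate and --monotonic-count are all mandatory with signing. Either extend the condition (e.g. set a flag in `case 'm':` and reject `privkey_file && !mcount_given`) or relax the man page. The pairing test itself reads more clearly as `(!privkey_file != !cert_file)`. Separately, `mcount = strtoul(optarg, NULL, 0)` stores an unsigned long into a uint64_t, which truncates the count to 32 bits on 32-bit hosts; use strtoull(), and, like the index/instance parsing, it silently accepts non-numeric input because neither endptr nor errno is checked.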
@@ -328,8 +640,8 @@ int main(int argc, char **argv) exit(EXIT_SUCCESS); } - if (create_fwbin(argv[optind], file, guid, index, instance) - < 0) { + if (create_fwbin(argv[optind], file, guid, index, instance, + mcount, privkey_file, cert_file) < 0) { fprintf(stderr, "Creating firmware capsule failed\n"); exit(EXIT_FAILURE); }
From patchwork Tue Feb 1 01:27:34 2022 X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 538932
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v10 3/9] tools: mkeficapsule: add man page Date: Tue, 1 Feb 2022 10:27:34 +0900 Message-Id: <20220201012740.63070-4-takahiro.akashi@linaro.org> In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org> References: <20220201012740.63070-1-takahiro.akashi@linaro.org>
Add a man page for mkeficapsule command. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- MAINTAINERS | 1 + doc/mkeficapsule.1 | 99 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100644 doc/mkeficapsule.1
diff --git a/MAINTAINERS b/MAINTAINERS index dcdd99e368d1..2a8f70d70833 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -749,6 +749,7 @@ S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git F: doc/api/efi.rst F: doc/develop/uefi/* +F: doc/mkeficapsule.1 F: doc/usage/bootefi.rst F: drivers/rtc/emul_rtc.c F: include/capitalization.h
diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 new file mode 100644 index 000000000000..680362f5c4e9 --- /dev/null +++ b/doc/mkeficapsule.1 
@@ -0,0 +1,99 @@ +.\" SPDX-License-Identifier: GPL-2.0+ +.\" Copyright (c) 2021, Linaro Limited +.\" written by AKASHI Takahiro +.TH MAEFICAPSULE 1 "May 2021" + +.SH NAME +mkeficapsule \- Generate EFI capsule file for U-Boot + +.SH SYNOPSIS +.B mkeficapsule +.RI [ options "] " capsule-file + +.SH "DESCRIPTION" +.B mkeficapsule +command is used to create an EFI capsule file for use with the U-Boot +EFI capsule update. +A capsule file may contain various type of firmware blobs which +are to be applied to the system and must be placed in the specific +directory on the UEFI system partition. +An update will be automatically executed at next reboot. + +Optionally, a capsule file can be signed with a given private key. +In this case, the update will be authenticated by verifying the signature +before applying. + +.B mkeficapsule +supports two different format of image files: +.TP +.I raw image +format is a single binary blob of any type of firmware. + +.TP +.I FIT (Flattened Image Tree) image +format is the same as used in the new uImage format and allows for +multiple binary blobs in a single capsule file. +This type of image file can be generated by +.BR mkimage . + +.SH "OPTIONS" +One of +.BR --fit " or " --raw +option must be specified. + +.TP +.BI "-f\fR,\fB --fit " fit-image-file +Specify a FIT image file + +.TP +.BI "-r\fR,\fB --raw " raw-image-file +Specify a raw image file + +.TP +.BI "-i\fR,\fB --index " index +Specify an image index + +.TP +.BI "-I\fR,\fB --instance " instance +Specify a hardware instance + +.TP +.BR -h ", " --help +Print a help message + +.PP +With signing, +.BR --private-key ", " --certificate " and " --monotonic-count +are all mandatory. 
+ +.TP +.BI "-p\fR,\fB --private-key " private-key-file +Specify signer's private key file in PEM + +.TP +.BI "-c\fR,\fB --certificate " certificate-file +Specify signer's certificate file in EFI certificate list format + +.TP +.BI "-m\fR,\fB --monotonic-count " count +Specify a monotonic count which is set to be monotonically incremented +at every firmware update. + +.TP +.B "-d\fR,\fB --dump_sig" +Dump signature data into *.p7 file + +.PP +.SH FILES +.TP +.I /EFI/UpdateCapsule +The directory in which all capsule files be placed + +.SH SEE ALSO +.BR mkimage (1) + +.SH AUTHORS +Written by AKASHI Takahiro + +.SH HOMEPAGE +http://www.denx.de/wiki/U-Boot/WebHome
From patchwork Tue Feb 1 01:27:35 2022 X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 538933
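Review bot: in the doc/mkeficapsule.1 hunk of 3/9 above, `.TH MAEFICAPSULE 1 "May 2021"` misspells the command name (the NAME section says mkeficapsule, so the header should be MKEFICAPSULE) and carries a date from an earlier revision of the series. The long option `--dump_sig` is the only one written with an underscore while every other option uses hyphens (`--private-key`, `--monotonic-count`); unless the getopt table really spells it `dump_sig`, rename it to `--dump-sig`, and the -d text should say where the *.p7 file is written. The FILES entry says "all capsule files be placed" (should be "are to be placed"), and DESCRIPTION has "various type of firmware blobs" and "two different format of image files" (types, formats). Finally, OPTIONS declares --monotonic-count mandatory with signing, which the argument check in 2/9 does not enforce; keep the two consistent.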
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v10 4/9] doc: update UEFI document for usage of mkeficapsule Date: Tue, 1 Feb 2022 10:27:35 +0900 Message-Id: <20220201012740.63070-5-takahiro.akashi@linaro.org> In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org> References: <20220201012740.63070-1-takahiro.akashi@linaro.org>
Now we can use mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instruction for capsule authentication. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- doc/develop/uefi/uefi.rst | 147 +++++++++++++++++++------------------- 1 file changed, 74 insertions(+), 73 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 43fb10f7978e..7e1eb8256259 100644
--- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst 
@@ -284,37 +284,56 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. +To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + +.. 
code-block:: console + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: -If that option is disabled, you'll need to set the OsIndications variable with:: +.. code-block:: console => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. - => efidebug capsule disk-update - -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* 
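Review bot: in this hunk two added paragraphs end with `::` and are immediately followed by a `.. code-block:: console` directive (`Run the following command::` and `bit in OsIndications variable with::`); in reStructuredText a paragraph ending in `::` expects an indented literal block, so docutils warns "Literal block expected; none found" and renders a stray colon. End those lines with a single `:` when a code-block directive follows. `U-boot` should be `U-Boot`. On the security side, the rewritten text says you "can skip this feature check" with CONFIG_EFI_IGNORE_OSINDICATIONS but no longer spells out what is lost: with that option set, the OS opt-in via OsIndications is gone and any capsule found under \EFI\UpdateCapsule is applied at the next reboot, with only the capsule signature (when authentication is enabled) still gating the update. One sentence saying so, and that the option is meant for platforms whose OS cannot set the variable, would keep the security property visible to the reader.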
@@ -324,82 +343,64 @@ be updated by verifying the capsule signature. The capsule signature is computed and prepended to the capsule payload at the time of capsule generation. This signature is then verified by using the public key stored as part of the X509 certificate. This certificate is -in the form of an efi signature list (esl) file, which is embedded as -part of U-Boot. +in the form of an efi signature list (esl) file, which is embedded in +a device tree. The capsule authentication feature can be enabled through the following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y - CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated -and used by the steps highlighted below:: +and used by the steps highlighted below. - 1. Install utility commands on your host - * OPENSSL +1. Install utility commands on your host + * openssl * efitools - 2. Create signing keys and certificate files on your host +2. Create signing keys and certificate files on your host:: + +.. code-block:: console $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - --monotonic-count --fw-version \ - --lsv --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - +3. 
Run the following command to create and sign the capsule file:: -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory +.. code-block:: console -Testing on QEMU -*************** + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. +4. Insert the signature list into a device tree in the following format:: -The capsule update feature is enabled with the following configuration -settings:: + { + signature { + capsule-key = [ ]; + } + ... + } - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + You can do this manually with:: -In addition, the following config needs to be disabled(QEMU ARM specific):: +.. 
code-block:: console - CONFIG_TFABOOT + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo -The capsule file can be generated by using the tools/mkeficapsule:: + where signature.dts looks like:: - $ mkeficapsule --raw --index 1 + &{/} { + signature { + capsule-key = /incbin/("CRT.esl"); + }; + }; Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
From patchwork Tue Feb 1 01:27:36 2022 X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 538934
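Review bot: the second uefi.rst hunk of 4/9 removes CONFIG_EFI_CAPSULE_KEY_PATH and moves the esl into the device tree, but the documentation never says that the DTB now carries the root of trust for capsule authentication: if the device tree can be swapped by whoever can write the boot media, the key in `capsule-key` goes with it and signature verification no longer protects anything. Add a sentence that the DTB holding `capsule-key` must itself be integrity-protected (built into the verified U-Boot image or covered by verified boot) and that CRT.key must never be placed on the device. The same `::`-before-`.. code-block::` problem from the first hunk recurs in step 2, step 3, `You can do this manually with::` and `where signature.dts looks like::`. Step 4's `fdtoverlay -i orig.dtb -o new.dtb` should also say which dtb orig.dtb is (the one U-Boot is actually built with and boots from), since 5/9 applies the overlay to arch/sandbox/dts/test.dtb.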
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v10 5/9] test/py: efi_capsule: add image authentication test Date: Tue, 1 Feb 2022 10:27:36 +0900 Message-Id: <20220201012740.63070-6-takahiro.akashi@linaro.org> In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org> References: <20220201012740.63070-1-takahiro.akashi@linaro.org>
Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system. Due to the difficulty of embedding a public key (esl file) in U-Boot binary during pytest setup time, all the keys/certificates are pre-created.
Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass Acked-by: Ilias Apalodimas --- .../py/tests/test_efi_capsule/capsule_defs.py | 5 + test/py/tests/test_efi_capsule/conftest.py | 52 +++- test/py/tests/test_efi_capsule/signature.dts | 10 + .../test_capsule_firmware_signed.py | 254 ++++++++++++++++++ 4 files changed, 318 insertions(+), 3 deletions(-) create mode 100644 test/py/tests/test_efi_capsule/signature.dts create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py index 4fd6353c2040..59b40f11bd1d 100644 --- a/test/py/tests/test_efi_capsule/capsule_defs.py +++ b/test/py/tests/test_efi_capsule/capsule_defs.py @@ -3,3 +3,8 @@ # Directories CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/' if it is not null. +EFITOOLS_PATH = '' diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 6ad5608cd71c..27c05971ca32 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -10,13 +10,13 @@ import pytest from capsule_defs import * # -# Fixture for UEFI secure boot test +# Fixture for UEFI capsule test # - @pytest.fixture(scope='session') def efi_capsule_data(request, u_boot_config): - """Set up a file system to be used in UEFI capsule test. + """Set up a file system to be used in UEFI capsule and + authentication test. Args: request: Pytest request object. 
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config): check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + if capsule_auth_enabled: + # Create private key (SIGNER.key) and certificate (SIGNER.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' + '-out SIGNER.crt -nodes -days 365' + % data_dir, shell=True) + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' + % (data_dir, EFITOOLS_PATH), shell=True) + + # Update dtb adding capsule certificate + check_call('cd %s; ' + 'cp %s/test/py/tests/test_efi_capsule/signature.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; ' + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' + '-o test_sig.dtb signature.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + + # Create *malicious* private key (SIGNER2.key) and certificate + # (SIGNER2.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key ' + '-out SIGNER2.crt -nodes -days 365' + % data_dir, shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, 
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % (data_dir, u_boot_config.build_dir), shell=True) + if capsule_auth_enabled: + # firmware signed with proper key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--raw u-boot.bin.new Test11' + % (data_dir, u_boot_config.build_dir), + shell=True) + # firmware signed with *mal* key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER2.key ' + '--certificate SIGNER2.crt ' + '--raw u-boot.bin.new Test12' + % (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts new file mode 100644 index 000000000000..078cfc76c93c --- /dev/null +++ b/test/py/tests/test_efi_capsule/signature.dts @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("SIGNER.esl"); + }; +}; diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py new file mode 100644 index 000000000000..593b032e9015 --- /dev/null +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py 
@@ -0,0 +1,254 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2021, Linaro Limited +# Author: AKASHI Takahiro +# +# U-Boot UEFI: Firmware Update (Signed capsule) Test + +""" +This test verifies capsule-on-disk firmware update +with signed capsule files +""" + +import pytest +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw') +@pytest.mark.buildconfigspec('efi_capsule_authenticate') +@pytest.mark.buildconfigspec('dfu') +@pytest.mark.buildconfigspec('dfu_sf') +@pytest.mark.buildconfigspec('cmd_efidebug') +@pytest.mark.buildconfigspec('cmd_fat') +@pytest.mark.buildconfigspec('cmd_memory') +@pytest.mark.buildconfigspec('cmd_nvedit_efi') +@pytest.mark.buildconfigspec('cmd_sf') +@pytest.mark.slow +class TestEfiCapsuleFirmwareSigned(object): + def test_efi_capsule_auth1( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 1 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 1-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test11 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 1-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_auth2( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 2 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but with an invalid key, + the authentication should fail and the firmware + not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 2-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test12 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 2-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output) + + def test_efi_capsule_auth3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 3 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is not signed, the authentication + should fail and the firmware not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 3-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test02 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output)
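Review bot: the EFITOOLS_PATH comment in the capsule_defs.py hunk has a grammar slip ("you need build a newer version" should read "you need to build a newer version"), and because the default is an empty string a reader has to infer that cert-to-efi-sig-list is then taken from PATH; say so explicitly, e.g. `# Leave empty to use cert-to-efi-sig-list from PATH.`, and, if the first fixed efitools release is known, name it so the workaround note can be retired later.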
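Review bot: in the conftest.py hunk that generates the keys, SIGNER2 is created with the same `-subj /CN=TEST_SIGNER/` as SIGNER; that is the right negative test (trust must come from the key in the ESL embedded via signature.dts, not from the subject name), but the comment only says "*malicious*", so please state that the identical CN is deliberate before someone "fixes" it. Two further points: every tool in the `if capsule_auth_enabled:` block (openssl, cert-to-efi-sig-list, dtc, fdtoverlay) is run through check_call, so a missing host tool fails the whole fixture rather than skipping the authentication tests, and the unchanged context line `echo -n u-boot-env:Old -> u-boot.env.old` passes `-` to echo instead of redirecting, which leaves "u-boot-env:Old -" in u-boot.env.old; out of scope for this patch, but worth a follow-up.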
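Review bot: in the new test_capsule_firmware_signed.py, test cases 2 and 3 prove the negative only by checking that the capsule file is gone and that flash still reads 'u-boot:Old'; a capsule that was never processed at all would pass the same assertions. The `# TODO: check CapsuleStatus in CapsuleXXXX` markers point at the fix: assert on the contents of Capsule0000 (the `env print -e Capsule0000` output is assigned and then discarded) or on the authentication-failure message in the console log, so the test can tell "rejected" from "ignored". Smaller points: the 1-a/2-a/3-a setup blocks are repeated almost verbatim across the three cases and could share a helper, and each test assigns `u_boot_console.config.dtb` to test_sig.dtb before restart_uboot() without restoring it, so later tests in the same session inherit the overlay dtb.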
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v10 6/9] tools: mkeficapsule: allow for specifying GUID explicitly
Date: Tue, 1 Feb 2022 10:27:37 +0900
Message-Id: <20220201012740.63070-7-takahiro.akashi@linaro.org>
In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org>
References: <20220201012740.63070-1-takahiro.akashi@linaro.org>

The existing options, "--fit" and "--raw," are only used to put a proper
GUID in a capsule header, where GUID identifies a particular FMP (Firmware
Management Protocol) driver which then would handle the firmware binary
in a capsule.

In fact, mkeficapsule does the exact same job in creating a capsule file
whatever the firmware binary type is.

To prepare for the future extension, the command syntax will be a bit
modified to allow users to specify arbitrary GUID for their own FMP driver.

OLD: [--fit | --raw ]
NEW: [--fit | --raw | --guid ]

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 doc/develop/uefi/uefi.rst |  4 +-
 doc/mkeficapsule.1        | 26 ++++++++----
 tools/Makefile            |  2 +-
 tools/mkeficapsule.c      | 85 ++++++++++++++++++++++++++++-----------
 4 files changed, 84 insertions(+), 33 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 7e1eb8256259..a1a2afd60bbc 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -375,8 +375,8 @@ and used by the steps highlighted below. --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit | --raw ] \ - + [--fit | --raw | --guid 4. Insert the signature list into a device tree in the following format:: diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 680362f5c4e9..8babb27ee8b2 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -8,7 +8,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RI [ options "] " capsule-file +.RI [ options "] " image-blob " " capsule-file .SH "DESCRIPTION" .B mkeficapsule @@ -24,7 +24,7 @@ In this case, the update will be authenticated by verifying the signature before applying. .B mkeficapsule -supports two different format of image files: +takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -36,18 +36,30 @@ multiple binary blobs in a single capsule file. This type of image file can be generated by .BR mkimage . +.PP +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" One of -.BR --fit " or " --raw +.BR --fit ", " --raw " or " --guid option must be specified. .TP -.BI "-f\fR,\fB --fit " fit-image-file -Specify a FIT image file +.BR -f ", " --fit +Indicate that the blob is a FIT image file .TP -.BI "-r\fR,\fB --raw " raw-image-file -Specify a raw image file +.BR -r ", " --raw +Indicate that the blob is a raw image file + +.TP +.BI "-g\fR,\fB --guid " guid-string +Specify guid for image blob type. The format is: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +The first three elements are in little endian, while the rest +is in big endian. .TP .BI "-i\fR,\fB --index " index diff --git a/tools/Makefile b/tools/Makefile index 8da07d60a755..5409ff2879c6 100644 --- a/tools/Makefile +++ b/tools/Makefile 
@@ -238,7 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -HOSTLDLIBS_mkeficapsule += -lgnutls +HOSTLDLIBS_mkeficapsule += -lgnutls -luuid hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index b996c66ad26a..7ff1f999db85 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,7 +15,7 @@ #include #include - +#include #include #include @@ -33,11 +33,12 @@ efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, {"private-key", required_argument, NULL, 'p'}, @@ -50,11 +51,12 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] \n" + fprintf(stderr, "Usage: %s [options] \n" "Options:\n" - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid guid for image blob type\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" "\t-p, --private-key private key file\n" 
@@ -541,6 +543,37 @@ err: return ret; } +/** + * convert_uuid_to_guid() - convert UUID to GUID + * @buf: UUID binary + * + * UUID and GUID have the same data structure, but their binary + * formats are different due to the endianness. See lib/uuid.c. + * Since uuid_parse() can handle only UUID, this function must + * be called to get correct data for GUID when parsing a string. + * + * The correct data will be returned in @buf. + */ +void convert_uuid_to_guid(unsigned char *buf) +{ + unsigned char c; + + c = buf[0]; + buf[0] = buf[3]; + buf[3] = c; + c = buf[1]; + buf[1] = buf[2]; + buf[2] = c; + + c = buf[4]; + buf[4] = buf[5]; + buf[5] = c; + + c = buf[6]; + buf[6] = buf[7]; + buf[7] = c; +} + /** * main - main entry function of mkeficapsule * @argc: Number of arguments @@ -555,14 +588,13 @@ err: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -577,21 +609,34 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - fprintf(stderr, "Image already specified\n"); + if (guid) { + fprintf(stderr, + "Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - fprintf(stderr, "Image already specified\n"); + if (guid) { + fprintf(stderr, + "Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + fprintf(stderr, + "Image type already specified\n"); + exit(EXIT_FAILURE); + } + if (uuid_parse(optarg, uuid_buf)) { + fprintf(stderr, "Wrong guid format\n"); + exit(EXIT_FAILURE); + } + convert_uuid_to_guid(uuid_buf); + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; 
@@ -627,20 +672,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - exit(EXIT_SUCCESS); - } - - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { fprintf(stderr, "Creating firmware capsule failed\n"); exit(EXIT_FAILURE);
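Review bot: the tools/Makefile hunk adds `-luuid`, so building mkeficapsule now requires libuuid (from util-linux) on the host in addition to gnutls, but neither the commit message nor doc/develop/uefi/uefi.rst, which this patch already touches, mentions the new dependency; please document it next to the build instructions.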
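Review bot: in the doc/mkeficapsule.1 hunk, "The first three elements are in little endian, while the rest is in big endian" describes the byte order of the GUID as it is written into the capsule header, not how the user types it; say that the string is given in the usual xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form and that the tool performs the swap, and change "the rest is" to "the rest are".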
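Review bot: convert_uuid_to_guid() in the tools/mkeficapsule.c hunk is used only within this file and should be `static` (as written it has external linkage with no prototype, which -Wmissing-prototypes flags). The swap itself is right for turning the RFC 4122 byte order produced by uuid_parse() into the EFI GUID layout (bytes 0-3, 4-5 and 6-7 reversed, 8-15 untouched). Since the 'g' case always pairs uuid_parse() with this conversion, consider folding both into one helper such as `static int parse_guid(const char *s, unsigned char *buf)` so a future caller cannot forget the conversion.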
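Review bot: in the last hunk the argument check uses `argc != optind + 2` while create_fwbin() is then called with `argv[argc - 1]` and `argv[argc - 2]`; the two indexings agree once the check has passed, but `argv[optind]` for the image blob and `argv[optind + 1]` for the capsule file keep the check and the use in step and read more naturally. Dropping the `if (!file) { ... exit(EXIT_SUCCESS); }` block is correct, as it was unreachable after the combined check, and the new `!guid` condition now rejects an invocation with none of --fit, --raw or --guid, matching the man page text "One of --fit, --raw or --guid option must be specified."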
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v10 7/9] test/py: efi_capsule: align with the syntax change of mkeficapsule
Date: Tue, 1 Feb 2022 10:27:38 +0900
Message-Id: <20220201012740.63070-8-takahiro.akashi@linaro.org>
In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org>

Since the syntax of mkeficapsule was changed in the previous commit, we need to modify the command line arguments in a pytest script.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 test/py/tests/test_efi_capsule/conftest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 27c05971ca32..a5a25c53dcb4 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py 
@@ -80,10 +80,10 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) if capsule_auth_enabled:
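Review bot: the @@ -80 hunk moves `--index 1` ahead of `--fit`/`--raw` for Test01 and Test02, but neither the diff nor a comment in conftest.py says which part of the mkeficapsule syntax actually changed, so a reader cannot tell whether the old order would now fail or merely be discouraged. Add a one-line comment above these two check_call lines stating the expected mkeficapsule usage (which arguments are options and which are positional), so that the next syntax change can be applied without reading the tool source; the commit message only says "the syntax was changed".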
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v10 8/9] test/py: efi_capsule: add a test for "--guid" option
Date: Tue, 1 Feb 2022 10:27:39 +0900
Message-Id: <20220201012740.63070-9-takahiro.akashi@linaro.org>
In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org>

This test scenario tests a new feature of mkeficapsule, the "--guid" option, which allows us to specify the FMP driver's GUID explicitly on the command line.
Signed-off-by: AKASHI Takahiro --- test/py/tests/test_efi_capsule/conftest.py | 3 + .../test_efi_capsule/test_capsule_firmware.py | 67 +++++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index a5a25c53dcb4..9076087a12b7 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -86,6 +86,9 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % + (data_dir, u_boot_config.build_dir), + shell=True) if capsule_auth_enabled: # firmware signed with proper key check_call('cd %s; ' diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9eeaae27d626..9cc973560fa1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py 
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object): 'sf read 4000000 100000 10', 'md.b 4000000 10']) assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 4 - Test "--guid" option of mkeficapsule + The test scenario is the same as Case 3. + """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 4-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # reboot + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list(['efidebug capsule esrt']) + + # ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT. + assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output) + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output)
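Review bot: in the @@ -86 hunk of conftest.py the GUID E2BB9C06-70E9-4B14-97A3-5A7913176E3F is a bare string literal on the mkeficapsule command line, and the test_capsule_firmware.py hunk asserts on the very same literal under a comment that calls it EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; define it once as a named constant in conftest.py and reference that name in both places so the capsule builder and the ESRT assertion cannot drift apart. Also, Test03 is built with neither `--fit` (as Test01) nor `--raw` (as Test02); a short comment saying which image type mkeficapsule assumes when only `--guid` is given would make the intent of the third capsule clear.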
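Review bot: test_efi_capsule_fw4 in the @@ -247 hunk is a copy of Case 3 with Test02 replaced by Test03 (the docstring says as much), so any later fix to Case 3 has to be made twice; parametrizing the existing Case 3 test over the capsule file name, or factoring the shared before/after-reboot steps into a helper, would keep one copy of the logic. Within the hunk, the `output` captured in the "Test Case 4-a, before reboot" block and the result of `'env print -e Capsule0000'` are never asserted on, and the comment "make sure that dfu_alt_info exists even persistent variables are not available" reads better as "even if persistent variables are not available".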
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v10 9/9] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE
Date: Tue, 1 Feb 2022 10:27:40 +0900
Message-Id: <20220201012740.63070-10-takahiro.akashi@linaro.org>
In-Reply-To: <20220201012740.63070-1-takahiro.akashi@linaro.org>

Before capsule authentication is supported, this test script works correctly, but with the feature enabled, most tests will fail due to unsigned capsules. So check the results depending on whether CAPSULE_AUTHENTICATE is enabled or not.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 .../test_efi_capsule/test_capsule_firmware.py | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9cc973560fa1..6e803f699f2f 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
@@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 2-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables
@@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) output = u_boot_console.run_command_list([ 'sf read 4000000 150000 10', 'md.b 4000000 10']) - assert 'u-boot-env:New' in ''.join(output) + if capsule_auth: + assert 'u-boot-env:Old' in ''.join(output) + else: + assert 'u-boot-env:New' in ''.join(output) def test_efi_capsule_fw3( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 3-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables @@ -246,7 +256,10 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) def test_efi_capsule_fw4( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -285,6 +298,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 4-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
@@ -313,4 +328,7 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output)
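Review bot: the `capsule_auth = u_boot_config.buildconfig.get('config_efi_capsule_authenticate')` lookup added in the @@ -148 hunk is repeated verbatim for Case 3 and Case 4 in the later hunks of the same file, right next to the identically repeated `capsule_early` lookup; read both once in the efi_capsule_data fixture (or a small module-level helper) and pass them to the tests, so that a future rename of the config symbol is a one-line change.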
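Review bot: in the @@ -171 hunk (and the same pattern in the @@ -246 and @@ -313 hunks), asserting `'u-boot:Old'` and `'u-boot-env:Old'` when capsule_auth is set only shows that the flash was not rewritten; the assertion would pass just as well if capsule processing never ran at all, so a regression that silently skips capsule handling under CAPSULE_AUTHENTICATE would look like a correct rejection. Since the test already captures the console output around the update, also assert on some positive evidence that the unsigned capsule was examined and refused (for instance the message U-Boot prints when authentication fails, if one is printed), so that "rejected" and "not attempted" are distinguishable.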