From patchwork Mon Dec 21 11:43:01 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 346401
List-Id: U-Boot discussion
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 01/14] mkeficapsule: Add support for embedding public key in a dtb
Date: Mon, 21 Dec 2020 17:13:01 +0530
Message-Id: <20201221114314.25588-2-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

Add options for embedding the public key esl (efi signature list) file
to the platform's dtb. The esl file is then retrieved and used for
authenticating the capsule to be used for updating firmware components
on the platform.

The esl file can now be embedded in the dtb by invoking the following
command

    mkeficapsule -K -D

In the scenario where the esl file is to be embedded in an overlay,
this can be done through the following command

    mkeficapsule -O -K -D

This will create a node named 'signature' in the dtb, and the esl file
will be stored as 'capsule-key'

Signed-off-by: Sughosh Ganu
---
Changes since V1:
* Added support for embedding the public key cert in an overlay using
  the -O option

 tools/Makefile       |   1 +
 tools/mkeficapsule.c | 233 ++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 222 insertions(+), 12 deletions(-)

--
2.17.1

diff --git a/tools/Makefile b/tools/Makefile index 66d9376803..6d7b48fb57 100644 --- a/tools/Makefile +++ b/tools/Makefile
@@ -218,6 +218,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include +mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 3f8bc7009b..270943fc90 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -4,16 +4,22 @@ * Author: AKASHI Takahiro */ +#include #include #include #include #include #include #include +#include #include + +#include #include #include +#include "fdt_host.h" + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; @@ -23,6 +29,9 @@ typedef __s32 s32; #define aligned_u64 __aligned_u64 +#define SIGNATURE_NODENAME "signature" +#define OVERLAY_NODENAME "__overlay__" + #ifndef __packed #define __packed __attribute__((packed)) #endif @@ -43,6 +52,9 @@ static struct option options[] = { {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, + {"dtb", required_argument, NULL, 'D'}, + {"public key", required_argument, NULL, 'K'}, + {"overlay", no_argument, NULL, 'O'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
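Review bot: In the options[] addition the long option is spelled "public key" with a space, while the usage text this patch adds to print_usage() advertises --public-key. getopt_long() will never match --public-key against that entry, so only the short form -K works. Rename the entry to "public-key" so the table and the help text agree.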
@@ -51,14 +63,183 @@ static void print_usage(void) { printf("Usage: %s [options] \n" "Options:\n" - "\t--fit new FIT image file\n" - "\t--raw new raw image file\n" - "\t--index update image index\n" - "\t--instance update hardware instance\n" - "\t--help print a help message\n", + + "\t--fit new FIT image file\n" + "\t--raw new raw image file\n" + "\t--index update image index\n" + "\t--instance update hardware instance\n" + "\t--public-key public key esl file\n" + "\t--dtb dtb file\n" + "\t--overlay the dtb file is an overlay\n" + "\t--help print a help message\n", tool_name); } +static int fdt_add_pub_key_data(void *sptr, void *dptr, size_t key_size, + bool overlay) +{ + int parent; + int ov_node; + int frag_node; + int ret = 0; + + if (overlay) { + /* + * The signature would be stored in the + * first fragment node of the overlay + */ + frag_node = fdt_first_subnode(dptr, 0); + if (frag_node == -FDT_ERR_NOTFOUND) { + fprintf(stderr, + "Couldn't find the fragment node: %s\n", + fdt_strerror(frag_node)); + goto done; + } + + ov_node = fdt_subnode_offset(dptr, frag_node, OVERLAY_NODENAME); + if (ov_node == -FDT_ERR_NOTFOUND) { + fprintf(stderr, + "Couldn't find the __overlay__ node: %s\n", + fdt_strerror(ov_node)); + goto done; + } + } else { + ov_node = 0; + } + + parent = fdt_subnode_offset(dptr, ov_node, SIGNATURE_NODENAME); + if (parent == -FDT_ERR_NOTFOUND) { + parent = fdt_add_subnode(dptr, ov_node, SIGNATURE_NODENAME); + if (parent < 0) { + ret = parent; + if (ret != -FDT_ERR_NOSPACE) { + fprintf(stderr, + "Couldn't create signature node: %s\n", + fdt_strerror(parent)); + } + } + } + if (ret) + goto done; + + /* Write the key to the FDT node */ + ret = fdt_setprop(dptr, parent, "capsule-key", + sptr, key_size); + +done: + if (ret) + ret = ret == -FDT_ERR_NOSPACE ? 
-ENOSPC : -EIO; + + return ret; +} + +static int add_public_key(const char *pkey_file, const char *dtb_file, + bool overlay) +{ + int ret; + int srcfd = 0; + int destfd = 0; + void *sptr = NULL; + void *dptr = NULL; + off_t src_size; + struct stat pub_key; + struct stat dtb; + + /* Find out the size of the public key */ + srcfd = open(pkey_file, O_RDONLY); + if (srcfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + ret = fstat(srcfd, &pub_key); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + src_size = pub_key.st_size; + + /* mmap the public key esl file */ + sptr = mmap(0, src_size, PROT_READ, MAP_SHARED, srcfd, 0); + if ((sptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + /* Open the dest FDT */ + destfd = open(dtb_file, O_RDWR); + if (destfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + ret = fstat(destfd, &dtb); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + dtb.st_size += src_size + 0x30; + if (ftruncate(destfd, dtb.st_size)) { + fprintf(stderr, "%s: Can't expand %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err;; + } + + errno = 0; + /* mmap the dtb file */ + dptr = mmap(0, dtb.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, + destfd, 0); + if ((dptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + if (fdt_check_header(dptr)) { + fprintf(stderr, "%s: Invalid FDT header\n", __func__); + goto err; + } + + ret = fdt_open_into(dptr, dptr, dtb.st_size); + if (ret) { + fprintf(stderr, "%s: Cannot expand FDT: %s\n", + __func__, fdt_strerror(ret)); + goto err; + } + + /* Copy the esl file 
to the expanded FDT */ + ret = fdt_add_pub_key_data(sptr, dptr, src_size, overlay); + if (ret < 0) { + fprintf(stderr, "%s: Unable to add public key to the FDT\n", + __func__); + goto err; + } + + return 0; + +err: + if (sptr) + munmap(sptr, src_size); + + if (dptr) + munmap(dptr, dtb.st_size); + + if (srcfd >= 0) + close(srcfd); + + if (destfd >= 0) + close(destfd); + + return -1; +} + static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long index, unsigned long instance) { @@ -173,16 +354,22 @@ err_1: int main(int argc, char **argv) { char *file; + char *pkey_file; + char *dtb_file; efi_guid_t *guid; unsigned long index, instance; int c, idx; + int ret; + bool overlay = false; file = NULL; + pkey_file = NULL; + dtb_file = NULL; guid = NULL; index = 0; instance = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, "f:r:i:I:v:D:K:Oh", options, &idx); if (c == -1) break; 
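Review bot: In fdt_add_pub_key_data(), both overlay lookups take `goto done` while ret is still 0, so a missing fragment or __overlay__ node is printed to stderr and then returned as success without capsule-key ever being written. The checks also compare only against -FDT_ERR_NOTFOUND, so any other negative offset is carried forward as a node offset. Test `frag_node < 0` and `ov_node < 0` and set ret from the libfdt error before jumping. In add_public_key(), errno is tested after the first mmap() without being cleared first (it is only reset before the second one), srcfd and destfd start at 0 so an early `goto err` closes descriptor 0, a MAP_FAILED sptr or dptr is passed to munmap(), and the success path returns without unmapping or closing anything. Initialise the descriptors to -1, compare the mmap() results against MAP_FAILED only, and share the cleanup between the success and error paths.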
@@ -209,22 +396,44 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; + case 'K': + if (pkey_file) { + printf("Public Key already specified\n"); + return -1; + } + pkey_file = optarg; + break; + case 'D': + if (dtb_file) { + printf("DTB file already specified\n"); + return -1; + } + dtb_file = optarg; + break; + case 'O': + overlay = true; + break; case 'h': print_usage(); return 0; } } - /* need a output file */ - if (argc != optind + 1) { + /* need a fit image file or raw image file */ + if (!file && !pkey_file && !dtb_file) { + printf("%s: %d\n", __func__, __LINE__); print_usage(); return -1; } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - return -1; + if (pkey_file && dtb_file) { + ret = add_public_key(pkey_file, dtb_file, overlay); + if (ret == -1) { + printf("Adding public key to the dtb failed\n"); + return -1; + } else { + return 0; + } } if (create_fwbin(argv[optind], file, guid, index, instance) From patchwork Mon Dec 21 11:43:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346402 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp4384121jai; Mon, 21 Dec 2020 03:43:53 -0800 (PST) X-Google-Smtp-Source: ABdhPJx720yKfArjRo6dei0AWasaH5gbR9aWh15SS9UJ8TcXj+njL2qv+c6rBzP/P4dhb//hr5fZ X-Received: by 2002:a17:906:1741:: with SMTP id d1mr4626291eje.182.1608551032849; Mon, 21 Dec 2020 03:43:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608551032; cv=none; d=google.com; s=arc-20160816; b=Ngfbm15HPbjUMvjD+ne3NtmXAgLqOhnLLr/+RCHbgtKPqPRV46R2mejR4TCSGdV+go gdNAhHp/qYpaeVhs9d9q5eClMgw8rFdVnHHlAkSW6h2kzzWfc34Sd8Nr1cgWerv35sjq 7WzQjsRaK5d9ECJ+SQSqnuOKjw7WpIVAruyT9D8rx4nbuXlDpl+/mDgoEWRJ2rq1K9LQ Db6du6CGvhsIPxsZb3K4A1dj1HXoN7kQ6aGT4VWd+fYzXzmEW0RFuXAeROzURCboY9dr Xb+4V47rZ+GQQMws/4cCACU+HDOKh9gpurmCK5x4Q5ys6nq4fiFO8jFVUYAxBwEwm+TY PYew== ARC-Message-Signature: 
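Review bot: In main(), replacing the `argc != optind + 1` check with `!file && !pkey_file && !dtb_file` lets two invalid invocations through. With -K but no -D (or the reverse) the `pkey_file && dtb_file` branch is skipped and create_fwbin() is called with file == NULL, and a capsule build given no output path now passes argv[optind] == NULL to create_fwbin(). Keep the output-file check for the capsule path and reject a lone -K or -D with a usage error. The `printf("%s: %d\n", __func__, __LINE__)` debug line should be dropped, and the comment above the new condition no longer describes what it tests.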
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 02/14] qemu: arm: Initialise virtio in board_late_init
Date: Mon, 21 Dec 2020 17:13:02 +0530
Message-Id: <20201221114314.25588-3-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

On the qemu arm platform, the virtio devices are initialised in
board_init, which gets called before the initr_pci. With this, the
virtio block devices on the pci bus are not initialised. Move the
initialisation of virtio devices to board_late_init which gets called
after the call to initr_pci.

Signed-off-by: Sughosh Ganu
---
Changes since V1:
* The earlier patch was adding a call to pci_init in board_init.
  Moved the virtio_init call to board_late_init

 board/emulation/qemu-arm/qemu-arm.c | 5 +++++
 configs/qemu_arm64_defconfig        | 1 +
 2 files changed, 6 insertions(+)

--
2.17.1

diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index f18f2ed7da..aa68bef469 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c @@ -64,6 +64,11 @@ struct mm_region *mem_map = qemu_arm64_mem_map; #endif int board_init(void) +{ + return 0; +} + +int board_late_init(void) { /* * Make sure virtio bus is enumerated so that peripherals diff --git a/configs/qemu_arm64_defconfig b/configs/qemu_arm64_defconfig index f6e586627a..5c855fa08c 100644 --- a/configs/qemu_arm64_defconfig +++ b/configs/qemu_arm64_defconfig
@@ -14,6 +14,7 @@ CONFIG_LEGACY_IMAGE_FORMAT=y CONFIG_USE_PREBOOT=y # CONFIG_DISPLAY_CPUINFO is not set # CONFIG_DISPLAY_BOARDINFO is not set +CONFIG_BOARD_LATE_INIT=y CONFIG_PCI_INIT_R=y CONFIG_CMD_BOOTEFI_SELFTEST=y CONFIG_CMD_NVEDIT_EFI=y From patchwork Mon Dec 21 11:43:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346403 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp4384204jai; Mon, 21 Dec 2020 03:44:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJxa1hGkX+D0z4Fz5aUWD1P/zFcLGLskkLUa+EtHz53IEVPu3mISF/dZdR/8pejtoPMU9BMl X-Received: by 2002:a05:6402:31b5:: with SMTP id dj21mr15861349edb.90.1608551044152; Mon, 21 Dec 2020 03:44:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608551044; cv=none; d=google.com; s=arc-20160816; b=qpUVEAi0SeomQwQDM/N+g0TA6d5BsLFU6DQsOGwOop8iIKLlpLa9ul+Uj/4jb3AC1j VhuK88NUO6W2eWyl9idVp+ShLi4szguTO6EpiMFwdbvx8dppLbUIcvq133bxtnB+fqQe vUzQoqdfUHC8WCU4ndtPAv575gIJNmtdsKscvtqh/XYY53jd8n1WQMmdwAEy0EAfwemU a+1vmixLFJlz/Clgo6DDKGsrtclq70UOJIy6PtYQrdOuTjS/2kwPfWTbe2n79GbKbcW6 9Nn/QYjUguKf5ADla3iGUVMpedvJXkciKEC1KQQ6aQtVADxRYhm9qqMJfv2l0rRsYMgs vCVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from; bh=Ffdb8SAbjMWJmAZvklOvtYWluQGlVJkRf2tCmZua52I=; b=FMV3I8BvYDrJrWumgFjJa8uRXKS5Mz2/PQZ2WsuaHFzlFhUUFyJazlVB5/sSxa8jNc +UO8/mUmSU5UUSqZTlDddmavgB8ip+esfUUCeOzuzcanP8djbJXzjmwrMjcNjw9Mn7/1 JM3VSGtRTUuYScvIdvgWt/69AxbvyLOfxARgVHLctD1ECMfhnuQ4nh9wGykIUGnIbrnd 7mCQScBhGAHVZmp0NRZHBek96+AaAHvJ7jQdZxJGHjYmyXZt8jSnIsxMj8HHGQxWwwAU DT0cAM9IlHrNXRVm6/o0S8+1GwKJ4MBoAMj+86lPcg/Ip8UlWpxEUIBjugVSCNS1DO+S i+ww== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de 
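Review bot: CONFIG_BOARD_LATE_INIT=y is added only to qemu_arm64_defconfig, but the virtio initialisation has been moved out of board_init() for every configuration that builds board/emulation/qemu-arm/qemu-arm.c. Any config using this board file without BOARD_LATE_INIT now gets the empty board_init() and never enumerates virtio at all. Select or imply BOARD_LATE_INIT from the board's Kconfig, or update the remaining defconfigs for this board in the same patch.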
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 03/14] crypto: Fix the logic to calculate hash with authattributes set
Date: Mon, 21 Dec 2020 17:13:03 +0530
Message-Id: <20201221114314.25588-4-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

RFC 2315 Section 9.3 describes the message digesting process. The
digest calculated depends on whether the authenticated attributes are
present. In case of a scenario where the authenticated attributes are
present, the message digest that gets signed and is part of the pkcs7
message is computed from the auth attributes rather than the contents
field.

Check if the auth attributes are present, and if set, use the auth
attributes to compute the hash that would be compared with the
encrypted hash on the pkcs7 message.

Signed-off-by: Sughosh Ganu
---
Changes since V1: None

 lib/crypto/pkcs7_verify.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

--
2.17.1

diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 320ba49f79..58683ef614 100644 --- a/lib/crypto/pkcs7_verify.c
+++ b/lib/crypto/pkcs7_verify.c @@ -50,8 +50,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, struct image_region regions[2]; int ret = 0; - /* The digest was calculated already. */ - if (sig->digest) + /* + * [RFC2315 9.3] + * If the authenticated attributes are present, + * the message-digest is calculated on the + * attributes present in the + * authenticatedAttributes field and not just + * the contents field + */ + if (!sinfo->authattrs && sig->digest) return 0; if (!sinfo->sig->hash_algo) 
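Review bot: With the early return now conditional on `!sinfo->authattrs`, a signer that has authattrs and an already populated sig->digest falls through, and the `sig->digest = calloc(1, sig->digest_size)` in the following hunk then overwrites that pointer whenever pkcs7->data is set, leaking the earlier buffer each time pkcs7_digest() runs again for the same signer. Free or reuse the existing buffer before allocating. The new comment restates RFC 2315 9.3 but does not say why a cached digest must not short-circuit the function when authattrs is present; spell that out, since it is the reason for the changed condition.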
@@ -63,17 +70,25 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, else return -ENOPKG; - sig->digest = calloc(1, sig->digest_size); - if (!sig->digest) { - pr_warn("Sig %u: Out of memory\n", sinfo->index); - return -ENOMEM; - } + /* + * Calculate the hash only if the data is present. + * In case of authenticated variable and capsule, + * the hash has already been calculated on the + * efi_image_regions and populated + */ + if (pkcs7->data) { + sig->digest = calloc(1, sig->digest_size); + if (!sig->digest) { + pr_warn("Sig %u: Out of memory\n", sinfo->index); + return -ENOMEM; + } - regions[0].data = pkcs7->data; - regions[0].size = pkcs7->data_len; + regions[0].data = pkcs7->data; + regions[0].size = pkcs7->data_len; - /* Digest the message [RFC2315 9.3] */ - hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + /* Digest the message [RFC2315 9.3] */ + hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + } /* However, if there are authenticated attributes, there must be a * message digest attribute amongst them which corresponds to the From patchwork Mon Dec 21 11:43:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346404 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp4384326jai; Mon, 21 Dec 2020 03:44:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJyPFlDXXbAgN/HDWJUtPEyOZLxHdhQBDoKmdjcb0CD6mHMJYaiL7+/IDad2RmBqgUpUfwEh X-Received: by 2002:a17:906:195a:: with SMTP id b26mr14900997eje.4.1608551055716; Mon, 21 Dec 2020 03:44:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608551055; cv=none; d=google.com; s=arc-20160816; b=WzAVhsVJoZo+SKTU727/IlXD218WAaMtv0/3bLKfnUv6GjTkVb5ueD3Ug63vkYP6ut nBkGD8zSaL4Ktkv+cYDNzl2bryRn1747Hb3gL5SRyAieRu5WLpZVHnF+t23KdWye+mBg qrQzJFlZE+JBvIfM2u1noIFoo9k88pTUVYqYPGD3v9Ba1nI9wqYlplD+MUSP/YRGovM5 8KPKrFwHik9BkklW6cxPWB050CafiMCP5cowLALqxd8T3GKs1nSypsfkS4ldm784AqDX 
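Review bot: When pkcs7->data is NULL the allocation and hash_calculate() are skipped, but nothing checks that sig->digest was actually populated by the caller as the new comment assumes. If it was not, the authenticated-attributes check introduced by the trailing context comment runs with sig->digest == NULL. Return an error when both pkcs7->data and sig->digest are absent, so a message with no content and no precomputed digest is rejected instead of reaching the comparison.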
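The digest selection that the commit message of patch 03/14 describes (RFC 2315 Section 9.3), as an added example that is not part of the posted patch or of U-Boot. It goes one step further than the message and also checks the messageDigest attribute against the content; SHA-256, the function names and the sample authenticatedAttributes are assumptions made for the illustration.

```python
import hashlib
import hmac

# DER-encoded OID bodies from PKCS#7 / PKCS#9
OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1

TAG_OCTET, TAG_OID, TAG_SEQ, TAG_SET, TAG_CTX0 = 0x04, 0x06, 0x30, 0x31, 0xA0


def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the TLV that starts at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or off + k > len(buf):
            raise ValueError("bad DER length")
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + n > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, buf[off:off + n], off + n


def message_digest_attr(authattrs):
    """Return the messageDigest attribute value, or None if it is absent."""
    tag, attrs, end = read_tlv(authattrs, 0)
    if tag != TAG_CTX0 or end != len(authattrs):
        raise ValueError("authenticatedAttributes must be a single [0] TLV")
    off = 0
    while off < len(attrs):
        tag, attr, off = read_tlv(attrs, off)
        if tag != TAG_SEQ:
            raise ValueError("attribute is not a SEQUENCE")
        t_oid, oid, pos = read_tlv(attr, 0)
        t_set, values, _ = read_tlv(attr, pos)
        if t_oid != TAG_OID or t_set != TAG_SET:
            raise ValueError("malformed attribute")
        if oid == OID_MESSAGE_DIGEST:
            t_val, value, _ = read_tlv(values, 0)
            if t_val != TAG_OCTET:
                raise ValueError("messageDigest is not an OCTET STRING")
            return value
    return None


def digest_to_verify(content, authattrs=None):
    """Digest that the signature must cover, per RFC 2315 section 9.3."""
    content_digest = hashlib.sha256(content).digest()
    if authattrs is None:
        # No authenticated attributes: the signature covers the content.
        return content_digest
    claimed = message_digest_attr(authattrs)
    if claimed is None:
        raise ValueError("authattrs present but no messageDigest attribute")
    if not hmac.compare_digest(claimed, content_digest):
        raise ValueError("messageDigest attribute does not match content")
    # The signature covers the Attributes value, digested with the SET OF
    # tag (0x31) in place of the IMPLICIT [0] tag (0xA0) used on the wire.
    return hashlib.sha256(bytes([TAG_SET]) + authattrs[1:]).digest()


def build_authattrs(content):
    """Constructed sample: contentType=data plus messageDigest of content."""
    ct = der(TAG_SEQ, der(TAG_OID, OID_CONTENT_TYPE)
             + der(TAG_SET, der(TAG_OID, OID_DATA)))
    md = der(TAG_SEQ, der(TAG_OID, OID_MESSAGE_DIGEST)
             + der(TAG_SET, der(TAG_OCTET, hashlib.sha256(content).digest())))
    return der(TAG_CTX0, ct + md)


if __name__ == "__main__":
    capsule = b"constructed capsule payload"   # sample data, not a real capsule
    attrs = build_authattrs(capsule)
    print("no authattrs  :", digest_to_verify(capsule).hex())
    print("with authattrs:", digest_to_verify(capsule, attrs).hex())
```

A verifier that hashes only the content when authenticated attributes are present compares the wrong value against the signature, which is the case the commit message addresses.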
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 04/14] qemu: arm64: Add support for dynamic mtdparts for the platform
Date: Mon, 21 Dec 2020 17:13:04 +0530
Message-Id: <20201221114314.25588-5-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

Add support for setting the default values for mtd partitions on the
platform for the nor flash. This would be used for updating the
firmware image using uefi capsule update with the dfu mtd backend
driver.

Signed-off-by: Sughosh Ganu
---
Changes since V1:
* Change MTDPARTS_NOR[01] as config options instead of defining them
  in the qemu-arm.h config header.
* Enable CONFIG_SYS_MTDPARTS_RUNTIME with
  CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT

 board/emulation/qemu-arm/Kconfig    | 20 +++++++++
 board/emulation/qemu-arm/qemu-arm.c | 70 +++++++++++++++++++++++++++++
 lib/efi_loader/Kconfig              |  1 +
 3 files changed, 91 insertions(+)

--
2.17.1

diff --git a/board/emulation/qemu-arm/Kconfig b/board/emulation/qemu-arm/Kconfig index 02ae4d9884..ed0097963a 100644 --- a/board/emulation/qemu-arm/Kconfig +++ b/board/emulation/qemu-arm/Kconfig
@@ -11,3 +11,23 @@ config BOARD_SPECIFIC_OPTIONS # dummy imply VIRTIO_BLK endif + +if TARGET_QEMU_ARM_64BIT && !TFABOOT + +config MTDPARTS_NOR0 + string "mtd boot partition for nor0" + default "64m(u-boot)" + depends on SYS_MTDPARTS_RUNTIME + help + This define the partition of nor0 used to build mtparts dynamically + for boot from nor0. + +config MTDPARTS_NOR1 + string "mtd u-boot env partition for nor1" + default "64m(u-boot-env)" + depends on SYS_MTDPARTS_RUNTIME + help + This define the partition of nor1 used to build mtparts dynamically + for the u-boot env stored on nor1. + +endif diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index aa68bef469..68f70cb9be 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c 
@@ -192,3 +192,73 @@ void flash_write32(u32 value, void *addr) { asm("str %" __W "1, %0" : "=m"(*(u32 *)addr) : "r"(value)); } + +#if defined(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) + +#include + +static void board_get_mtdparts(const char *dev, const char *partition, + char *mtdids, char *mtdparts) +{ + /* mtdids: "=, ...." */ + if (mtdids[0] != '\0') + strcat(mtdids, ","); + strcat(mtdids, dev); + strcat(mtdids, "="); + strcat(mtdids, dev); + + /* mtdparts: "mtdparts=:>;..." */ + if (mtdparts[0] != '\0') + strncat(mtdparts, ";", MTDPARTS_LEN); + else + strcat(mtdparts, "mtdparts="); + + strncat(mtdparts, dev, MTDPARTS_LEN); + strncat(mtdparts, ":", MTDPARTS_LEN); + strncat(mtdparts, partition, MTDPARTS_LEN); +} + +void board_mtdparts_default(const char **mtdids, const char **mtdparts) +{ + struct mtd_info *mtd; + struct udevice *dev; + const char *mtd_partition; + static char parts[3 * MTDPARTS_LEN + 1]; + static char ids[MTDIDS_LEN + 1]; + static bool mtd_initialized; + + if (mtd_initialized) { + *mtdids = ids; + *mtdparts = parts; + return; + } + + memset(parts, 0, sizeof(parts)); + memset(ids, 0, sizeof(ids)); + + /* probe all MTD devices */ + for (uclass_first_device(UCLASS_MTD, &dev); dev; + uclass_next_device(&dev)) { + debug("mtd device = %s\n", dev->name); + } + + mtd = get_mtd_device_nm("nor0"); + if (!IS_ERR_OR_NULL(mtd)) { + mtd_partition = CONFIG_MTDPARTS_NOR0; + board_get_mtdparts("nor0", mtd_partition, ids, parts); + put_mtd_device(mtd); + } + + mtd = get_mtd_device_nm("nor1"); + if (!IS_ERR_OR_NULL(mtd)) { + mtd_partition = CONFIG_MTDPARTS_NOR1; + board_get_mtdparts("nor1", mtd_partition, ids, parts); + put_mtd_device(mtd); + } + + mtd_initialized = true; + *mtdids = ids; + *mtdparts = parts; + debug("%s:mtdids=%s & mtdparts=%s\n", __func__, ids, parts); +} +#endif /* CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT */ diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 8746e10032..2cb0a6e399 100644 --- a/lib/efi_loader/Kconfig 
+++ b/lib/efi_loader/Kconfig 
@@ -135,6 +135,7 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT bool "Capsule: Firmware Management Protocol" depends on EFI_HAVE_CAPSULE_SUPPORT default y + select SYS_MTDPARTS_RUNTIME help Select this option if you want to enable capsule-based firmware update using Firmware Management Protocol. 
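Review bot: In board_get_mtdparts() (board/emulation/qemu-arm/qemu-arm.c) none of the appends are bounded by the space left in the destination. The mtdids side uses plain strcat() into a buffer of MTDIDS_LEN + 1 bytes, and the mtdparts side passes MTDPARTS_LEN as the third argument of strncat(), which limits the bytes taken from the source, not the total length of parts. The partition strings come from CONFIG_MTDPARTS_NOR0 and CONFIG_MTDPARTS_NOR1, which are free-form Kconfig strings, so a long value can run past the static buffers. Track the used length and pass the remaining space, or build both strings with snprintf() and check for truncation. MTDPARTS_LEN and MTDIDS_LEN are also used here while their #defines are only added to this file in 05/14; if no header provides them, this patch does not build on its own, which breaks bisection.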
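Review bot: The `select SYS_MTDPARTS_RUNTIME` added to EFI_CAPSULE_FIRMWARE_MANAGEMENT in lib/efi_loader/Kconfig ties a board-level choice to a generic option. The option is `default y`, and select forces the selected symbol on regardless of that symbol's own dependencies, so every configuration with capsule support gets runtime mtdparts, not only the qemu arm64 target this series is about. Consider `imply` instead, or select it from board/emulation/qemu-arm/Kconfig next to the MTDPARTS_NOR0 and MTDPARTS_NOR1 options.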
From patchwork Mon Dec 21 11:43:05 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 346405
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 05/14] qemu: arm64: Set dfu_alt_info variable for the platform
Date: Mon, 21 Dec 2020 17:13:05 +0530
Message-Id: <20201221114314.25588-6-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

The dfu framework uses the dfu_alt_info environment variable to get
information that is needed for performing the firmware update. Set the
dfu_alt_info for the platform to reflect the two mtd partitions
created for the u-boot env and the firmware image.

Signed-off-by: Sughosh Ganu
---
Changes since V1:
* Build set_dfu_alt_info and board_get_alt_info functions only if
  CONFIG_SET_DFU_ALT_INFO is defined
* Enable CONFIG_SET_DFU_ALT_INFO with
  CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT

 board/emulation/qemu-arm/qemu-arm.c | 57 +++++++++++++++++++++++++++++
 lib/efi_loader/Kconfig | 1 +
 2 files changed, 58 insertions(+)

-- 2.17.1

diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index 68f70cb9be..a7be3c7c1c 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c 
@@ -195,8 +195,65 @@ void flash_write32(u32 value, void *addr) #if defined(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) +#include #include +#define MTDPARTS_LEN 256 +#define MTDIDS_LEN 128 + +#define DFU_ALT_BUF_LEN SZ_1K + +#if defined(CONFIG_SET_DFU_ALT_INFO) +static void board_get_alt_info(struct mtd_info *mtd, char *buf) +{ + struct mtd_info *part; + bool first = true; + const char *name; + int len, partnum = 0; + + name = mtd->name; + len = strlen(buf); + + if (buf[0] != '\0') + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "&"); + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, + "mtd %s=", name); + + list_for_each_entry(part, &mtd->partitions, node) { + partnum++; + if (!first) + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ";"); + first = false; + + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, + "%s part %d", + part->name, partnum); + } +} + +void set_dfu_alt_info(char *interface, char *devstr) +{ + struct mtd_info *mtd; + + ALLOC_CACHE_ALIGN_BUFFER(char, buf, DFU_ALT_BUF_LEN); + + if (env_get("dfu_alt_info")) + return; + + memset(buf, 0, sizeof(buf)); + + /* probe all MTD devices */ + mtd_probe_devices(); + + mtd = get_mtd_device_nm("nor0"); + if (!IS_ERR_OR_NULL(mtd)) + board_get_alt_info(mtd, buf); + + env_set("dfu_alt_info", buf); + printf("dfu_alt_info set\n"); +} +#endif /* CONFIG_SET_DFU_ALT_INFO */ + static void board_get_mtdparts(const char *dev, const char *partition, char *mtdids, char *mtdparts) { diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 2cb0a6e399..bc47e7fe76 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -136,6 +136,7 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT depends on EFI_HAVE_CAPSULE_SUPPORT default y select SYS_MTDPARTS_RUNTIME + select SET_DFU_ALT_INFO help Select this option if you want to enable capsule-based firmware update using Firmware Management Protocol. 
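Review bot: In board_get_alt_info() (board/emulation/qemu-arm/qemu-arm.c) every append is written as `len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ...)` with no check on the result. snprintf() returns the length the output would have had, so once one call truncates, len is larger than DFU_ALT_BUF_LEN, the next size argument goes negative (a very large value once converted to size_t) and the write starts past the end of buf. Stop appending as soon as len reaches DFU_ALT_BUF_LEN, or clamp len after each call. Separately, set_dfu_alt_info() takes a reference with get_mtd_device_nm("nor0") and never calls put_mtd_device(), unlike board_mtdparts_default() in 04/14.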
From patchwork Mon Dec 21 11:43:06 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 346406
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 06/14] fsp: Move and rename fsp_types.h file
Date: Mon, 21 Dec 2020 17:13:06 +0530
Message-Id: <20201221114314.25588-7-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

The fsp_types.h header file contains macros for building signatures of
different widths. These signature macros are architecture agnostic,
and can be used in all places which use signatures in a data
structure. Move and rename the fsp_types.h under the common include
header.

Signed-off-by: Sughosh Ganu
Reviewed-by: Simon Glass
---
Changes since V1: None

This patch had been sent to the mailing list separately[1] and has
been reviewed by Simon Glass.

[1] - https://lists.denx.de/pipermail/u-boot/2020-December/434849.html

 arch/x86/include/asm/fsp/fsp_support.h | 3 ++-
 .../x86/include/asm/fsp/fsp_types.h => include/signatures.h | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
 rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)

-- 2.17.1
diff --git a/arch/x86/include/asm/fsp/fsp_support.h b/arch/x86/include/asm/fsp/fsp_support.h index 29e511415c..3cd3e4fcf5 100644 --- a/arch/x86/include/asm/fsp/fsp_support.h +++ b/arch/x86/include/asm/fsp/fsp_support.h @@ -7,11 +7,12 @@ #ifndef __FSP_SUPPORT_H__ #define __FSP_SUPPORT_H__ +#include + #include #include #include #include -#include #include #include diff --git a/arch/x86/include/asm/fsp/fsp_types.h b/include/signatures.h similarity index 95% rename from arch/x86/include/asm/fsp/fsp_types.h rename to include/signatures.h index 3d5b17ecf1..4042db1e00 100644 --- a/arch/x86/include/asm/fsp/fsp_types.h +++ b/include/signatures.h @@ -4,8 +4,8 @@ * Copyright (C) 2014, Bin Meng */ -#ifndef __FSP_TYPES_H__ -#define __FSP_TYPES_H__ +#ifndef __SIGNATURES_H__ +#define __SIGNATURES_H__ /** * Returns a 16-bit signature built from 2 ASCII characters. 
@@ -59,4 +59,4 @@ #define SIGNATURE_64(A, B, C, D, E, F, G, H) \ (SIGNATURE_32(A, B, C, D) | ((u64)(SIGNATURE_32(E, F, G, H)) << 32)) -#endif +#endif /* __SIGNATURES_H__ */ 
From patchwork Mon Dec 21 11:43:07 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 346407
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 07/14] efi_loader: Add logic to parse EDKII specific fmp payload header
Date: Mon, 21 Dec 2020 17:13:07 +0530
Message-Id: <20201221114314.25588-8-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

When building the capsule using scripts in edk2, a fmp header is added
on top of the binary payload. Add logic to detect presence of the
header. When present, the pointer to the image needs to be adjusted as
per the size of the header to point to the actual binary payload.

Signed-off-by: Sughosh Ganu
---
Changes since V1:
* Detect the presence of the FMP Payload header at runtime instead of
  using a Kconfig option, as was suggested by Heinrich

 lib/efi_loader/efi_firmware.c | 41 +++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

-- 2.17.1

diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 72c560dbc2..5d2ecde2f1 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c 
@@ -11,8 +11,30 @@ #include #include #include +#include + #include +#define FMP_PAYLOAD_HDR_SIGNATURE SIGNATURE_32('M', 'S', 'S', '1') + +/** + * struct fmp_payload_header - EDK2 header for the FMP payload + * + * This structure describes the header which is preprended to the + * FMP payload by the edk2 capsule generation scripts. + * + * @signature: Header signature used to identify the header + * @header_size: Size of the structure + * @fw_version: Firmware versions used + * @lowest_supported_version: Lowest supported version + */ +struct fmp_payload_header { + u32 signature; + u32 header_size; + u32 fw_version; + u32 lowest_supported_version; +}; + /* Place holder; not supported */ static efi_status_t EFIAPI efi_firmware_get_image_unsupported( 
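Review bot: struct fmp_payload_header declares fw_version and lowest_supported_version, but nothing in this patch reads them: the only fields used in efi_firmware_raw_set_image() are signature and header_size. lowest_supported_version is the field a rollback check would compare against, so either state in the kernel-doc that version checks are out of scope for this patch or add the comparison before the payload is written. Two small doc fixes in the same comment: "preprended" should be "prepended", and "@fw_version: Firmware versions used" does not say whose version it is.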
@@ -379,12 +401,31 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( efi_status_t (*progress)(efi_uintn_t completion), u16 **abort_reason) { + u32 fmp_hdr_signature; + struct fmp_payload_header *header; + EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, image_size, vendor_code, progress, abort_reason); if (!image) return EFI_EXIT(EFI_INVALID_PARAMETER); + fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE; + header = (void *)image; + + if (!memcmp(&header->signature, &fmp_hdr_signature, + sizeof(fmp_hdr_signature))) { + /* + * When building the capsule with the scripts in + * edk2, a FMP header is inserted above the capsule + * payload. Compensate for this header to get the + * actual payload that is to be updated. + */ + image += header->header_size; + image_size -= header->header_size; + + } + if (dfu_write_by_alt(image_index - 1, (void *)image, image_size, NULL, NULL)) return EFI_EXIT(EFI_DEVICE_ERROR); 
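Review bot: header->header_size is taken straight from the capsule and used in efi_firmware_raw_set_image() without any validation. If it is larger than image_size, `image_size -= header->header_size` underflows and dfu_write_by_alt() is handed a pointer past the end of the buffer together with a bogus length. The memcmp() on header->signature also reads the first four bytes before anything has checked that image_size is at least sizeof(*header). Check image_size >= sizeof(*header) before looking at the signature, then return EFI_INVALID_PARAMETER unless header_size is at least sizeof(*header) and less than image_size. The empty added line before the closing brace of the if block can be dropped.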
From patchwork Mon Dec 21 11:43:08 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 346408
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 08/14] dfu_mtd: Add provision to unlock mtd device
Date: Mon, 21 Dec 2020 17:13:08 +0530
Message-Id: <20201221114314.25588-9-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

Prior to writing to an mtd device, mtd_erase is called. This call
fails in case the sector being erased is locked. Call mtd_unlock to
unlock the region which is to be erased and later written to. Lock the
region once the write to the region has completed.
Signed-off-by: Sughosh Ganu --- Changes since V1: None drivers/dfu/dfu_mtd.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) -- 2.17.1 diff --git a/drivers/dfu/dfu_mtd.c b/drivers/dfu/dfu_mtd.c index 36cd4e945b..b34975dbb0 100644 --- a/drivers/dfu/dfu_mtd.c +++ b/drivers/dfu/dfu_mtd.c @@ -21,7 +21,7 @@ static bool mtd_is_aligned_with_block_size(struct mtd_info *mtd, u64 size) static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, u64 offset, void *buf, long *len) { - u64 off, lim, remaining; + u64 off, lim, remaining, lock_ofs, lock_len; struct mtd_info *mtd = dfu->data.mtd.info; struct mtd_oob_ops io_op = {}; int ret = 0; @@ -34,7 +34,7 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, return 0; } - off = dfu->data.mtd.start + offset + dfu->bad_skip; + off = lock_ofs = dfu->data.mtd.start + offset + dfu->bad_skip; lim = dfu->data.mtd.start + dfu->data.mtd.size; if (off >= lim) { @@ -56,12 +56,19 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, if (op == DFU_OP_WRITE) { struct erase_info erase_op = {}; - remaining = round_up(*len, mtd->erasesize); + remaining = lock_len = round_up(*len, mtd->erasesize); erase_op.mtd = mtd; erase_op.addr = off; erase_op.len = mtd->erasesize; erase_op.scrub = 0; + debug("Unlocking the mtd device\n"); + ret = mtd_unlock(mtd, lock_ofs, lock_len); + if (ret && ret != -EOPNOTSUPP) { + printf("MTD device unlock failed\n"); + return 0; + } + while (remaining) { if (erase_op.addr + remaining > lim) { printf("Limit reached 0x%llx while erasing at offset 0x%llx\n", 
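Review bot: In the DFU_OP_WRITE branch of mtd_block_op(), a failed mtd_unlock() prints "MTD device unlock failed" and then does `return 0`, which is the same value the function returns on success (ret is initialised to 0 and returned at the end). The caller cannot tell that nothing was erased or written; return ret here instead. The unlock is also issued for the full rounded-up length before the loop reaches its `erase_op.addr + remaining > lim` check, so a write that is about to be rejected for running past the limit has already unlocked flash beyond it. Move the limit check ahead of the unlock, or clamp lock_len to lim - off.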
@@ -139,6 +146,13 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, io_op.len = mtd->writesize; } + if (op == DFU_OP_WRITE) { + /* Write done, lock again */ + debug("Locking the mtd device\n"); + ret = mtd_lock(mtd, lock_ofs, lock_len); + if (ret && ret != -EOPNOTSUPP) + printf("MTD device lock failed\n"); + } return ret; } 
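Review bot: The relock at the end of mtd_block_op() stores the mtd_lock() result in ret, and the next line is `return ret`. That discards whatever status the code above had left in ret, so an earlier error followed by a successful lock is reported as success, and a device without lock support returns -EOPNOTSUPP even though the check just above treats that value as acceptable. Keep the lock result in a separate variable and let it replace ret only when ret is 0 and the error is not -EOPNOTSUPP. The region is also locked unconditionally, including when it was not locked before the update; if that is intended, the commit message should say so.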
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 09/14] efi_loader: Make the pkcs7 header parsing function an extern
Date: Mon, 21 Dec 2020 17:13:09 +0530
Message-Id: <20201221114314.25588-10-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

The pkcs7 header parsing functionality is pretty generic, and can be used by other features like capsule authentication. Make the function an extern, also changing its name to efi_parse_pkcs7_header.

Signed-off-by: Sughosh Ganu
---
Changes since V1: None

include/efi_loader.h | 4 ++
lib/efi_loader/efi_signature.c | 85 +++++++++++++++++++++++++++++++
lib/efi_loader/efi_variable.c | 93 ++--------------------------------
3 files changed, 93 insertions(+), 89 deletions(-)
-- 2.17.1
diff --git a/include/efi_loader.h b/include/efi_loader.h index 365f3d01dc..8807fcd913 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h 
@@ -818,6 +818,10 @@ bool efi_secure_boot_enabled(void); bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, + size_t buflen, + u8 **tmpbuf); + /* runtime implementation of memcpy() */ void efi_memcpy_runtime(void *dest, const void *src, size_t n); diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 79dee27421..9ab071b611 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -27,6 +27,91 @@ const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_EFI_SECURE_BOOT +static u8 pkcs7_hdr[] = { + /* SEQUENCE */ + 0x30, 0x82, 0x05, 0xc7, + /* OID: pkcs7-signedData */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, + /* Context Structured? */ + 0xa0, 0x82, 0x05, 0xb8, +}; + +/** + * efi_parse_pkcs7_header - parse a signature in payload + * @buf: Pointer to payload's value + * @buflen: Length of @buf + * @tmpbuf: Pointer to temporary buffer + * + * Parse a signature embedded in payload's value and instantiate + * a pkcs7_message structure. Since pkcs7_parse_message() accepts only + * pkcs7's signedData, some header needed be prepended for correctly + * parsing authentication data + * A temporary buffer will be allocated if needed, and it should be + * kept valid during the authentication because some data in the buffer + * will be referenced by efi_signature_verify(). + * + * Return: Pointer to pkcs7_message structure on success, NULL on error + */ +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, + size_t buflen, + u8 **tmpbuf) +{ + u8 *ebuf; + size_t ebuflen, len; + struct pkcs7_message *msg; + + /* + * This is the best assumption to check if the binary is + * already in a form of pkcs7's signedData. + */ + if (buflen > sizeof(pkcs7_hdr) && + !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { + msg = pkcs7_parse_message(buf, buflen); + if (IS_ERR(msg)) + return NULL; + return msg; + } + + /* + * Otherwise, we should add a dummy prefix sequence for pkcs7 + * message parser to be able to process. + * NOTE: EDK2 also uses similar hack in WrapPkcs7Data() + * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c + * TODO: + * The header should be composed in a more refined manner. 
+ */ + EFI_PRINT("Makeshift prefix added to authentication data\n"); + ebuflen = sizeof(pkcs7_hdr) + buflen; + if (ebuflen <= 0x7f) { + EFI_PRINT("Data is too short\n"); + return NULL; + } + + ebuf = malloc(ebuflen); + if (!ebuf) { + EFI_PRINT("Out of memory\n"); + return NULL; + } + + memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr)); + memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen); + len = ebuflen - 4; + ebuf[2] = (len >> 8) & 0xff; + ebuf[3] = len & 0xff; + len = ebuflen - 0x13; + ebuf[0x11] = (len >> 8) & 0xff; + ebuf[0x12] = len & 0xff; + + msg = pkcs7_parse_message(ebuf, ebuflen); + + if (IS_ERR(msg)) { + free(ebuf); + return NULL; + } + + *tmpbuf = ebuf; + return msg; +} /** * efi_hash_regions - calculate a hash value diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 0c689cfb47..ba0874e9e7 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c 
@@ -24,91 +24,6 @@ #include #ifdef CONFIG_EFI_SECURE_BOOT -static u8 pkcs7_hdr[] = { - /* SEQUENCE */ - 0x30, 0x82, 0x05, 0xc7, - /* OID: pkcs7-signedData */ - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, - /* Context Structured? */ - 0xa0, 0x82, 0x05, 0xb8, -}; - -/** - * efi_variable_parse_signature - parse a signature in variable - * @buf: Pointer to variable's value - * @buflen: Length of @buf - * @tmpbuf: Pointer to temporary buffer - * - * Parse a signature embedded in variable's value and instantiate - * a pkcs7_message structure. Since pkcs7_parse_message() accepts only - * pkcs7's signedData, some header needed be prepended for correctly - * parsing authentication data, particularly for variable's. - * A temporary buffer will be allocated if needed, and it should be - * kept valid during the authentication because some data in the buffer - * will be referenced by efi_signature_verify(). - * - * Return: Pointer to pkcs7_message structure on success, NULL on error - */ -static struct pkcs7_message *efi_variable_parse_signature(const void *buf, - size_t buflen, - u8 **tmpbuf) -{ - u8 *ebuf; - size_t ebuflen, len; - struct pkcs7_message *msg; - - /* - * This is the best assumption to check if the binary is - * already in a form of pkcs7's signedData. - */ - if (buflen > sizeof(pkcs7_hdr) && - !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { - msg = pkcs7_parse_message(buf, buflen); - if (IS_ERR(msg)) - return NULL; - return msg; - } - - /* - * Otherwise, we should add a dummy prefix sequence for pkcs7 - * message parser to be able to process. - * NOTE: EDK2 also uses similar hack in WrapPkcs7Data() - * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c - * TODO: - * The header should be composed in a more refined manner. 
- */ - EFI_PRINT("Makeshift prefix added to authentication data\n"); - ebuflen = sizeof(pkcs7_hdr) + buflen; - if (ebuflen <= 0x7f) { - EFI_PRINT("Data is too short\n"); - return NULL; - } - - ebuf = malloc(ebuflen); - if (!ebuf) { - EFI_PRINT("Out of memory\n"); - return NULL; - } - - memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr)); - memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen); - len = ebuflen - 4; - ebuf[2] = (len >> 8) & 0xff; - ebuf[3] = len & 0xff; - len = ebuflen - 0x13; - ebuf[0x11] = (len >> 8) & 0xff; - ebuf[0x12] = len & 0xff; - - msg = pkcs7_parse_message(ebuf, ebuflen); - - if (IS_ERR(msg)) { - free(ebuf); - return NULL; - } - - *tmpbuf = ebuf; - return msg; -} /** * efi_variable_authenticate - authenticate a variable 
@@ -215,10 +130,10 @@ static efi_status_t efi_variable_authenticate(u16 *variable, goto err; /* ebuf should be kept valid during the authentication */ - var_sig = efi_variable_parse_signature(auth->auth_info.cert_data, - auth->auth_info.hdr.dwLength - - sizeof(auth->auth_info), - &ebuf); + var_sig = efi_parse_pkcs7_header(auth->auth_info.cert_data, + auth->auth_info.hdr.dwLength + - sizeof(auth->auth_info), + &ebuf); if (!var_sig) { EFI_PRINT("Parsing variable's signature failed\n"); goto err; 
From patchwork Mon Dec 21 11:43:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346410
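Review bot: efi_parse_pkcs7_header() in lib/efi_loader/efi_signature.c writes *tmpbuf only on the makeshift-prefix path; when the input already carries the signedData OID it returns the parsed message without touching *tmpbuf. Now that the function is exported, either set `*tmpbuf = NULL;` on entry or state in the kernel-doc that callers must initialise the pointer to NULL before the call and free it once authentication is done. The wrapped length is also stored in two bytes (`ebuf[2] = (len >> 8) & 0xff; ebuf[3] = len & 0xff;`) while ebuflen is only checked against a lower bound, so an input longer than 0xffff bytes gets a truncated DER length; reject that case explicitly. pkcs7_hdr is only ever copied from and can be static const.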
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 10/14] efi_loader: Re-factor code to build the signature store from efi signature list
Date: Mon, 21 Dec 2020 17:13:10 +0530
Message-Id: <20201221114314.25588-11-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

The efi_sigstore_parse_sigdb function reads the uefi authenticated variable, stored in the signature database format, and builds the signature store structure. Factor out the code for building the signature store. This can then be used by the capsule authentication routine to build the signature store even when the signature database is not stored as a uefi authenticated variable.

Signed-off-by: Sughosh Ganu --- Changes since V1: None include/efi_loader.h | 2 + lib/efi_loader/efi_signature.c | 103 +++++++++++++++++++-------------- 2 files changed, 63 insertions(+), 42 deletions(-) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 8807fcd913..73c3c4b85a 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -811,6 +811,8 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs, int nocheck); void efi_sigstore_free(struct efi_signature_store *sigstore); +struct efi_signature_store *efi_build_signature_store(void *sig_list, + efi_uintn_t size); struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name); bool efi_secure_boot_enabled(void); diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 9ab071b611..87525bdc80 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -736,6 +736,63 @@ err: return NULL; } +/** + * efi_sigstore_parse_sigdb - parse the signature list and populate + * the signature store + * + * @sig_list: Pointer to the signature list + * @size: Size of the signature list + * + * Parse the efi signature list and instantiate a signature store + * structure. + * + * Return: Pointer to signature store on success, NULL on error + */ +struct efi_signature_store *efi_build_signature_store(void *sig_list, + efi_uintn_t size) +{ + struct efi_signature_list *esl; + struct efi_signature_store *sigstore = NULL, *siglist; + + esl = sig_list; + while (size > 0) { + /* List must exist if there is remaining data. */ + if (size < sizeof(*esl)) { + EFI_PRINT("Signature list in wrong format\n"); + goto err; + } + + if (size < esl->signature_list_size) { + EFI_PRINT("Signature list in wrong format\n"); + goto err; + } + + /* Parse a single siglist. */ + siglist = efi_sigstore_parse_siglist(esl); + if (!siglist) { + EFI_PRINT("Parsing of signature list of failed\n"); + goto err; + } + + /* Append siglist */ + siglist->next = sigstore; + sigstore = siglist; + + /* Next */ + size -= esl->signature_list_size; + esl = (void *)esl + esl->signature_list_size; + } + free(sig_list); + + return sigstore; + +err: + efi_sigstore_free(sigstore); + free(sig_list); + + return NULL; +} + /** * efi_sigstore_parse_sigdb - parse a signature database variable * @name: Variable's name @@ -747,8 +804,7 @@ err: */ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) { - struct efi_signature_store *sigstore = NULL, *siglist; - struct efi_signature_list *esl; + struct efi_signature_store *sigstore = NULL; const efi_guid_t *vendor; void *db; efi_uintn_t db_size; 
@@ -784,47 +840,10 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db)); if (ret != EFI_SUCCESS) { EFI_PRINT("Getting variable, %ls, failed\n", name); - goto err; - } - - /* Parse siglist list */ - esl = db; - while (db_size > 0) { - /* List must exist if there is remaining data. */ - if (db_size < sizeof(*esl)) { - EFI_PRINT("variable, %ls, in wrong format\n", name); - goto err; - } - - if (db_size < esl->signature_list_size) { - EFI_PRINT("variable, %ls, in wrong format\n", name); - goto err; - } - - /* Parse a single siglist. */ - siglist = efi_sigstore_parse_siglist(esl); - if (!siglist) { - EFI_PRINT("Parsing signature list of %ls failed\n", - name); - goto err; - } - - /* Append siglist */ - siglist->next = sigstore; - sigstore = siglist; - - /* Next */ - db_size -= esl->signature_list_size; - esl = (void *)esl + esl->signature_list_size; + free(db); + return NULL; } - free(db); - - return sigstore; -err: - efi_sigstore_free(sigstore); - free(db); - - return NULL; + return efi_build_signature_store(db, db_size); } #endif /* CONFIG_EFI_SECURE_BOOT */ 
From patchwork Mon Dec 21 11:43:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346411
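Review bot: the kernel-doc block above the new efi_build_signature_store() in lib/efi_loader/efi_signature.c is still titled efi_sigstore_parse_sigdb, and it does not say that the function calls free(sig_list) on both the success and the error path. That ownership transfer is the contract every new caller depends on (the buffer must be heap-allocated and must not be used or freed afterwards), so it belongs in the comment together with the corrected name. In the loop, size is only compared against esl->signature_list_size from above; unless efi_sigstore_parse_siglist() rejects it, a signature_list_size of 0 never advances esl or shrinks size, so a lower-bound check against sizeof(*esl) here would keep the parser safe for lists that do not come from an authenticated variable. The message "Parsing of signature list of failed" has a stray "of".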
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 11/14] efi: capsule: Add support for uefi capsule authentication
Date: Mon, 21 Dec 2020 17:13:11 +0530
Message-Id: <20201221114314.25588-12-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list (esl) file -- this file contains the x509 certificate which is the root certificate.

Signed-off-by: Sughosh Ganu
---
Changes since V1: None

board/emulation/qemu-arm/qemu-arm.c | 36 ++++++++
include/efi_api.h | 18 ++++
include/efi_loader.h | 6 ++
lib/efi_loader/Kconfig | 17 ++++
lib/efi_loader/efi_capsule.c | 122 ++++++++++++++++++++++++++++
lib/efi_loader/efi_signature.c | 4 +-
6 files changed, 201 insertions(+), 2 deletions(-)
-- 2.17.1
diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index a7be3c7c1c..c10bd0401f 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c 
@@ -203,6 +203,42 @@ void flash_write32(u32 value, void *addr) #define DFU_ALT_BUF_LEN SZ_1K +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + EFI_PRINT("Unable to get signature node offset\n"); + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + EFI_PRINT("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + + return 0; +} + +bool efi_capsule_auth_enabled(void) +{ + return env_get("capsule_authentication_enabled") != NULL ? + true : false; +} + #if defined(CONFIG_SET_DFU_ALT_INFO) static void board_get_alt_info(struct mtd_info *mtd, char *buf) { diff --git a/include/efi_api.h b/include/efi_api.h index e82d4ca9ff..ecb43a0607 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -1812,6 +1812,24 @@ struct efi_variable_authentication_2 { struct win_certificate_uefi_guid auth_info; } __attribute__((__packed__)); +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __attribute__((__packed__)); + + /** * efi_signature_data - A format of signature * diff --git a/include/efi_loader.h b/include/efi_loader.h index 73c3c4b85a..fb3e974aa1 100644 --- a/include/efi_loader.h 
+++ b/include/efi_loader.h @@ -817,6 +817,8 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name); bool efi_secure_boot_enabled(void); +bool efi_capsule_auth_enabled(void); + bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); @@ -844,6 +846,10 @@ efi_status_t EFIAPI efi_query_capsule_caps( u64 *maximum_capsule_size, u32 *reset_type); +efi_status_t efi_capsule_authenticate(const void *capsule, + efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size); + #define EFI_CAPSULE_DIR L"\\EFI\\UpdateCapsule\\" /* Hook at initialization */ diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index bc47e7fe76..3e8533c430 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -141,6 +141,23 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT Select this option if you want to enable capsule-based firmware update using Firmware Management Protocol. +config EFI_CAPSULE_AUTHENTICATE + bool "Update Capsule authentication" + depends on EFI_CAPSULE_FIRMWARE + depends on EFI_CAPSULE_ON_DISK + depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT + select SHA256 + select RSA + select RSA_VERIFY + select RSA_VERIFY_WITH_PKEY + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + select PKCS7_VERIFY + default n + help + Select this option if you want to enable capsule + authentication + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index ea22ee7968..d9a7bbd509 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -14,6 +14,10 @@ #include #include +#include +#include +#include + const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID; static const efi_guid_t efi_guid_firmware_management_capsule_id = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
@@ -191,6 +195,124 @@ skip: return NULL; } +#if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) + +const efi_guid_t efi_guid_capsule_root_cert_guid = + EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; + +__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + /* The platform is supposed to provide + * a method for getting the public key + * stored in the form of efi signature + * list + */ + return 0; +} + +efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size) +{ + u8 *buf; + int ret; + void *fdt_pkey, *pkey; + efi_uintn_t pkey_len; + uint64_t monotonic_count; + struct efi_signature_store *truststore; + struct pkcs7_message *capsule_sig; + struct efi_image_regions *regs; + struct efi_firmware_image_authentication *auth_hdr; + efi_status_t status; + + status = EFI_SECURITY_VIOLATION; + capsule_sig = NULL; + truststore = NULL; + regs = NULL; + + /* Sanity checks */ + if (capsule == NULL || capsule_size == 0) + goto out; + + auth_hdr = (struct efi_firmware_image_authentication *)capsule; + if (capsule_size < sizeof(*auth_hdr)) + goto out; + + if (auth_hdr->auth_info.hdr.dwLength <= + offsetof(struct win_certificate_uefi_guid, cert_data)) + goto out; + + if (guidcmp(&auth_hdr->auth_info.cert_type, &efi_guid_cert_type_pkcs7)) + goto out; + + *image = (uint8_t *)capsule + sizeof(auth_hdr->monotonic_count) + + auth_hdr->auth_info.hdr.dwLength; + *image_size = capsule_size - auth_hdr->auth_info.hdr.dwLength - + sizeof(auth_hdr->monotonic_count); + memcpy(&monotonic_count, &auth_hdr->monotonic_count, + sizeof(monotonic_count)); + + /* data to be digested */ + regs = calloc(sizeof(*regs) + sizeof(struct image_region) * 2, 1); + if (!regs) + goto out; + + regs->max = 2; + efi_image_region_add(regs, (uint8_t *)*image, + (uint8_t *)*image + *image_size, 1); + + efi_image_region_add(regs, (uint8_t *)&monotonic_count, + (uint8_t *)&monotonic_count + sizeof(monotonic_count), + 1); + + capsule_sig = 
efi_parse_pkcs7_header(auth_hdr->auth_info.cert_data, + auth_hdr->auth_info.hdr.dwLength + - sizeof(auth_hdr->auth_info), + &buf); + if (IS_ERR(capsule_sig)) { + debug("Parsing variable's pkcs7 header failed\n"); + capsule_sig = NULL; + goto out; + } + + ret = efi_get_public_key_data(&fdt_pkey, &pkey_len); + if (ret < 0) + goto out; + + pkey = malloc(pkey_len); + if (!pkey) + goto out; + + memcpy(pkey, fdt_pkey, pkey_len); + truststore = efi_build_signature_store(pkey, pkey_len); + if (!truststore) + goto out; + + /* verify signature */ + if (efi_signature_verify(regs, capsule_sig, truststore, NULL)) { + debug("Verified\n"); + } else { + debug("Verifying variable's signature failed\n"); + goto out; + } + + status = EFI_SUCCESS; + +out: + efi_sigstore_free(truststore); + pkcs7_free_message(capsule_sig); + free(regs); + + return status; +} +#else +efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size) +{ + return EFI_UNSUPPORTED; +} +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */ + + /** * efi_capsule_update_firmware - update firmware from capsule * @capsule_data: Capsule diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 87525bdc80..c7ec275414 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -26,7 +26,7 @@ const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; -#ifdef CONFIG_EFI_SECURE_BOOT +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) static u8 pkcs7_hdr[] = { /* SEQUENCE */ 0x30, 0x82, 0x05, 0xc7, 
@@ -846,4 +846,4 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) return efi_build_signature_store(db, db_size); } -#endif /* CONFIG_EFI_SECURE_BOOT */ +#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
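Review bot: in efi_capsule_authenticate() (the lib/efi_loader/efi_capsule.c hunk), auth_hdr->auth_info.hdr.dwLength is checked only against a lower bound before it is used to compute *image and *image_size, so a capsule whose dwLength is larger than capsule_size - sizeof(auth_hdr->monotonic_count) makes the unsigned *image_size wrap and moves *image past the end of the buffer, and both values are then handed to efi_image_region_add(). Reject the capsule unless dwLength fits inside capsule_size before doing the pointer arithmetic. Two smaller points in the same function: the __weak efi_get_public_key_data() returns 0 without setting *pkey or *pkey_len, so a platform that does not override it reaches malloc(pkey_len) and memcpy() with uninitialised values, and returning a negative error from the default would make it fail closed; and buf, filled in through efi_parse_pkcs7_header(..., &buf), is never used or freed afterwards, so please check whether the callee allocates it. The debug strings "Parsing variable's pkcs7 header failed" and "Verifying variable's signature failed" also still refer to variables rather than the capsule.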
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 12/14] efi_loader: Enable uefi capsule authentication
Date: Mon, 21 Dec 2020 17:13:12 +0530
Message-Id: <20201221114314.25588-13-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

Add support for enabling uefi capsule authentication. This feature is enabled by setting the environment variable "capsule_authentication_enabled".

The following configs are needed for enabling uefi capsule update and capsule authentication features on the platform.

CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y

Signed-off-by: Sughosh Ganu
---
Changes since V1: None

lib/efi_loader/efi_firmware.c | 36 ++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
--
2.17.1
diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 5d2ecde2f1..5e401bbca2 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c
@@ -184,9 +184,16 @@ static efi_status_t efi_get_dfu_info( image_info[i].version_name = NULL; /* not supported */ image_info[i].size = 0; image_info[i].attributes_supported = - IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | + IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; image_info[i].attributes_setting = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + + /* Check if the capsule authentication is enabled */ + if (env_get("capsule_authentication_enabled")) + image_info[0].attributes_setting |= + IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; + image_info[i].lowest_supported_image_version = 0; image_info[i].last_attempt_version = 0; image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS; @@ -403,6 +410,9 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( { u32 fmp_hdr_signature; struct fmp_payload_header *header; + void *capsule_payload; + efi_status_t status; + efi_uintn_t capsule_payload_size; EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, image_size, vendor_code, progress, abort_reason); 
@@ -410,6 +420,30 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( if (!image) return EFI_EXIT(EFI_INVALID_PARAMETER); + /* Authenticate the capsule if authentication enabled */ + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && + env_get("capsule_authentication_enabled")) { + capsule_payload = NULL; + capsule_payload_size = 0; + status = efi_capsule_authenticate(image, image_size, + &capsule_payload, + &capsule_payload_size); + + if (status == EFI_SECURITY_VIOLATION) { + printf("Capsule authentication check failed. Aborting update\n"); + return EFI_EXIT(status); + } else if (status != EFI_SUCCESS) { + return EFI_EXIT(status); + } + + debug("Capsule authentication successfull\n"); + image = capsule_payload; + image_size = capsule_payload_size; + } else { + debug("Capsule authentication disabled. "); + debug("Updating capsule without authenticating.\n"); + } + fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE; header = (void *)image;
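Review bot: in the efi_get_dfu_info() hunk of lib/efi_loader/efi_firmware.c, the new assignment writes image_info[0].attributes_setting while every neighbouring line indexes image_info[i], so for any i other than 0 the IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED flag lands on the wrong descriptor; use image_info[i] here. The env_get() test is also not guarded by IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) the way the efi_firmware_raw_set_image() hunk is, and attributes_supported gains the flag unconditionally, so a build without that config can report authentication as required while set_image takes the unauthenticated branch. Gate both on the config option.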
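Review bot: in the efi_firmware_raw_set_image() hunk, whether a capsule is authenticated depends on env_get("capsule_authentication_enabled"), so on a build with CONFIG_EFI_CAPSULE_AUTHENTICATE=y an unset or cleared environment variable sends the update down the else branch, which proceeds with only a debug() message. Consider making authentication unconditional when the config option is enabled, or at least replacing the debug() calls in the else branch with printf() so that an unauthenticated update is visible on the console. Status values other than EFI_SUCCESS and EFI_SECURITY_VIOLATION also return without any message, and "successfull" in the debug string should read "successful".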
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 13/14] efidebug: capsule: Add a command to update capsule on disk
Date: Mon, 21 Dec 2020 17:13:13 +0530
Message-Id: <20201221114314.25588-14-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

Add a efidebug subcommand to initiate a firmware update using the efi firmware management protocol(fmp) set_image routine.

The firmware update can be initiated through

'efidebug capsule disk-update'

This would locate the efi capsule file on the efi system partition, and call the platform's set_image fmp routine to initiate the firmware update.

Signed-off-by: Sughosh Ganu
---
Changes since V1: None

cmd/efidebug.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--
2.17.1
diff --git a/cmd/efidebug.c b/cmd/efidebug.c index fa9d7fe757..5fb7b1e3c6 100644 --- a/cmd/efidebug.c +++ b/cmd/efidebug.c @@ -79,6 +79,16 @@ static int do_efi_capsule_update(struct cmd_tbl *cmdtp, int flag, return CMD_RET_SUCCESS; } +static int do_efi_capsule_on_disk_update(struct cmd_tbl *cmdtp, int flag, + int argc, char * const argv[]) +{ + efi_status_t ret; + + ret = efi_launch_capsules(); + + return ret == EFI_SUCCESS ? CMD_RET_SUCCESS : CMD_RET_FAILURE; +} + /** * do_efi_capsule_show() - show capsule information *
@@ -207,6 +217,8 @@ static struct cmd_tbl cmd_efidebug_capsule_sub[] = { "", ""), U_BOOT_CMD_MKENT(show, CONFIG_SYS_MAXARGS, 1, do_efi_capsule_show, "", ""), + U_BOOT_CMD_MKENT(disk-update, 0, 0, do_efi_capsule_on_disk_update, + "", ""), U_BOOT_CMD_MKENT(result, CONFIG_SYS_MAXARGS, 1, do_efi_capsule_res, "", ""), }; 
@@ -1544,6 +1556,8 @@ static char efidebug_help_text[] = #ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT "efidebug capsule update [-v] \n" " - process a capsule\n" + "efidebug capsule disk-update\n" + " - update a capsule from disk\n" "efidebug capsule show \n" " - show capsule information\n" "efidebug capsule result []\n"
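Review bot: do_efi_capsule_on_disk_update() in the first cmd/efidebug.c hunk has no kernel-doc comment, although do_efi_capsule_show() directly below it has one; add a matching block that describes the parameters and the CMD_RET_SUCCESS / CMD_RET_FAILURE return. The function also discards the efi_status_t from efi_launch_capsules() without printing it, so a failed update gives the user no reason. Printing ret on the failure path would help.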
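Review bot: the new entry in cmd_efidebug_capsule_sub[] passes 0, 0 for the maxargs and repeatable fields, U_BOOT_CMD_MKENT(disk-update, 0, 0, ...), while the show and result entries around it use CONFIG_SYS_MAXARGS, 1. If the difference is deliberate a short comment would help; otherwise use the same values as the neighbouring entries, or a maxargs that matches what the subcommand actually accepts.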
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v2 14/14] qemu: arm64: Add documentation for capsule update
Date: Mon, 21 Dec 2020 17:13:14 +0530
Message-Id: <20201221114314.25588-15-sughosh.ganu@linaro.org>
In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org>
References: <20201221114314.25588-1-sughosh.ganu@linaro.org>

Add documentation highlighting the steps for using the uefi capsule update feature for updating the u-boot firmware image.

Signed-off-by: Sughosh Ganu
---
Changes since V1:
* Change the documentation to reflect the usage of overlays for embedding the public key certs at runtime
* Fix the build for 'make htmldocs'

doc/board/emulation/qemu-arm.rst | 188 +++++++++++++++++++++++++++++++
1 file changed, 188 insertions(+)
--
2.17.1
diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst index 8d7fda10f1..11d91811b3 100644 --- a/doc/board/emulation/qemu-arm.rst +++ b/doc/board/emulation/qemu-arm.rst
@@ -90,3 +90,191 @@ The debug UART on the ARM virt board uses these settings:: CONFIG_DEBUG_UART_PL010=y CONFIG_DEBUG_UART_BASE=0x9000000 CONFIG_DEBUG_UART_CLOCK=0 + +Enabling Uefi Capsule Update feature +------------------------------------ + +Support has been added for the uefi capsule update feature which +enables updating the u-boot image using the uefi firmware management +protocol (fmp). The capsules are not passed to the firmware through +the UpdateCapsule runtime service. Instead, capsule-on-disk +functionality is used for fetching the capsule from the EFI System +Partition (ESP). + +Currently, support has been added for updating the u-boot binary as a +raw image when the platform is booted in non-secure mode, i.e with +CONFIG_TFABOOT disabled. For this configuration, the qemu platform +needs to be booted with 'secure=off'. The u-boot binary placed on the +first bank of the Nor Flash at offset 0x0. The u-boot environment is +placed on the second Nor Flash bank at offset 0x4000000. + +The capsule update feature is enabled with the following configs:: + + CONFIG_MTD=y + CONFIG_FLASH_CFI_MTD=y + CONFIG_CMD_MTDPARTS=y + CONFIG_CMD_DFU=y + CONFIG_DFU_MTD=y + CONFIG_PCI_INIT_R=y + CONFIG_EFI_CAPSULE_ON_DISK=y + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y + CONFIG_EFI_CAPSULE_FIRMWARE=y + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + CONFIG_EFI_CAPSULE_FMP_HEADER=y + +In addition, the following config needs to be disabled:: + + CONFIG_TFABOOT + +The capsule file can be generated by using the GenerateCapsule.py +script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --fw-version --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + --verbose + +As per the uefi specification, the capsule file needs to be placed on +the EFI System Partition, under the EFI/UpdateCapsule/ directory. The +EFI System Partition can be a virtio-blk-device. 
+ +Before initiating the firmware update, the efi variables BootNext, +BootXXXX and OsIndications need to be set. The BootXXXX variable needs +to be pointing to the EFI System Partition which contains the capsule +file. The BootNext, BootXXXX and OsIndications variables can be set +using the following commands:: + + => efidebug boot add 0 Boot0000 virtio 0:1 + => efidebug boot next 0 + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => saveenv + +Finally, the capsule update can be initiated with the following +command:: + + => efidebug capsule disk-update + +The updated u-boot image will be booted on subsequent boot. + +Enabling Capsule Authentication +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The uefi specification defines a way of authenticating the capsule to +be updated by verifying the capsule signature. The capsule signature +is computed and prepended to the capsule payload at the time of +capsule generation. This signature is then verified by using the +public key stored as part of the X509 certificate. This certificate is +in the form of an efi signature list (esl) file, which is embedded as +part of the platform's device tree blob using the mkeficapsule +utility. + +On the qemu virt platforms, the device-tree is generated on the fly +based on the devices configured. This device tree is then passed on to +the various software components booting on the platform, including +u-boot. Therefore, on the qemu virt platform, the signatute is +embedded on an overlay. This overlay is then applied at runtime to the +base platform device-tree. Steps needed for embedding the esl file in +the overlay are highlighted below. + +The capsule authentication feature can be enabled through the +following config, in addition to the configs listed above for capsule +update:: + + CONFIG_EFI_CAPSULE_AUTHENTICATE=y + +The public and private keys used for the signing process are generated +and used by the steps highlighted below:: + + 1. 
Install utility commands on your host + * openssl + * efitools + + 2. Create signing keys and certificate files on your host + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ + -keyout CRT.key -out CRT.crt -nodes -days 365 + $ cert-to-efi-sig-list CRT.crt CRT.esl + + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem + + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem + +The capsule file can be generated by using the GenerateCapsule.py +script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --monotonic-count --fw-version \ + --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ + --update-image-index --signer-private-cert \ + /path/to/CRT.pem --trusted-public-cert \ + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ + + +Place the capsule generated in the above step on the EFI System +Partition under the EFI/UpdateCapsule directory + +For embedding the public key certificate, the following steps need to +be followed:: + + 1. Generate a skeleton overlay dts file, with a single fragment + node and an empty __overlay__ node + + 2. Convert the dts to a corresponding dtb with the following + command + ./scripts/dtc/dtc -@ -I dts -O dtb -o \ + + + 3. Run the dtb file generated above through the mkeficapsule tool + in u-boot + ./tools/mkeficapsule -O -D + +Running the above command results in the creation of a 'signature' +node in the dtb, under which the public key is stored as a +'capsule-key' property. The '-O' option is to be used since the +public key certificate(esl) file is being embedded in an overlay. + +The dtb file embedded with the certificate is now to be placed on an +EFI System Partition. This would then be loaded and "merged" with the +base platform fdt at runtime. 
+ +Build u-boot with the following steps:: + + $ make qemu_arm64_defconfig + $ make menuconfig + Disable CONFIG_TFABOOT + Enable CONFIG_EFI_CAPSULE_AUTHENTICATE + Enable all configs needed for capsule update(listed above) + $ make all + +Boot the platform and perform the following steps on the u-boot +command line:: + + 1. Enable capsule authentication by setting the following env + variable + + => setenv capsule_authentication_enabled 1 + => saveenv + + 2. Load the overlay dtb to memory and merge it with the base fdt + + => fatload virtio 0:1 <$fdtovaddr> EFI/ + => fdt addr $fdtcontroladdr + => fdt resize + => fdt apply <$fdtovaddr> + + 3. Set the following env and efi Boot variables + + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => efidebug boot add 0 Boot0000 virtio 0:1 + => efidebug boot next 0 + => saveenv + + 4. Finally, the capsule update can be initiated with the following + command + + => efidebug capsule disk-update + +On subsequent reboot, the platform should boot the updated u-boot binary.
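Review bot: in the "Enabling Capsule Authentication" section of doc/board/emulation/qemu-arm.rst, the overlay dtb carrying the capsule-key is loaded with fatload from the same EFI System Partition (virtio 0:1) that holds the capsule under EFI/UpdateCapsule, and authentication is switched on through the capsule_authentication_enabled environment variable, so the documented flow keeps both the trust anchor and the enable switch on storage that can be modified at runtime. Please state this limitation in the text, or describe where the key should live on a platform with a fixed device tree, so that readers do not copy the qemu arrangement as is. Smaller fixes: "signatute" should be "signature" (and that sentence means the public key certificate, not the signature, is embedded in the overlay), "The u-boot binary placed on the first bank" is missing "is", and the sentence ending "under the EFI/UpdateCapsule directory" lacks a full stop.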