Message ID | 161861636024.298230.15188986250483737028.stgit@localhost |
---|---|
State | Superseded |
Series | arm64: synquacer: Add SynQuacer/DeveloperBox support |
On 4/17/21 1:39 AM, Masami Hiramatsu wrote: > Since the EDK2 GenerateCapsule script is out of date and it > doesn't generate the supported version capsule file, the document > should refer the mkeficapsule in tools. > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> > --- > doc/board/emulation/qemu_capsule_update.rst | 11 ++--------- > 1 file changed, 2 insertions(+), 9 deletions(-) > > diff --git a/doc/board/emulation/qemu_capsule_update.rst b/doc/board/emulation/qemu_capsule_update.rst > index 9fec75f8f1..e2a9f0db71 100644 > --- a/c > +++ b/doc/board/emulation/qemu_capsule_update.rst > @@ -39,16 +39,9 @@ In addition, the following config needs to be disabled(QEMU ARM specific):: > > CONFIG_TFABOOT > > -The capsule file can be generated by using the GenerateCapsule.py > -script in EDKII:: > - > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > - <capsule_file_name> --fw-version <val> --lsv <val> --guid \ > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ > - <val> --verbose <u-boot.bin> > +The capsule file can be generated by using the tools/mkeficapsule:: > > -The above is a wrapper script(GenerateCapsule) which eventually calls > -the actual GenerateCapsule.py script. > + $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> Thanks for the change. Could you, please, adjust the same in chapter "Enabling Capsule Authentication" below. Best regards Heinrich > > As per the UEFI specification, the capsule file needs to be placed on > the EFI System Partition, under the \EFI\UpdateCapsule directory. The >
On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > On 4/17/21 1:39 AM, Masami Hiramatsu wrote: > > Since the EDK2 GenerateCapsule script is out of date and it > > doesn't generate the supported version capsule file, the document > > should refer the mkeficapsule in tools. > > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> > > --- > > doc/board/emulation/qemu_capsule_update.rst | 11 ++--------- > > 1 file changed, 2 insertions(+), 9 deletions(-) > > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst > b/doc/board/emulation/qemu_capsule_update.rst > > index 9fec75f8f1..e2a9f0db71 100644 > > --- a/c > > +++ b/doc/board/emulation/qemu_capsule_update.rst 
> > @@ -39,16 +39,9 @@ In addition, the following config needs to be > disabled(QEMU ARM specific):: > > > > CONFIG_TFABOOT > > > > -The capsule file can be generated by using the GenerateCapsule.py > > -script in EDKII:: > > - > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > - <capsule_file_name> --fw-version <val> --lsv <val> --guid \ > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index > \ > > - <val> --verbose <u-boot.bin> > > +The capsule file can be generated by using the tools/mkeficapsule:: > > > > -The above is a wrapper script(GenerateCapsule) which eventually calls > > -the actual GenerateCapsule.py script. > > + $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > Thanks for the change. > > Could you, please, adjust the same in chapter "Enabling Capsule > Authentication" below. > Currently, we do not have support for adding authentication header to the capsule. This is because I have been using the GenerateCapsule script in edk2 for generation of a capsule with authentication header. I think adding the signature to the capsule is easier when done through a python script rather than C code. I am working on adding support for the latest version of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule script in edk2. Meanwhile, would it be possible to have support for the version 2 of this header in the capsule driver -- it is a minor change and I already have a patch for it. If you are fine, I can submit a patch for the same. -sughosh > > Best regards > > Heinrich > > > > > As per the UEFI specification, the capsule file needs to be placed on > > the EFI System Partition, under the \EFI\UpdateCapsule directory. The > > > >
Sughosh, On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote: > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt <xypron.glpk@gmx.de> > wrote: > > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote: > > > Since the EDK2 GenerateCapsule script is out of date and it > > > doesn't generate the supported version capsule file, the document > > > should refer the mkeficapsule in tools. > > > > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> > > > --- > > > doc/board/emulation/qemu_capsule_update.rst | 11 ++--------- > > > 1 file changed, 2 insertions(+), 9 deletions(-) > > > > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst > > b/doc/board/emulation/qemu_capsule_update.rst > > > index 9fec75f8f1..e2a9f0db71 100644 > > > --- a/c > > > +++ b/doc/board/emulation/qemu_capsule_update.rst 
> > > @@ -39,16 +39,9 @@ In addition, the following config needs to be > > disabled(QEMU ARM specific):: > > > > > > CONFIG_TFABOOT > > > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > -script in EDKII:: > > > - > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > - <capsule_file_name> --fw-version <val> --lsv <val> --guid \ > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index > > \ > > > - <val> --verbose <u-boot.bin> > > > +The capsule file can be generated by using the tools/mkeficapsule:: > > > > > > -The above is a wrapper script(GenerateCapsule) which eventually calls > > > -the actual GenerateCapsule.py script. > > > + $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > > > Thanks for the change. > > > > Could you, please, adjust the same in chapter "Enabling Capsule > > Authentication" below. > > > > Currently, we do not have support for adding authentication header to the > capsule. This is because I have been using the GenerateCapsule script in > edk2 for generation of a capsule with authentication header. I think adding > the signature to the capsule is easier when done through a python script > rather than C code. Why do you think so? At a quick glance at the script, it internally uses openssl command like: openssl smime -sign -binary -outform DER -md sha256 \ -signer <...> -certfile <...> (See PayloadDescriptor.Encode in the script.) The output from the standard output is exactly what you want to use to build a capsule file, that is "AuthInfo". Then you can naturally extend mkeficapsule to insert this signature between the header and the image itself in a capsule file. Furthermore, I believe, it is fairly straightforward to add a native 'signing' feature to mkeficapsule if you use openssl library. -Takahiro Akashi > I am working on adding support for the latest version > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule > script in edk2. 
Meanwhile, would it be possible to have support for the > version 2 of this header in the capsule driver -- it is a minor change and > I already have a patch for it. If you are fine, I can submit a patch for > the same. > > -sughosh > > > > > > Best regards > > > > Heinrich > > > > > > > > As per the UEFI specification, the capsule file needs to be placed on > > > the EFI System Partition, under the \EFI\UpdateCapsule directory. The > > > > > > >
Hi, On Mon, 19 Apr 2021 at 9:37, Takahiro Akashi <takahiro.akashi@linaro.org> wrote: > > Sughosh, > > On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote: > > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt <xypron.glpk@gmx.de> > > wrote: > > > > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote: > > > > Since the EDK2 GenerateCapsule script is out of date and it > > > > doesn't generate the supported version capsule file, the document > > > > should refer the mkeficapsule in tools. > > > > > > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> > > > > --- > > > > doc/board/emulation/qemu_capsule_update.rst | 11 ++--------- > > > > 1 file changed, 2 insertions(+), 9 deletions(-) > > > > > > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst > > > b/doc/board/emulation/qemu_capsule_update.rst > > > > index 9fec75f8f1..e2a9f0db71 100644 > > > > --- a/c > > > > +++ b/doc/board/emulation/qemu_capsule_update.rst 
> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to be > > > disabled(QEMU ARM specific):: > > > > > > > > CONFIG_TFABOOT > > > > > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > > -script in EDKII:: > > > > - > > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > > - <capsule_file_name> --fw-version <val> --lsv <val> --guid \ > > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index > > > \ > > > > - <val> --verbose <u-boot.bin> > > > > +The capsule file can be generated by using the tools/mkeficapsule:: > > > > > > > > -The above is a wrapper script(GenerateCapsule) which eventually calls > > > > -the actual GenerateCapsule.py script. > > > > + $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > > > > > Thanks for the change. > > > > > > Could you, please, adjust the same in chapter "Enabling Capsule > > > Authentication" below. So as Sughosh said, since currently mkeficapsule doesn't support authentication, I only changed it for the normal capsule update. Without this change, the capsule update just failed. > > Currently, we do not have support for adding authentication header to the > > capsule. This is because I have been using the GenerateCapsule script in > > edk2 for generation of a capsule with authentication header. I think adding > > the signature to the capsule is easier when done through a python script > > rather than C code. > > Why do you think so? > At a quick glance at the script, it internally uses openssl command like: > openssl smime -sign -binary -outform DER -md sha256 \ > -signer <...> -certfile <...> > (See PayloadDescriptor.Encode in the script.) > > The output from the standard output is exactly what you want > to use to build a capsule file, that is "AuthInfo". > Then you can naturally extend mkeficapsule to insert this signature > between the header and the image itself in a capsule file. 
Hmm, if it can be done by just calling openssl, I think it is easier for me to run the tools/mkeficapsule, because I don't need to build EDK2 for U-Boot. If GenerateCapsule becomes a standard implementation and independent from the EDK2 project, from the interoperability point of view, it is better to use that. But it is a part of EDK2 and the GenerateCapsule seems out-of-date and not maintained well (why doesn't it support the latest version yet??) Thank you, > Furthermore, I believe, it is fairly straightforward to add a native > 'signing' feature to mkeficapsule if you use openssl library. > > -Takahiro Akashi > > > > I am working on adding support for the latest version > > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule > > script in edk2. Meanwhile, would it be possible to have support for the > > version 2 of this header in the capsule driver -- it is a minor change and > > I already have a patch for it. If you are fine, I can submit a patch for > > the same. > > > > -sughosh > > > > > > > > > > Best regards > > > > > > Heinrich > > > > > > > > > > > As per the UEFI specification, the capsule file needs to be placed on > > > > the EFI System Partition, under the \EFI\UpdateCapsule directory. The > > > > > > > > > > -- Masami Hiramatsu
On 19 April 2021 04:24:37 CEST, Masami Hiramatsu <masami.hiramatsu@linaro.org> wrote: >Hi, > >On Mon, 19 Apr 2021 at 9:37, Takahiro Akashi <takahiro.akashi@linaro.org> wrote: >> >> Sughosh, >> >> On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote: >> > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt ><xypron.glpk@gmx.de> >> > wrote: >> > >> > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote: >> > > > Since the EDK2 GenerateCapsule script is out of date and it >> > > > doesn't generate the supported version capsule file, the >document >> > > > should refer the mkeficapsule in tools. >> > > > >> > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> >> > > > --- >> > > > doc/board/emulation/qemu_capsule_update.rst | 11 >++--------- >> > > > 1 file changed, 2 insertions(+), 9 deletions(-) >> > > > >> > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst >> > > b/doc/board/emulation/qemu_capsule_update.rst >> > > > index 9fec75f8f1..e2a9f0db71 100644 >> > > > --- a/c >> > > > +++ b/doc/board/emulation/qemu_capsule_update.rst 
>> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to >be >> > > disabled(QEMU ARM specific):: >> > > > >> > > > CONFIG_TFABOOT >> > > > >> > > > -The capsule file can be generated by using the >GenerateCapsule.py >> > > > -script in EDKII:: >> > > > - >> > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o >\ >> > > > - <capsule_file_name> --fw-version <val> --lsv <val> --guid >\ >> > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose >--update-image-index >> > > \ >> > > > - <val> --verbose <u-boot.bin> >> > > > +The capsule file can be generated by using the >tools/mkeficapsule:: >> > > > >> > > > -The above is a wrapper script(GenerateCapsule) which >eventually calls >> > > > -the actual GenerateCapsule.py script. >> > > > + $ mkeficapsule --raw <u-boot.bin> --index 1 ><capsule_file_name> >> > > >> > > Thanks for the change. >> > > >> > > Could you, please, adjust the same in chapter "Enabling Capsule >> > > Authentication" below. > >So as Sughosh said, since currently mkeficapsule doesn't support >authentication, >I only changed it for the normal capsule update. Without this change, >the capsule >update just failed. > > >> > Currently, we do not have support for adding authentication header >to the >> > capsule. This is because I have been using the GenerateCapsule >script in >> > edk2 for generation of a capsule with authentication header. I >think adding >> > the signature to the capsule is easier when done through a python >script >> > rather than C code. >> >> Why do you think so? >> At a quick glance at the script, it internally uses openssl command >like: >> openssl smime -sign -binary -outform DER -md sha256 \ >> -signer <...> -certfile <...> >> (See PayloadDescriptor.Encode in the script.) >> >> The output from the standard output is exactly what you want >> to use to build a capsule file, that is "AuthInfo". 
>> Then you can naturally extend mkeficapsule to insert this signature >> between the header and the image itself in a capsule file. > >Hmm, if it can be done by just calling openssl, I think it is easier >for me >to run the tools/mkeficapsule, because I don't need to build EDK2 >for U-Boot. > >If GenerateCapsule becomes a standard implementation and >independent from the EDK2 project, from the interoperability point >of view, it is better to use that. But it is a part of EDK2 and the >GenerateCapsule seems out-of-date and not maintained well >(why doesn't it support the latest version yet??) Sughosh told me that EDK II cannot create a signed capsule that is usable with U-Boot due to an outdated header version used by EDK II. It should be sufficient to describe the steps used by U-Boot's test script here. Best regards Heinrich > >Thank you, > >> Furthermore, I believe, it is fairly straightforward to add a native >> 'signing' feature to mkeficapsule if you use openssl library. >> >> -Takahiro Akashi >> >> >> > I am working on adding support for the latest version >> > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the >GenerateCapsule >> > script in edk2. Meanwhile, would it be possible to have support for >the >> > version 2 of this header in the capsule driver -- it is a minor >change and >> > I already have a patch for it. If you are fine, I can submit a >patch for >> > the same. >> > >> > -sughosh >> > >> > >> > > >> > > Best regards >> > > >> > > Heinrich >> > > >> > > > >> > > > As per the UEFI specification, the capsule file needs to be >placed on >> > > > the EFI System Partition, under the \EFI\UpdateCapsule >directory. The >> > > > >> > > >> > > > > > >-- >Masami Hiramatsu
Heinrich, Sughosh, On Mon, Apr 19, 2021 at 04:35:15AM +0200, Heinrich Schuchardt wrote: > On 19 April 2021 04:24:37 CEST, Masami Hiramatsu <masami.hiramatsu@linaro.org> wrote: > >Hi, > > > >On Mon, 19 Apr 2021 at 9:37, Takahiro Akashi <takahiro.akashi@linaro.org> wrote: > >> > >> Sughosh, > >> > >> On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote: > >> > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt > ><xypron.glpk@gmx.de> > >> > wrote: > >> > > >> > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote: > >> > > > Since the EDK2 GenerateCapsule script is out of date and it > >> > > > doesn't generate the supported version capsule file, the > >document > >> > > > should refer the mkeficapsule in tools. > >> > > > > >> > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> > >> > > > --- > >> > > > doc/board/emulation/qemu_capsule_update.rst | 11 > >++--------- > >> > > > 1 file changed, 2 insertions(+), 9 deletions(-) > >> > > > > >> > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst > >> > > b/doc/board/emulation/qemu_capsule_update.rst > >> > > > index 9fec75f8f1..e2a9f0db71 100644 > >> > > > --- a/c > >> > > > +++ b/doc/board/emulation/qemu_capsule_update.rst 
> >> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to > >be > >> > > disabled(QEMU ARM specific):: > >> > > > > >> > > > CONFIG_TFABOOT > >> > > > > >> > > > -The capsule file can be generated by using the > >GenerateCapsule.py > >> > > > -script in EDKII:: > >> > > > - > >> > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o > >\ > >> > > > - <capsule_file_name> --fw-version <val> --lsv <val> --guid > >\ > >> > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose > >--update-image-index > >> > > \ > >> > > > - <val> --verbose <u-boot.bin> > >> > > > +The capsule file can be generated by using the > >tools/mkeficapsule:: > >> > > > > >> > > > -The above is a wrapper script(GenerateCapsule) which > >eventually calls > >> > > > -the actual GenerateCapsule.py script. > >> > > > + $ mkeficapsule --raw <u-boot.bin> --index 1 > ><capsule_file_name> > >> > > > >> > > Thanks for the change. > >> > > > >> > > Could you, please, adjust the same in chapter "Enabling Capsule > >> > > Authentication" below. > > > >So as Sughosh said, since currently mkeficapsule doesn't support > >authentication, > >I only changed it for the normal capsule update. Without this change, > >the capsule > >update just failed. > > > > > >> > Currently, we do not have support for adding authentication header > >to the > >> > capsule. This is because I have been using the GenerateCapsule > >script in > >> > edk2 for generation of a capsule with authentication header. I > >think adding > >> > the signature to the capsule is easier when done through a python > >script > >> > rather than C code. > >> > >> Why do you think so? > >> At a quick glance at the script, it internally uses openssl command > >like: > >> openssl smime -sign -binary -outform DER -md sha256 \ > >> -signer <...> -certfile <...> > >> (See PayloadDescriptor.Encode in the script.) 
> >> > >> The output from the standard output is exactly what you want > >> to use to build a capsule file, that is "AuthInfo". > >> Then you can naturally extend mkeficapsule to insert this signature > >> between the header and the image itself in a capsule file. > > > >Hmm, if it can be done by just calling openssl, I think it is easier > >for me > >to run the tools/mkeficapsule, because I don't need to build EDK2 > >for U-Boot. > > > >If GenerateCapsule becomes a standard implementation and > >independent from the EDK2 project, from the interoperability point > >of view, it is better to use that. But it is a part of EDK2 and the > >GenerateCapsule seems out-of-date and not maintained well > >(why doesn't it support the latest version yet??) > > Sughosh told me that EDK II cannot create a signed capsule that is usable with U-Boot due to an outdated header version used by EDK II. I decided to add a signing feature to mkeficapsule, and actually have finished the coding (half-a-day work). Yet I have to find some time to debug the command as I have never tried capsule authentication. (Hopefully Masami will help here.) The syntax will look like: mkeficapsule -m <mono count> -P <private key> -C <certificate file> -r <firmware image> <capsule file> -Takahiro Akashi > It should be sufficient to describe the steps used by U-Boot's test script here. > > Best regards > > Heinrich > > > > >Thank you, > > > >> Furthermore, I believe, it is fairly straightforward to add a native > >> 'signing' feature to mkeficapsule if you use openssl library. > >> > >> -Takahiro Akashi > >> > >> > >> > I am working on adding support for the latest version > >> > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the > >GenerateCapsule > >> > script in edk2. Meanwhile, would it be possible to have support for > >the > >> > version 2 of this header in the capsule driver -- it is a minor > >change and > >> > I already have a patch for it. 
If you are fine, I can submit a > >patch for > >> > the same. > >> > > >> > -sughosh > >> > > >> > > >> > > > >> > > Best regards > >> > > > >> > > Heinrich > >> > > > >> > > > > >> > > > As per the UEFI specification, the capsule file needs to be > >placed on > >> > > > the EFI System Partition, under the \EFI\UpdateCapsule > >directory. The > >> > > > > >> > > > >> > > > > > > > > > >-- > >Masami Hiramatsu >
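The layout discussed in the thread above, with the signature ("AuthInfo") sitting between the image header and the firmware image, can be checked on a capsule file before it is copied to the ESP. This is an added example, not code from this thread, U-Boot or EDK II: `parse_capsule` and `build_sample` are hypothetical names, the structure layouts are written from the UEFI specification's definitions, and the PKCS#7 bytes in the sample are constructed placeholders, so it checks structure only and does not verify a signature.

```python
import struct
import uuid

# Structure layouts follow the UEFI specification (little-endian, packed).
FMP_CAPSULE_GUID = uuid.UUID("6dcbd5ed-e82d-4c44-bda1-7194199ad92a")
CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
IMAGE_TYPE_GUID = uuid.UUID("e2bb9c06-70e9-4b14-97a3-5a7913176e3f")  # GUID quoted in the patch
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
CAPSULE_SUPPORT_AUTHENTICATION = 0x1

CAPSULE_HDR = struct.Struct("<16sIII")    # CapsuleGuid, HeaderSize, Flags, CapsuleImageSize
FMP_HDR = struct.Struct("<IHH")           # Version, EmbeddedDriverCount, PayloadItemCount
IMAGE_HDR = struct.Struct("<I16sB3xII")   # Version, TypeId, Index, ImageSize, VendorCodeSize
AUTH_HDR = struct.Struct("<QIHH16s")      # MonotonicCount + WIN_CERTIFICATE_UEFI_GUID header
WIN_CERT_HDR_LEN = AUTH_HDR.size - 8      # dwLength counts this header plus the PKCS#7 data


def parse_capsule(blob):
    """Return one dict per payload: header version and where AuthInfo sits."""
    guid, hdr_size, _flags, total = CAPSULE_HDR.unpack_from(blob, 0)
    if guid != FMP_CAPSULE_GUID.bytes_le:
        raise ValueError("not a firmware management capsule")
    if total != len(blob) or not CAPSULE_HDR.size <= hdr_size <= total:
        raise ValueError("capsule size fields do not match the file")
    _ver, drivers, payloads = FMP_HDR.unpack_from(blob, hdr_size)
    offsets = struct.unpack_from("<%dQ" % (drivers + payloads), blob, hdr_size + FMP_HDR.size)
    images = []
    for off in offsets[drivers:]:          # offsets are relative to the FMP header
        pos = hdr_size + off
        ver, _type_id, index, img_size, _vendor = IMAGE_HDR.unpack_from(blob, pos)
        pos += IMAGE_HDR.size
        support = None                     # versions 1 and 2 have no ImageCapsuleSupport
        if ver >= 2:
            pos += 8                       # UpdateHardwareInstance
        if ver >= 3:
            (support,) = struct.unpack_from("<Q", blob, pos)
            pos += 8
        if pos + img_size > len(blob):
            raise ValueError("UpdateImageSize runs past the end of the capsule")
        auth = None if support is None else bool(support & CAPSULE_SUPPORT_AUTHENTICATION)
        info = {"header_version": ver, "index": index, "authenticated": auth,
                "firmware_len": img_size}
        if auth:
            count, dw_len, _rev, cert_type, cert_guid = AUTH_HDR.unpack_from(blob, pos)
            if cert_type != WIN_CERT_TYPE_EFI_GUID or cert_guid != CERT_TYPE_PKCS7_GUID.bytes_le:
                raise ValueError("AuthInfo is not a PKCS#7 WIN_CERTIFICATE_UEFI_GUID")
            if dw_len < WIN_CERT_HDR_LEN or 8 + dw_len > img_size:
                raise ValueError("AuthInfo length is inconsistent with UpdateImageSize")
            info.update(monotonic_count=count, pkcs7_len=dw_len - WIN_CERT_HDR_LEN,
                        firmware_len=img_size - 8 - dw_len)
        images.append(info)
    return images


def build_sample(firmware, pkcs7=None, version=3):
    """Constructed test capsule; pkcs7 is placeholder bytes, not a real signature."""
    body, support = firmware, 0
    if pkcs7 is not None:
        auth = AUTH_HDR.pack(1, WIN_CERT_HDR_LEN + len(pkcs7), 0x0200,
                             WIN_CERT_TYPE_EFI_GUID, CERT_TYPE_PKCS7_GUID.bytes_le)
        body, support = auth + pkcs7 + firmware, CAPSULE_SUPPORT_AUTHENTICATION
    img = IMAGE_HDR.pack(version, IMAGE_TYPE_GUID.bytes_le, 1, len(body), 0)
    if version >= 2:
        img += struct.pack("<Q", 0)        # UpdateHardwareInstance
    if version >= 3:
        img += struct.pack("<Q", support)  # ImageCapsuleSupport
    fmp = FMP_HDR.pack(1, 0, 1) + struct.pack("<Q", FMP_HDR.size + 8)
    payload = fmp + img + body
    total = CAPSULE_HDR.size + len(payload)
    return CAPSULE_HDR.pack(FMP_CAPSULE_GUID.bytes_le, CAPSULE_HDR.size, 0, total) + payload
```

A version 1 or 2 image header is reported with `authenticated` set to `None`, because those versions have no ImageCapsuleSupport field and the header alone does not say whether AuthInfo is present.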
diff --git a/doc/board/emulation/qemu_capsule_update.rst b/doc/board/emulation/qemu_capsule_update.rst index 9fec75f8f1..e2a9f0db71 100644 --- a/doc/board/emulation/qemu_capsule_update.rst +++ b/doc/board/emulation/qemu_capsule_update.rst @@ -39,16 +39,9 @@ In addition, the following config needs to be disabled(QEMU ARM specific):: CONFIG_TFABOOT -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - <capsule_file_name> --fw-version <val> --lsv <val> --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - <val> --verbose <u-boot.bin> +The capsule file can be generated by using the tools/mkeficapsule:: -The above is a wrapper script(GenerateCapsule) which eventually calls -the actual GenerateCapsule.py script. + $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> As per the UEFI specification, the capsule file needs to be placed on the EFI System Partition, under the \EFI\UpdateCapsule directory. The
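Review bot: In the added `mkeficapsule` line, `--index 1` is hardcoded where the removed GenerateCapsule command left `--update-image-index <val>` to the reader; either write `--index <val>` or add a sentence saying why index 1 is the right value for this QEMU setup. The new paragraph should also say that a capsule built this way carries no authentication header, since the replies note that mkeficapsule cannot add one yet and that the "Enabling Capsule Authentication" chapter is left unchanged by this patch. Minor wording: "by using the tools/mkeficapsule" reads better as "using tools/mkeficapsule".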
Since the EDK2 GenerateCapsule script is out of date and it doesn't generate the supported version capsule file, the document should refer to the mkeficapsule in tools. Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org> --- doc/board/emulation/qemu_capsule_update.rst | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-)