Message ID | 20211028062356.98224-5-takahiro.akashi@linaro.org |
---|---|
State | Superseded |
Headers | show |
Series | efi_loader: capsule: improve capsule authentication support | expand |
Hi Takahiro, On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote: > > Now we can use mkeficapsule command instead of EDK-II's script > to create a signed capsule file. So update the instruction for > capsule authentication. > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > --- > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > 1 file changed, 67 insertions(+), 76 deletions(-) Reviewed-by: Simon Glass <sjg@chromium.org> thoughts below > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > index f17138f5c765..864d61734bee 100644 > --- a/doc/develop/uefi/uefi.rst > +++ b/doc/develop/uefi/uefi.rst > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > enables updating the U-Boot image using the UEFI firmware management > protocol (FMP). The capsules are not passed to the firmware through > the UpdateCapsule runtime service. Instead, capsule-on-disk > -functionality is used for fetching the capsule from the EFI System > -Partition (ESP) by placing the capsule file under the > -\EFI\UpdateCapsule directory. > - > -The directory \EFI\UpdateCapsule is checked for capsules only within the > -EFI system partition on the device specified in the active boot option > -determined by reference to BootNext variable or BootOrder variable processing. > -The active Boot Variable is the variable with highest priority BootNext or > -within BootOrder that refers to a device found to be present. Boot variables > -in BootOrder but referring to devices not present are ignored when determining > -active boot variable. > -Before starting a capsule update make sure your capsules are installed in the > -correct ESP partition or set BootNext. > +functionality is used for fetching capsules from the EFI System > +Partition (ESP) by placing capsule files under the directory:: > + > + \EFI\UpdateCapsule Can we use forward slashes please? What is a backslash, even? DOS? Windows? > + > +The directory is checked for capsules only within the > +EFI system partition on the device specified in the active boot option, > +which is determined by BootXXXX variable in BootNext, or if not, the highest > +priority one within BootOrder. Any BootXXXX variables referring to devices > +not present are ignored when determining the active boot option. > + > +Please note that capsules will be applied in the alphabetic order of > +capsule file names. > + > +Creating a capsule file > +*********************** > + > +A capsule file can be created by using tools/mkeficapsule. > +To build this tool, enable:: > + > + CONFIG_TOOLS_MKEFICAPSULE=y > + CONFIG_TOOLS_LIBCRYPTO=y > + > +Run the following command:: > + > + $ mkeficapsule \ > + --index 1 --instance 0 \ > + [--fit <FIT image> | --raw <raw image>] \ > + <capsule_file_name> > > Performing the update > ********************* > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > - > -If that option is disabled, you'll need to set the OsIndications variable with:: > +Put capsule files under the directory mentioned above. > +Then, following the UEFI specification, you'll need to set > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > +bit in OsIndications variable with:: > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > -Finally, the capsule update can be initiated either by rebooting the board, > -which is the preferred method, or by issuing the following command:: > +Since U-boot doesn't currently support SetVariable at runtime, its value > +won't be taken over across the reboot. If this is the case, you can skip > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > +set. > > - => efidebug capsule disk-update > - > -**The efidebug command is should only be used during debugging/development.** > +Finally, the capsule update can be initiated by rebooting the board. > > Enabling Capsule Authentication > ******************************* > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > is computed and prepended to the capsule payload at the time of > capsule generation. This signature is then verified by using the > public key stored as part of the X509 certificate. This certificate is > -in the form of an efi signature list (esl) file, which is embedded as > -part of U-Boot. > +in the form of an efi signature list (esl) file, which is embedded in > +a device tree. > > The capsule authentication feature can be enabled through the > following config, in addition to the configs listed above for capsule > update:: > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > The public and private keys used for the signing process are generated > -and used by the steps highlighted below:: > +and used by the steps highlighted below. > > - 1. Install utility commands on your host > - * OPENSSL > +1. Install utility commands on your host > + * openssl > * efitools > > - 2. Create signing keys and certificate files on your host > +2. Create signing keys and certificate files on your host:: > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > -keyout CRT.key -out CRT.crt -nodes -days 365 > $ cert-to-efi-sig-list CRT.crt CRT.esl > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > - > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > - > -The capsule file can be generated by using the GenerateCapsule.py > -script in EDKII:: > - > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > - <capsule_file_name> --monotonic-count <val> --fw-version \ > - <val> --lsv <val> --guid \ > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > - --update-image-index <val> --signer-private-cert \ > - /path/to/CRT.pem --trusted-public-cert \ > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > - <u-boot.bin> > - > -Place the capsule generated in the above step on the EFI System > -Partition under the EFI/UpdateCapsule directory > - > -Testing on QEMU > -*************** > +3. Run the following command to create and sign the capsule file:: > > -Currently, support has been added on the QEMU ARM64 virt platform for > -updating the U-Boot binary as a raw image when the platform is booted > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > -configuration, the QEMU platform needs to be booted with > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > -flash at offset 0x0. The U-Boot environment is placed on the second > -NOR flash bank at offset 0x4000000. > + $ mkeficapsule --monotonic-count 1 \ > + --private-key CRT.key \ > + --certificate CRT.crt \ > + --index 1 --instance 0 \ > + [--fit <FIT image> | --raw <raw image>] \ > + <capsule_file_name> > > -The capsule update feature is enabled with the following configuration > -settings:: > +4. Insert the signature list into a device tree in the following format:: > > - CONFIG_MTD=y > - CONFIG_FLASH_CFI_MTD=y > - CONFIG_CMD_MTDPARTS=y > - CONFIG_CMD_DFU=y > - CONFIG_DFU_MTD=y > - CONFIG_PCI_INIT_R=y > - CONFIG_EFI_CAPSULE_ON_DISK=y > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > - CONFIG_EFI_CAPSULE_FIRMWARE=y > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > + { > + signature { > + capsule-key = [ <binary of signature list> ]; > + } Can you add this feature to binman? A new entry type that takes the capsule key could do it. We need some way of handling this a bit better. > + ... > + } > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > + You can do this manually with:: > > - CONFIG_TFABOOT > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > -The capsule file can be generated by using the tools/mkeficapsule:: > + where signature.dts looks like:: > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > + &{/} { > + signature { > + capsule-key = /incbin/("CRT.esl"); > + }; > + }; Ick. I think your tool should just support adding the signature. > > Executing the boot manager > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > -- > 2.33.0 > Regards, Simon Regards, SImon
On Thu, Oct 28, 2021 at 09:17:48PM -0600, Simon Glass wrote: > Hi Takahiro, > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > <takahiro.akashi@linaro.org> wrote: > > > > Now we can use mkeficapsule command instead of EDK-II's script > > to create a signed capsule file. So update the instruction for > > capsule authentication. > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > --- > > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > > 1 file changed, 67 insertions(+), 76 deletions(-) > > Reviewed-by: Simon Glass <sjg@chromium.org> > > thoughts below > > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > index f17138f5c765..864d61734bee 100644 > > --- a/doc/develop/uefi/uefi.rst > > +++ b/doc/develop/uefi/uefi.rst > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > > enables updating the U-Boot image using the UEFI firmware management > > protocol (FMP). The capsules are not passed to the firmware through > > the UpdateCapsule runtime service. Instead, capsule-on-disk > > -functionality is used for fetching the capsule from the EFI System > > -Partition (ESP) by placing the capsule file under the > > -\EFI\UpdateCapsule directory. > > - > > -The directory \EFI\UpdateCapsule is checked for capsules only within the > > -EFI system partition on the device specified in the active boot option > > -determined by reference to BootNext variable or BootOrder variable processing. > > -The active Boot Variable is the variable with highest priority BootNext or > > -within BootOrder that refers to a device found to be present. Boot variables > > -in BootOrder but referring to devices not present are ignored when determining > > -active boot variable. > > -Before starting a capsule update make sure your capsules are installed in the > > -correct ESP partition or set BootNext. > > +functionality is used for fetching capsules from the EFI System > > +Partition (ESP) by placing capsule files under the directory:: > > + > > + \EFI\UpdateCapsule > > Can we use forward slashes please? > > What is a backslash, even? DOS? Windows? UEFI specification. In this document, all the file paths are presented with backslashes. (See section 8.5.5 in version 2.9) Anyhow U-Boot UEFI internally converts the path with slashes. > > + > > +The directory is checked for capsules only within the > > +EFI system partition on the device specified in the active boot option, > > +which is determined by BootXXXX variable in BootNext, or if not, the highest > > +priority one within BootOrder. Any BootXXXX variables referring to devices > > +not present are ignored when determining the active boot option. > > + > > +Please note that capsules will be applied in the alphabetic order of > > +capsule file names. > > + > > +Creating a capsule file > > +*********************** > > + > > +A capsule file can be created by using tools/mkeficapsule. > > +To build this tool, enable:: > > + > > + CONFIG_TOOLS_MKEFICAPSULE=y > > + CONFIG_TOOLS_LIBCRYPTO=y > > + > > +Run the following command:: > > + > > + $ mkeficapsule \ > > + --index 1 --instance 0 \ > > + [--fit <FIT image> | --raw <raw image>] \ > > + <capsule_file_name> > > > > Performing the update > > ********************* > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > > - > > -If that option is disabled, you'll need to set the OsIndications variable with:: > > +Put capsule files under the directory mentioned above. > > +Then, following the UEFI specification, you'll need to set > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > > +bit in OsIndications variable with:: > > > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > > > -Finally, the capsule update can be initiated either by rebooting the board, > > -which is the preferred method, or by issuing the following command:: > > +Since U-boot doesn't currently support SetVariable at runtime, its value > > +won't be taken over across the reboot. If this is the case, you can skip > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > > +set. > > > > - => efidebug capsule disk-update > > - > > -**The efidebug command is should only be used during debugging/development.** > > +Finally, the capsule update can be initiated by rebooting the board. > > > > Enabling Capsule Authentication > > ******************************* > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > > is computed and prepended to the capsule payload at the time of > > capsule generation. This signature is then verified by using the > > public key stored as part of the X509 certificate. This certificate is > > -in the form of an efi signature list (esl) file, which is embedded as > > -part of U-Boot. > > +in the form of an efi signature list (esl) file, which is embedded in > > +a device tree. > > > > The capsule authentication feature can be enabled through the > > following config, in addition to the configs listed above for capsule > > update:: > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > > > The public and private keys used for the signing process are generated > > -and used by the steps highlighted below:: > > +and used by the steps highlighted below. > > > > - 1. Install utility commands on your host > > - * OPENSSL > > +1. Install utility commands on your host > > + * openssl > > * efitools > > > > - 2. Create signing keys and certificate files on your host > > +2. Create signing keys and certificate files on your host:: > > > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > > -keyout CRT.key -out CRT.crt -nodes -days 365 > > $ cert-to-efi-sig-list CRT.crt CRT.esl > > > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > > - > > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > > - > > -The capsule file can be generated by using the GenerateCapsule.py > > -script in EDKII:: > > - > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > - <capsule_file_name> --monotonic-count <val> --fw-version \ > > - <val> --lsv <val> --guid \ > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > > - --update-image-index <val> --signer-private-cert \ > > - /path/to/CRT.pem --trusted-public-cert \ > > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > > - <u-boot.bin> > > - > > -Place the capsule generated in the above step on the EFI System > > -Partition under the EFI/UpdateCapsule directory > > - > > -Testing on QEMU > > -*************** > > +3. Run the following command to create and sign the capsule file:: > > > > -Currently, support has been added on the QEMU ARM64 virt platform for > > -updating the U-Boot binary as a raw image when the platform is booted > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > > -configuration, the QEMU platform needs to be booted with > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > > -flash at offset 0x0. The U-Boot environment is placed on the second > > -NOR flash bank at offset 0x4000000. > > + $ mkeficapsule --monotonic-count 1 \ > > + --private-key CRT.key \ > > + --certificate CRT.crt \ > > + --index 1 --instance 0 \ > > + [--fit <FIT image> | --raw <raw image>] \ > > + <capsule_file_name> > > > > -The capsule update feature is enabled with the following configuration > > -settings:: > > +4. Insert the signature list into a device tree in the following format:: > > > > - CONFIG_MTD=y > > - CONFIG_FLASH_CFI_MTD=y > > - CONFIG_CMD_MTDPARTS=y > > - CONFIG_CMD_DFU=y > > - CONFIG_DFU_MTD=y > > - CONFIG_PCI_INIT_R=y > > - CONFIG_EFI_CAPSULE_ON_DISK=y > > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > > - CONFIG_EFI_CAPSULE_FIRMWARE=y > > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > + { > > + signature { > > + capsule-key = [ <binary of signature list> ]; > > + } > > Can you add this feature to binman? A new entry type that takes the > capsule key could do it. We need some way of handling this a bit > better. As I said in the previous version, I don't know yet if binman is the best place. Can you give me a pointer where a similar feature is implemented in binman, please? > > + ... > > + } > > > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > > + You can do this manually with:: > > > > - CONFIG_TFABOOT > > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > > > -The capsule file can be generated by using the tools/mkeficapsule:: > > + where signature.dts looks like:: > > > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > + &{/} { > > + signature { > > + capsule-key = /incbin/("CRT.esl"); > > + }; > > + }; > > Ick. I think your tool should just support adding the signature. # I may misunderstand your point. The whole purpose of this tool is to create a capsule file. Adding the signature to that file is simply an optional behavior. I don't see any reason that we should have those features in separate tools. On the other hand, step.4 mentioned above is to add public keys (x509 certificate list or signature list in UEFI terminology) to a device tree. This is a separate step. Clear? -Takahiro Akashi > > > > Executing the boot manager > > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > > -- > > 2.33.0 > > > > Regards, > Simon > > > Regards, > SImon
Hi Takahiro, On Thu, 28 Oct 2021 at 23:20, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote: > > On Thu, Oct 28, 2021 at 09:17:48PM -0600, Simon Glass wrote: > > Hi Takahiro, > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > > <takahiro.akashi@linaro.org> wrote: > > > > > > Now we can use mkeficapsule command instead of EDK-II's script > > > to create a signed capsule file. So update the instruction for > > > capsule authentication. > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > > --- > > > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > > > 1 file changed, 67 insertions(+), 76 deletions(-) > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > thoughts below > > > > > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > > index f17138f5c765..864d61734bee 100644 > > > --- a/doc/develop/uefi/uefi.rst > > > +++ b/doc/develop/uefi/uefi.rst > > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > > > enables updating the U-Boot image using the UEFI firmware management > > > protocol (FMP). The capsules are not passed to the firmware through > > > the UpdateCapsule runtime service. Instead, capsule-on-disk > > > -functionality is used for fetching the capsule from the EFI System > > > -Partition (ESP) by placing the capsule file under the > > > -\EFI\UpdateCapsule directory. > > > - > > > -The directory \EFI\UpdateCapsule is checked for capsules only within the > > > -EFI system partition on the device specified in the active boot option > > > -determined by reference to BootNext variable or BootOrder variable processing. > > > -The active Boot Variable is the variable with highest priority BootNext or > > > -within BootOrder that refers to a device found to be present. Boot variables > > > -in BootOrder but referring to devices not present are ignored when determining > > > -active boot variable. > > > -Before starting a capsule update make sure your capsules are installed in the > > > -correct ESP partition or set BootNext. > > > +functionality is used for fetching capsules from the EFI System > > > +Partition (ESP) by placing capsule files under the directory:: > > > + > > > + \EFI\UpdateCapsule > > > > Can we use forward slashes please? > > > > What is a backslash, even? DOS? Windows? > > UEFI specification. > In this document, all the file paths are presented with backslashes. > (See section 8.5.5 in version 2.9) > > Anyhow U-Boot UEFI internally converts the path with slashes. So do we need to use backslashes in U-Boot and in the docs? Can we use a forward slash instead? I had hoped those days were behind us. The backslash is used for C escapes, after all. > > > > + > > > +The directory is checked for capsules only within the > > > +EFI system partition on the device specified in the active boot option, > > > +which is determined by BootXXXX variable in BootNext, or if not, the highest > > > +priority one within BootOrder. Any BootXXXX variables referring to devices > > > +not present are ignored when determining the active boot option. > > > + > > > +Please note that capsules will be applied in the alphabetic order of > > > +capsule file names. > > > + > > > +Creating a capsule file > > > +*********************** > > > + > > > +A capsule file can be created by using tools/mkeficapsule. > > > +To build this tool, enable:: > > > + > > > + CONFIG_TOOLS_MKEFICAPSULE=y > > > + CONFIG_TOOLS_LIBCRYPTO=y > > > + > > > +Run the following command:: > > > + > > > + $ mkeficapsule \ > > > + --index 1 --instance 0 \ > > > + [--fit <FIT image> | --raw <raw image>] \ > > > + <capsule_file_name> > > > > > > Performing the update > > > ********************* > > > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > > > - > > > -If that option is disabled, you'll need to set the OsIndications variable with:: > > > +Put capsule files under the directory mentioned above. > > > +Then, following the UEFI specification, you'll need to set > > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > > > +bit in OsIndications variable with:: > > > > > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > > > > > -Finally, the capsule update can be initiated either by rebooting the board, > > > -which is the preferred method, or by issuing the following command:: > > > +Since U-boot doesn't currently support SetVariable at runtime, its value > > > +won't be taken over across the reboot. If this is the case, you can skip > > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > > > +set. > > > > > > - => efidebug capsule disk-update > > > - > > > -**The efidebug command is should only be used during debugging/development.** > > > +Finally, the capsule update can be initiated by rebooting the board. > > > > > > Enabling Capsule Authentication > > > ******************************* > > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > > > is computed and prepended to the capsule payload at the time of > > > capsule generation. This signature is then verified by using the > > > public key stored as part of the X509 certificate. This certificate is > > > -in the form of an efi signature list (esl) file, which is embedded as > > > -part of U-Boot. > > > +in the form of an efi signature list (esl) file, which is embedded in > > > +a device tree. > > > > > > The capsule authentication feature can be enabled through the > > > following config, in addition to the configs listed above for capsule > > > update:: > > > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > > > > > The public and private keys used for the signing process are generated > > > -and used by the steps highlighted below:: > > > +and used by the steps highlighted below. > > > > > > - 1. Install utility commands on your host > > > - * OPENSSL > > > +1. Install utility commands on your host > > > + * openssl > > > * efitools > > > > > > - 2. Create signing keys and certificate files on your host > > > +2. Create signing keys and certificate files on your host:: > > > > > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > > > -keyout CRT.key -out CRT.crt -nodes -days 365 > > > $ cert-to-efi-sig-list CRT.crt CRT.esl > > > > > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > > > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > > > - > > > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > > > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > > > - > > > -The capsule file can be generated by using the GenerateCapsule.py > > > -script in EDKII:: > > > - > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > - <capsule_file_name> --monotonic-count <val> --fw-version \ > > > - <val> --lsv <val> --guid \ > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > > > - --update-image-index <val> --signer-private-cert \ > > > - /path/to/CRT.pem --trusted-public-cert \ > > > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > > > - <u-boot.bin> > > > - > > > -Place the capsule generated in the above step on the EFI System > > > -Partition under the EFI/UpdateCapsule directory > > > - > > > -Testing on QEMU > > > -*************** > > > +3. Run the following command to create and sign the capsule file:: > > > > > > -Currently, support has been added on the QEMU ARM64 virt platform for > > > -updating the U-Boot binary as a raw image when the platform is booted > > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > > > -configuration, the QEMU platform needs to be booted with > > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > > > -flash at offset 0x0. The U-Boot environment is placed on the second > > > -NOR flash bank at offset 0x4000000. > > > + $ mkeficapsule --monotonic-count 1 \ > > > + --private-key CRT.key \ > > > + --certificate CRT.crt \ > > > + --index 1 --instance 0 \ > > > + [--fit <FIT image> | --raw <raw image>] \ > > > + <capsule_file_name> > > > > > > -The capsule update feature is enabled with the following configuration > > > -settings:: > > > +4. Insert the signature list into a device tree in the following format:: > > > > > > - CONFIG_MTD=y > > > - CONFIG_FLASH_CFI_MTD=y > > > - CONFIG_CMD_MTDPARTS=y > > > - CONFIG_CMD_DFU=y > > > - CONFIG_DFU_MTD=y > > > - CONFIG_PCI_INIT_R=y > > > - CONFIG_EFI_CAPSULE_ON_DISK=y > > > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > > > - CONFIG_EFI_CAPSULE_FIRMWARE=y > > > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > > + { > > > + signature { > > > + capsule-key = [ <binary of signature list> ]; > > > + } > > > > Can you add this feature to binman? A new entry type that takes the > > capsule key could do it. We need some way of handling this a bit > > better. > > As I said in the previous version, I don't know yet if binman > is the best place. > Can you give me a pointer where a similar feature is implemented > in binman, please? See tools/binman/etype/vblock.py > > > > > + ... > > > + } > > > > > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > > > + You can do this manually with:: > > > > > > - CONFIG_TFABOOT > > > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > > > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > > > > > -The capsule file can be generated by using the tools/mkeficapsule:: > > > + where signature.dts looks like:: > > > > > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > > + &{/} { > > > + signature { > > > + capsule-key = /incbin/("CRT.esl"); > > > + }; > > > + }; > > > > Ick. I think your tool should just support adding the signature. > > # I may misunderstand your point. > > The whole purpose of this tool is to create a capsule file. > Adding the signature to that file is simply an optional behavior. > I don't see any reason that we should have those features in > separate tools. > > On the other hand, step.4 mentioned above is to add public keys (x509 > certificate list or signature list in UEFI terminology) to a device tree. > This is a separate step. > Clear? It just seems a pain to create a DT overlay to add the signature. I hope Binman can help here if you don't want to put it in your tool. I can write something if it would help. Regards, Simon
On Tue, Nov 02, 2021 at 08:57:48AM -0600, Simon Glass wrote: > Hi Takahiro, > > On Thu, 28 Oct 2021 at 23:20, AKASHI Takahiro > <takahiro.akashi@linaro.org> wrote: > > > > On Thu, Oct 28, 2021 at 09:17:48PM -0600, Simon Glass wrote: > > > Hi Takahiro, > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > > > <takahiro.akashi@linaro.org> wrote: > > > > > > > > Now we can use mkeficapsule command instead of EDK-II's script > > > > to create a signed capsule file. So update the instruction for > > > > capsule authentication. > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > > > --- > > > > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > > > > 1 file changed, 67 insertions(+), 76 deletions(-) > > > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > > > thoughts below > > > > > > > > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > > > index f17138f5c765..864d61734bee 100644 > > > > --- a/doc/develop/uefi/uefi.rst > > > > +++ b/doc/develop/uefi/uefi.rst > > > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > > > > enables updating the U-Boot image using the UEFI firmware management > > > > protocol (FMP). The capsules are not passed to the firmware through > > > > the UpdateCapsule runtime service. Instead, capsule-on-disk > > > > -functionality is used for fetching the capsule from the EFI System > > > > -Partition (ESP) by placing the capsule file under the > > > > -\EFI\UpdateCapsule directory. > > > > - > > > > -The directory \EFI\UpdateCapsule is checked for capsules only within the > > > > -EFI system partition on the device specified in the active boot option > > > > -determined by reference to BootNext variable or BootOrder variable processing. > > > > -The active Boot Variable is the variable with highest priority BootNext or > > > > -within BootOrder that refers to a device found to be present. Boot variables > > > > -in BootOrder but referring to devices not present are ignored when determining > > > > -active boot variable. > > > > -Before starting a capsule update make sure your capsules are installed in the > > > > -correct ESP partition or set BootNext. > > > > +functionality is used for fetching capsules from the EFI System > > > > +Partition (ESP) by placing capsule files under the directory:: > > > > + > > > > + \EFI\UpdateCapsule > > > > > > Can we use forward slashes please? > > > > > > What is a backslash, even? DOS? Windows? > > > > UEFI specification. > > In this document, all the file paths are presented with backslashes. > > (See section 8.5.5 in version 2.9) > > > > Anyhow U-Boot UEFI internally converts the path with slashes. > > So do we need to use backslashes in U-Boot and in the docs? Can we use > a forward slash instead? I had hoped those days were behind us. The > backslash is used for C escapes, after all. I'd defer to the maintainer, Heinrich here. > > > > > > + > > > > +The directory is checked for capsules only within the > > > > +EFI system partition on the device specified in the active boot option, > > > > +which is determined by BootXXXX variable in BootNext, or if not, the highest > > > > +priority one within BootOrder. Any BootXXXX variables referring to devices > > > > +not present are ignored when determining the active boot option. > > > > + > > > > +Please note that capsules will be applied in the alphabetic order of > > > > +capsule file names. > > > > + > > > > +Creating a capsule file > > > > +*********************** > > > > + > > > > +A capsule file can be created by using tools/mkeficapsule. > > > > +To build this tool, enable:: > > > > + > > > > + CONFIG_TOOLS_MKEFICAPSULE=y > > > > + CONFIG_TOOLS_LIBCRYPTO=y > > > > + > > > > +Run the following command:: > > > > + > > > > + $ mkeficapsule \ > > > > + --index 1 --instance 0 \ > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > + <capsule_file_name> > > > > > > > > Performing the update > > > > ********************* > > > > > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > > > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > > > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > > > > - > > > > -If that option is disabled, you'll need to set the OsIndications variable with:: > > > > +Put capsule files under the directory mentioned above. > > > > +Then, following the UEFI specification, you'll need to set > > > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > > > > +bit in OsIndications variable with:: > > > > > > > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > > > > > > > -Finally, the capsule update can be initiated either by rebooting the board, > > > > -which is the preferred method, or by issuing the following command:: > > > > +Since U-boot doesn't currently support SetVariable at runtime, its value > > > > +won't be taken over across the reboot. If this is the case, you can skip > > > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > > > > +set. > > > > > > > > - => efidebug capsule disk-update > > > > - > > > > -**The efidebug command is should only be used during debugging/development.** > > > > +Finally, the capsule update can be initiated by rebooting the board. > > > > > > > > Enabling Capsule Authentication > > > > ******************************* > > > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > > > > is computed and prepended to the capsule payload at the time of > > > > capsule generation. This signature is then verified by using the > > > > public key stored as part of the X509 certificate. This certificate is > > > > -in the form of an efi signature list (esl) file, which is embedded as > > > > -part of U-Boot. > > > > +in the form of an efi signature list (esl) file, which is embedded in > > > > +a device tree. > > > > > > > > The capsule authentication feature can be enabled through the > > > > following config, in addition to the configs listed above for capsule > > > > update:: > > > > > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > > > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > > > > > > > The public and private keys used for the signing process are generated > > > > -and used by the steps highlighted below:: > > > > +and used by the steps highlighted below. > > > > > > > > - 1. Install utility commands on your host > > > > - * OPENSSL > > > > +1. Install utility commands on your host > > > > + * openssl > > > > * efitools > > > > > > > > - 2. Create signing keys and certificate files on your host > > > > +2. Create signing keys and certificate files on your host:: > > > > > > > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > > > > -keyout CRT.key -out CRT.crt -nodes -days 365 > > > > $ cert-to-efi-sig-list CRT.crt CRT.esl > > > > > > > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > > > > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > > > > - > > > > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > > > > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > > > > - > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > > -script in EDKII:: > > > > - > > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > > - <capsule_file_name> --monotonic-count <val> --fw-version \ > > > > - <val> --lsv <val> --guid \ > > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > > > > - --update-image-index <val> --signer-private-cert \ > > > > - /path/to/CRT.pem --trusted-public-cert \ > > > > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > > > > - <u-boot.bin> > > > > - > > > > -Place the capsule generated in the above step on the EFI System > > > > -Partition under the EFI/UpdateCapsule directory > > > > - > > > > -Testing on QEMU > > > > -*************** > > > > +3. Run the following command to create and sign the capsule file:: > > > > > > > > -Currently, support has been added on the QEMU ARM64 virt platform for > > > > -updating the U-Boot binary as a raw image when the platform is booted > > > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > > > > -configuration, the QEMU platform needs to be booted with > > > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > > > > -flash at offset 0x0. The U-Boot environment is placed on the second > > > > -NOR flash bank at offset 0x4000000. > > > > + $ mkeficapsule --monotonic-count 1 \ > > > > + --private-key CRT.key \ > > > > + --certificate CRT.crt \ > > > > + --index 1 --instance 0 \ > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > + <capsule_file_name> > > > > > > > > -The capsule update feature is enabled with the following configuration > > > > -settings:: > > > > +4. Insert the signature list into a device tree in the following format:: > > > > > > > > - CONFIG_MTD=y > > > > - CONFIG_FLASH_CFI_MTD=y > > > > - CONFIG_CMD_MTDPARTS=y > > > > - CONFIG_CMD_DFU=y > > > > - CONFIG_DFU_MTD=y > > > > - CONFIG_PCI_INIT_R=y > > > > - CONFIG_EFI_CAPSULE_ON_DISK=y > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > > > > - CONFIG_EFI_CAPSULE_FIRMWARE=y > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > > > + { > > > > + signature { > > > > + capsule-key = [ <binary of signature list> ]; > > > > + } > > > > > > > Can you add this feature to binman? A new entry type that takes the > > > capsule key could do it. We need some way of handling this a bit > > > better. > > > > As I said in the previous version, I don't know yet if binman > > is the best place. > > Can you give me a pointer where a similar feature is implemented > > in binman, please? > > See tools/binman/etype/vblock.py I'll check it out. > > > > > > > > + ... > > > > + } > > > > > > > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > > > > + You can do this manually with:: > > > > > > > > - CONFIG_TFABOOT > > > > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > > > > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > > > > > > > -The capsule file can be generated by using the tools/mkeficapsule:: > > > > + where signature.dts looks like:: > > > > > > > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > > > + &{/} { > > > > + signature { > > > > + capsule-key = /incbin/("CRT.esl"); > > > > + }; > > > > + }; > > > > > > Ick. I think your tool should just support adding the signature. > > > > # I may misunderstand your point. > > > > The whole purpose of this tool is to create a capsule file. > > Adding the signature to that file is simply an optional behavior. > > I don't see any reason that we should have those features in > > separate tools. > > > > On the other hand, step.4 mentioned above is to add public keys (x509 > > certificate list or signature list in UEFI terminology) to a device tree. > > This is a separate step. > > Clear? > > It just seems a pain to create a DT overlay to add the signature. Pain in what sense? I have provided fdtsig.sh to avoid bothering users. > I hope Binman can help here if you don't want to put it in your tool. > I can write something if it would help. I think it's up to you to add the feature to binman, but also believe we should not and don't have to impose always using binman for this purpose on everyone, thinking of various situations that users may have. Thanks, -Takahiro Akashi > Regards, > Simon
Hi Takahiro, On Wed, 3 Nov 2021 at 19:49, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote: > > On Tue, Nov 02, 2021 at 08:57:48AM -0600, Simon Glass wrote: > > Hi Takahiro, > > > > On Thu, 28 Oct 2021 at 23:20, AKASHI Takahiro > > <takahiro.akashi@linaro.org> wrote: > > > > > > On Thu, Oct 28, 2021 at 09:17:48PM -0600, Simon Glass wrote: > > > > Hi Takahiro, > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > > > > <takahiro.akashi@linaro.org> wrote: > > > > > > > > > > Now we can use mkeficapsule command instead of EDK-II's script > > > > > to create a signed capsule file. So update the instruction for > > > > > capsule authentication. > > > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > > > > --- > > > > > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > > > > > 1 file changed, 67 insertions(+), 76 deletions(-) > > > > > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > > > > > thoughts below > > > > > > > > > > > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > > > > index f17138f5c765..864d61734bee 100644 > > > > > --- a/doc/develop/uefi/uefi.rst > > > > > +++ b/doc/develop/uefi/uefi.rst > > > > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > > > > > enables updating the U-Boot image using the UEFI firmware management > > > > > protocol (FMP). The capsules are not passed to the firmware through > > > > > the UpdateCapsule runtime service. Instead, capsule-on-disk > > > > > -functionality is used for fetching the capsule from the EFI System > > > > > -Partition (ESP) by placing the capsule file under the > > > > > -\EFI\UpdateCapsule directory. > > > > > - > > > > > -The directory \EFI\UpdateCapsule is checked for capsules only within the > > > > > -EFI system partition on the device specified in the active boot option > > > > > -determined by reference to BootNext variable or BootOrder variable processing. > > > > > -The active Boot Variable is the variable with highest priority BootNext or > > > > > -within BootOrder that refers to a device found to be present. Boot variables > > > > > -in BootOrder but referring to devices not present are ignored when determining > > > > > -active boot variable. > > > > > -Before starting a capsule update make sure your capsules are installed in the > > > > > -correct ESP partition or set BootNext. > > > > > +functionality is used for fetching capsules from the EFI System > > > > > +Partition (ESP) by placing capsule files under the directory:: > > > > > + > > > > > + \EFI\UpdateCapsule > > > > > > > > Can we use forward slashes please? > > > > > > > > What is a backslash, even? DOS? Windows? > > > > > > UEFI specification. > > > In this document, all the file paths are presented with backslashes. > > > (See section 8.5.5 in version 2.9) > > > > > > Anyhow U-Boot UEFI internally converts the path with slashes. > > > > So do we need to use backslashes in U-Boot and in the docs? Can we use > > a forward slash instead? I had hoped those days were behind us. The > > backslash is used for C escapes, after all. > > I'd defer to the maintainer, Heinrich here. > > > > > > > > > + > > > > > +The directory is checked for capsules only within the > > > > > +EFI system partition on the device specified in the active boot option, > > > > > +which is determined by BootXXXX variable in BootNext, or if not, the highest > > > > > +priority one within BootOrder. Any BootXXXX variables referring to devices > > > > > +not present are ignored when determining the active boot option. > > > > > + > > > > > +Please note that capsules will be applied in the alphabetic order of > > > > > +capsule file names. > > > > > + > > > > > +Creating a capsule file > > > > > +*********************** > > > > > + > > > > > +A capsule file can be created by using tools/mkeficapsule. > > > > > +To build this tool, enable:: > > > > > + > > > > > + CONFIG_TOOLS_MKEFICAPSULE=y > > > > > + CONFIG_TOOLS_LIBCRYPTO=y > > > > > + > > > > > +Run the following command:: > > > > > + > > > > > + $ mkeficapsule \ > > > > > + --index 1 --instance 0 \ > > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > > + <capsule_file_name> > > > > > > > > > > Performing the update > > > > > ********************* > > > > > > > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > > > > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > > > > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > > > > > - > > > > > -If that option is disabled, you'll need to set the OsIndications variable with:: > > > > > +Put capsule files under the directory mentioned above. > > > > > +Then, following the UEFI specification, you'll need to set > > > > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > > > > > +bit in OsIndications variable with:: > > > > > > > > > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > > > > > > > > > -Finally, the capsule update can be initiated either by rebooting the board, > > > > > -which is the preferred method, or by issuing the following command:: > > > > > +Since U-boot doesn't currently support SetVariable at runtime, its value > > > > > +won't be taken over across the reboot. If this is the case, you can skip > > > > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > > > > > +set. > > > > > > > > > > - => efidebug capsule disk-update > > > > > - > > > > > -**The efidebug command is should only be used during debugging/development.** > > > > > +Finally, the capsule update can be initiated by rebooting the board. > > > > > > > > > > Enabling Capsule Authentication > > > > > ******************************* > > > > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > > > > > is computed and prepended to the capsule payload at the time of > > > > > capsule generation. This signature is then verified by using the > > > > > public key stored as part of the X509 certificate. This certificate is > > > > > -in the form of an efi signature list (esl) file, which is embedded as > > > > > -part of U-Boot. > > > > > +in the form of an efi signature list (esl) file, which is embedded in > > > > > +a device tree. > > > > > > > > > > The capsule authentication feature can be enabled through the > > > > > following config, in addition to the configs listed above for capsule > > > > > update:: > > > > > > > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > > > > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > > > > > > > > > The public and private keys used for the signing process are generated > > > > > -and used by the steps highlighted below:: > > > > > +and used by the steps highlighted below. > > > > > > > > > > - 1. Install utility commands on your host > > > > > - * OPENSSL > > > > > +1. Install utility commands on your host > > > > > + * openssl > > > > > * efitools > > > > > > > > > > - 2. Create signing keys and certificate files on your host > > > > > +2. Create signing keys and certificate files on your host:: > > > > > > > > > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > > > > > -keyout CRT.key -out CRT.crt -nodes -days 365 > > > > > $ cert-to-efi-sig-list CRT.crt CRT.esl > > > > > > > > > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > > > > > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > > > > > - > > > > > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > > > > > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > > > > > - > > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > > > -script in EDKII:: > > > > > - > > > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > > > - <capsule_file_name> --monotonic-count <val> --fw-version \ > > > > > - <val> --lsv <val> --guid \ > > > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > > > > > - --update-image-index <val> --signer-private-cert \ > > > > > - /path/to/CRT.pem --trusted-public-cert \ > > > > > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > > > > > - <u-boot.bin> > > > > > - > > > > > -Place the capsule generated in the above step on the EFI System > > > > > -Partition under the EFI/UpdateCapsule directory > > > > > - > > > > > -Testing on QEMU > > > > > -*************** > > > > > +3. Run the following command to create and sign the capsule file:: > > > > > > > > > > -Currently, support has been added on the QEMU ARM64 virt platform for > > > > > -updating the U-Boot binary as a raw image when the platform is booted > > > > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > > > > > -configuration, the QEMU platform needs to be booted with > > > > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > > > > > -flash at offset 0x0. The U-Boot environment is placed on the second > > > > > -NOR flash bank at offset 0x4000000. > > > > > + $ mkeficapsule --monotonic-count 1 \ > > > > > + --private-key CRT.key \ > > > > > + --certificate CRT.crt \ > > > > > + --index 1 --instance 0 \ > > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > > + <capsule_file_name> > > > > > > > > > > -The capsule update feature is enabled with the following configuration > > > > > -settings:: > > > > > +4. Insert the signature list into a device tree in the following format:: > > > > > > > > > > - CONFIG_MTD=y > > > > > - CONFIG_FLASH_CFI_MTD=y > > > > > - CONFIG_CMD_MTDPARTS=y > > > > > - CONFIG_CMD_DFU=y > > > > > - CONFIG_DFU_MTD=y > > > > > - CONFIG_PCI_INIT_R=y > > > > > - CONFIG_EFI_CAPSULE_ON_DISK=y > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE=y > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > > > > + { > > > > > + signature { > > > > > + capsule-key = [ <binary of signature list> ]; > > > > > + } > > > > > > > > > > Can you add this feature to binman? A new entry type that takes the > > > > capsule key could do it. We need some way of handling this a bit > > > > better. > > > > > > As I said in the previous version, I don't know yet if binman > > > is the best place. > > > Can you give me a pointer where a similar feature is implemented > > > in binman, please? > > > > See tools/binman/etype/vblock.py > > I'll check it out. > > > > > > > > > > > > + ... > > > > > + } > > > > > > > > > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > > > > > + You can do this manually with:: > > > > > > > > > > - CONFIG_TFABOOT > > > > > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > > > > > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > > > > > > > > > -The capsule file can be generated by using the tools/mkeficapsule:: > > > > > + where signature.dts looks like:: > > > > > > > > > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > > > > + &{/} { > > > > > + signature { > > > > > + capsule-key = /incbin/("CRT.esl"); > > > > > + }; > > > > > + }; > > > > > > > > Ick. I think your tool should just support adding the signature. > > > > > > # I may misunderstand your point. > > > > > > The whole purpose of this tool is to create a capsule file. > > > Adding the signature to that file is simply an optional behavior. > > > I don't see any reason that we should have those features in > > > separate tools. > > > > > > On the other hand, step.4 mentioned above is to add public keys (x509 > > > certificate list or signature list in UEFI terminology) to a device tree. > > > This is a separate step. > > > Clear? > > > > It just seems a pain to create a DT overlay to add the signature. > > Pain in what sense? > I have provided fdtsig.sh to avoid bothering users. > > > I hope Binman can help here if you don't want to put it in your tool. > > I can write something if it would help. > > I think it's up to you to add the feature to binman, > but also believe we should not and don't have to impose always > using binman for this purpose on everyone, thinking of > various situations that users may have. I am reading TLOTR at present so this came to mind... https://www.youtube.com/watch?v=wcASKPX1Ot8 What I would like is a simple way to build an image automatically, with as few steps as possible and have it work. For U-Boot we are trying to use binman internally, but binman can also be used for the 'final step'. See this talk. There is also a video somewhere. https://2019.osfc.io/talks/binman-a-data-controlled-firmware-packer-for-u-boot.html Let's try to collaborate on the firmware packaging. It is the wild west at present and the series you have here shows some of the challenges. Regards, Simon
On Thu, Nov 04, 2021 at 09:11:51AM -0600, Simon Glass wrote: > Hi Takahiro, > > On Wed, 3 Nov 2021 at 19:49, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote: > > > > On Tue, Nov 02, 2021 at 08:57:48AM -0600, Simon Glass wrote: > > > Hi Takahiro, > > > > > > On Thu, 28 Oct 2021 at 23:20, AKASHI Takahiro > > > <takahiro.akashi@linaro.org> wrote: > > > > > > > > On Thu, Oct 28, 2021 at 09:17:48PM -0600, Simon Glass wrote: > > > > > Hi Takahiro, > > > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > > > > > <takahiro.akashi@linaro.org> wrote: > > > > > > > > > > > > Now we can use mkeficapsule command instead of EDK-II's script > > > > > > to create a signed capsule file. So update the instruction for > > > > > > capsule authentication. > > > > > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > > > > > --- > > > > > > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > > > > > > 1 file changed, 67 insertions(+), 76 deletions(-) > > > > > > > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > > > > > > > thoughts below > > > > > > > > > > > > > > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > > > > > index f17138f5c765..864d61734bee 100644 > > > > > > --- a/doc/develop/uefi/uefi.rst > > > > > > +++ b/doc/develop/uefi/uefi.rst > > > > > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > > > > > > enables updating the U-Boot image using the UEFI firmware management > > > > > > protocol (FMP). The capsules are not passed to the firmware through > > > > > > the UpdateCapsule runtime service. Instead, capsule-on-disk > > > > > > -functionality is used for fetching the capsule from the EFI System > > > > > > -Partition (ESP) by placing the capsule file under the > > > > > > -\EFI\UpdateCapsule directory. > > > > > > - > > > > > > -The directory \EFI\UpdateCapsule is checked for capsules only within the > > > > > > -EFI system partition on the device specified in the active boot option > > > > > > -determined by reference to BootNext variable or BootOrder variable processing. > > > > > > -The active Boot Variable is the variable with highest priority BootNext or > > > > > > -within BootOrder that refers to a device found to be present. Boot variables > > > > > > -in BootOrder but referring to devices not present are ignored when determining > > > > > > -active boot variable. > > > > > > -Before starting a capsule update make sure your capsules are installed in the > > > > > > -correct ESP partition or set BootNext. > > > > > > +functionality is used for fetching capsules from the EFI System > > > > > > +Partition (ESP) by placing capsule files under the directory:: > > > > > > + > > > > > > + \EFI\UpdateCapsule > > > > > > > > > > Can we use forward slashes please? > > > > > > > > > > What is a backslash, even? DOS? Windows? > > > > > > > > UEFI specification. > > > > In this document, all the file paths are presented with backslashes. > > > > (See section 8.5.5 in version 2.9) > > > > > > > > Anyhow U-Boot UEFI internally converts the path with slashes. > > > > > > So do we need to use backslashes in U-Boot and in the docs? Can we use > > > a forward slash instead? I had hoped those days were behind us. The > > > backslash is used for C escapes, after all. > > > > I'd defer to the maintainer, Heinrich here. > > > > > > > > > > > > + > > > > > > +The directory is checked for capsules only within the > > > > > > +EFI system partition on the device specified in the active boot option, > > > > > > +which is determined by BootXXXX variable in BootNext, or if not, the highest > > > > > > +priority one within BootOrder. Any BootXXXX variables referring to devices > > > > > > +not present are ignored when determining the active boot option. > > > > > > + > > > > > > +Please note that capsules will be applied in the alphabetic order of > > > > > > +capsule file names. > > > > > > + > > > > > > +Creating a capsule file > > > > > > +*********************** > > > > > > + > > > > > > +A capsule file can be created by using tools/mkeficapsule. > > > > > > +To build this tool, enable:: > > > > > > + > > > > > > + CONFIG_TOOLS_MKEFICAPSULE=y > > > > > > + CONFIG_TOOLS_LIBCRYPTO=y > > > > > > + > > > > > > +Run the following command:: > > > > > > + > > > > > > + $ mkeficapsule \ > > > > > > + --index 1 --instance 0 \ > > > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > > > + <capsule_file_name> > > > > > > > > > > > > Performing the update > > > > > > ********************* > > > > > > > > > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > > > > > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > > > > > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > > > > > > - > > > > > > -If that option is disabled, you'll need to set the OsIndications variable with:: > > > > > > +Put capsule files under the directory mentioned above. > > > > > > +Then, following the UEFI specification, you'll need to set > > > > > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > > > > > > +bit in OsIndications variable with:: > > > > > > > > > > > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > > > > > > > > > > > -Finally, the capsule update can be initiated either by rebooting the board, > > > > > > -which is the preferred method, or by issuing the following command:: > > > > > > +Since U-boot doesn't currently support SetVariable at runtime, its value > > > > > > +won't be taken over across the reboot. If this is the case, you can skip > > > > > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > > > > > > +set. > > > > > > > > > > > > - => efidebug capsule disk-update > > > > > > - > > > > > > -**The efidebug command is should only be used during debugging/development.** > > > > > > +Finally, the capsule update can be initiated by rebooting the board. > > > > > > > > > > > > Enabling Capsule Authentication > > > > > > ******************************* > > > > > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > > > > > > is computed and prepended to the capsule payload at the time of > > > > > > capsule generation. This signature is then verified by using the > > > > > > public key stored as part of the X509 certificate. This certificate is > > > > > > -in the form of an efi signature list (esl) file, which is embedded as > > > > > > -part of U-Boot. > > > > > > +in the form of an efi signature list (esl) file, which is embedded in > > > > > > +a device tree. > > > > > > > > > > > > The capsule authentication feature can be enabled through the > > > > > > following config, in addition to the configs listed above for capsule > > > > > > update:: > > > > > > > > > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > > > > > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > > > > > > > > > > > The public and private keys used for the signing process are generated > > > > > > -and used by the steps highlighted below:: > > > > > > +and used by the steps highlighted below. > > > > > > > > > > > > - 1. Install utility commands on your host > > > > > > - * OPENSSL > > > > > > +1. Install utility commands on your host > > > > > > + * openssl > > > > > > * efitools > > > > > > > > > > > > - 2. Create signing keys and certificate files on your host > > > > > > +2. Create signing keys and certificate files on your host:: > > > > > > > > > > > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > > > > > > -keyout CRT.key -out CRT.crt -nodes -days 365 > > > > > > $ cert-to-efi-sig-list CRT.crt CRT.esl > > > > > > > > > > > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > > > > > > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > > > > > > - > > > > > > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > > > > > > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > > > > > > - > > > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > > > > -script in EDKII:: > > > > > > - > > > > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > > > > - <capsule_file_name> --monotonic-count <val> --fw-version \ > > > > > > - <val> --lsv <val> --guid \ > > > > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > > > > > > - --update-image-index <val> --signer-private-cert \ > > > > > > - /path/to/CRT.pem --trusted-public-cert \ > > > > > > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > > > > > > - <u-boot.bin> > > > > > > - > > > > > > -Place the capsule generated in the above step on the EFI System > > > > > > -Partition under the EFI/UpdateCapsule directory > > > > > > - > > > > > > -Testing on QEMU > > > > > > -*************** > > > > > > +3. Run the following command to create and sign the capsule file:: > > > > > > > > > > > > -Currently, support has been added on the QEMU ARM64 virt platform for > > > > > > -updating the U-Boot binary as a raw image when the platform is booted > > > > > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > > > > > > -configuration, the QEMU platform needs to be booted with > > > > > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > > > > > > -flash at offset 0x0. The U-Boot environment is placed on the second > > > > > > -NOR flash bank at offset 0x4000000. > > > > > > + $ mkeficapsule --monotonic-count 1 \ > > > > > > + --private-key CRT.key \ > > > > > > + --certificate CRT.crt \ > > > > > > + --index 1 --instance 0 \ > > > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > > > + <capsule_file_name> > > > > > > > > > > > > -The capsule update feature is enabled with the following configuration > > > > > > -settings:: > > > > > > +4. Insert the signature list into a device tree in the following format:: > > > > > > > > > > > > - CONFIG_MTD=y > > > > > > - CONFIG_FLASH_CFI_MTD=y > > > > > > - CONFIG_CMD_MTDPARTS=y > > > > > > - CONFIG_CMD_DFU=y > > > > > > - CONFIG_DFU_MTD=y > > > > > > - CONFIG_PCI_INIT_R=y > > > > > > - CONFIG_EFI_CAPSULE_ON_DISK=y > > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE=y > > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > > > > > + { > > > > > > + signature { > > > > > > + capsule-key = [ <binary of signature list> ]; > > > > > > + } > > > > > > > > > > > > > Can you add this feature to binman? A new entry type that takes the > > > > > capsule key could do it. We need some way of handling this a bit > > > > > better. > > > > > > > > As I said in the previous version, I don't know yet if binman > > > > is the best place. > > > > Can you give me a pointer where a similar feature is implemented > > > > in binman, please? > > > > > > See tools/binman/etype/vblock.py > > > > I'll check it out. > > > > > > > > > > > > > > > > + ... > > > > > > + } > > > > > > > > > > > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > > > > > > + You can do this manually with:: > > > > > > > > > > > > - CONFIG_TFABOOT > > > > > > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > > > > > > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > > > > > > > > > > > -The capsule file can be generated by using the tools/mkeficapsule:: > > > > > > + where signature.dts looks like:: > > > > > > > > > > > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > > > > > + &{/} { > > > > > > + signature { > > > > > > + capsule-key = /incbin/("CRT.esl"); > > > > > > + }; > > > > > > + }; > > > > > > > > > > Ick. I think your tool should just support adding the signature. > > > > > > > > # I may misunderstand your point. > > > > > > > > The whole purpose of this tool is to create a capsule file. > > > > Adding the signature to that file is simply an optional behavior. > > > > I don't see any reason that we should have those features in > > > > separate tools. > > > > > > > > On the other hand, step.4 mentioned above is to add public keys (x509 > > > > certificate list or signature list in UEFI terminology) to a device tree. > > > > This is a separate step. > > > > Clear? > > > > > > It just seems a pain to create a DT overlay to add the signature. > > > > Pain in what sense? > > I have provided fdtsig.sh to avoid bothering users. > > > > > I hope Binman can help here if you don't want to put it in your tool. > > > I can write something if it would help. > > > > I think it's up to you to add the feature to binman, > > but also believe we should not and don't have to impose always > > using binman for this purpose on everyone, thinking of > > various situations that users may have. > > I am reading TLOTR at present so this came to mind... > > https://www.youtube.com/watch?v=wcASKPX1Ot8 OK, you don't rob me of my mkeficapsule, but help me :) -Takahiro Akashi > What I would like is a simple way to build an image automatically, > with as few steps as possible and have it work. For U-Boot we are > trying to use binman internally, but binman can also be used for the > 'final step'. > > See this talk. There is also a video somewhere. > > https://2019.osfc.io/talks/binman-a-data-controlled-firmware-packer-for-u-boot.html > > Let's try to collaborate on the firmware packaging. It is the wild > west at present and the series you have here shows some of the > challenges. > > Regards, > Simon
Hi Takahiro, On Thu, 4 Nov 2021 at 21:15, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote: > > On Thu, Nov 04, 2021 at 09:11:51AM -0600, Simon Glass wrote: > > Hi Takahiro, > > > > On Wed, 3 Nov 2021 at 19:49, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote: > > > > > > On Tue, Nov 02, 2021 at 08:57:48AM -0600, Simon Glass wrote: > > > > Hi Takahiro, > > > > > > > > On Thu, 28 Oct 2021 at 23:20, AKASHI Takahiro > > > > <takahiro.akashi@linaro.org> wrote: > > > > > > > > > > On Thu, Oct 28, 2021 at 09:17:48PM -0600, Simon Glass wrote: > > > > > > Hi Takahiro, > > > > > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > > > > > > <takahiro.akashi@linaro.org> wrote: > > > > > > > > > > > > > > Now we can use mkeficapsule command instead of EDK-II's script > > > > > > > to create a signed capsule file. So update the instruction for > > > > > > > capsule authentication. > > > > > > > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > > > > > > --- > > > > > > > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > > > > > > > 1 file changed, 67 insertions(+), 76 deletions(-) > > > > > > > > > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > > > > > > > > > thoughts below > > > > > > > > > > > > > > > > > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > > > > > > index f17138f5c765..864d61734bee 100644 > > > > > > > --- a/doc/develop/uefi/uefi.rst > > > > > > > +++ b/doc/develop/uefi/uefi.rst > > > > > > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > > > > > > > enables updating the U-Boot image using the UEFI firmware management > > > > > > > protocol (FMP). The capsules are not passed to the firmware through > > > > > > > the UpdateCapsule runtime service. Instead, capsule-on-disk > > > > > > > -functionality is used for fetching the capsule from the EFI System > > > > > > > -Partition (ESP) by placing the capsule file under the > > > > > > > -\EFI\UpdateCapsule directory. > > > > > > > - > > > > > > > -The directory \EFI\UpdateCapsule is checked for capsules only within the > > > > > > > -EFI system partition on the device specified in the active boot option > > > > > > > -determined by reference to BootNext variable or BootOrder variable processing. > > > > > > > -The active Boot Variable is the variable with highest priority BootNext or > > > > > > > -within BootOrder that refers to a device found to be present. Boot variables > > > > > > > -in BootOrder but referring to devices not present are ignored when determining > > > > > > > -active boot variable. > > > > > > > -Before starting a capsule update make sure your capsules are installed in the > > > > > > > -correct ESP partition or set BootNext. > > > > > > > +functionality is used for fetching capsules from the EFI System > > > > > > > +Partition (ESP) by placing capsule files under the directory:: > > > > > > > + > > > > > > > + \EFI\UpdateCapsule > > > > > > > > > > > > Can we use forward slashes please? > > > > > > > > > > > > What is a backslash, even? DOS? Windows? > > > > > > > > > > UEFI specification. > > > > > In this document, all the file paths are presented with backslashes. > > > > > (See section 8.5.5 in version 2.9) > > > > > > > > > > Anyhow U-Boot UEFI internally converts the path with slashes. > > > > > > > > So do we need to use backslashes in U-Boot and in the docs? Can we use > > > > a forward slash instead? I had hoped those days were behind us. The > > > > backslash is used for C escapes, after all. > > > > > > I'd defer to the maintainer, Heinrich here. > > > > > > > > > > > > > > > + > > > > > > > +The directory is checked for capsules only within the > > > > > > > +EFI system partition on the device specified in the active boot option, > > > > > > > +which is determined by BootXXXX variable in BootNext, or if not, the highest > > > > > > > +priority one within BootOrder. Any BootXXXX variables referring to devices > > > > > > > +not present are ignored when determining the active boot option. > > > > > > > + > > > > > > > +Please note that capsules will be applied in the alphabetic order of > > > > > > > +capsule file names. > > > > > > > + > > > > > > > +Creating a capsule file > > > > > > > +*********************** > > > > > > > + > > > > > > > +A capsule file can be created by using tools/mkeficapsule. > > > > > > > +To build this tool, enable:: > > > > > > > + > > > > > > > + CONFIG_TOOLS_MKEFICAPSULE=y > > > > > > > + CONFIG_TOOLS_LIBCRYPTO=y > > > > > > > + > > > > > > > +Run the following command:: > > > > > > > + > > > > > > > + $ mkeficapsule \ > > > > > > > + --index 1 --instance 0 \ > > > > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > > > > + <capsule_file_name> > > > > > > > > > > > > > > Performing the update > > > > > > > ********************* > > > > > > > > > > > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > > > > > > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > > > > > > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > > > > > > > - > > > > > > > -If that option is disabled, you'll need to set the OsIndications variable with:: > > > > > > > +Put capsule files under the directory mentioned above. > > > > > > > +Then, following the UEFI specification, you'll need to set > > > > > > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > > > > > > > +bit in OsIndications variable with:: > > > > > > > > > > > > > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > > > > > > > > > > > > > -Finally, the capsule update can be initiated either by rebooting the board, > > > > > > > -which is the preferred method, or by issuing the following command:: > > > > > > > +Since U-boot doesn't currently support SetVariable at runtime, its value > > > > > > > +won't be taken over across the reboot. If this is the case, you can skip > > > > > > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > > > > > > > +set. > > > > > > > > > > > > > > - => efidebug capsule disk-update > > > > > > > - > > > > > > > -**The efidebug command is should only be used during debugging/development.** > > > > > > > +Finally, the capsule update can be initiated by rebooting the board. > > > > > > > > > > > > > > Enabling Capsule Authentication > > > > > > > ******************************* > > > > > > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > > > > > > > is computed and prepended to the capsule payload at the time of > > > > > > > capsule generation. This signature is then verified by using the > > > > > > > public key stored as part of the X509 certificate. This certificate is > > > > > > > -in the form of an efi signature list (esl) file, which is embedded as > > > > > > > -part of U-Boot. > > > > > > > +in the form of an efi signature list (esl) file, which is embedded in > > > > > > > +a device tree. > > > > > > > > > > > > > > The capsule authentication feature can be enabled through the > > > > > > > following config, in addition to the configs listed above for capsule > > > > > > > update:: > > > > > > > > > > > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > > > > > > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > > > > > > > > > > > > > The public and private keys used for the signing process are generated > > > > > > > -and used by the steps highlighted below:: > > > > > > > +and used by the steps highlighted below. > > > > > > > > > > > > > > - 1. Install utility commands on your host > > > > > > > - * OPENSSL > > > > > > > +1. Install utility commands on your host > > > > > > > + * openssl > > > > > > > * efitools > > > > > > > > > > > > > > - 2. Create signing keys and certificate files on your host > > > > > > > +2. Create signing keys and certificate files on your host:: > > > > > > > > > > > > > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > > > > > > > -keyout CRT.key -out CRT.crt -nodes -days 365 > > > > > > > $ cert-to-efi-sig-list CRT.crt CRT.esl > > > > > > > > > > > > > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > > > > > > > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > > > > > > > - > > > > > > > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > > > > > > > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > > > > > > > - > > > > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > > > > > -script in EDKII:: > > > > > > > - > > > > > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > > > > > - <capsule_file_name> --monotonic-count <val> --fw-version \ > > > > > > > - <val> --lsv <val> --guid \ > > > > > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > > > > > > > - --update-image-index <val> --signer-private-cert \ > > > > > > > - /path/to/CRT.pem --trusted-public-cert \ > > > > > > > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > > > > > > > - <u-boot.bin> > > > > > > > - > > > > > > > -Place the capsule generated in the above step on the EFI System > > > > > > > -Partition under the EFI/UpdateCapsule directory > > > > > > > - > > > > > > > -Testing on QEMU > > > > > > > -*************** > > > > > > > +3. Run the following command to create and sign the capsule file:: > > > > > > > > > > > > > > -Currently, support has been added on the QEMU ARM64 virt platform for > > > > > > > -updating the U-Boot binary as a raw image when the platform is booted > > > > > > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > > > > > > > -configuration, the QEMU platform needs to be booted with > > > > > > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > > > > > > > -flash at offset 0x0. The U-Boot environment is placed on the second > > > > > > > -NOR flash bank at offset 0x4000000. > > > > > > > + $ mkeficapsule --monotonic-count 1 \ > > > > > > > + --private-key CRT.key \ > > > > > > > + --certificate CRT.crt \ > > > > > > > + --index 1 --instance 0 \ > > > > > > > + [--fit <FIT image> | --raw <raw image>] \ > > > > > > > + <capsule_file_name> > > > > > > > > > > > > > > -The capsule update feature is enabled with the following configuration > > > > > > > -settings:: > > > > > > > +4. Insert the signature list into a device tree in the following format:: > > > > > > > > > > > > > > - CONFIG_MTD=y > > > > > > > - CONFIG_FLASH_CFI_MTD=y > > > > > > > - CONFIG_CMD_MTDPARTS=y > > > > > > > - CONFIG_CMD_DFU=y > > > > > > > - CONFIG_DFU_MTD=y > > > > > > > - CONFIG_PCI_INIT_R=y > > > > > > > - CONFIG_EFI_CAPSULE_ON_DISK=y > > > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > > > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE=y > > > > > > > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > > > > > > + { > > > > > > > + signature { > > > > > > > + capsule-key = [ <binary of signature list> ]; > > > > > > > + } > > > > > > > > > > > > > > > > Can you add this feature to binman? A new entry type that takes the > > > > > > capsule key could do it. We need some way of handling this a bit > > > > > > better. > > > > > > > > > > As I said in the previous version, I don't know yet if binman > > > > > is the best place. > > > > > Can you give me a pointer where a similar feature is implemented > > > > > in binman, please? > > > > > > > > See tools/binman/etype/vblock.py > > > > > > I'll check it out. > > > > > > > > > > > > > > > > > > > > + ... > > > > > > > + } > > > > > > > > > > > > > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > > > > > > > + You can do this manually with:: > > > > > > > > > > > > > > - CONFIG_TFABOOT > > > > > > > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > > > > > > > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > > > > > > > > > > > > > -The capsule file can be generated by using the tools/mkeficapsule:: > > > > > > > + where signature.dts looks like:: > > > > > > > > > > > > > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > > > > > > > + &{/} { > > > > > > > + signature { > > > > > > > + capsule-key = /incbin/("CRT.esl"); > > > > > > > + }; > > > > > > > + }; > > > > > > > > > > > > Ick. I think your tool should just support adding the signature. > > > > > > > > > > # I may misunderstand your point. > > > > > > > > > > The whole purpose of this tool is to create a capsule file. > > > > > Adding the signature to that file is simply an optional behavior. > > > > > I don't see any reason that we should have those features in > > > > > separate tools. > > > > > > > > > > On the other hand, step.4 mentioned above is to add public keys (x509 > > > > > certificate list or signature list in UEFI terminology) to a device tree. > > > > > This is a separate step. > > > > > Clear? > > > > > > > > It just seems a pain to create a DT overlay to add the signature. > > > > > > Pain in what sense? > > > I have provided fdtsig.sh to avoid bothering users. > > > > > > > I hope Binman can help here if you don't want to put it in your tool. > > > > I can write something if it would help. > > > > > > I think it's up to you to add the feature to binman, > > > but also believe we should not and don't have to impose always > > > using binman for this purpose on everyone, thinking of > > > various situations that users may have. > > > > I am reading TLOTR at present so this came to mind... > > > > https://www.youtube.com/watch?v=wcASKPX1Ot8 > > OK, you don't rob me of my mkeficapsule, but help me :) :-) Yes I think binman can call that tool. - Simon > > -Takahiro Akashi > > > > What I would like is a simple way to build an image automatically, > > with as few steps as possible and have it work. For U-Boot we are > > trying to use binman internally, but binman can also be used for the > > 'final step'. > > > > See this talk. There is also a video somewhere. > > > > https://2019.osfc.io/talks/binman-a-data-controlled-firmware-packer-for-u-boot.html > > > > Let's try to collaborate on the firmware packaging. It is the wild > > west at present and the series you have here shows some of the > > challenges. > > > > Regards, > > Simon
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index f17138f5c765..864d61734bee 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. +To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit <FIT image> | --raw <raw image>] \ + <capsule_file_name> Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. - -If that option is disabled, you'll need to set the OsIndications variable with:: +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. - => efidebug capsule disk-update - -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature is computed and prepended to the capsule payload at the time of capsule generation. This signature is then verified by using the public key stored as part of the X509 certificate. This certificate is -in the form of an efi signature list (esl) file, which is embedded as -part of U-Boot. +in the form of an efi signature list (esl) file, which is embedded in +a device tree. The capsule authentication feature can be enabled through the following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> The public and private keys used for the signing process are generated -and used by the steps highlighted below:: +and used by the steps highlighted below. - 1. Install utility commands on your host - * OPENSSL +1. Install utility commands on your host + * openssl * efitools - 2. Create signing keys and certificate files on your host +2. Create signing keys and certificate files on your host:: $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - <capsule_file_name> --monotonic-count <val> --fw-version \ - <val> --lsv <val> --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index <val> --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - <u-boot.bin> - -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory - -Testing on QEMU -*************** +3. Run the following command to create and sign the capsule file:: -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit <FIT image> | --raw <raw image>] \ + <capsule_file_name> -The capsule update feature is enabled with the following configuration -settings:: +4. Insert the signature list into a device tree in the following format:: - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + { + signature { + capsule-key = [ <binary of signature list> ]; + } + ... + } -In addition, the following config needs to be disabled(QEMU ARM specific):: + You can do this manually with:: - CONFIG_TFABOOT + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo -The capsule file can be generated by using the tools/mkeficapsule:: + where signature.dts looks like:: - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> + &{/} { + signature { + capsule-key = /incbin/("CRT.esl"); + }; + }; Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
Now we can use mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instruction for capsule authentication. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> --- doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- 1 file changed, 67 insertions(+), 76 deletions(-) -- 2.33.0