Message ID | 20230812055725.252424-9-sughosh.ganu@linaro.org |
---|---|
State | Superseded |
Headers | show |
Series | Enable EFI capsule generation through binman | expand |
On Fri, 11 Aug 2023 at 23:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > The EFI capsule files can now be generated as part of u-boot > build through binman. Add capsule entry nodes for the sandbox > architecture for generating the capsules. These capsules are then used > for testing the EFI capsule update functionality on the sandbox > platforms. > > Remove the corresponding logic in the test setup which was used for > generation of these capsule which is now superfluous. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > --- > Changes since V8: > * Build the capsules for all sandbox variants. > * Remove the type property by renaming the capsule nodes as > 'efi-capsule'. > > arch/sandbox/dts/sandbox.dts | 2 + > arch/sandbox/dts/sandbox_capsule.dtsi | 315 ++++++++++++++++++ > arch/sandbox/dts/test.dts | 2 + > include/sandbox_efi_capsule.h | 21 ++ > test/py/tests/test_efi_capsule/conftest.py | 155 +-------- > .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- > 6 files changed, 356 insertions(+), 175 deletions(-) > create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi > create mode 100644 include/sandbox_efi_capsule.h > delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its Reviewed-by: Simon Glass <sjg@chromium.org> One way to reduce the files is to put all the capsules in the same binman image. You could have 'size = <0x1000>' so they are all the same size. Then your test could check each one by iterating through the (single) file. Regards, Simon
hi Simon, On Sat, 12 Aug 2023 at 19:55, Simon Glass <sjg@chromium.org> wrote: > > On Fri, 11 Aug 2023 at 23:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > The EFI capsule files can now be generated as part of u-boot > > build through binman. Add capsule entry nodes for the sandbox > > architecture for generating the capsules. These capsules are then used > > for testing the EFI capsule update functionality on the sandbox > > platforms. > > > > Remove the corresponding logic in the test setup which was used for > > generation of these capsule which is now superfluous. > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > --- > > Changes since V8: > > * Build the capsules for all sandbox variants. > > * Remove the type property by renaming the capsule nodes as > > 'efi-capsule'. > > > > arch/sandbox/dts/sandbox.dts | 2 + > > arch/sandbox/dts/sandbox_capsule.dtsi | 315 ++++++++++++++++++ > > arch/sandbox/dts/test.dts | 2 + > > include/sandbox_efi_capsule.h | 21 ++ > > test/py/tests/test_efi_capsule/conftest.py | 155 +-------- > > .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- > > 6 files changed, 356 insertions(+), 175 deletions(-) > > create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi > > create mode 100644 include/sandbox_efi_capsule.h > > delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its > > Reviewed-by: Simon Glass <sjg@chromium.org> > > One way to reduce the files is to put all the capsules in the same > binman image. You could have 'size = <0x1000>' so they are all the > same size. > > Then your test could check each one by iterating through the (single) file. This won't work, as the UEFI specification defines a particular format of the capsule file. For multiple capsules, the individual capsule files need to be present under the /EFI/UpdateCapsule/ directory on the EFI System Partition. The spec does define a format in which a single capsule file can have multiple payloads(input binaries). This is planned to be supported once support has been added for generating capsules through the config file. -sughosh
Hi Sughosh, On Sat, 12 Aug 2023 at 09:40, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > hi Simon, > > On Sat, 12 Aug 2023 at 19:55, Simon Glass <sjg@chromium.org> wrote: > > > > On Fri, 11 Aug 2023 at 23:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > > > The EFI capsule files can now be generated as part of u-boot > > > build through binman. Add capsule entry nodes for the sandbox > > > architecture for generating the capsules. These capsules are then used > > > for testing the EFI capsule update functionality on the sandbox > > > platforms. > > > > > > Remove the corresponding logic in the test setup which was used for > > > generation of these capsule which is now superfluous. > > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > > --- > > > Changes since V8: > > > * Build the capsules for all sandbox variants. > > > * Remove the type property by renaming the capsule nodes as > > > 'efi-capsule'. > > > > > > arch/sandbox/dts/sandbox.dts | 2 + > > > arch/sandbox/dts/sandbox_capsule.dtsi | 315 ++++++++++++++++++ > > > arch/sandbox/dts/test.dts | 2 + > > > include/sandbox_efi_capsule.h | 21 ++ > > > test/py/tests/test_efi_capsule/conftest.py | 155 +-------- > > > .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- > > > 6 files changed, 356 insertions(+), 175 deletions(-) > > > create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi > > > create mode 100644 include/sandbox_efi_capsule.h > > > delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > One way to reduce the files is to put all the capsules in the same > > binman image. You could have 'size = <0x1000>' so they are all the > > same size. > > > > Then your test could check each one by iterating through the (single) file. > > This won't work, as the UEFI specification defines a particular format > of the capsule file. For multiple capsules, the individual capsule > files need to be present under the /EFI/UpdateCapsule/ directory on > the EFI System Partition. The spec does define a format in which a > single capsule file can have multiple payloads(input binaries). This > is planned to be supported once support has been added for generating > capsules through the config file. We continue to have challenges getting confused between testing and real world. For testing, we can do all sorts of things to make things simpler. We don't even need an EFI partition, etc. We can have a test which checks that U-Boot can decode an update and apply it, The current tests rely far too much on an end-to-end, black-box approach, as I might have mentioned. Regards, Simon
hi Simon, On Sat, 12 Aug 2023 at 22:33, Simon Glass <sjg@chromium.org> wrote: > > Hi Sughosh, > > On Sat, 12 Aug 2023 at 09:40, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > hi Simon, > > > > On Sat, 12 Aug 2023 at 19:55, Simon Glass <sjg@chromium.org> wrote: > > > > > > On Fri, 11 Aug 2023 at 23:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > > > > > The EFI capsule files can now be generated as part of u-boot > > > > build through binman. Add capsule entry nodes for the sandbox > > > > architecture for generating the capsules. These capsules are then used > > > > for testing the EFI capsule update functionality on the sandbox > > > > platforms. > > > > > > > > Remove the corresponding logic in the test setup which was used for > > > > generation of these capsule which is now superfluous. > > > > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > > > --- > > > > Changes since V8: > > > > * Build the capsules for all sandbox variants. > > > > * Remove the type property by renaming the capsule nodes as > > > > 'efi-capsule'. > > > > > > > > arch/sandbox/dts/sandbox.dts | 2 + > > > > arch/sandbox/dts/sandbox_capsule.dtsi | 315 ++++++++++++++++++ > > > > arch/sandbox/dts/test.dts | 2 + > > > > include/sandbox_efi_capsule.h | 21 ++ > > > > test/py/tests/test_efi_capsule/conftest.py | 155 +-------- > > > > .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- > > > > 6 files changed, 356 insertions(+), 175 deletions(-) > > > > create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi > > > > create mode 100644 include/sandbox_efi_capsule.h > > > > delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its > > > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > > > One way to reduce the files is to put all the capsules in the same > > > binman image. You could have 'size = <0x1000>' so they are all the > > > same size. > > > > > > Then your test could check each one by iterating through the (single) file. > > > > This won't work, as the UEFI specification defines a particular format > > of the capsule file. For multiple capsules, the individual capsule > > files need to be present under the /EFI/UpdateCapsule/ directory on > > the EFI System Partition. The spec does define a format in which a > > single capsule file can have multiple payloads(input binaries). This > > is planned to be supported once support has been added for generating > > capsules through the config file. > > We continue to have challenges getting confused between testing and real world. > > For testing, we can do all sorts of things to make things simpler. We > don't even need an EFI partition, etc. We can have a test which checks > that U-Boot can decode an update and apply it, The current tests rely > far too much on an end-to-end, black-box approach, as I might have > mentioned. Okay, but I am stating the constraints on using a single combined file based on the way the tests work today. So if we were to generate a single file consisting of all the individual capsule files, that would break the tests. That was my point. -sughosh
Hi Sughosh, On Mon, 14 Aug 2023 at 02:17, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > hi Simon, > > On Sat, 12 Aug 2023 at 22:33, Simon Glass <sjg@chromium.org> wrote: > > > > Hi Sughosh, > > > > On Sat, 12 Aug 2023 at 09:40, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > > > hi Simon, > > > > > > On Sat, 12 Aug 2023 at 19:55, Simon Glass <sjg@chromium.org> wrote: > > > > > > > > On Fri, 11 Aug 2023 at 23:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > > > > > > > The EFI capsule files can now be generated as part of u-boot > > > > > build through binman. Add capsule entry nodes for the sandbox > > > > > architecture for generating the capsules. These capsules are then used > > > > > for testing the EFI capsule update functionality on the sandbox > > > > > platforms. > > > > > > > > > > Remove the corresponding logic in the test setup which was used for > > > > > generation of these capsule which is now superfluous. > > > > > > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > > > > --- > > > > > Changes since V8: > > > > > * Build the capsules for all sandbox variants. > > > > > * Remove the type property by renaming the capsule nodes as > > > > > 'efi-capsule'. > > > > > > > > > > arch/sandbox/dts/sandbox.dts | 2 + > > > > > arch/sandbox/dts/sandbox_capsule.dtsi | 315 ++++++++++++++++++ > > > > > arch/sandbox/dts/test.dts | 2 + > > > > > include/sandbox_efi_capsule.h | 21 ++ > > > > > test/py/tests/test_efi_capsule/conftest.py | 155 +-------- > > > > > .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- > > > > > 6 files changed, 356 insertions(+), 175 deletions(-) > > > > > create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi > > > > > create mode 100644 include/sandbox_efi_capsule.h > > > > > delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its > > > > > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > > > > > One way to reduce the files is to put all the capsules in the same > > > > binman image. You could have 'size = <0x1000>' so they are all the > > > > same size. > > > > > > > > Then your test could check each one by iterating through the (single) file. > > > > > > This won't work, as the UEFI specification defines a particular format > > > of the capsule file. For multiple capsules, the individual capsule > > > files need to be present under the /EFI/UpdateCapsule/ directory on > > > the EFI System Partition. The spec does define a format in which a > > > single capsule file can have multiple payloads(input binaries). This > > > is planned to be supported once support has been added for generating > > > capsules through the config file. > > > > We continue to have challenges getting confused between testing and real world. > > > > For testing, we can do all sorts of things to make things simpler. We > > don't even need an EFI partition, etc. We can have a test which checks > > that U-Boot can decode an update and apply it, The current tests rely > > far too much on an end-to-end, black-box approach, as I might have > > mentioned. > > Okay, but I am stating the constraints on using a single combined file > based on the way the tests work today. So if we were to generate a > single file consisting of all the individual capsule files, that would > break the tests. That was my point. Sure...my point is that the tests could use a bit of rework to make them easier and faster to run. Regards, Simon
On Mon, Aug 14, 2023 at 04:51:13PM -0600, Simon Glass wrote: > Hi Sughosh, > > On Mon, 14 Aug 2023 at 02:17, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > hi Simon, > > > > On Sat, 12 Aug 2023 at 22:33, Simon Glass <sjg@chromium.org> wrote: > > > > > > Hi Sughosh, > > > > > > On Sat, 12 Aug 2023 at 09:40, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > > > > > hi Simon, > > > > > > > > On Sat, 12 Aug 2023 at 19:55, Simon Glass <sjg@chromium.org> wrote: > > > > > > > > > > On Fri, 11 Aug 2023 at 23:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote: > > > > > > > > > > > > The EFI capsule files can now be generated as part of u-boot > > > > > > build through binman. Add capsule entry nodes for the sandbox > > > > > > architecture for generating the capsules. These capsules are then used > > > > > > for testing the EFI capsule update functionality on the sandbox > > > > > > platforms. > > > > > > > > > > > > Remove the corresponding logic in the test setup which was used for > > > > > > generation of these capsule which is now superfluous. > > > > > > > > > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > > > > > --- > > > > > > Changes since V8: > > > > > > * Build the capsules for all sandbox variants. > > > > > > * Remove the type property by renaming the capsule nodes as > > > > > > 'efi-capsule'. > > > > > > > > > > > > arch/sandbox/dts/sandbox.dts | 2 + > > > > > > arch/sandbox/dts/sandbox_capsule.dtsi | 315 ++++++++++++++++++ > > > > > > arch/sandbox/dts/test.dts | 2 + > > > > > > include/sandbox_efi_capsule.h | 21 ++ > > > > > > test/py/tests/test_efi_capsule/conftest.py | 155 +-------- > > > > > > .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- > > > > > > 6 files changed, 356 insertions(+), 175 deletions(-) > > > > > > create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi > > > > > > create mode 100644 include/sandbox_efi_capsule.h > > > > > > delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its > > > > > > > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > > > > > > > > One way to reduce the files is to put all the capsules in the same > > > > > binman image. You could have 'size = <0x1000>' so they are all the > > > > > same size. > > > > > > > > > > Then your test could check each one by iterating through the (single) file. > > > > > > > > This won't work, as the UEFI specification defines a particular format > > > > of the capsule file. For multiple capsules, the individual capsule > > > > files need to be present under the /EFI/UpdateCapsule/ directory on > > > > the EFI System Partition. The spec does define a format in which a > > > > single capsule file can have multiple payloads(input binaries). This > > > > is planned to be supported once support has been added for generating > > > > capsules through the config file. > > > > > > We continue to have challenges getting confused between testing and real world. > > > > > > For testing, we can do all sorts of things to make things simpler. We > > > don't even need an EFI partition, etc. We can have a test which checks > > > that U-Boot can decode an update and apply it, The current tests rely > > > far too much on an end-to-end, black-box approach, as I might have > > > mentioned. > > > > Okay, but I am stating the constraints on using a single combined file > > based on the way the tests work today. So if we were to generate a > > single file consisting of all the individual capsule files, that would > > break the tests. That was my point. > > Sure...my point is that the tests could use a bit of rework to make > them easier and faster to run. We also need to test them how they're functionally used. At some level I'd be "fine" if we had "test individual parts of the framework" tests in sandbox and "test as they're used" tests in QEMU.
diff --git a/arch/sandbox/dts/sandbox.dts b/arch/sandbox/dts/sandbox.dts index 1039b029f4..3da96ae99d 100644 --- a/arch/sandbox/dts/sandbox.dts +++ b/arch/sandbox/dts/sandbox.dts @@ -107,3 +107,5 @@ #if IS_ENABLED(CONFIG_SUPPORT_VPL) #include "sandbox_vpl.dtsi" #endif + +#include "sandbox_capsule.dtsi" diff --git a/arch/sandbox/dts/sandbox_capsule.dtsi b/arch/sandbox/dts/sandbox_capsule.dtsi new file mode 100644 index 0000000000..bd48f18760 --- /dev/null +++ b/arch/sandbox/dts/sandbox_capsule.dtsi @@ -0,0 +1,315 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Devicetree file with binman nodes for generating capsules. + */ + +#include <sandbox_efi_capsule.h> + +&binman { + itb { + filename = UBOOT_FIT_IMAGE; + + fit { + description = "Automatic U-Boot environment update"; + #address-cells = <2>; + + images { + u-boot-bin { + description = "U-Boot binary on SPI Flash"; + compression = "none"; + type = "firmware"; + arch = "sandbox"; + load = <0>; + text { + text = "u-boot:New"; + }; + + hash-1 { + algo = "sha1"; + }; + }; + u-boot-env { + description = "U-Boot environment on SPI Flash"; + compression = "none"; + type = "firmware"; + arch = "sandbox"; + load = <0>; + text { + text = "u-boot-env:New"; + }; + + hash-1 { + algo = "sha1"; + }; + }; + }; + }; + }; + + capsule1 { + filename = "Test01"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_UBOOT_IMAGE_GUID; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule2 { + filename = "Test02"; + efi-capsule { + image-index = <0x2>; + image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID; + + text { + text = "u-boot-env:New"; + }; + }; + }; + + capsule3 { + filename = "Test03"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_INCORRECT_GUID; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule4 { + filename = "Test04"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_FIT_IMAGE_GUID; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; + + capsule5 { + filename = "Test05"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_INCORRECT_GUID; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; + + capsule6 { + filename = "Test101"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x5>; + image-guid = SANDBOX_UBOOT_IMAGE_GUID; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule7 { + filename = "Test102"; + efi-capsule { + image-index = <0x2>; + fw-version = <0xa>; + image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID; + + text { + text = "u-boot-env:New"; + }; + }; + }; + + capsule8 { + filename = "Test103"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x2>; + image-guid = SANDBOX_UBOOT_IMAGE_GUID; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule9 { + filename = "Test104"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x5>; + image-guid = SANDBOX_FIT_IMAGE_GUID; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; + + capsule10 { + filename = "Test105"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x2>; + image-guid = SANDBOX_FIT_IMAGE_GUID; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; + +#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE + capsule11 { + filename = "Test11"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_UBOOT_IMAGE_GUID; + private-key = CAPSULE_PRIV_KEY; + public-key-cert = CAPSULE_PUB_KEY; + monotonic-count = <0x1>; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule12 { + filename = "Test12"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_UBOOT_IMAGE_GUID; + private-key = CAPSULE_INVAL_KEY; + public-key-cert = CAPSULE_INVAL_PUB_KEY; + monotonic-count = <0x1>; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule13 { + filename = "Test13"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_FIT_IMAGE_GUID; + private-key = CAPSULE_PRIV_KEY; + public-key-cert = CAPSULE_PUB_KEY; + monotonic-count = <0x1>; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; + + capsule14 { + filename = "Test14"; + efi-capsule { + image-index = <0x1>; + image-guid = SANDBOX_FIT_IMAGE_GUID; + private-key = CAPSULE_INVAL_KEY; + public-key-cert = CAPSULE_INVAL_PUB_KEY; + monotonic-count = <0x1>; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; + + capsule15 { + filename = "Test111"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x5>; + image-guid = SANDBOX_UBOOT_IMAGE_GUID; + private-key = CAPSULE_PRIV_KEY; + public-key-cert = CAPSULE_PUB_KEY; + monotonic-count = <0x1>; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule16 { + filename = "Test112"; + efi-capsule { + image-index = <0x2>; + fw-version = <0xa>; + image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID; + private-key = CAPSULE_PRIV_KEY; + public-key-cert = CAPSULE_PUB_KEY; + monotonic-count = <0x1>; + + text { + text = "u-boot-env:New"; + }; + }; + }; + + capsule17 { + filename = "Test113"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x2>; + image-guid = SANDBOX_UBOOT_IMAGE_GUID; + private-key = CAPSULE_PRIV_KEY; + public-key-cert = CAPSULE_PUB_KEY; + monotonic-count = <0x1>; + + text { + text = "u-boot:New"; + }; + }; + }; + + capsule18 { + filename = "Test114"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x5>; + image-guid = SANDBOX_FIT_IMAGE_GUID; + private-key = CAPSULE_PRIV_KEY; + public-key-cert = CAPSULE_PUB_KEY; + monotonic-count = <0x1>; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; + + capsule19 { + filename = "Test115"; + efi-capsule { + image-index = <0x1>; + fw-version = <0x2>; + image-guid = SANDBOX_FIT_IMAGE_GUID; + private-key = CAPSULE_PRIV_KEY; + public-key-cert = CAPSULE_PUB_KEY; + monotonic-count = <0x1>; + + blob { + filename = UBOOT_FIT_IMAGE; + }; + }; + }; +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */ +}; diff --git a/arch/sandbox/dts/test.dts b/arch/sandbox/dts/test.dts index 9b731a29cf..54368047f0 100644 --- a/arch/sandbox/dts/test.dts +++ b/arch/sandbox/dts/test.dts @@ -1850,3 +1850,5 @@ #endif #include "cedit.dtsi" + +#include "sandbox_capsule.dtsi" diff --git a/include/sandbox_efi_capsule.h b/include/sandbox_efi_capsule.h new file mode 100644 index 0000000000..3e288e8a84 --- /dev/null +++ b/include/sandbox_efi_capsule.h @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2023, Linaro Limited + */ + +#if !defined(_SANDBOX_EFI_CAPSULE_H_) +#define _SANDBOX_EFI_CAPSULE_H_ + +#define SANDBOX_UBOOT_IMAGE_GUID "09d7cf52-0720-4710-91d1-08469b7fe9c8" +#define SANDBOX_UBOOT_ENV_IMAGE_GUID "5a7021f5-fef2-48b4-aaba-832e777418c0" +#define SANDBOX_FIT_IMAGE_GUID "3673b45d-6a7c-46f3-9e60-adabb03f7937" +#define SANDBOX_INCORRECT_GUID "058b7d83-50d5-4c47-a195-60d86ad341c4" + +#define UBOOT_FIT_IMAGE "u-boot_bin_env.itb" + +#define CAPSULE_PRIV_KEY "capsule_priv_key_good.key" +#define CAPSULE_PUB_KEY "capsule_pub_key_good.crt" +#define CAPSULE_INVAL_KEY "capsule_priv_key_bad.key" +#define CAPSULE_INVAL_PUB_KEY "capsule_pub_key_bad.crt" + +#endif /* _SANDBOX_EFI_CAPSULE_H_ */ diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 054be1ee97..7eead9bc64 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -34,15 +34,20 @@ def efi_capsule_data(request, u_boot_config): capsule_auth_enabled = u_boot_config.buildconfig.get( 'config_efi_capsule_authenticate') + key_dir = u_boot_config.source_dir + '/board/sandbox' if capsule_auth_enabled: - # Create private key (SIGNER.key) and certificate (SIGNER.crt) - check_call('cd %s; ' - 'openssl req -x509 -sha256 -newkey rsa:2048 ' - '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' - '-out SIGNER.crt -nodes -days 365' - % data_dir, shell=True) - check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' - % (data_dir, EFITOOLS_PATH), shell=True) + # Get the keys from the board directory + check_call('cp %s/capsule_priv_key_good.key %s/SIGNER.key' + % (key_dir, data_dir), shell=True) + check_call('cp %s/capsule_pub_key_good.crt %s/SIGNER.crt' + % (key_dir, data_dir), shell=True) + check_call('cp %s/capsule_pub_esl_good.esl %s/SIGNER.esl' + % (key_dir, data_dir), shell=True) + + check_call('cp %s/capsule_priv_key_bad.key %s/SIGNER2.key' + % (key_dir, data_dir), shell=True) + check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt' + % (key_dir, data_dir), shell=True) # Update dtb adding capsule certificate check_call('cd %s; ' @@ -54,14 +59,6 @@ def efi_capsule_data(request, u_boot_config): '-o test_sig.dtb signature.dtbo' % (data_dir, u_boot_config.build_dir), shell=True) - # Create *malicious* private key (SIGNER2.key) and certificate - # (SIGNER2.crt) - check_call('cd %s; ' - 'openssl req -x509 -sha256 -newkey rsa:2048 ' - '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key ' - '-out SIGNER2.crt -nodes -days 365' - % data_dir, shell=True) - # Update dtb to add the version information check_call('cd %s; ' 'cp %s/test/py/tests/test_efi_capsule/version.dts .' @@ -79,132 +76,12 @@ def efi_capsule_data(request, u_boot_config): '-o test_ver.dtb version.dtbo' % (data_dir, u_boot_config.build_dir), shell=True) - # Create capsule files + + check_call('cp %s/u-boot_bin_env.itb %s ' % (u_boot_config.build_dir, data_dir), shell=True) + check_call('cp %s/Test* %s ' % (u_boot_config.build_dir, data_dir), shell=True) # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, shell=True) - check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s/test/py/tests/test_efi_capsule/uboot_bin_env.its > %s/uboot_bin_env.its' % - (u_boot_config.source_dir, data_dir), - shell=True) - check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test01' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 2 --guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test02' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 u-boot.bin.new Test03' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test04' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 ' - '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 ' - '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 ' - '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 ' - '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' % - (data_dir, u_boot_config.build_dir), - shell=True) - check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 ' - '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' % - (data_dir, u_boot_config.build_dir), - shell=True) - - if capsule_auth_enabled: - # raw firmware signed with proper key - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--private-key SIGNER.key --certificate SIGNER.crt ' - '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 ' - 'u-boot.bin.new Test11' - % (data_dir, u_boot_config.build_dir), - shell=True) - # raw firmware signed with *mal* key - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--private-key SIGNER2.key ' - '--certificate SIGNER2.crt ' - '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 ' - 'u-boot.bin.new Test12' - % (data_dir, u_boot_config.build_dir), - shell=True) - # FIT firmware signed with proper key - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--private-key SIGNER.key --certificate SIGNER.crt ' - '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 ' - 'uboot_bin_env.itb Test13' - % (data_dir, u_boot_config.build_dir), - shell=True) - # FIT firmware signed with *mal* key - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--private-key SIGNER2.key ' - '--certificate SIGNER2.crt ' - '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 ' - 'uboot_bin_env.itb Test14' - % (data_dir, u_boot_config.build_dir), - shell=True) - # raw firmware signed with proper key with version information - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--fw-version 5 ' - '--private-key SIGNER.key --certificate SIGNER.crt ' - '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 ' - 'u-boot.bin.new Test111' - % (data_dir, u_boot_config.build_dir), - shell=True) - # raw firmware signed with proper key with version information - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 2 --monotonic-count 1 ' - '--fw-version 10 ' - '--private-key SIGNER.key --certificate SIGNER.crt ' - '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 ' - 'u-boot.env.new Test112' - % (data_dir, u_boot_config.build_dir), - shell=True) - # raw firmware signed with proper key with lower version information - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--fw-version 2 ' - '--private-key SIGNER.key --certificate SIGNER.crt ' - '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 ' - 'u-boot.bin.new Test113' - % (data_dir, u_boot_config.build_dir), - shell=True) - # FIT firmware signed with proper key with version information - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--fw-version 5 ' - '--private-key SIGNER.key --certificate SIGNER.crt ' - '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 ' - 'uboot_bin_env.itb Test114' - % (data_dir, u_boot_config.build_dir), - shell=True) - # FIT firmware signed with proper key with lower version information - check_call('cd %s; ' - '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' - '--fw-version 2 ' - '--private-key SIGNER.key --certificate SIGNER.crt ' - '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 ' - 'uboot_bin_env.itb Test115' - % (data_dir, u_boot_config.build_dir), - shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/uboot_bin_env.its b/test/py/tests/test_efi_capsule/uboot_bin_env.its deleted file mode 100644 index fc65907481..0000000000 --- a/test/py/tests/test_efi_capsule/uboot_bin_env.its +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Automatic software update for U-Boot - * Make sure the flashing addresses ('load' prop) is correct for your board! - */ - -/dts-v1/; - -/ { - description = "Automatic U-Boot environment update"; - #address-cells = <2>; - - images { - u-boot-bin { - description = "U-Boot binary on SPI Flash"; - data = /incbin/("BINFILE1"); - compression = "none"; - type = "firmware"; - arch = "sandbox"; - load = <0>; - hash-1 { - algo = "sha1"; - }; - }; - u-boot-env { - description = "U-Boot environment on SPI Flash"; - data = /incbin/("BINFILE2"); - compression = "none"; - type = "firmware"; - arch = "sandbox"; - load = <0>; - hash-1 { - algo = "sha1"; - }; - }; - }; -};
The EFI capsule files can now be generated as part of u-boot build through binman. Add capsule entry nodes for the sandbox architecture for generating the capsules. These capsules are then used for testing the EFI capsule update functionality on the sandbox platforms. Remove the corresponding logic in the test setup which was used for generation of these capsule which is now superfluous. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> --- Changes since V8: * Build the capsules for all sandbox variants. * Remove the type property by renaming the capsule nodes as 'efi-capsule'. arch/sandbox/dts/sandbox.dts | 2 + arch/sandbox/dts/sandbox_capsule.dtsi | 315 ++++++++++++++++++ arch/sandbox/dts/test.dts | 2 + include/sandbox_efi_capsule.h | 21 ++ test/py/tests/test_efi_capsule/conftest.py | 155 +-------- .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- 6 files changed, 356 insertions(+), 175 deletions(-) create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi create mode 100644 include/sandbox_efi_capsule.h delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its