[v6,00/11] efi: CapsuleUpdate: support for dynamic UUIDs

Message ID 20240808-b4-dynamic-uuid-v6-0-9332e7237119@linaro.org

Message

Caleb Connolly Aug. 8, 2024, 4:21 p.m. UTC
As more boards adopt support for the EFI CapsuleUpdate mechanism, there
is a growing issue of being able to target updates to them properly. The
current mechanism of hardcoding UUIDs for each board at compile time is
unsustainable, and maintaining lists of GUIDs is similarly cumbersome.

In this series, I propose that we adopt v5 GUIDs. These are generated by
using a well-known salt GUID as well as board-specific information (the
DT root compatible string); these are hashed together and the result is
truncated to form a new UUID.

The well-known salt GUID can be specific to the architecture (SoC
vendor), or OEM. It is defined in the board defconfig so that vendors
can easily bring their own.

Specifically, the following fields are used to generate a GUID for a
particular fw_image:

* namespace salt
* board compatible (usually the first entry in the dt root compatible
  array).
* fw_image name (the string identifying the specific image, especially
  relevant for boards that can update multiple images).

== Usage ==

Boards can enable dynamic UUID support by simply not setting the
efi_fw_image image_type_id property. Vendors may also wish to set a
custom namespace GUID (by setting CONFIG_EFI_CAPSULE_NAMESPACE_GUID).

== Limitations ==

* Changing GUIDs

The primary limitation with this approach is that if any of the source
fields change, so will the GUID for the board. It is therefore pretty
important to ensure that GUID changes are caught during development.

* Supporting multiple boards with a single image

This now requires having an entry with the GUID for every board which
might lead to larger UpdateCapsule images.

== Tooling ==

The mkeficapsule command is updated to add a new guidgen subcommand;
this can generate GUIDs that match those the board would generate at
runtime. It accepts an optional namespace GUID (if the default isn't
used), a path to the board DTB, and a list of firmware image names.

This series follows a related discussion started by Ilias:
https://lore.kernel.org/u-boot/CAC_iWjJNHa4gMF897MqYZNdbgjFG8K4kwGsTXWuy72WkYLizrw@mail.gmail.com/

CI run for this series: https://source.denx.de/u-boot/custodians/u-boot-snapdragon/-/pipelines/21419

---
Changes in v6:
- FWU -> Firmware Update in docs
- Make v5 GUIDs explicitly LE
- Link to v5: https://lore.kernel.org/r/20240719-b4-dynamic-uuid-v5-0-8a83de3fe3dc@linaro.org

Changes in v5:
- Clean up mkeficapsule genguid patch
- Add explicit tests validating the GUID type bits
- Link to v4: https://lore.kernel.org/r/20240702-b4-dynamic-uuid-v4-0-a00c82d1f504@linaro.org

Changes in v4:
- Make UUID v5 support always enabled rather than being optional.
- Fix endianness issues (thanks Vincent and Ilias)
- Merge genguid tool into mkeficapsule.
- And move mkeficapsule over to using U-Boot's UUID code rather
  than libuuid.
- Provide a default namespace UUID for all U-Boot boards.
- Link to v3: https://lore.kernel.org/r/20240531-b4-dynamic-uuid-v3-0-ca4a4865db00@linaro.org

Changes in v3:
- Add manpage for genguid
- Add dedicated CONFIG_TOOLS_GENGUID option
- Minor code fixes addressing v2 feedback
- Link to v2: https://lore.kernel.org/r/20240529-b4-dynamic-uuid-v2-0-c26f31057bbe@linaro.org

Changes in v2:
- Move namespace UUID to be defined in defconfig
- Add tests and tooling
- Only use the first board compatible to generate UUID.
- Link to v1: https://lore.kernel.org/r/20240426-b4-dynamic-uuid-v1-0-e8154e00ec44@linaro.org

---
Caleb Connolly (11):
      efi: define struct efi_guid
      lib: uuid: add UUID v5 support
      efi: add a helper to generate dynamic UUIDs
      doc: uefi: document dynamic UUID generation
      sandbox: switch to dynamic UUIDs
      lib: uuid: supporting building as part of host tools
      include: export uuid.h
      tools: mkeficapsule: use u-boot UUID library
      tools: mkeficapsule: support generating dynamic GUIDs
      test: lib/uuid: add unit tests for dynamic UUIDs
      test: lib/uuid: add tests for UUID version/variant bits

 arch/arm/mach-rockchip/board.c                     |   2 +-
 board/cobra5272/flash.c                            |   2 +-
 board/gardena/smart-gateway-mt7688/board.c         |   2 +-
 board/sandbox/sandbox.c                            |  16 --
 board/socrates/socrates.c                          |   2 +-
 board/xilinx/common/board.c                        |   2 +-
 cmd/efi.c                                          |   2 +-
 cmd/efi_common.c                                   |   2 +-
 cmd/flash.c                                        |   2 +-
 cmd/gpt.c                                          |   2 +-
 cmd/nvedit_efi.c                                   |   2 +-
 cmd/x86/hob.c                                      |   2 +-
 common/flash.c                                     |   2 +-
 disk/part_efi.c                                    |   2 +-
 doc/develop/uefi/uefi.rst                          |  27 +++
 doc/mkeficapsule.1                                 |  23 +++
 drivers/firmware/arm-ffa/arm-ffa-uclass.c          |   2 +-
 env/sf.c                                           |   2 +-
 fs/btrfs/btrfs.c                                   |   2 +-
 fs/btrfs/compat.h                                  |   2 +-
 fs/btrfs/disk-io.c                                 |   2 +-
 fs/ext4/ext4fs.c                                   |   2 +-
 include/efi.h                                      |   2 +-
 include/fwu.h                                      |   2 +-
 include/part.h                                     |   2 +-
 include/rkmtd.h                                    |   2 +-
 include/sandbox_efi_capsule.h                      |   6 +-
 include/{ => u-boot}/uuid.h                        |  21 ++-
 lib/Kconfig                                        |   1 +
 lib/acpi/acpi_dp.c                                 |   2 +-
 lib/acpi/acpigen.c                                 |   2 +-
 lib/efi/efi_app.c                                  |   2 +-
 lib/efi_loader/Kconfig                             |  12 ++
 lib/efi_loader/efi_capsule.c                       |   1 +
 lib/efi_loader/efi_device_path.c                   |   2 +-
 lib/efi_loader/efi_firmware.c                      |  55 +++++-
 lib/efi_loader/efi_variable.c                      |   2 +-
 lib/fwu_updates/fwu_mtd.c                          |   2 +-
 lib/uuid.c                                         | 102 +++++++---
 lib/vsprintf.c                                     |   2 +-
 net/bootp.c                                        |   2 +-
 test/dm/acpi_dp.c                                  |   2 +-
 test/dm/acpigen.c                                  |   2 +-
 test/lib/uuid.c                                    | 120 +++++++++++-
 .../test_efi_capsule/test_capsule_firmware_fit.py  |   2 +-
 .../test_efi_capsule/test_capsule_firmware_raw.py  |   8 +-
 .../test_capsule_firmware_signed_fit.py            |   2 +-
 .../test_capsule_firmware_signed_raw.py            |   4 +-
 test/py/tests/test_efi_capsule/version.dtso        |   6 +-
 tools/Makefile                                     |   8 +-
 tools/binman/etype/efi_capsule.py                  |   2 +-
 tools/binman/ftest.py                              |   2 +-
 tools/eficapsule.h                                 |   2 +-
 tools/mkeficapsule.c                               | 209 ++++++++++++++++-----
 54 files changed, 546 insertions(+), 149 deletions(-)
---
change-id: 20240422-b4-dynamic-uuid-1a5ab1486c27
base-commit: 07e73b0483a844e4581c8c94d01e73ca22c0ab50

// Caleb (they/them)
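
Added example, not part of the series or of U-Boot's code: the derivation described in the cover letter (namespace salt, board compatible and fw_image name hashed and truncated into a v5 UUID), plus a pinned-table check that catches the GUID change named under Limitations. The namespace, compatibles, image names and the UTF-8, separator-free encoding are assumptions, so the values need not match what the board or mkeficapsule produces.

```python
import hashlib
import uuid

# Constructed placeholders: not values from the series or any real board.
NAMESPACE = uuid.UUID("12345678-1234-5678-1234-567812345678")
RELEASED_INPUTS = {
    "board-a/firmware": ("vendor,board-a", "FIRMWARE"),
    "board-a/recovery": ("vendor,board-a", "RECOVERY"),
}


def derive_image_guid(namespace, compatible, image_name):
    """SHA-1 over salt || compatible || image name, truncated to a v5 UUID."""
    digest = hashlib.sha1(
        namespace.bytes                  # namespace salt, RFC 4122 byte order
        + compatible.encode("utf-8")     # assumption: no NUL, no separator
        + image_name.encode("utf-8")     # assumption: UTF-8 image name
    ).digest()
    raw = bytearray(digest[:16])         # truncate 160 bits to 128
    raw[6] = (raw[6] & 0x0F) | 0x50      # version nibble = 5
    raw[8] = (raw[8] & 0x3F) | 0x80      # RFC 4122 variant bits = 10
    return uuid.UUID(bytes=bytes(raw))


def pin_guids(namespace, inputs):
    """Record the GUID of every image; commit this table next to the board."""
    return {k: derive_image_guid(namespace, *v) for k, v in inputs.items()}


def find_guid_drift(namespace, inputs, pinned):
    """Return {image: (pinned, derived)} for each image whose GUID changed."""
    drift = {}
    for key, (compatible, image_name) in inputs.items():
        derived = derive_image_guid(namespace, compatible, image_name)
        if pinned.get(key) != derived:
            drift[key] = (pinned.get(key), derived)
    return drift


if __name__ == "__main__":
    pinned = pin_guids(NAMESPACE, RELEASED_INPUTS)
    # A DT cleanup that renames the root compatible silently retargets updates.
    edited = dict(RELEASED_INPUTS)
    edited["board-a/firmware"] = ("vendor,board-a-v2", "FIRMWARE")
    for key, (old, new) in find_guid_drift(NAMESPACE, edited, pinned).items():
        print(f"GUID changed for {key}: {old} -> {new}")
```

Run as a CI step, a non-empty drift table fails the build before a capsule is published against a GUID that deployed boards no longer compute.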

Comments

Caleb Connolly Aug. 8, 2024, 4:56 p.m. UTC | #1
Small CI issue, I'll fix it up and resend

https://source.denx.de/u-boot/custodians/u-boot-snapdragon/-/jobs/884570
