From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini
Subject: [PATCH 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm64 platform
Date: Fri, 27 Nov 2020 00:10:56 +0530
Message-Id: <20201126184110.30521-1-sughosh.ganu@linaro.org>

The following series adds support for the uefi capsule update feature
on the qemu arm64 platform, along with adding support for the capsule
authentication feature.

The capsule update feature is supported on a platform configuration
booting in a non-secure mode, i.e. with -machine virt,secure=off option
set. This results in the platform booting u-boot directly without the
presence of trusted firmware (tf-a). Steps that need to be followed for
using this feature have been provided as part of the documentation.

Support has also been added for enabling the capsule authentication
feature. Capsule authentication, as defined by the uefi specification,
is very much on similar lines to the logic used for variable
authentication. As a result, most of the signature verification code
already in use for variable authentication has been used for capsule
authentication.

Storage of the public key certificate, needed for the signature
verification process, is in the form of the efi signature list (esl)
structure. This public key is stored on the platform's device tree
blob. The public key esl file can be embedded into the dtb using the
mkeficapsule utility that has been added as part of the capsule update
support series[1].
Steps needed for enabling capsule authentication have been provided as
part of the documentation.

This patch series needs to be applied on top of the capsule update
support patch series from Takahiro Akashi[1]

[1] - https://patchwork.ozlabs.org/project/uboot/cover/20201117002805.13902-1-takahiro.akashi@linaro.org/

Sughosh Ganu (14):
  qemu: arm: Use the generated DTB only when CONGIG_OF_BOARD is defined
  mkeficapsule: Add support for embedding public key in a dtb
  qemu: arm: Scan the pci bus in board_init
  crypto: Fix the logic to calculate hash with authattributes set
  qemu: arm64: Add support for dynamic mtdparts for the platform
  qemu: arm64: Set dfu_alt_info variable for the platform
  efi_loader: Add config option to indicate fmp header presence
  dfu_mtd: Add provision to unlock mtd device
  efi_loader: Make the pkcs7 header parsing function an extern
  efi_loader: Re-factor code to build the signature store from efi
    signature list
  efi: capsule: Add support for uefi capsule authentication
  efi_loader: Enable uefi capsule authentication
  efidebug: capsule: Add a command to update capsule on disk
  qemu: arm64: Add documentation for capsule update

 board/emulation/qemu-arm/qemu-arm.c | 170 ++++++++++++++++++++++++
 cmd/efidebug.c                      |  14 ++
 doc/board/emulation/qemu-arm.rst    | 157 ++++++++++++++++++++++
 drivers/dfu/dfu_mtd.c               |  20 ++-
 include/configs/qemu-arm.h          |   8 ++
 include/efi_api.h                   |  18 +++
 include/efi_loader.h                |  12 ++
 lib/crypto/pkcs7_verify.c           |  37 ++++--
 lib/efi_loader/Kconfig              |  24 ++++
 lib/efi_loader/efi_capsule.c        | 122 +++++++++++++++++
 lib/efi_loader/efi_firmware.c       |  49 ++++++-
 lib/efi_loader/efi_signature.c      | 192 ++++++++++++++++++++-------
 lib/efi_loader/efi_variable.c       |  93 +------------
 tools/Makefile                      |   1 +
 tools/mkeficapsule.c                | 198 ++++++++++++++++++++++++++--
 15 files changed, 954 insertions(+), 161 deletions(-)

-- 
2.17.1