mbox series

[v3,00/14] qemu: arm64: Add support for uefi capsule update on qemu arm platform

Message ID 20201223070330.21361-1-sughosh.ganu@linaro.org
Headers show
Series qemu: arm64: Add support for uefi capsule update on qemu arm platform | expand

Message

Sughosh Ganu Dec. 23, 2020, 7:03 a.m. UTC
The capsule update feature is supported on a platform configuration
booting in a non-secure mode, i.e with -machine virt,secure=off option
set. This results in the platform booting u-boot directly without
the presence of trusted firmware(tf-a). Steps that need to be followed
for using this feature have been provided as part of the documentation.

Support has also been added for enabling the capsule authentication
feature. Capsule authentication, as defined by the uefi
specification is very much on similar lines to the logic used for
variable authentication. As a result, most of the signature
verification code already in use for variable authentication has been
used for capsule authentication.

Storage of the public key certificate, needed for the signature
verification process is in form of the efi signature list(esl)
structure.  This public key is stored on an overlay which is then
merged with the platform's base fdt at runtime. The public key esl
file can be embedded into the overlay dtb using the mkeficapsule
utility that has been added as part of the capsule update support
series by Takahiro Akashi. Steps needed for enabling capsule
authentication have been provided as part of the documentation.

This patch series needs to be applied on top of the capsule update
support patch series from Takahiro Akashi on the next branch.

Changes since V2:
* Enable building of board_late_init for both of the Qemu arm and
  arm64  variants
* Move the selection the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig
  file
* Move the functions to populate the mtdparts under
  board/emulation/common for allowing subsequent re-use by other Qemu
  arch based platforms
* Move the functions to populate the dfu_alt_info variable under
  board/emulation/common for allowing subsequent re-use by other Qemu
  arch based platforms
* Move the function for fetching the public key certficate from the
  platform's dtb under board/emulation/common directory.
* Move the function for checking the capsule_authentication_enabled
  env variable under board/emulation/common directory.
* Moved the capsule update related documentation for the Qemu
  platform to a new file under doc/board/emulation/ directory.
* Incorporated all typo review comments from Heinrich
* Put in a skeletal overlay dts file for reference, as was suggested
  by Heinrich


Changes since V1:
* Added support for embedding the public key cert in an overlay using
  the -O option
* The earlier patch was adding a call to pci_init in board_init. Moved
  the virtio_init call to board_late_init
* Change MTDPARTS_NOR[01] as config options instead of defining them in
  the qemu-arm.h config header.
* Enable CONFIG_SYS_MTDPARTS_RUNTIME with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
* Build set_dfu_alt_info and board_get_alt_info functions only if
  CONFIG_SET_DFU_ALT_INFO is defined
* Enable CONFIG_SET_DFU_ALT_INFO with
  CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
* Detect the presence of the FMP Payload header at runtime instead of
  using a Kconfig option, as was suggested by Heinrich
* Change the documentation to reflect the usage of overlays for
  embedding the public key certs at runtime
* Fix the build for 'make htmldocs'


Sughosh Ganu (14):
  mkeficapsule: Add support for embedding public key in a dtb
  qemu: arm: Initialise virtio devices in board_late_init
  crypto: Fix the logic to calculate hash with authattributes set
  qemu: common: Add support for dynamic mtdparts for the platform
  qemu: common: Set dfu_alt_info variable for the platform
  fsp: Move and rename fsp_types.h file
  efi_loader: Add logic to parse EDKII specific fmp payload header
  dfu_mtd: Add provision to unlock mtd device
  efi_loader: Make the pkcs7 header parsing function an extern
  efi_loader: Re-factor code to build the signature store from efi
    signature list
  efi: capsule: Add support for uefi capsule authentication
  efi_loader: Enable uefi capsule authentication
  efidebug: capsule: Add a command to update capsule on disk
  qemu: arm64: Add documentation for capsule update

 arch/arm/mach-qemu/Kconfig                    |   2 +
 arch/x86/include/asm/fsp/fsp_support.h        |   3 +-
 board/emulation/common/Kconfig                |  15 ++
 board/emulation/common/Makefile               |   5 +
 board/emulation/common/qemu_capsule.c         |  48 ++++
 board/emulation/common/qemu_dfu.c             |  68 +++++
 board/emulation/common/qemu_mtdparts.c        |  82 ++++++
 board/emulation/qemu-arm/Kconfig              |   4 +
 board/emulation/qemu-arm/qemu-arm.c           |   5 +
 cmd/efidebug.c                                |  14 ++
 doc/board/emulation/qemu_capsule_update.rst   | 210 ++++++++++++++++
 drivers/dfu/dfu_mtd.c                         |  20 +-
 include/efi_api.h                             |  18 ++
 include/efi_loader.h                          |  12 +
 .../fsp/fsp_types.h => include/signatures.h   |   6 +-
 lib/crypto/pkcs7_verify.c                     |  37 ++-
 lib/efi_loader/Kconfig                        |  19 ++
 lib/efi_loader/efi_capsule.c                  | 122 +++++++++
 lib/efi_loader/efi_firmware.c                 |  77 +++++-
 lib/efi_loader/efi_signature.c                | 192 +++++++++++----
 lib/efi_loader/efi_variable.c                 |  93 +------
 tools/Makefile                                |   1 +
 tools/mkeficapsule.c                          | 233 +++++++++++++++++-
 23 files changed, 1122 insertions(+), 164 deletions(-)
 create mode 100644 board/emulation/common/Kconfig
 create mode 100644 board/emulation/common/Makefile
 create mode 100644 board/emulation/common/qemu_capsule.c
 create mode 100644 board/emulation/common/qemu_dfu.c
 create mode 100644 board/emulation/common/qemu_mtdparts.c
 create mode 100644 doc/board/emulation/qemu_capsule_update.rst
 rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)

-- 
2.17.1

Comments

Heinrich Schuchardt Dec. 28, 2020, 2:39 p.m. UTC | #1
On 12/23/20 8:03 AM, Sughosh Ganu wrote:
> The capsule update feature is supported on a platform configuration

> booting in a non-secure mode, i.e with -machine virt,secure=off option

> set. This results in the platform booting u-boot directly without

> the presence of trusted firmware(tf-a). Steps that need to be followed

> for using this feature have been provided as part of the documentation.

>

> Support has also been added for enabling the capsule authentication

> feature. Capsule authentication, as defined by the uefi

> specification is very much on similar lines to the logic used for

> variable authentication. As a result, most of the signature

> verification code already in use for variable authentication has been

> used for capsule authentication.

>

> Storage of the public key certificate, needed for the signature

> verification process is in form of the efi signature list(esl)

> structure.  This public key is stored on an overlay which is then

> merged with the platform's base fdt at runtime. The public key esl

> file can be embedded into the overlay dtb using the mkeficapsule

> utility that has been added as part of the capsule update support

> series by Takahiro Akashi. Steps needed for enabling capsule

> authentication have been provided as part of the documentation.

>

> This patch series needs to be applied on top of the capsule update

> support patch series from Takahiro Akashi on the next branch.

>

> Changes since V2:

> * Enable building of board_late_init for both of the Qemu arm and

>    arm64  variants

> * Move the selection the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig

>    file

> * Move the functions to populate the mtdparts under

>    board/emulation/common for allowing subsequent re-use by other Qemu

>    arch based platforms

> * Move the functions to populate the dfu_alt_info variable under

>    board/emulation/common for allowing subsequent re-use by other Qemu

>    arch based platforms

> * Move the function for fetching the public key certficate from the

>    platform's dtb under board/emulation/common directory.

> * Move the function for checking the capsule_authentication_enabled

>    env variable under board/emulation/common directory.

> * Moved the capsule update related documentation for the Qemu

>    platform to a new file under doc/board/emulation/ directory.

> * Incorporated all typo review comments from Heinrich

> * Put in a skeletal overlay dts file for reference, as was suggested

>    by Heinrich


Hello Sughosh,

I have applied your changes to the next branch in tag

https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tags/capsule_update_2020-12-28

Unfortunately it does not build on the sandbox:

/usr/bin/ld: cmd/built-in.o: in function `mtdparts_init':
c/md/mtdparts.c:1739: undefined reference to `board_mtdparts_default'
/usr/bin/ld: drivers/built-in.o: in function `dfu_init_env_entities':
/drivers/dfu/dfu.c:143: undefined reference to `set_dfu_alt_info'
/usr/bin/ld: drivers/built-in.o: in function `mtd_search_alternate_name':
/drivers/mtd/mtd_uboot.c:30: undefined reference to `board_mtdparts_default'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1757: u-boot] Error 1

I assume this is due to selecting SYS_MTDPARTS_RUNTIME in
lib/efi_loader/Kconfig.

Best regards

Heinrich

>

>

> Changes since V1:

> * Added support for embedding the public key cert in an overlay using

>    the -O option

> * The earlier patch was adding a call to pci_init in board_init. Moved

>    the virtio_init call to board_late_init

> * Change MTDPARTS_NOR[01] as config options instead of defining them in

>    the qemu-arm.h config header.

> * Enable CONFIG_SYS_MTDPARTS_RUNTIME with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT

> * Build set_dfu_alt_info and board_get_alt_info functions only if

>    CONFIG_SET_DFU_ALT_INFO is defined

> * Enable CONFIG_SET_DFU_ALT_INFO with

>    CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT

> * Detect the presence of the FMP Payload header at runtime instead of

>    using a Kconfig option, as was suggested by Heinrich

> * Change the documentation to reflect the usage of overlays for

>    embedding the public key certs at runtime

> * Fix the build for 'make htmldocs'

>

>

> Sughosh Ganu (14):

>    mkeficapsule: Add support for embedding public key in a dtb

>    qemu: arm: Initialise virtio devices in board_late_init

>    crypto: Fix the logic to calculate hash with authattributes set

>    qemu: common: Add support for dynamic mtdparts for the platform

>    qemu: common: Set dfu_alt_info variable for the platform

>    fsp: Move and rename fsp_types.h file

>    efi_loader: Add logic to parse EDKII specific fmp payload header

>    dfu_mtd: Add provision to unlock mtd device

>    efi_loader: Make the pkcs7 header parsing function an extern

>    efi_loader: Re-factor code to build the signature store from efi

>      signature list

>    efi: capsule: Add support for uefi capsule authentication

>    efi_loader: Enable uefi capsule authentication

>    efidebug: capsule: Add a command to update capsule on disk

>    qemu: arm64: Add documentation for capsule update

>

>   arch/arm/mach-qemu/Kconfig                    |   2 +

>   arch/x86/include/asm/fsp/fsp_support.h        |   3 +-

>   board/emulation/common/Kconfig                |  15 ++

>   board/emulation/common/Makefile               |   5 +

>   board/emulation/common/qemu_capsule.c         |  48 ++++

>   board/emulation/common/qemu_dfu.c             |  68 +++++

>   board/emulation/common/qemu_mtdparts.c        |  82 ++++++

>   board/emulation/qemu-arm/Kconfig              |   4 +

>   board/emulation/qemu-arm/qemu-arm.c           |   5 +

>   cmd/efidebug.c                                |  14 ++

>   doc/board/emulation/qemu_capsule_update.rst   | 210 ++++++++++++++++

>   drivers/dfu/dfu_mtd.c                         |  20 +-

>   include/efi_api.h                             |  18 ++

>   include/efi_loader.h                          |  12 +

>   .../fsp/fsp_types.h => include/signatures.h   |   6 +-

>   lib/crypto/pkcs7_verify.c                     |  37 ++-

>   lib/efi_loader/Kconfig                        |  19 ++

>   lib/efi_loader/efi_capsule.c                  | 122 +++++++++

>   lib/efi_loader/efi_firmware.c                 |  77 +++++-

>   lib/efi_loader/efi_signature.c                | 192 +++++++++++----

>   lib/efi_loader/efi_variable.c                 |  93 +------

>   tools/Makefile                                |   1 +

>   tools/mkeficapsule.c                          | 233 +++++++++++++++++-

>   23 files changed, 1122 insertions(+), 164 deletions(-)

>   create mode 100644 board/emulation/common/Kconfig

>   create mode 100644 board/emulation/common/Makefile

>   create mode 100644 board/emulation/common/qemu_capsule.c

>   create mode 100644 board/emulation/common/qemu_dfu.c

>   create mode 100644 board/emulation/common/qemu_mtdparts.c

>   create mode 100644 doc/board/emulation/qemu_capsule_update.rst

>   rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)

>
Sughosh Ganu Dec. 29, 2020, 4:42 a.m. UTC | #2
hello Heinrich,

On Mon, 28 Dec 2020 at 20:09, Heinrich Schuchardt <xypron.glpk@gmx.de>
wrote:

> On 12/23/20 8:03 AM, Sughosh Ganu wrote:

> > The capsule update feature is supported on a platform configuration

> > booting in a non-secure mode, i.e with -machine virt,secure=off option

> > set. This results in the platform booting u-boot directly without

> > the presence of trusted firmware(tf-a). Steps that need to be followed

> > for using this feature have been provided as part of the documentation.

> >

> > Support has also been added for enabling the capsule authentication

> > feature. Capsule authentication, as defined by the uefi

> > specification is very much on similar lines to the logic used for

> > variable authentication. As a result, most of the signature

> > verification code already in use for variable authentication has been

> > used for capsule authentication.

> >

> > Storage of the public key certificate, needed for the signature

> > verification process is in form of the efi signature list(esl)

> > structure.  This public key is stored on an overlay which is then

> > merged with the platform's base fdt at runtime. The public key esl

> > file can be embedded into the overlay dtb using the mkeficapsule

> > utility that has been added as part of the capsule update support

> > series by Takahiro Akashi. Steps needed for enabling capsule

> > authentication have been provided as part of the documentation.

> >

> > This patch series needs to be applied on top of the capsule update

> > support patch series from Takahiro Akashi on the next branch.

> >

> > Changes since V2:

> > * Enable building of board_late_init for both of the Qemu arm and

> >    arm64  variants

> > * Move the selection the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig

> >    file

> > * Move the functions to populate the mtdparts under

> >    board/emulation/common for allowing subsequent re-use by other Qemu

> >    arch based platforms

> > * Move the functions to populate the dfu_alt_info variable under

> >    board/emulation/common for allowing subsequent re-use by other Qemu

> >    arch based platforms

> > * Move the function for fetching the public key certficate from the

> >    platform's dtb under board/emulation/common directory.

> > * Move the function for checking the capsule_authentication_enabled

> >    env variable under board/emulation/common directory.

> > * Moved the capsule update related documentation for the Qemu

> >    platform to a new file under doc/board/emulation/ directory.

> > * Incorporated all typo review comments from Heinrich

> > * Put in a skeletal overlay dts file for reference, as was suggested

> >    by Heinrich

>

> Hello Sughosh,

>

> I have applied your changes to the next branch in tag

>

>

> https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tags/capsule_update_2020-12-28

>

> Unfortunately it does not build on the sandbox:

>

> /usr/bin/ld: cmd/built-in.o: in function `mtdparts_init':

> c/md/mtdparts.c:1739: undefined reference to `board_mtdparts_default'

> /usr/bin/ld: drivers/built-in.o: in function `dfu_init_env_entities':

> /drivers/dfu/dfu.c:143: undefined reference to `set_dfu_alt_info'

> /usr/bin/ld: drivers/built-in.o: in function `mtd_search_alternate_name':

> /drivers/mtd/mtd_uboot.c:30: undefined reference to

> `board_mtdparts_default'

> collect2: error: ld returned 1 exit status

> make: *** [Makefile:1757: u-boot] Error 1

>

> I assume this is due to selecting SYS_MTDPARTS_RUNTIME in

> lib/efi_loader/Kconfig.

>


Will fix it. Thanks.

-sughosh


>

> Best regards

>

> Heinrich

>

> >

> >

> > Changes since V1:

> > * Added support for embedding the public key cert in an overlay using

> >    the -O option

> > * The earlier patch was adding a call to pci_init in board_init. Moved

> >    the virtio_init call to board_late_init

> > * Change MTDPARTS_NOR[01] as config options instead of defining them in

> >    the qemu-arm.h config header.

> > * Enable CONFIG_SYS_MTDPARTS_RUNTIME with

> CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT

> > * Build set_dfu_alt_info and board_get_alt_info functions only if

> >    CONFIG_SET_DFU_ALT_INFO is defined

> > * Enable CONFIG_SET_DFU_ALT_INFO with

> >    CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT

> > * Detect the presence of the FMP Payload header at runtime instead of

> >    using a Kconfig option, as was suggested by Heinrich

> > * Change the documentation to reflect the usage of overlays for

> >    embedding the public key certs at runtime

> > * Fix the build for 'make htmldocs'

> >

> >

> > Sughosh Ganu (14):

> >    mkeficapsule: Add support for embedding public key in a dtb

> >    qemu: arm: Initialise virtio devices in board_late_init

> >    crypto: Fix the logic to calculate hash with authattributes set

> >    qemu: common: Add support for dynamic mtdparts for the platform

> >    qemu: common: Set dfu_alt_info variable for the platform

> >    fsp: Move and rename fsp_types.h file

> >    efi_loader: Add logic to parse EDKII specific fmp payload header

> >    dfu_mtd: Add provision to unlock mtd device

> >    efi_loader: Make the pkcs7 header parsing function an extern

> >    efi_loader: Re-factor code to build the signature store from efi

> >      signature list

> >    efi: capsule: Add support for uefi capsule authentication

> >    efi_loader: Enable uefi capsule authentication

> >    efidebug: capsule: Add a command to update capsule on disk

> >    qemu: arm64: Add documentation for capsule update

> >

> >   arch/arm/mach-qemu/Kconfig                    |   2 +

> >   arch/x86/include/asm/fsp/fsp_support.h        |   3 +-

> >   board/emulation/common/Kconfig                |  15 ++

> >   board/emulation/common/Makefile               |   5 +

> >   board/emulation/common/qemu_capsule.c         |  48 ++++

> >   board/emulation/common/qemu_dfu.c             |  68 +++++

> >   board/emulation/common/qemu_mtdparts.c        |  82 ++++++

> >   board/emulation/qemu-arm/Kconfig              |   4 +

> >   board/emulation/qemu-arm/qemu-arm.c           |   5 +

> >   cmd/efidebug.c                                |  14 ++

> >   doc/board/emulation/qemu_capsule_update.rst   | 210 ++++++++++++++++

> >   drivers/dfu/dfu_mtd.c                         |  20 +-

> >   include/efi_api.h                             |  18 ++

> >   include/efi_loader.h                          |  12 +

> >   .../fsp/fsp_types.h => include/signatures.h   |   6 +-

> >   lib/crypto/pkcs7_verify.c                     |  37 ++-

> >   lib/efi_loader/Kconfig                        |  19 ++

> >   lib/efi_loader/efi_capsule.c                  | 122 +++++++++

> >   lib/efi_loader/efi_firmware.c                 |  77 +++++-

> >   lib/efi_loader/efi_signature.c                | 192 +++++++++++----

> >   lib/efi_loader/efi_variable.c                 |  93 +------

> >   tools/Makefile                                |   1 +

> >   tools/mkeficapsule.c                          | 233 +++++++++++++++++-

> >   23 files changed, 1122 insertions(+), 164 deletions(-)

> >   create mode 100644 board/emulation/common/Kconfig

> >   create mode 100644 board/emulation/common/Makefile

> >   create mode 100644 board/emulation/common/qemu_capsule.c

> >   create mode 100644 board/emulation/common/qemu_dfu.c

> >   create mode 100644 board/emulation/common/qemu_mtdparts.c

> >   create mode 100644 doc/board/emulation/qemu_capsule_update.rst

> >   rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h

> (95%)

> >

>

>