Message ID | 20201223070330.21361-1-sughosh.ganu@linaro.org |
---|---|
Series | qemu: arm64: Add support for uefi capsule update on qemu arm platform |

On 12/23/20 8:03 AM, Sughosh Ganu wrote:
> The capsule update feature is supported on a platform configuration
> booting in a non-secure mode, i.e with -machine virt,secure=off option
> set. This results in the platform booting u-boot directly without
> the presence of trusted firmware(tf-a). Steps that need to be followed
> for using this feature have been provided as part of the documentation.
>
> Support has also been added for enabling the capsule authentication
> feature. Capsule authentication, as defined by the uefi
> specification is very much on similar lines to the logic used for
> variable authentication. As a result, most of the signature
> verification code already in use for variable authentication has been
> used for capsule authentication.
>
> Storage of the public key certificate, needed for the signature
> verification process is in form of the efi signature list(esl)
> structure. This public key is stored on an overlay which is then
> merged with the platform's base fdt at runtime. The public key esl
> file can be embedded into the overlay dtb using the mkeficapsule
> utility that has been added as part of the capsule update support
> series by Takahiro Akashi. Steps needed for enabling capsule
> authentication have been provided as part of the documentation.
>
> This patch series needs to be applied on top of the capsule update
> support patch series from Takahiro Akashi on the next branch.
>
> Changes since V2:
> * Enable building of board_late_init for both of the Qemu arm and
>   arm64 variants
> * Move the selection the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig
>   file
> * Move the functions to populate the mtdparts under
>   board/emulation/common for allowing subsequent re-use by other Qemu
>   arch based platforms
> * Move the functions to populate the dfu_alt_info variable under
>   board/emulation/common for allowing subsequent re-use by other Qemu
>   arch based platforms
> * Move the function for fetching the public key certificate from the
>   platform's dtb under board/emulation/common directory.
> * Move the function for checking the capsule_authentication_enabled
>   env variable under board/emulation/common directory.
> * Moved the capsule update related documentation for the Qemu
>   platform to a new file under doc/board/emulation/ directory.
> * Incorporated all typo review comments from Heinrich
> * Put in a skeletal overlay dts file for reference, as was suggested
>   by Heinrich

Hello Sughosh,

I have applied your changes to the next branch in tag

https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tags/capsule_update_2020-12-28

Unfortunately it does not build on the sandbox:

/usr/bin/ld: cmd/built-in.o: in function `mtdparts_init':
c/md/mtdparts.c:1739: undefined reference to `board_mtdparts_default'
/usr/bin/ld: drivers/built-in.o: in function `dfu_init_env_entities':
/drivers/dfu/dfu.c:143: undefined reference to `set_dfu_alt_info'
/usr/bin/ld: drivers/built-in.o: in function `mtd_search_alternate_name':
/drivers/mtd/mtd_uboot.c:30: undefined reference to `board_mtdparts_default'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1757: u-boot] Error 1

I assume this is due to selecting SYS_MTDPARTS_RUNTIME in
lib/efi_loader/Kconfig.

Best regards

Heinrich

>
>
> Changes since V1:
> * Added support for embedding the public key cert in an overlay using
>   the -O option
> * The earlier patch was adding a call to pci_init in board_init. Moved
>   the virtio_init call to board_late_init
> * Change MTDPARTS_NOR[01] as config options instead of defining them in
>   the qemu-arm.h config header.
> * Enable CONFIG_SYS_MTDPARTS_RUNTIME with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> * Build set_dfu_alt_info and board_get_alt_info functions only if
>   CONFIG_SET_DFU_ALT_INFO is defined
> * Enable CONFIG_SET_DFU_ALT_INFO with
>   CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> * Detect the presence of the FMP Payload header at runtime instead of
>   using a Kconfig option, as was suggested by Heinrich
> * Change the documentation to reflect the usage of overlays for
>   embedding the public key certs at runtime
> * Fix the build for 'make htmldocs'
>
>
> Sughosh Ganu (14):
>   mkeficapsule: Add support for embedding public key in a dtb
>   qemu: arm: Initialise virtio devices in board_late_init
>   crypto: Fix the logic to calculate hash with authattributes set
>   qemu: common: Add support for dynamic mtdparts for the platform
>   qemu: common: Set dfu_alt_info variable for the platform
>   fsp: Move and rename fsp_types.h file
>   efi_loader: Add logic to parse EDKII specific fmp payload header
>   dfu_mtd: Add provision to unlock mtd device
>   efi_loader: Make the pkcs7 header parsing function an extern
>   efi_loader: Re-factor code to build the signature store from efi
>     signature list
>   efi: capsule: Add support for uefi capsule authentication
>   efi_loader: Enable uefi capsule authentication
>   efidebug: capsule: Add a command to update capsule on disk
>   qemu: arm64: Add documentation for capsule update
>
>  arch/arm/mach-qemu/Kconfig | 2 +
>  arch/x86/include/asm/fsp/fsp_support.h | 3 +-
>  board/emulation/common/Kconfig | 15 ++
>  board/emulation/common/Makefile | 5 +
>  board/emulation/common/qemu_capsule.c | 48 ++++
>  board/emulation/common/qemu_dfu.c | 68 +++++
>  board/emulation/common/qemu_mtdparts.c | 82 ++++++
>  board/emulation/qemu-arm/Kconfig | 4 +
>  board/emulation/qemu-arm/qemu-arm.c | 5 +
>  cmd/efidebug.c | 14 ++
>  doc/board/emulation/qemu_capsule_update.rst | 210 ++++++++++++++++
>  drivers/dfu/dfu_mtd.c | 20 +-
>  include/efi_api.h | 18 ++
>  include/efi_loader.h | 12 +
>  .../fsp/fsp_types.h => include/signatures.h | 6 +-
>  lib/crypto/pkcs7_verify.c | 37 ++-
>  lib/efi_loader/Kconfig | 19 ++
>  lib/efi_loader/efi_capsule.c | 122 +++++++++
>  lib/efi_loader/efi_firmware.c | 77 +++++-
>  lib/efi_loader/efi_signature.c | 192 +++++++++++---
>  lib/efi_loader/efi_variable.c | 93 +------
>  tools/Makefile | 1 +
>  tools/mkeficapsule.c | 233 +++++++++++++++++-
>  23 files changed, 1122 insertions(+), 164 deletions(-)
>  create mode 100644 board/emulation/common/Kconfig
>  create mode 100644 board/emulation/common/Makefile
>  create mode 100644 board/emulation/common/qemu_capsule.c
>  create mode 100644 board/emulation/common/qemu_dfu.c
>  create mode 100644 board/emulation/common/qemu_mtdparts.c
>  create mode 100644 doc/board/emulation/qemu_capsule_update.rst
>  rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)
>

hello Heinrich,

On Mon, 28 Dec 2020 at 20:09, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:

> On 12/23/20 8:03 AM, Sughosh Ganu wrote:
> > The capsule update feature is supported on a platform configuration
> > booting in a non-secure mode, i.e with -machine virt,secure=off option
> > set. This results in the platform booting u-boot directly without
> > the presence of trusted firmware(tf-a). Steps that need to be followed
> > for using this feature have been provided as part of the documentation.
> >
> > Support has also been added for enabling the capsule authentication
> > feature. Capsule authentication, as defined by the uefi
> > specification is very much on similar lines to the logic used for
> > variable authentication. As a result, most of the signature
> > verification code already in use for variable authentication has been
> > used for capsule authentication.
> >
> > Storage of the public key certificate, needed for the signature
> > verification process is in form of the efi signature list(esl)
> > structure. This public key is stored on an overlay which is then
> > merged with the platform's base fdt at runtime. The public key esl
> > file can be embedded into the overlay dtb using the mkeficapsule
> > utility that has been added as part of the capsule update support
> > series by Takahiro Akashi. Steps needed for enabling capsule
> > authentication have been provided as part of the documentation.
> >
> > This patch series needs to be applied on top of the capsule update
> > support patch series from Takahiro Akashi on the next branch.
> >
> > Changes since V2:
> > * Enable building of board_late_init for both of the Qemu arm and
> >   arm64 variants
> > * Move the selection the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig
> >   file
> > * Move the functions to populate the mtdparts under
> >   board/emulation/common for allowing subsequent re-use by other Qemu
> >   arch based platforms
> > * Move the functions to populate the dfu_alt_info variable under
> >   board/emulation/common for allowing subsequent re-use by other Qemu
> >   arch based platforms
> > * Move the function for fetching the public key certificate from the
> >   platform's dtb under board/emulation/common directory.
> > * Move the function for checking the capsule_authentication_enabled
> >   env variable under board/emulation/common directory.
> > * Moved the capsule update related documentation for the Qemu
> >   platform to a new file under doc/board/emulation/ directory.
> > * Incorporated all typo review comments from Heinrich
> > * Put in a skeletal overlay dts file for reference, as was suggested
> >   by Heinrich
>
> Hello Sughosh,
>
> I have applied your changes to the next branch in tag
>
>
> https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tags/capsule_update_2020-12-28
>
> Unfortunately it does not build on the sandbox:
>
> /usr/bin/ld: cmd/built-in.o: in function `mtdparts_init':
> c/md/mtdparts.c:1739: undefined reference to `board_mtdparts_default'
> /usr/bin/ld: drivers/built-in.o: in function `dfu_init_env_entities':
> /drivers/dfu/dfu.c:143: undefined reference to `set_dfu_alt_info'
> /usr/bin/ld: drivers/built-in.o: in function `mtd_search_alternate_name':
> /drivers/mtd/mtd_uboot.c:30: undefined reference to
> `board_mtdparts_default'
> collect2: error: ld returned 1 exit status
> make: *** [Makefile:1757: u-boot] Error 1
>
> I assume this is due to selecting SYS_MTDPARTS_RUNTIME in
> lib/efi_loader/Kconfig.
>

Will fix it. Thanks.

-sughosh

>
> Best regards
>
> Heinrich
>
> >
> >
> > Changes since V1:
> > * Added support for embedding the public key cert in an overlay using
> >   the -O option
> > * The earlier patch was adding a call to pci_init in board_init. Moved
> >   the virtio_init call to board_late_init
> > * Change MTDPARTS_NOR[01] as config options instead of defining them in
> >   the qemu-arm.h config header.
> > * Enable CONFIG_SYS_MTDPARTS_RUNTIME with
> CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> > * Build set_dfu_alt_info and board_get_alt_info functions only if
> >   CONFIG_SET_DFU_ALT_INFO is defined
> > * Enable CONFIG_SET_DFU_ALT_INFO with
> >   CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> > * Detect the presence of the FMP Payload header at runtime instead of
> >   using a Kconfig option, as was suggested by Heinrich
> > * Change the documentation to reflect the usage of overlays for
> >   embedding the public key certs at runtime
> > * Fix the build for 'make htmldocs'
> >
> >
> > Sughosh Ganu (14):
> >   mkeficapsule: Add support for embedding public key in a dtb
> >   qemu: arm: Initialise virtio devices in board_late_init
> >   crypto: Fix the logic to calculate hash with authattributes set
> >   qemu: common: Add support for dynamic mtdparts for the platform
> >   qemu: common: Set dfu_alt_info variable for the platform
> >   fsp: Move and rename fsp_types.h file
> >   efi_loader: Add logic to parse EDKII specific fmp payload header
> >   dfu_mtd: Add provision to unlock mtd device
> >   efi_loader: Make the pkcs7 header parsing function an extern
> >   efi_loader: Re-factor code to build the signature store from efi
> >     signature list
> >   efi: capsule: Add support for uefi capsule authentication
> >   efi_loader: Enable uefi capsule authentication
> >   efidebug: capsule: Add a command to update capsule on disk
> >   qemu: arm64: Add documentation for capsule update
> >
> >  arch/arm/mach-qemu/Kconfig | 2 +
> >  arch/x86/include/asm/fsp/fsp_support.h | 3 +-
> >  board/emulation/common/Kconfig | 15 ++
> >  board/emulation/common/Makefile | 5 +
> >  board/emulation/common/qemu_capsule.c | 48 ++++
> >  board/emulation/common/qemu_dfu.c | 68 +++++
> >  board/emulation/common/qemu_mtdparts.c | 82 ++++++
> >  board/emulation/qemu-arm/Kconfig | 4 +
> >  board/emulation/qemu-arm/qemu-arm.c | 5 +
> >  cmd/efidebug.c | 14 ++
> >  doc/board/emulation/qemu_capsule_update.rst | 210 ++++++++++++++++
> >  drivers/dfu/dfu_mtd.c | 20 +-
> >  include/efi_api.h | 18 ++
> >  include/efi_loader.h | 12 +
> >  .../fsp/fsp_types.h => include/signatures.h | 6 +-
> >  lib/crypto/pkcs7_verify.c | 37 ++-
> >  lib/efi_loader/Kconfig | 19 ++
> >  lib/efi_loader/efi_capsule.c | 122 +++++++++
> >  lib/efi_loader/efi_firmware.c | 77 +++++-
> >  lib/efi_loader/efi_signature.c | 192 +++++++++++---
> >  lib/efi_loader/efi_variable.c | 93 +------
> >  tools/Makefile | 1 +
> >  tools/mkeficapsule.c | 233 +++++++++++++++++-
> >  23 files changed, 1122 insertions(+), 164 deletions(-)
> >  create mode 100644 board/emulation/common/Kconfig
> >  create mode 100644 board/emulation/common/Makefile
> >  create mode 100644 board/emulation/common/qemu_capsule.c
> >  create mode 100644 board/emulation/common/qemu_dfu.c
> >  create mode 100644 board/emulation/common/qemu_mtdparts.c
> >  create mode 100644 doc/board/emulation/qemu_capsule_update.rst
> >  rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h
> (95%)
> >
> >
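
The cover letter quoted in this thread stores the capsule verification key as an EFI signature list (esl) embedded in a dtb overlay. As an added example (not code from the series or from U-Boot), here is a bounds-checked walk over such a blob using the EFI_SIGNATURE_LIST layout from the UEFI specification; `esl_count_x509` and `sample_esl` are hypothetical names and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESL_HDR_SIZE 28u /* SignatureType GUID + three UINT32 size fields */
#define GUID_SIZE    16u
/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, in-memory byte order */
static const uint8_t cert_x509_guid[GUID_SIZE] = {
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
/* Constructed sample: one list, one entry, 4 placeholder bytes instead of a cert. */
const uint8_t sample_esl[48] = {
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72,
	48, 0, 0, 0,  0, 0, 0, 0,  20, 0, 0, 0, /* list, header, entry sizes */
	[44] = 1, 2, 3, 4 };                    /* owner GUID left as zeros */

static uint32_t rd32(const uint8_t *p) /* little-endian, alignment-safe */
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Count X.509 entries in a buffer of concatenated lists; -1 if malformed. */
int esl_count_x509(const uint8_t *buf, size_t len)
{
	int count = 0;

	while (len > 0) {
		if (len < ESL_HDR_SIZE)
			return -1;       /* truncated list header */
		uint32_t list_size = rd32(buf + 16), hdr_size = rd32(buf + 20);
		uint32_t sig_size = rd32(buf + 24);
		if (list_size < ESL_HDR_SIZE || list_size > len ||
		    hdr_size > list_size - ESL_HDR_SIZE || sig_size <= GUID_SIZE)
			return -1;       /* sizes overrun the blob or leave no data */
		uint32_t body = list_size - ESL_HDR_SIZE - hdr_size;
		if (body % sig_size)
			return -1;       /* partial trailing entry */
		if (!memcmp(buf, cert_x509_guid, GUID_SIZE))
			count += (int)(body / sig_size);
		buf += list_size;
		len -= list_size;
	}
	return count;
}

int main(void)
{
	printf("%d\n", esl_count_x509(sample_esl, sizeof(sample_esl)));
	return 0;
}
```

A verifier that reads its trust anchor from a device tree property should reject the blob on any -1 here before handing entries to the PKCS#7 code.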