From patchwork Thu Oct 7 06:23:29 2021
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 00/11] efi_loader: capsule: improve capsule authentication support
Date: Thu, 7 Oct 2021 15:23:29 +0900
Message-Id: <20211007062340.72207-1-takahiro.akashi@linaro.org>

As I proposed and discussed in [1] and [2], I have made a couple of
improvements to the current implementation of capsule update in this
patch set.

* add signing feature to mkeficapsule
* add "--guid" option to mkeficapsule
* add man page of mkeficapsule

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html

Prerequisite patches
====================
None

Test
====
* locally passed the pytest which is included in this patch series on
  a sandbox build.
  (CONFIG_EFI_CAPSULE_AUTHENTICATE is required for the authentication test.)
Changes
=======
v4 (Oct 7, 2021)
* rebased on v2021.10
* align with "Revert "efi_capsule: Move signature from DTB to .rodata""
* add more missing *revert* commits (patch#1,#2,#3)
* add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
* update/revise the man/uefi doc (patch#6,#7)
* fix a bug in parsing guid string (patch#8)
* add a test for "--guid" option (patch#10)
* use dtb-based authentication test as done in v1 (patch#11)

v3 (Aug 31, 2021)
* rebased on v2021.10-rc3
* remove pytest-related patches
* add function descriptions in mkeficapsule.c
* correct format specifiers in printf()
* let main() return 0 or -1 only
* update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule

v2 (July 28, 2021)
* rebased on v2021.10-rc*
* removed dependency on target's configuration
* removed fdtsig.sh and others
* add man page
* update the UEFI document
* add dedicated defconfig for testing on sandbox
* add gitlab CI support
* add "--guid" option to mkeficapsule (yet rather RFC)

Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (11):
  Revert "Revert "mkeficapsule: Remove dtb related options""
  Revert "Revert "doc: Update CapsuleUpdate READMEs""
  efi_loader: capsule: add back efi_get_public_key_data()
  tools: add fdtsig.sh
  tools: mkeficapsule: add firmware image signing
  tools: mkeficapsule: add man page
  doc: update UEFI document for usage of mkeficapsule
  tools: mkeficapsule: allow for specifying GUID explicitly
  test/py: efi_capsule: align with the syntax change of mkeficapsule
  test/py: efi_capsule: add a test for "--guid" option
  test/py: efi_capsule: add image authentication test

 MAINTAINERS                                      |   2 +
 doc/develop/uefi/uefi.rst                        |  94 +++
 doc/mkeficapsule.1                               | 107 +++
 lib/efi_loader/efi_capsule.c                     |  36 +
 .../py/tests/test_efi_capsule/capsule_defs.py    |   5 +
 test/py/tests/test_efi_capsule/conftest.py       |  42 +-
 test/py/tests/test_efi_capsule/signature.dts     |  10 +
 .../test_efi_capsule/test_capsule_firmware.py    |  67 ++
 .../test_capsule_firmware_signed.py              | 233 +++++++
 tools/Kconfig                                    |   7 +
 tools/Makefile                                   |   8 +-
 tools/fdtsig.sh                                  |  40 ++
 tools/mkeficapsule.c                             | 638 ++++++++++++------
 13 files changed, 1062 insertions(+), 227 deletions(-)
 create mode 100644 doc/mkeficapsule.1
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
 create mode 100755 tools/fdtsig.sh

-- 
2.33.0