From patchwork Tue Feb 1 01:27:31 2022
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 538929
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v10 0/9] efi_loader: capsule: improve capsule authentication support
Date: Tue, 1 Feb 2022 10:27:31 +0900
Message-Id: <20220201012740.63070-1-takahiro.akashi@linaro.org>

# In this version, the crypto library was changed from openssl to
# gnutls to avoid the license issue. So the dockerfile for sandbox
# CI should be updated for necessary packages as well.

As I proposed and discussed in [1] and [2], I have made a couple of
improvements on the current implementation of capsule update in this
patch set.

* add signing feature to mkeficapsule
* add "--guid" option to mkeficapsule
* add man page of mkeficapsule
* update uefi document regarding capsule update
* revise pytests

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html

Prerequisite patches
====================
None

Test
====
* locally passed the pytest which is included in this patch series
  on sandbox built.
  (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
  in order to exercise the authentication code.)

Changes
=======
v10 (Feb 1, 2022)
* rebased on v2022.04-rc1
* drop already-merged patches
* change crypto library from openssl to gnutls (patch#2)

v9 (Jan 18, 2022)
* rebased on v2022.01
* print the output messages to stderr (patch#1,#2, #4 and #6)
* use SIZE_MAX instead of (u32)!0U (patch#2)
* revise and re-format the man page of mkeficapsule (patch#5)
* add "code-block:: console" directives for command line examples
  in a ReST document (patch#6)
* describe the case when a trailing '/' in EFITOOLS_PATH is needed
  (patch#7)
* describe UUID data as a binary rather than a string (patch#8)
* drop fdtsig.sh-related patches (patch#12,#13 in v8)

v8 (Dec 20, 2021)
* rebase on v2022.01-rc3
* move the definition of CONFIG_TOOLS_MKEFICAPSULE to a proper patch
  (patch#2)

v7 (Nov 16, 2021)
* rebased on pre-v2022.01-rc2
* drop already-merged patch
* check for a size of firmware binary file (patch#1)
* enable mkeficapsule in tools-only_defconfig (patch#2)
* define eficapsule.h and include it from mkeficapsule (patch#3)
  Hopefully, the tool can now compile on non-linux host.

v6 (Nov 02, 2021)
* rebased on pre-v2022.01-rc1
* add patch#2 to rework/refactor the code for better readability
  (patch#2)
* use exit(EXIT_SUCCESS/FAILURE) (patch#3)
* truncate >80chars lines in pytest scripts (patch#6)

v5 (Oct 27, 2021)
* rebased on pre-v2022.01-rc1 (WIP/26Oct2021)
* drop already-merged patches
* drop __weak from efi_get_public_key_data() (patch#1)
* describe the format of public key node in device tree (patch#4)
* re-order patches by grouping closely-related patches (patch#6-8)
* modify pytest to make the test results correctly verified either
  with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9)
* add RFCs for embedding public keys during the build process
  (patch#10,11)

v4 (Oct 7, 2021)
* rebased on v2021.10
* align with "Revert "efi_capsule: Move signature from DTB to .rodata""
* add more missing *revert* commits (patch#1,#2,#3)
* add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
* update/revise the man/uefi doc (patch#6,#7)
* fix a bug in parsing guid string (patch#8)
* add a test for "--guid" option (patch#10)
* use dtb-based authentication test as done in v1 (patch#11)

v3 (Aug 31, 2021)
* rebased on v2021.10-rc3
* remove pytest-related patches
* add function descriptions in mkeficapsule.c
* correct format specifiers in printf()
* let main() return 0 or -1 only
* update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule

v2 (July 28, 2021)
* rebased on v2021.10-rc*
* removed dependency on target's configuration
* removed fdtsig.sh and others
* add man page
* update the UEFI document
* add dedicated defconfig for testing on sandbox
* add gitlab CI support
* add "--guid" option to mkeficapsule
  (yet rather RFC)

Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (9):
  tools: build mkeficapsule with tools-only_defconfig
  tools: mkeficapsule: add firmware image signing
  tools: mkeficapsule: add man page
  doc: update UEFI document for usage of mkeficapsule
  test/py: efi_capsule: add image authentication test
  tools: mkeficapsule: allow for specifying GUID explicitly
  test/py: efi_capsule: align with the syntax change of mkeficapsule
  test/py: efi_capsule: add a test for "--guid" option
  test/py: efi_capsule: check the results in case of
    CAPSULE_AUTHENTICATE

 MAINTAINERS                                   |   1 +
 configs/tools-only_defconfig                  |   1 +
 doc/develop/uefi/uefi.rst                     | 147 +++---
 doc/mkeficapsule.1                            | 111 +++++
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  59 ++-
 test/py/tests/test_efi_capsule/signature.dts  |  10 +
 .../test_efi_capsule/test_capsule_firmware.py |  91 +++-
 .../test_capsule_firmware_signed.py           | 254 ++++++++++
 tools/Kconfig                                 |   8 +
 tools/Makefile                                |   4 +-
 tools/eficapsule.h                            | 115 +++++
 tools/mkeficapsule.c                          | 459 +++++++++++++++---
 13 files changed, 1128 insertions(+), 137 deletions(-)
 create mode 100644 doc/mkeficapsule.1
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
 create mode 100644 tools/eficapsule.h