mbox series

[v2,0/8] Integrate EFI capsule tasks into u-boot's build flow

Message ID 20230624134118.944567-1-sughosh.ganu@linaro.org
Headers show
Series Integrate EFI capsule tasks into u-boot's build flow | expand

Message

Sughosh Ganu June 24, 2023, 1:41 p.m. UTC 
This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List(ESL) file and is
used for capsule authentication. This is being achieved through
binman, with an entry type added for raw images, and properties added
to the binman fit entry type to enable embedding the ESL into all the
DTB's that get packaged into the FIT. The path to the ESL file is
being provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build flow.

The other task is to add a make target for generating capsules. This
is being achieved by adding support for parsing a config file to get
the capsule generation parameters. Multiple payloads can be specified,
resulting in generation of multiple capsules with a single invocation
of the command. The path to the config file is to be specified through
a Kconfig symbol(CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have been made to the efi capsule test setup, whereby, with
the above config symbol having been populated, the capsule files are
generated through the make capsule command. The requisite config file
has been placed under the test/py/tests/test_efi_capsule/ directory,
which results in generation of the same set of capsule files.

Currently, the capsule authentication feature is tested on the sandbox
and sandbox_flattree variants. The capsule generation through config
file is enabled for the sandbox variant, with the sandbox_flattree
variant generating capsules through the command-line parameters.

The document has been updated to reflect the above changes.


Changes since V1:

At a broad level, this version takes a stab at using binman for
embedding the ESL file into the DTB's. This is being done for both raw
images and FIT images. I had mentioned the issue of dependency when
using binman for generating capsules[1], which is why I have stuck
with using the make target for generating capsules.

[1] - https://lists.denx.de/pipermail/u-boot/2023-June/520814.html


* New patch
* Use fdt_add_pubkey tool for adding the ESL into the dtb instead of
  using the shell script used in the earlier version.
* Achieve the embedding of the ESL into the DTB through binman
* Add an entry type fdt-esl-embed for embedding the ESL for raw
  images.
* Add logic in binman's fit entry type for embedding the ESL into all
  the DTB's which are part of the FIT image.
* Add corresponding documentation entries in binman for the above
  changes.
* Add the logic to generate the keys in the yml files which get used
  in the CI setup.
* Add a fdt-esl-embed node in sandbox's binman node with capsule
  authentication enabled.
* Add a cfg-file parameter to pass the config file to the mkeficapsule
  tool. This results in generation of the same tool image irrespective
  of using command-line parameters or config file.
* Call the mkeficapsule utility with the cfg-file parameter when
  building capsules via the config file.


Sughosh Ganu (8):
  fdt_add_pubkey: Add support for adding ESL public key under signature
    node
  capsule: authenticate: Embed capsule public key in platform's dtb
  test: py: Change capsule authenticate test flow
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from
    config file
  Makefile: Add a target for building capsules
  test: efi_capsule: Test capsule generation from config file
  doc: Add documentation to describe capsule config file format

 .azure-pipelines.yml                          |  17 +
 .gitlab-ci.yml                                |  15 +
 Makefile                                      |   9 +
 arch/sandbox/dts/sandbox.dts                  |   4 +
 arch/sandbox/dts/sandbox_capsule.dtsi         |  12 +
 arch/sandbox/dts/test.dts                     |   4 +
 configs/sandbox_defconfig                     |   2 +
 configs/sandbox_flattree_defconfig            |   1 +
 doc/develop/uefi/uefi.rst                     |  83 ++++-
 lib/efi_loader/Kconfig                        |  11 +
 test/py/conftest.py                           |  64 ++++
 test/py/tests/test_efi_capsule/conftest.py    | 142 ++++---
 .../test_efi_capsule/sandbox_capsule_cfg.txt  |  75 ++++
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 tools/Kconfig                                 |   9 +
 tools/Makefile                                |   3 +-
 tools/binman/btool/fdt_add_pubkey.py          |  73 ++++
 tools/binman/entries.rst                      |  49 +++
 tools/binman/etype/fdt_esl_embed.py           |  80 ++++
 tools/binman/etype/fit.py                     |  31 ++
 tools/eficapsule.h                            | 110 ++++++
 tools/fdt_add_pubkey.c                        |  16 +-
 tools/fdt_add_pubkey_esl.c                    |  98 +++++
 tools/mkeficapsule.c                          |  84 +++--
 tools/mkeficapsule_parse.c                    | 345 ++++++++++++++++++
 25 files changed, 1216 insertions(+), 131 deletions(-)
 create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 tools/binman/btool/fdt_add_pubkey.py
 create mode 100644 tools/binman/etype/fdt_esl_embed.py
 create mode 100644 tools/fdt_add_pubkey_esl.c
 create mode 100644 tools/mkeficapsule_parse.c