From patchwork Sun Jul  9 13:33:15 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sughosh Ganu <sughosh.ganu@linaro.org>
X-Patchwork-Id: 700801
Delivered-To: patch@linaro.org
Received: by 2002:adf:fcc5:0:0:0:0:0 with SMTP id f5csp4732313wrs;
 Sun, 9 Jul 2023 06:33:52 -0700 (PDT)
X-Google-Smtp-Source: APBJJlEobepLopH1Zv47jPJL0onMHb7EI6Bc1Qzn+C1GamERLmwOCF6RD1bME/lFjGIoOBQPWsqS
X-Received: by 2002:a5e:df4a:0:b0:783:40ef:c9f6 with SMTP id
 g10-20020a5edf4a000000b0078340efc9f6mr10270210ioq.19.1688909631864;
 Sun, 09 Jul 2023 06:33:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688909631; cv=none;
 d=google.com; s=arc-20160816;
 b=FEEte28+OS1Z91XiuNVbwNF8JAh/T9QQEco7DRgIysaxVM1XWBL1cdn9idHmKXO0LK
 8s3EeQ8Zfc8uQ6JwiC/S1Zbuf89hDgWy1rglp177WjPBFdWwnnBsoZfkbH0JNIyvHFDp
 bCQmlZxPfidTsfI88EZUUwz9v4NpCzX49Pcimf/LFzdxlLQP35JsPmQwO9sOpEyibk9n
 8oN4mtCb7mgywvlSwRaW9CowlJxdeIEX/BO7p0cpPzNH3iccP7k57N+6UXq8++FZwchW
 vyv0mViadL1Sw4iUBSeOrha2FkIuvjYZUcy/FQCirigNxQKxf7uGhNOv6SurN729HSmJ
 JI3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:content-transfer-encoding
 :mime-version:message-id:date:subject:cc:to:from;
 bh=LdH0pRsEx0lf1VJdQVVMAnC5KNkgJzcN9+nCTI+D3wo=;
 fh=Ax4qNw6J6LtF2i4dyjqzfbXv8o30YVd5o3TSwD4fPOM=;
 b=x421ANv8Y323Ap7khzm7T2GJ7cY1244/wOuDn9HdASaxBP8tGb38+u12ZZVDFJ75mu
 O1pDceZsvMN3BxjM3d2ajIG0FLv3ghd7ByGvLTosIl7JnEtXRwvwEZSPlIoZU75Lof/s
 DsbQN45BTeD8Y+IvivUZu8QDY3wZpYH2aKHpbORnEUpLlpz7/l8Hocr2GEx6DK5sEfLQ
 q2H8R5w5QGadfBW3WBlPtoxIaIqcVcUnSabzMj1ywd1Khpd6sWYeUNd1jrV75j/E64QU
 Y1KIYjnQbObrIBlIRoVy6dz1dG5g7WzUexvZLVZWURdELmRKR+n/a/cZWRllT2AftaAD
 ICwg==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates
 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender)
 smtp.mailfrom=u-boot-bounces@lists.denx.de;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <u-boot-bounces@lists.denx.de>
Received: from phobos.denx.de (phobos.denx.de.
 [2a01:238:438b:c500:173d:9f52:ddab:ee01])
 by mx.google.com with ESMTPS id
 f19-20020a6b6213000000b00786e0d47b9dsi2282187iog.138.2023.07.09.06.33.50
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sun, 09 Jul 2023 06:33:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender)
 client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01;
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates
 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender)
 smtp.mailfrom=u-boot-bounces@lists.denx.de;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
 by phobos.denx.de (Postfix) with ESMTP id E6EF58477A;
 Sun,  9 Jul 2023 15:33:48 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=fail (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Received: by phobos.denx.de (Postfix, from userid 109)
 id 3FA69846D9; Sun,  9 Jul 2023 15:33:47 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
 SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
 version=3.4.2
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by phobos.denx.de (Postfix) with ESMTP id D1D968063E
 for <u-boot@lists.denx.de>; Sun,  9 Jul 2023 15:33:44 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=fail (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=fail smtp.mailfrom=sughosh.ganu@linaro.org
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 139691FB;
 Sun,  9 Jul 2023 06:34:26 -0700 (PDT)
Received: from a076522.blr.arm.com (a076522.blr.arm.com [10.162.46.7])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id CDEBF3F762;
 Sun,  9 Jul 2023 06:33:41 -0700 (PDT)
From: Sughosh Ganu <sughosh.ganu@linaro.org>
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
 Ilias Apalodimas <ilias.apalodimas@linaro.org>,
 Simon Glass <sjg@chromium.org>,
 Takahiro Akashi <takahiro.akashi@linaro.org>,
 Malte Schmidt <malte.schmidt-oss@weidmueller.com>,
 Tom Rini <trini@konsulko.com>
Subject: [PATCH v3 00/11] Integrate EFI capsule tasks into u-boot's build flow
Date: Sun,  9 Jul 2023 19:03:15 +0530
Message-Id: <20230709133326.1015483-1-sughosh.ganu@linaro.org>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de
X-Virus-Status: Clean

This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List(ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. Support is being
added to generate capsules by specifying the capsule parameters in a
config file. Calling the mkeficapsule tool then results in generation
of the corresponding capsule files. The capsules can be generated as
part of u-boot build, and this is being achieved through binman, by
adding a capsule entry type. The capsules can be generated either by
specifying the capsule parameters in a config file, or through
specifying them as properties under the capsule entry node. If using
the config file, the path to the config file is to be specified
through a Kconfig symbol(CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build. The placement of all the files
needed for generation of capsules, along with the generated capsule
files is under the /tmp/capsules/ directory.

Currently, the capsule update feature is tested on the sandbox
and sandbox_flattree variants in CI. The capsule generation through
config file is enabled for the sandbox variant, with the
sandbox_flattree variant generating capsules through the command-line
parameters.

The document has been updated to reflect the above changes.

Changes since V2:
This version embeds the capsule auth related public key through the
u-boot.dtsi file. The capsule generation has been moved to binman. The
changes in the test setup have been split into multiple patches,
instead of a single monolithic patch.

* Add the public key ESL file through the u-boot.dtsi
* Add the dtsi files for sandbox and arm architectures
* Add a check in the Makefile that the ESL file path is not empty.
* Highlight the need to use the u-boot.dtsi file for embedding the
  public key ESL into the DTB.
* Add a Kconfig boolean symbol CONFIG_EFI_USE_CAPSULE_CFG_FILE which
  can be used to generate capsules through config file or parameters.
* New patch which generates capsules through binman replacing the
  earlier make target.
* New patch setting up the capsule files needed for CI run
* New patch for setting up the capsule files in the pytest setup
  before initiation of u-boot build.
* New patch for removing the capsule key and ESL generation logic from
  the capsule test config file.
* New patch to add the capsule generation config file for sandbox.
* New patch for generating the capsules and capsule input files
  through binman.


Sughosh Ganu (11):
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from
    config file
  doc: Add documentation to describe capsule config file format
  binman: capsule: Add support for generating capsules
  CI: capsule: Setup the files needed for capsule update testing
  test: py: Setup capsule files for testing
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Add a config file for generating capsules
  sandbox: capsule: Generate capsule related files through binman

 .azure-pipelines.yml                          |  22 ++
 .gitlab-ci.yml                                |  20 +
 arch/arm/dts/nuvoton-npcm845-evb.dts          |   2 +-
 arch/arm/dts/u-boot.dtsi                      |  17 +
 arch/sandbox/dts/u-boot.dtsi                  | 160 ++++++++
 configs/sandbox_defconfig                     |   3 +
 configs/sandbox_flattree_defconfig            |   1 +
 doc/develop/uefi/uefi.rst                     |  86 ++++-
 lib/efi_loader/Kconfig                        |  11 +
 lib/efi_loader/Makefile                       |   7 +
 test/py/conftest.py                           |  92 +++++
 test/py/tests/test_efi_capsule/conftest.py    |  92 +----
 .../test_efi_capsule/sandbox_capsule_cfg.txt  |  75 ++++
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 tools/Kconfig                                 |  16 +
 tools/Makefile                                |   1 +
 tools/binman/btool/mkeficapsule.py            |  91 +++++
 tools/binman/entries.rst                      |  27 ++
 tools/binman/etype/capsule.py                 | 102 ++++++
 tools/eficapsule.h                            | 110 ++++++
 tools/mkeficapsule.c                          |  84 +++--
 tools/mkeficapsule_parse.c                    | 345 ++++++++++++++++++
 23 files changed, 1232 insertions(+), 178 deletions(-)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/capsule.py
 create mode 100644 tools/mkeficapsule_parse.c