From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Malte Schmidt, Michal Simek, Tom Rini
Subject: [PATCH v5 00/12] Integrate EFI capsule tasks into u-boot's build flow
Date: Tue, 25 Jul 2023 14:27:13 +0530
Message-Id: <20230725085725.350917-1-sughosh.ganu@linaro.org>

This patchset aims to bring two capsule related tasks under the u-boot build flow.

One is the embedding of the public key into the platform's dtb. The public key is in the form of an EFI Signature List (ESL) file and is used for capsule authentication. This is being achieved by adding the signature node containing the capsule public key in the architecture's u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for the sandbox and arm architectures. The path to the ESL file is being provided through a Kconfig symbol (CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for signing the capsule, and the ESL file, are generated prior to invoking the u-boot's build, which enables embedding the ESL file into the dtb as part of the u-boot build.

The other task is related to generation of capsules. Support is being added to generate capsules by specifying the capsule parameters in a config file. Calling the mkeficapsule tool then results in generation of the corresponding capsule files.
The capsules can be generated as part of u-boot build, and this is being achieved through binman, by adding a capsule entry type. The capsules can be generated either by specifying the capsule parameters in a config file, or through specifying them as properties under the capsule entry node. If using the config file, the path to the config file is to be specified through a Kconfig symbol (CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing setup on the sandbox variants. Currently, the capsule files and the public key ESL file are generated after u-boot has been built. This logic has been changed so that the capsule input files along with the keys needed for capsule signing and authentication are generated prior to initiation of the u-boot build.

The placement of all the files needed for generation of capsules, along with the generated capsule files is under the /tmp/capsules/ directory.

Currently, the capsule update feature is tested on the sandbox and sandbox_flattree variants in CI. The capsule generation through config file is enabled for the sandbox variant, with the sandbox_flattree variant generating capsules through the command-line parameters.

The document has been updated to reflect the above changes.

Changes since V4:
* Rebase on top of current HEAD.
* Pass the single command target names directly to the function
  instead of putting them in a separate list.
* Fix multi line comment format.
* Drop additional blank line.
* Remove the check for CONFIG_EFI_HAVE_CAPSULE_SUPPORT from arm's
  u-boot.dtsi.
* Wrap the help text in the EFI_CAPSULE_ESL_FILE config at 72 chars.
* New patch which moves the setting up of the files needed for testing
  the EFI capsule update feature to the Dockerfile.
* Remove blank lines after function comments.
* Fix a couple of typos.
* Use single quotes for strings.
* Put the GUIDs in variables with relevant names.
* Declare certain values in local variables instead of member values.
* Add comments for explaining the payload offsets in the capsule file.
* Drop the test case for generating the capsule from the config file.
* Define payload data for the capsule tests.
* Add logic to find input and output files in capsule generation in
  the indir and outdir directories when absolute path is not passed.
* Use a relative path for CONFIG_EFI_CAPSULE_CFG_FILE.
* Remove logic to copy capsule config file to /tmp/capsules/
  directory, as the capsule entry can handle relative paths.
* Add a comment in the capsule config file for the image GUIDs being
  used.
* Use lower case for image GUIDs.
* Define macros for the image GUIDs being used for generating the
  capsules.
* Use lower case for image GUIDs.

Sughosh Ganu (12):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from config file
  Dockerfile: capsule: Setup the files needed for capsule update testing
  binman: capsule: Add support for generating capsules
  doc: Add documentation to highlight capsule generation related updates
  test: py: Setup capsule files for testing
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Add a config file for generating capsules
  sandbox: capsule: Generate capsule related files through binman

 arch/arm/dts/nuvoton-npcm845-evb.dts          |   2 +-
 arch/arm/dts/u-boot.dtsi                      |  14 +
 arch/sandbox/dts/u-boot.dtsi                  | 288 ++++++++++++++
 configs/sandbox_defconfig                     |   3 +
 configs/sandbox_flattree_defconfig            |   1 +
 configs/sandbox_spl_defconfig                 |   1 +
 doc/develop/uefi/uefi.rst                     | 106 +++++-
 lib/efi_loader/Kconfig                        |   9 +
 lib/efi_loader/Makefile                       |   7 +
 test/py/conftest.py                           |  84 +++++
 test/py/tests/test_efi_capsule/conftest.py    | 164 +-------
 .../test_efi_capsule/sandbox_capsule_cfg.txt  | 175 +++++++++
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 tools/Kconfig                                 |  16 +
 tools/Makefile                                |   1 +
 tools/binman/bintool.py                       |  19 +-
 tools/binman/btool/mkeficapsule.py            | 153 ++++++++
 tools/binman/entries.rst                      |  42 +++
 tools/binman/etype/capsule.py                 | 132 +++++++
 tools/binman/ftest.py                         | 115 ++++++
 tools/binman/test/307_capsule.dts             |  19 +
 tools/binman/test/308_capsule_signed.dts      |  21 ++
 tools/binman/test/309_capsule_version.dts     |  20 +
 tools/binman/test/310_capsule_missing_key.dts |  20 +
 .../binman/test/311_capsule_missing_index.dts |  18 +
 .../binman/test/312_capsule_missing_guid.dts  |  17 +
 .../test/313_capsule_missing_payload.dts      |  18 +
 tools/binman/test/314_capsule_missing.dts     |  18 +
 tools/binman/test/files/capsule_cfg.txt       |   6 +
 tools/docker/Dockerfile                       |  12 +
 tools/eficapsule.h                            | 115 ++++++
 tools/mkeficapsule.c                          |  87 +++--
 tools/mkeficapsule_parse.c                    | 352 ++++++++++++++++++
 34 files changed, 1845 insertions(+), 256 deletions(-)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/capsule.py
 create mode 100644 tools/binman/test/307_capsule.dts
 create mode 100644 tools/binman/test/308_capsule_signed.dts
 create mode 100644 tools/binman/test/309_capsule_version.dts
 create mode 100644 tools/binman/test/310_capsule_missing_key.dts
 create mode 100644 tools/binman/test/311_capsule_missing_index.dts
 create mode 100644 tools/binman/test/312_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/313_capsule_missing_payload.dts
 create mode 100644 tools/binman/test/314_capsule_missing.dts
 create mode 100644 tools/binman/test/files/capsule_cfg.txt
 create mode 100644 tools/mkeficapsule_parse.c
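
Added example, not part of this patchset or of U-Boot: a pre-build sanity check for the ESL file named by CONFIG_EFI_CAPSULE_ESL_FILE, parsing the UEFI EFI_SIGNATURE_LIST layout so a truncated or wrong-type file is caught before it is embedded into the dtb. The function names, the X.509-only policy and the sample bytes are assumptions of this example.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize
_LIST_HDR = struct.Struct('<16sIII')

def parse_esl(blob):
    """Return [(type_guid, owner_guid, data), ...]; raise ValueError if malformed."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError('truncated EFI_SIGNATURE_LIST header at %d' % off)
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError('bad SignatureListSize at %d' % off)
        if sig_size <= 16:  # must hold the 16-byte SignatureOwner plus data
            raise ValueError('SignatureSize too small at %d' % off)
        body = list_size - _LIST_HDR.size - hdr_size
        if body == 0 or body % sig_size:
            raise ValueError('signature area is not a multiple of SignatureSize')
        type_guid = uuid.UUID(bytes_le=raw_type)  # EFI GUIDs are mixed-endian
        pos = off + _LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((type_guid, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries

def check_capsule_esl(blob):
    """Assumed policy: every entry must be a DER-looking X.509 certificate."""
    entries = parse_esl(blob)
    if not entries:
        raise ValueError('ESL holds no signatures')
    for type_guid, _owner, data in entries:
        if type_guid != EFI_CERT_X509_GUID:
            raise ValueError('non-X.509 signature type %s' % type_guid)
        if data[:1] != b'\x30':  # DER SEQUENCE tag
            raise ValueError('entry is not DER encoded')
    return len(entries)

def build_sample_esl(cert=b'\x30\x03\x02\x01\x01'):
    """Constructed sample: one list holding one placeholder 'certificate'."""
    sig = uuid.UUID(int=0).bytes_le + cert
    hdr = _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le,
                         _LIST_HDR.size + len(sig), 0, len(sig))
    return hdr + sig
```

The DER check only inspects the first byte; it confirms the container layout, not that the certificate is the one the capsules were signed with.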