[v6,0/9] Integrate EFI capsule tasks into u-boot's build flow

Message ID 20230801174018.1342555-1-sughosh.ganu@linaro.org

Sughosh Ganu Aug. 1, 2023, 5:40 p.m. UTC
This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List (ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol (CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. The capsules can
be generated as part of u-boot build, and this is being achieved
through binman, by adding a capsule entry type. The capsules can be
generated by specifying the capsule parameters as properties under the
capsule entry node.

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build. The placement of all the files
needed for generation of capsules is under the
test/py/tests/test_efi_capsule/test_files/ directory.

The document has been updated to reflect the above changes.

Changes since V5:
This series drops the changes for generating capsules by reading the
params from a config file. This was suggested by Simon Glass. The
config file changes would be submitted separately once these changes
get merged.

* Get rid of the logic of keeping the files under the /tmp/capsules/
  directory from earlier versions.
* New patch which introduces the input files and certs needed for EFI
  capsule update testing in the tree.
* The capsule input files and certs are put under the
  test/py/tests/test_efi_capsule/test_files/ directory.
* Add support for the oemflag parameter used in FWU A/B updates. This
  was missed in the earlier version.
* Use a single function, generate_capsule in the mkeficapsule bintool,
  instead of the multiple functions in the earlier version.
* Remove the logic for generating capsules from config file as
  suggested by Simon.
* Use required_props for image index and GUID parameters.
* Use a subnode for the capsule payload instead of using a filename
  for the payload, as suggested by Simon.
* Add a capsule generation test with oemflag parameter being passed.
* Remove the documentation for generating the capsule through config
  file, as that functionality is not added through this series.
* Use the public key ESL file from the tree instead of the
  /tmp/capsules/ directory being used in the previous version.
* Use the public key ESL file and other input files from the tree
  instead of the /tmp/capsules/ directory being used in the previous
  version.
* Use macros for other input files and certs. 


Sughosh Ganu (9):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  test: capsule: Add files needed for testing EFI capsule updates
  binman: capsule: Add support for generating EFI capsules
  doc: Add documentation to highlight capsule generation related updates
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Generate capsule related files through binman

 arch/arm/dts/nuvoton-npcm845-evb.dts          |   2 +-
 arch/arm/dts/u-boot.dtsi                      |  14 +
 arch/sandbox/dts/u-boot.dtsi                  | 364 ++++++++++++++++++
 configs/sandbox_defconfig                     |   1 +
 configs/sandbox_flattree_defconfig            |   1 +
 configs/sandbox_spl_defconfig                 |   1 +
 doc/develop/uefi/uefi.rst                     |  40 +-
 lib/efi_loader/Kconfig                        |   9 +
 test/py/tests/test_efi_capsule/conftest.py    | 165 +-------
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 .../test_efi_capsule/test_files/SIGNER.crt    |  19 +
 .../test_efi_capsule/test_files/SIGNER.esl    | Bin 0 -> 829 bytes
 .../test_efi_capsule/test_files/SIGNER.key    |  28 ++
 .../test_efi_capsule/test_files/SIGNER2.crt   |  19 +
 .../test_efi_capsule/test_files/SIGNER2.key   |  28 ++
 .../test_files/u-boot.bin.new                 |   1 +
 .../test_files/u-boot.bin.old                 |   1 +
 .../test_files/u-boot.env.new                 |   1 +
 .../test_files/u-boot.env.old                 |   1 +
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 tools/binman/bintool.py                       |  19 +-
 tools/binman/btool/mkeficapsule.py            | 101 +++++
 tools/binman/entries.rst                      |  64 +++
 tools/binman/etype/efi_capsule.py             | 160 ++++++++
 tools/binman/ftest.py                         | 122 ++++++
 tools/binman/test/307_capsule.dts             |  21 +
 tools/binman/test/308_capsule_signed.dts      |  23 ++
 tools/binman/test/309_capsule_version.dts     |  22 ++
 tools/binman/test/310_capsule_signed_ver.dts  |  24 ++
 tools/binman/test/311_capsule_oemflags.dts    |  22 ++
 tools/binman/test/312_capsule_missing_key.dts |  22 ++
 .../binman/test/313_capsule_missing_index.dts |  20 +
 .../binman/test/314_capsule_missing_guid.dts  |  19 +
 .../test/315_capsule_missing_payload.dts      |  17 +
 34 files changed, 1172 insertions(+), 225 deletions(-)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.crt
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.esl
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.key
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER2.crt
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER2.key
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.bin.new
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.bin.old
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.env.new
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.env.old
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/efi_capsule.py
 create mode 100644 tools/binman/test/307_capsule.dts
 create mode 100644 tools/binman/test/308_capsule_signed.dts
 create mode 100644 tools/binman/test/309_capsule_version.dts
 create mode 100644 tools/binman/test/310_capsule_signed_ver.dts
 create mode 100644 tools/binman/test/311_capsule_oemflags.dts
 create mode 100644 tools/binman/test/312_capsule_missing_key.dts
 create mode 100644 tools/binman/test/313_capsule_missing_index.dts
 create mode 100644 tools/binman/test/314_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/315_capsule_missing_payload.dts
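
An added example, not part of the patch series or of U-Boot's code: a minimal parser for the EFI Signature List layout defined in the UEFI specification, so that the certificate carried by an ESL file such as the one named by CONFIG_EFI_CAPSULE_ESL_FILE can be fingerprinted and compared against the expected signer before the build embeds it in the dtb. The sample ESL, its placeholder certificate bytes and the owner GUID are constructed, and `parse_esl` and `build_sample_esl` are hypothetical names.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
LIST_HDR = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return one dict per EFI_SIGNATURE_DATA entry; raise ValueError if malformed."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size or list_size > len(blob) - off:
            raise ValueError("SignatureListSize out of bounds")
        body = list_size - LIST_HDR.size - hdr_size
        # Each entry is a 16-byte owner GUID followed by the signature data.
        if sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("inconsistent SignatureSize")
        pos = off + LIST_HDR.size + hdr_size
        list_type = uuid.UUID(bytes_le=sig_type)
        for _ in range(body // sig_size):
            data = blob[pos + 16:pos + sig_size]
            entries.append({
                "type": list_type,
                "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                "is_x509": list_type == EFI_CERT_X509_GUID,
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            })
            pos += sig_size
        off += list_size
    return entries


def build_sample_esl(cert, owner):
    """Constructed sample: wrap placeholder bytes in the X.509 ESL layout."""
    sig_size = 16 + len(cert)
    hdr = LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le,
                        LIST_HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + cert


if __name__ == "__main__":
    owner = uuid.UUID("11111111-2222-3333-4444-123456789abc")  # constructed value
    for e in parse_esl(build_sample_esl(b"\x30\x82" + bytes(30), owner)):
        print(e["owner"], "x509" if e["is_x509"] else e["type"], e["size"], e["sha256"])
```

For an X.509 list the `sha256` value is the SHA-256 of the DER certificate, so it can be compared with the fingerprint of the certificate the signing key belongs to.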