From patchwork Tue Aug 1 17:40:09 2023
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 708737
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Malte Schmidt, Michal Simek, Tom Rini
Subject: [PATCH v6 0/9] Integrate EFI capsule tasks into u-boot's build flow
Date: Tue, 1 Aug 2023 23:10:09 +0530
Message-Id: <20230801174018.1342555-1-sughosh.ganu@linaro.org>

This patchset aims to bring two capsule related tasks under the u-boot build flow.

One is the embedding of the public key into the platform's dtb. The public key is in the form of an EFI Signature List (ESL) file and is used for capsule authentication. This is being achieved by adding the signature node containing the capsule public key in the architecture's u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for the sandbox and arm architectures. The path to the ESL file is being provided through a Kconfig symbol (CONFIG_EFI_CAPSULE_ESL_FILE). Changes have also been made to the test flow so that the keys used for signing the capsule, and the ESL file, are generated prior to invoking the u-boot's build, which enables embedding the ESL file into the dtb as part of the u-boot build.

The other task is related to generation of capsules. The capsules can be generated as part of u-boot build, and this is being achieved through binman, by adding a capsule entry type. The capsules can be generated by specifying the capsule parameters as properties under the capsule entry node.

Changes have also been made to the efi capsule update feature testing setup on the sandbox variants.
Currently, the capsule files and the public key ESL file are generated after u-boot has been built. This logic has been changed so that the capsule input files along with the keys needed for capsule signing and authentication are generated prior to initiation of the u-boot build. The placement of all the files needed for generation of capsules is under the test/py/tests/test_efi_capsule/test_files/ directory.

The document has been updated to reflect the above changes.

Changes since V5:

This series drops the changes for generating capsules by reading the params from a config file. This was suggested by Simon Glass. The config file changes would be submitted separately once these changes get merged.

* Get rid of the logic of keeping the files under the /tmp/capsules/ directory from earlier versions.
* New patch which introduces the input files and certs needed for EFI capsule update testing in the tree.
* The capsule input files and certs are put under the test/py/tests/test_efi_capsule/test_files/ directory.
* Add support for the oemflag parameter used in FWU A/B updates. This was missed in the earlier version.
* Use a single function, generate_capsule in the mkeficapsule bintool, instead of the multiple functions in earlier version.
* Remove the logic for generating capsules from config file as suggested by Simon.
* Use required_props for image index and GUID parameters.
* Use a subnode for the capsule payload instead of using a filename for the payload, as suggested by Simon.
* Add a capsule generation test with oemflag parameter being passed.
* Remove the documentation for generating the capsule through config file, as that functionality is not added through this series.
* Use the public key ESL file from the tree instead of the /tmp/capsules/ directory being used in previous version.
* Use the public key ESL file and other input files from the tree instead of the /tmp/capsules/ directory being used in previous version.
* Use macros for other input files and certs.

Sughosh Ganu (9):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  test: capsule: Add files needed for testing EFI capsule updates
  binman: capsule: Add support for generating EFI capsules
  doc: Add documentation to highlight capsule generation related updates
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Generate capsule related files through binman

 arch/arm/dts/nuvoton-npcm845-evb.dts          |   2 +-
 arch/arm/dts/u-boot.dtsi                      |  14 +
 arch/sandbox/dts/u-boot.dtsi                  | 364 ++++++++++++++++++
 configs/sandbox_defconfig                     |   1 +
 configs/sandbox_flattree_defconfig            |   1 +
 configs/sandbox_spl_defconfig                 |   1 +
 doc/develop/uefi/uefi.rst                     |  40 +-
 lib/efi_loader/Kconfig                        |   9 +
 test/py/tests/test_efi_capsule/conftest.py    | 165 +-------
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 .../test_efi_capsule/test_files/SIGNER.crt    |  19 +
 .../test_efi_capsule/test_files/SIGNER.esl    | Bin 0 -> 829 bytes
 .../test_efi_capsule/test_files/SIGNER.key    |  28 ++
 .../test_efi_capsule/test_files/SIGNER2.crt   |  19 +
 .../test_efi_capsule/test_files/SIGNER2.key   |  28 ++
 .../test_files/u-boot.bin.new                 |   1 +
 .../test_files/u-boot.bin.old                 |   1 +
 .../test_files/u-boot.env.new                 |   1 +
 .../test_files/u-boot.env.old                 |   1 +
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 tools/binman/bintool.py                       |  19 +-
 tools/binman/btool/mkeficapsule.py            | 101 +++++
 tools/binman/entries.rst                      |  64 +++
 tools/binman/etype/efi_capsule.py             | 160 ++++++++
 tools/binman/ftest.py                         | 122 ++++++
 tools/binman/test/307_capsule.dts             |  21 +
 tools/binman/test/308_capsule_signed.dts      |  23 ++
 tools/binman/test/309_capsule_version.dts     |  22 ++
 tools/binman/test/310_capsule_signed_ver.dts  |  24 ++
 tools/binman/test/311_capsule_oemflags.dts    |  22 ++
 tools/binman/test/312_capsule_missing_key.dts |  22 ++
 .../binman/test/313_capsule_missing_index.dts |  20 +
 .../binman/test/314_capsule_missing_guid.dts  |  19 +
 .../test/315_capsule_missing_payload.dts      |  17 +
 34 files changed, 1172 insertions(+), 225 deletions(-)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.crt
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.esl
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.key
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER2.crt
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER2.key
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.bin.new
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.bin.old
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.env.new
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.env.old
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/efi_capsule.py
 create mode 100644 tools/binman/test/307_capsule.dts
 create mode 100644 tools/binman/test/308_capsule_signed.dts
 create mode 100644 tools/binman/test/309_capsule_version.dts
 create mode 100644 tools/binman/test/310_capsule_signed_ver.dts
 create mode 100644 tools/binman/test/311_capsule_oemflags.dts
 create mode 100644 tools/binman/test/312_capsule_missing_key.dts
 create mode 100644 tools/binman/test/313_capsule_missing_index.dts
 create mode 100644 tools/binman/test/314_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/315_capsule_missing_payload.dts
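
Added example, not part of this series or of U-Boot's code: a pre-build check for the ESL file that CONFIG_EFI_CAPSULE_ESL_FILE points to, which parses the UEFI EFI_SIGNATURE_LIST layout and rejects truncated lists or non-X.509 entries before the file is embedded into the dtb. It assumes the ESL wraps X.509 certificates; parse_esl, check_capsule_esl, make_esl and the sample bytes are illustrative names and constructed data.

```python
import struct
import uuid

# UEFI spec: EFI_CERT_X509_GUID identifies a list of DER-encoded X.509 certs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize
_HDR = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return [(type_guid, owner_guid, data), ...]; raise ValueError if malformed."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        body = list_size - _HDR.size - hdr_size
        # Each entry is a 16-byte owner GUID plus data, so sig_size must exceed 16.
        if list_size > len(blob) - off or sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("inconsistent sizes in list at %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    if not entries:
        raise ValueError("empty ESL")
    return entries


def check_capsule_esl(blob):
    """Accept only ESLs made solely of X.509 entries; return the entry count."""
    entries = parse_esl(blob)
    for sig_type, _owner, data in entries:
        if sig_type != EFI_CERT_X509_GUID:
            raise ValueError("non-X.509 signature type %s" % sig_type)
        if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("entry is not DER-encoded")
    return len(entries)


def make_esl(owner, cert):
    """Build a one-certificate ESL (used here only to construct sample input)."""
    sig = owner.bytes_le + cert
    return _HDR.pack(EFI_CERT_X509_GUID.bytes_le, _HDR.size + len(sig), 0, len(sig)) + sig


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-123456789abc")
SAMPLE_ESL = make_esl(SAMPLE_OWNER, b"\x30\x82\x00\x04demo")
```

Running check_capsule_esl over the bytes of the real ESL file before the build catches an empty, truncated or wrong-type file that would otherwise be embedded into the dtb unchecked.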