From patchwork Mon Dec 21 11:43:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346413 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp4385380jai; Mon, 21 Dec 2020 03:45:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJxO6qXBmkaKi3zp0qr+UlKkb0v3los0sUQRk32+7Dl2LoZOpPOJdTP3g6xQytEf1uFsmXH9 X-Received: by 2002:a17:906:fb0e:: with SMTP id lz14mr15330953ejb.232.1608551153975; Mon, 21 Dec 2020 03:45:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608551153; cv=none; d=google.com; s=arc-20160816; b=AkTX+OQUIJ1JpWriXPsPmJRvclgMkoMSLeCdqpkHcVepCgRifZ+8/ASqiycjDvByHf tgOuD+3YvibuohISaH3x4nrJqVryd4HtTV86hVxlkG6SGLoa7lfiHqJxSyXJhpuYArfw Tar51sGySPo3pDJP5jeeH/ePYTC7LWKtJ2iasReMOtRLVmdp9dt8v0kJwOCnjV5qqu27 LyiVBLn5sDTHdZVbYSkGZQQRE8r2kN6ks9TnHafS8mdfHXgqqdjbn7pGt7HqHW50YY6p XBGYia5e7R1q1s+V2xPDblRead8VjUa0ohlByd2t04uWJOkGwpoPvwv3CqMftPugCnAr E3Qg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from; bh=jD12VWG730AF1zML5/6+KijZ5cnIkooE8KVojC/wQkg=; b=ySIWDlRg0vHq+/41XlKGoTHhzuzABB0FbLSFMsqHLt2d1WkVOHRCst++raBsb/dttF BNxPTzaMkZzjC/LMF/AKjhkMVZgQ/hHuIA/NmyC/67sttah1/V5yNXDBi/94w52E6oYc YntaW5EeLH5BgVwZ3kQQ3NeHuMvWZsaS3f+ub4lx099yxKaEPojSzcULybxCAKzm/AAo cZ6DQLuo8JaQzwn02/r+4rDS1VwzhUpb5bG/7y24/A2BC2jRrGKoPDjiF7FsrpMfu3EY 9yMGxQvRAMkArEwWs4PPpGS9NAU8I76bHiN7qgqi0uGEThLVG3Tzca4uGH3Uz4BP/43a +BLw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id dd19si10565539edb.502.2020.12.21.03.45.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 21 Dec 2020 03:45:53 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id CF5CD8291B; Mon, 21 Dec 2020 12:44:20 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 37A678291E; Mon, 21 Dec 2020 12:44:14 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by phobos.denx.de (Postfix) with ESMTP id A5CD9828E6 for ; Mon, 21 Dec 2020 12:44:10 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=sughosh.ganu@linaro.org Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E82A3113E; Mon, 21 Dec 2020 03:44:09 -0800 (PST) Received: from a076522.blr.arm.com (a076522.blr.arm.com [10.162.16.44]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 5213A3F718; Mon, 21 Dec 2020 03:44:07 -0800 (PST) From: Sughosh Ganu To: u-boot@lists.denx.de Cc: Takahiro Akashi , Heinrich Schuchardt , Alexander Graf , Lukasz Majewski , Tuomas Tynkkynen , Tom Rini , Ilias Apalodimas , Sughosh Ganu Subject: [PATCH v2 14/14] qemu: arm64: Add documentation for capsule update Date: Mon, 21 Dec 2020 17:13:14 +0530 Message-Id: <20201221114314.25588-15-sughosh.ganu@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org> References: <20201221114314.25588-1-sughosh.ganu@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean Add documentation highlighting the steps for using the uefi capsule update feature for updating the u-boot firmware image. Signed-off-by: Sughosh Ganu --- Changes since V1: * Change the documentation to reflect the usage of overlays for embedding the public key certs at runtime * Fix the build for 'make htmldocs' doc/board/emulation/qemu-arm.rst | 188 +++++++++++++++++++++++++++++++ 1 file changed, 188 insertions(+) -- 2.17.1 diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst index 8d7fda10f1..11d91811b3 100644 --- a/doc/board/emulation/qemu-arm.rst +++ b/doc/board/emulation/qemu-arm.rst @@ -90,3 +90,191 @@ The debug UART on the ARM virt board uses these settings:: CONFIG_DEBUG_UART_PL010=y CONFIG_DEBUG_UART_BASE=0x9000000 CONFIG_DEBUG_UART_CLOCK=0 + +Enabling Uefi Capsule Update feature +------------------------------------ + +Support has been added for the uefi capsule update feature which +enables updating the u-boot image using the uefi firmware management +protocol (fmp). The capsules are not passed to the firmware through +the UpdateCapsule runtime service. Instead, capsule-on-disk +functionality is used for fetching the capsule from the EFI System +Partition (ESP). + +Currently, support has been added for updating the u-boot binary as a +raw image when the platform is booted in non-secure mode, i.e with +CONFIG_TFABOOT disabled. For this configuration, the qemu platform +needs to be booted with 'secure=off'. The u-boot binary placed on the +first bank of the Nor Flash at offset 0x0. The u-boot environment is +placed on the second Nor Flash bank at offset 0x4000000. + +The capsule update feature is enabled with the following configs:: + + CONFIG_MTD=y + CONFIG_FLASH_CFI_MTD=y + CONFIG_CMD_MTDPARTS=y + CONFIG_CMD_DFU=y + CONFIG_DFU_MTD=y + CONFIG_PCI_INIT_R=y + CONFIG_EFI_CAPSULE_ON_DISK=y + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y + CONFIG_EFI_CAPSULE_FIRMWARE=y + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + CONFIG_EFI_CAPSULE_FMP_HEADER=y + +In addition, the following config needs to be disabled:: + + CONFIG_TFABOOT + +The capsule file can be generated by using the GenerateCapsule.py +script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --fw-version --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + --verbose + +As per the uefi specification, the capsule file needs to be placed on +the EFI System Partition, under the EFI/UpdateCapsule/ directory. The +EFI System Partition can be a virtio-blk-device. + +Before initiating the firmware update, the efi variables BootNext, +BootXXXX and OsIndications need to be set. The BootXXXX variable needs +to be pointing to the EFI System Partition which contains the capsule +file. The BootNext, BootXXXX and OsIndications variables can be set +using the following commands:: + + => efidebug boot add 0 Boot0000 virtio 0:1 + => efidebug boot next 0 + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => saveenv + +Finally, the capsule update can be initiated with the following +command:: + + => efidebug capsule disk-update + +The updated u-boot image will be booted on subsequent boot. + +Enabling Capsule Authentication +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The uefi specification defines a way of authenticating the capsule to +be updated by verifying the capsule signature. The capsule signature +is computed and prepended to the capsule payload at the time of +capsule generation. This signature is then verified by using the +public key stored as part of the X509 certificate. This certificate is +in the form of an efi signature list (esl) file, which is embedded as +part of the platform's device tree blob using the mkeficapsule +utility. + +On the qemu virt platforms, the device-tree is generated on the fly +based on the devices configured. This device tree is then passed on to +the various software components booting on the platform, including +u-boot. Therefore, on the qemu virt platform, the signatute is +embedded on an overlay. This overlay is then applied at runtime to the +base platform device-tree. Steps needed for embedding the esl file in +the overlay are highlighted below. + +The capsule authentication feature can be enabled through the +following config, in addition to the configs listed above for capsule +update:: + + CONFIG_EFI_CAPSULE_AUTHENTICATE=y + +The public and private keys used for the signing process are generated +and used by the steps highlighted below:: + + 1. Install utility commands on your host + * openssl + * efitools + + 2. Create signing keys and certificate files on your host + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ + -keyout CRT.key -out CRT.crt -nodes -days 365 + $ cert-to-efi-sig-list CRT.crt CRT.esl + + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem + + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem + +The capsule file can be generated by using the GenerateCapsule.py +script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --monotonic-count --fw-version \ + --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ + --update-image-index --signer-private-cert \ + /path/to/CRT.pem --trusted-public-cert \ + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ + + +Place the capsule generated in the above step on the EFI System +Partition under the EFI/UpdateCapsule directory + +For embedding the public key certificate, the following steps need to +be followed:: + + 1. Generate a skeleton overlay dts file, with a single fragment + node and an empty __overlay__ node + + 2. Convert the dts to a corresponding dtb with the following + command + ./scripts/dtc/dtc -@ -I dts -O dtb -o \ + + + 3. Run the dtb file generated above through the mkeficapsule tool + in u-boot + ./tools/mkeficapsule -O -D + +Running the above command results in the creation of a 'signature' +node in the dtb, under which the public key is stored as a +'capsule-key' property. The '-O' option is to be used since the +public key certificate(esl) file is being embedded in an overlay. + +The dtb file embedded with the certificate is now to be placed on an +EFI System Partition. This would then be loaded and "merged" with the +base platform fdt at runtime. + +Build u-boot with the following steps:: + + $ make qemu_arm64_defconfig + $ make menuconfig + Disable CONFIG_TFABOOT + Enable CONFIG_EFI_CAPSULE_AUTHENTICATE + Enable all configs needed for capsule update(listed above) + $ make all + +Boot the platform and perform the following steps on the u-boot +command line:: + + 1. Enable capsule authentication by setting the following env + variable + + => setenv capsule_authentication_enabled 1 + => saveenv + + 2. Load the overlay dtb to memory and merge it with the base fdt + + => fatload virtio 0:1 <$fdtovaddr> EFI/ + => fdt addr $fdtcontroladdr + => fdt resize + => fdt apply <$fdtovaddr> + + 3. Set the following env and efi Boot variables + + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => efidebug boot add 0 Boot0000 virtio 0:1 + => efidebug boot next 0 + => saveenv + + 4. Finally, the capsule update can be initiated with the following + command + + => efidebug capsule disk-update + +On subsequent reboot, the platform should boot the updated u-boot binary.