From patchwork Wed Dec 23 07:03:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346987 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp5970067jai; Tue, 22 Dec 2020 23:04:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJxzl+QLix9DPYJkdiC9cg1w4N7ebuvmg8C+F6X0E2c6pZ1SWf7/+fzAf5MWdE6p+zgecmsi X-Received: by 2002:a17:906:4e45:: with SMTP id g5mr22839014ejw.391.1608707044424; Tue, 22 Dec 2020 23:04:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608707044; cv=none; d=google.com; s=arc-20160816; b=KbfVtNaRpCHY4ZpjiIw2Rd5z2I4HDyASf+yd4PbuZlOJi7dHgrHhF2IZk5BTUrZSx1 g4Ts3+IORb8IqTCcDN/RStRBjYRvkCpg/L2rvlfNWybE+DIfP76ASjiHJat+0lNeKDAz mhGltWEW9M9klzb9XchMYj7sx0tXMJ9ddEYe5ucd8GxxLxCpKZmIILG9g1tWRYZDI3RT EJOZrvEOz87D6LsjQN2qei2vujZK5mNT1G4ClBUusKQMFdI4Mrt7kgeP002vNaOXvu8O EQGrIzzSNNhb7E7A5VF9WK82iOVOS1KbNQAk6j3IA2m+5WVB/1U/3qGeuf12K2dlbv0M 4vjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from; bh=UjmGURyf0CDeWpysLNg8ce3uYPgtWil3mJln0BsfHII=; b=hnUFUuo+WAPkLoZpxYvjvwTlLIv173nlD4unIgWKOWjxJFqCWBwxUgBVIBNhwZnHOq 07Id/9akeTcez7cHavH2kMBTr8kd7j3Xp/UgIjKXnpxWAnUsyffVeY+QldfdKV7byNks 5XinKF8xTLSrSNa/smwEQxU2X7LIdY87Y3UUF7fKZPijQYzmItaoDWdoCx/XQwfp0MaY D87g7So2fDpCX0cymvp7B18bBOUNh54O3oEVmXxjzY4nXR11G+fhXd78tg1XI9Yi0H+m JMaAY+uiyJWuK1mKK0IQxTHbyQ7J9CAgojNkAf6Mq0E+s/AC0M0MguB+lnZiVvceqJBI 19TQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id b8si12834126eds.509.2020.12.22.23.04.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 22 Dec 2020 23:04:04 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id C6F4C827DE; Wed, 23 Dec 2020 08:03:53 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 43B2282748; Wed, 23 Dec 2020 08:03:52 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by phobos.denx.de (Postfix) with ESMTP id D22D282748 for ; Wed, 23 Dec 2020 08:03:48 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=sughosh.ganu@linaro.org Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 017F41042; Tue, 22 Dec 2020 23:03:47 -0800 (PST) Received: from a076522.blr.arm.com (a076522.blr.arm.com [10.162.16.44]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 27AD23F66E; Tue, 22 Dec 2020 23:03:43 -0800 (PST) From: Sughosh Ganu To: u-boot@lists.denx.de Cc: Takahiro Akashi , Heinrich Schuchardt , Alexander Graf , Lukasz Majewski , Tuomas Tynkkynen , Tom Rini , Ilias Apalodimas , Sughosh Ganu Subject: [PATCH v3 01/14] mkeficapsule: Add support for embedding public key in a dtb Date: Wed, 23 Dec 2020 12:33:17 +0530 Message-Id: <20201223070330.21361-2-sughosh.ganu@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org> References: <20201223070330.21361-1-sughosh.ganu@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean Add options for embedding the public key esl(efi signature list) file to the platform's dtb. The esl file is then retrieved and used for authenticating the capsule to be used for updating firmare components on the platform. The esl file can now be embedded in the dtb by invoking the following command mkeficapsule -K -D In the scenario where the esl file is to be embedded in an overlay, this can be done through the following command mkeficapsule -O -K -D This will create a node named 'signature' in the dtb, and the esl file will be stored as 'capsule-key' Signed-off-by: Sughosh Ganu --- Changes since V2: None tools/Makefile | 1 + tools/mkeficapsule.c | 233 ++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 222 insertions(+), 12 deletions(-) -- 2.17.1 diff --git a/tools/Makefile b/tools/Makefile index 66d9376803..6d7b48fb57 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -218,6 +218,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include +mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 3f8bc7009b..270943fc90 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -4,16 +4,22 @@ * Author: AKASHI Takahiro */ +#include #include #include #include #include #include #include +#include #include + +#include #include #include +#include "fdt_host.h" + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; @@ -23,6 +29,9 @@ typedef __s32 s32; #define aligned_u64 __aligned_u64 +#define SIGNATURE_NODENAME "signature" +#define OVERLAY_NODENAME "__overlay__" + #ifndef __packed #define __packed __attribute__((packed)) #endif @@ -43,6 +52,9 @@ static struct option options[] = { {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, + {"dtb", required_argument, NULL, 'D'}, + {"public key", required_argument, NULL, 'K'}, + {"overlay", no_argument, NULL, 'O'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; @@ -51,14 +63,183 @@ static void print_usage(void) { printf("Usage: %s [options] \n" "Options:\n" - "\t--fit new FIT image file\n" - "\t--raw new raw image file\n" - "\t--index update image index\n" - "\t--instance update hardware instance\n" - "\t--help print a help message\n", + + "\t--fit new FIT image file\n" + "\t--raw new raw image file\n" + "\t--index update image index\n" + "\t--instance update hardware instance\n" + "\t--public-key public key esl file\n" + "\t--dtb dtb file\n" + "\t--overlay the dtb file is an overlay\n" + "\t--help print a help message\n", tool_name); } +static int fdt_add_pub_key_data(void *sptr, void *dptr, size_t key_size, + bool overlay) +{ + int parent; + int ov_node; + int frag_node; + int ret = 0; + + if (overlay) { + /* + * The signature would be stored in the + * first fragment node of the overlay + */ + frag_node = fdt_first_subnode(dptr, 0); + if (frag_node == -FDT_ERR_NOTFOUND) { + fprintf(stderr, + "Couldn't find the fragment node: %s\n", + fdt_strerror(frag_node)); + goto done; + } + + ov_node = fdt_subnode_offset(dptr, frag_node, OVERLAY_NODENAME); + if (ov_node == -FDT_ERR_NOTFOUND) { + fprintf(stderr, + "Couldn't find the __overlay__ node: %s\n", + fdt_strerror(ov_node)); + goto done; + } + } else { + ov_node = 0; + } + + parent = fdt_subnode_offset(dptr, ov_node, SIGNATURE_NODENAME); + if (parent == -FDT_ERR_NOTFOUND) { + parent = fdt_add_subnode(dptr, ov_node, SIGNATURE_NODENAME); + if (parent < 0) { + ret = parent; + if (ret != -FDT_ERR_NOSPACE) { + fprintf(stderr, + "Couldn't create signature node: %s\n", + fdt_strerror(parent)); + } + } + } + if (ret) + goto done; + + /* Write the key to the FDT node */ + ret = fdt_setprop(dptr, parent, "capsule-key", + sptr, key_size); + +done: + if (ret) + ret = ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO; + + return ret; +} + +static int add_public_key(const char *pkey_file, const char *dtb_file, + bool overlay) +{ + int ret; + int srcfd = 0; + int destfd = 0; + void *sptr = NULL; + void *dptr = NULL; + off_t src_size; + struct stat pub_key; + struct stat dtb; + + /* Find out the size of the public key */ + srcfd = open(pkey_file, O_RDONLY); + if (srcfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + ret = fstat(srcfd, &pub_key); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + src_size = pub_key.st_size; + + /* mmap the public key esl file */ + sptr = mmap(0, src_size, PROT_READ, MAP_SHARED, srcfd, 0); + if ((sptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + /* Open the dest FDT */ + destfd = open(dtb_file, O_RDWR); + if (destfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + ret = fstat(destfd, &dtb); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + dtb.st_size += src_size + 0x30; + if (ftruncate(destfd, dtb.st_size)) { + fprintf(stderr, "%s: Can't expand %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err;; + } + + errno = 0; + /* mmap the dtb file */ + dptr = mmap(0, dtb.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, + destfd, 0); + if ((dptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + if (fdt_check_header(dptr)) { + fprintf(stderr, "%s: Invalid FDT header\n", __func__); + goto err; + } + + ret = fdt_open_into(dptr, dptr, dtb.st_size); + if (ret) { + fprintf(stderr, "%s: Cannot expand FDT: %s\n", + __func__, fdt_strerror(ret)); + goto err; + } + + /* Copy the esl file to the expanded FDT */ + ret = fdt_add_pub_key_data(sptr, dptr, src_size, overlay); + if (ret < 0) { + fprintf(stderr, "%s: Unable to add public key to the FDT\n", + __func__); + goto err; + } + + return 0; + +err: + if (sptr) + munmap(sptr, src_size); + + if (dptr) + munmap(dptr, dtb.st_size); + + if (srcfd >= 0) + close(srcfd); + + if (destfd >= 0) + close(destfd); + + return -1; +} + static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long index, unsigned long instance) { @@ -173,16 +354,22 @@ err_1: int main(int argc, char **argv) { char *file; + char *pkey_file; + char *dtb_file; efi_guid_t *guid; unsigned long index, instance; int c, idx; + int ret; + bool overlay = false; file = NULL; + pkey_file = NULL; + dtb_file = NULL; guid = NULL; index = 0; instance = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, "f:r:i:I:v:D:K:Oh", options, &idx); if (c == -1) break; @@ -209,22 +396,44 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; + case 'K': + if (pkey_file) { + printf("Public Key already specified\n"); + return -1; + } + pkey_file = optarg; + break; + case 'D': + if (dtb_file) { + printf("DTB file already specified\n"); + return -1; + } + dtb_file = optarg; + break; + case 'O': + overlay = true; + break; case 'h': print_usage(); return 0; } } - /* need a output file */ - if (argc != optind + 1) { + /* need a fit image file or raw image file */ + if (!file && !pkey_file && !dtb_file) { + printf("%s: %d\n", __func__, __LINE__); print_usage(); return -1; } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - return -1; + if (pkey_file && dtb_file) { + ret = add_public_key(pkey_file, dtb_file, overlay); + if (ret == -1) { + printf("Adding public key to the dtb failed\n"); + return -1; + } else { + return 0; + } } if (create_fwbin(argv[optind], file, guid, index, instance)