From patchwork Thu Oct 7 06:23:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 515428 Delivered-To: patch@linaro.org Received: by 2002:ac0:b5cc:0:0:0:0:0 with SMTP id x12csp1004050ime; Wed, 6 Oct 2021 23:25:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwnfJ8noiuZPMMMG3u28AjaA8RHiFAxqkeYPocEgtNsAVbpUzZf4/2FeKGFL2b0fgMRDS5M X-Received: by 2002:a17:906:5e17:: with SMTP id n23mr3446977eju.258.1633587918064; Wed, 06 Oct 2021 23:25:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633587918; cv=none; d=google.com; s=arc-20160816; b=SHIz0ZmuBb9ZVwHRFx6jbK/Obawst6Yck3d4HHXCGDAUMe+3ET/Ys/TGLyCrpuHgtx UbGwFYiHebx9fCJP6DYvTAYEcQPAkj5RzTmlnkbzBFCZffNFTTvflMJ2UJKPnpaNJSI6 CthyFuHRFuwOvywfGFWKay1ToG6Y/7NE4OoJjOzabWQhsUQ7AZZNeNOCH31OwI4dVf1G Rq9/kekdNSZPYlgbI9A2ZqBxNojkieOYom5VO9CIs3GPd4OAgI8uDRCrTY2/hHCWTnY8 MUiHYG7gtapZXCpmZ2J/mn1o7s+6Pa7Tejt2fteckAwWb5GNKR61VudAifFePMRxNMb+ 6VVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=q9r2xfRTPyIG+YiIB8V07jeJk31N2I1BkpSCJej4Vxg=; b=aNyvXdVdUwMHgc0sFS9GhVwo6mWCWEYuIHDyZRN3cIp18gqr1C/aYlq024SlJ48C6v 7Rhp/i73N2Z6/Lqx75bsiU1MEtQMC8pRStrprQ/QNGZoLFJfrytX3bWybQ3mgz6Pbmtc Oq8JNbocMvCqDrnQ+UKmq8Uhmqlg5snvoXsr+W9ZRvnvDdteE4YECq5M2sBFrC+K+p7M hg1g8rRSLJkjcBClZ60dIQUkHt7gAS7SfIh0InAvrWuOd1OalvRH3Wu5imy0F4UdfCtb JT25IUD7qPRxkBsI/oi1nv0s7Hh1xGW81s/Af3Y3y0fgYKcifvdizEAXUYDjk0AlVN9M h+BA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Z7rqXbtI; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id j19si2493883edw.476.2021.10.06.23.25.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Oct 2021 23:25:18 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Z7rqXbtI; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id D60F283484; Thu, 7 Oct 2021 08:25:16 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Z7rqXbtI"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id B7CBA83484; Thu, 7 Oct 2021 08:25:14 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id DAEA983474 for ; Thu, 7 Oct 2021 08:25:09 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pg1-x533.google.com with SMTP id v11so4690758pgb.8 for ; Wed, 06 Oct 2021 23:25:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=q9r2xfRTPyIG+YiIB8V07jeJk31N2I1BkpSCJej4Vxg=; b=Z7rqXbtIg8F+aoVgxqIkOhdjy+fiITwme3l/5knZVSh5r/9mYzxRiE63jmdLozWHNz 1wiwkPV85ykbVIidjuHP9drkA8WeqBX5uGwzYadEzU3sK6KiSCBLx+80yrF5OHsmp6Me Sr0dNaBNmKbguisbkI7s32kSl7V74ymDmlkaOfc6HNGPZ7ku5juUEqiTy8teLF1zfTqI rbIWVy4phagFPQyCpMimnOmLraue4F3w1/+JHr9hckxElTyWpiZowrj1sSYAPMaSqsy8 YcB6fC/1gxgG2vqoAgViOLtzRgnhdusQtphukIbNqKTdu1DwvIG3elQCOVnf352ZY41X K03A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=q9r2xfRTPyIG+YiIB8V07jeJk31N2I1BkpSCJej4Vxg=; b=YcK52ZFfbuCGTYe3jn/li4C1venl6SmKPz9Vr/bIRLuX60DfkK4d3KRL48WvzruGex YJqitkyJYjFvYelqVo1Aj8q4XoQGn+3midzeAADPUoF81tCFznFZmR4QT0l+f5ao5M8l akQ0dlzvpnlY2rBe4XpCRBDu5Ae36FEwYCXepioNQt1vkFy1iABTbbylvBUWNjJ3Kd8k LEi4Hn+xRzuc5mewY/8ite6vYrJDb7uayaztLgP/27xJ5ojv6JY7vtZHJbqVqUJY050n HRFIQmWuKI1BrXMpEEm0BEwERinWOndDp6ZnfA7kIwEL9YghB1+3+j57CPvizOh8DEuI BR6Q== X-Gm-Message-State: AOAM530XG1srfZKYJc68bLnX0Tg7EgGxK3H+9sec4a6f6bnydfJ8Rq7X CBzTcpEeo1GUhCvRD9XtluiSOw== X-Received: by 2002:a63:3d0f:: with SMTP id k15mr1927459pga.269.1633587908187; Wed, 06 Oct 2021 23:25:08 -0700 (PDT) Received: from localhost.localdomain (122-100-26-39m5.mineo.jp. [122.100.26.39]) by smtp.gmail.com with ESMTPSA id b17sm22131859pgl.61.2021.10.06.23.25.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Oct 2021 23:25:07 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v4 02/11] Revert "Revert "doc: Update CapsuleUpdate READMEs"" Date: Thu, 7 Oct 2021 15:23:31 +0900 Message-Id: <20211007062340.72207-3-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org> References: <20211007062340.72207-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This reverts commit a7e4f905d206d5895dab4bd38a8316e4f2fe15fe. The description originally written by Sughosh is still valid even after the commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") was applied. Signed-off-by: AKASHI Takahiro --- doc/develop/uefi/uefi.rst | 124 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) -- 2.33.0 diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 4f2b8b036db8..f17138f5c765 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -277,6 +277,130 @@ Enable ``CONFIG_OPTEE``, ``CONFIG_CMD_OPTEE_RPMB`` and ``CONFIG_EFI_MM_COMM_TEE` [1] https://optee.readthedocs.io/en/latest/building/efi_vars/stmm.html +Enabling UEFI Capsule Update feature +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Support has been added for the UEFI capsule update feature which +enables updating the U-Boot image using the UEFI firmware management +protocol (FMP). The capsules are not passed to the firmware through +the UpdateCapsule runtime service. Instead, capsule-on-disk +functionality is used for fetching the capsule from the EFI System +Partition (ESP) by placing the capsule file under the +\EFI\UpdateCapsule directory. + +The directory \EFI\UpdateCapsule is checked for capsules only within the +EFI system partition on the device specified in the active boot option +determined by reference to BootNext variable or BootOrder variable processing. +The active Boot Variable is the variable with highest priority BootNext or +within BootOrder that refers to a device found to be present. Boot variables +in BootOrder but referring to devices not present are ignored when determining +active boot variable. +Before starting a capsule update make sure your capsules are installed in the +correct ESP partition or set BootNext. + +Performing the update +********************* + +Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig +option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable +check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. + +If that option is disabled, you'll need to set the OsIndications variable with:: + + => setenv -e -nv -bs -rt -v OsIndications =0x04 + +Finally, the capsule update can be initiated either by rebooting the board, +which is the preferred method, or by issuing the following command:: + + => efidebug capsule disk-update + +**The efidebug command is should only be used during debugging/development.** + +Enabling Capsule Authentication +******************************* + +The UEFI specification defines a way of authenticating the capsule to +be updated by verifying the capsule signature. The capsule signature +is computed and prepended to the capsule payload at the time of +capsule generation. This signature is then verified by using the +public key stored as part of the X509 certificate. This certificate is +in the form of an efi signature list (esl) file, which is embedded as +part of U-Boot. + +The capsule authentication feature can be enabled through the +following config, in addition to the configs listed above for capsule +update:: + + CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH= + +The public and private keys used for the signing process are generated +and used by the steps highlighted below:: + + 1. Install utility commands on your host + * OPENSSL + * efitools + + 2. Create signing keys and certificate files on your host + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ + -keyout CRT.key -out CRT.crt -nodes -days 365 + $ cert-to-efi-sig-list CRT.crt CRT.esl + + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem + + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem + +The capsule file can be generated by using the GenerateCapsule.py +script in EDKII:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --monotonic-count --fw-version \ + --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ + --update-image-index --signer-private-cert \ + /path/to/CRT.pem --trusted-public-cert \ + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ + + +Place the capsule generated in the above step on the EFI System +Partition under the EFI/UpdateCapsule directory + +Testing on QEMU +*************** + +Currently, support has been added on the QEMU ARM64 virt platform for +updating the U-Boot binary as a raw image when the platform is booted +in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this +configuration, the QEMU platform needs to be booted with +'secure=off'. The U-Boot binary placed on the first bank of the NOR +flash at offset 0x0. The U-Boot environment is placed on the second +NOR flash bank at offset 0x4000000. + +The capsule update feature is enabled with the following configuration +settings:: + + CONFIG_MTD=y + CONFIG_FLASH_CFI_MTD=y + CONFIG_CMD_MTDPARTS=y + CONFIG_CMD_DFU=y + CONFIG_DFU_MTD=y + CONFIG_PCI_INIT_R=y + CONFIG_EFI_CAPSULE_ON_DISK=y + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y + CONFIG_EFI_CAPSULE_FIRMWARE=y + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + +In addition, the following config needs to be disabled(QEMU ARM specific):: + + CONFIG_TFABOOT + +The capsule file can be generated by using the tools/mkeficapsule:: + + $ mkeficapsule --raw --index 1 + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~