From patchwork Thu Oct 7 06:23:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 515427 Delivered-To: patch@linaro.org Received: by 2002:ac0:b5cc:0:0:0:0:0 with SMTP id x12csp1003837ime; Wed, 6 Oct 2021 23:24:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxrIDrohIu87wSJVfEduZb6MLtM8mHM97QRlFnHKAAO/8NHFPyofzjiw8NjtPTJ1Rnn+s7F X-Received: by 2002:a17:906:d1d6:: with SMTP id bs22mr3420362ejb.554.1633587886136; Wed, 06 Oct 2021 23:24:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633587886; cv=none; d=google.com; s=arc-20160816; b=Wqaf6fBduJvJ6ANO1M1ylVCnThSkGifEeP3RBMF0vSxM6y/uHEHZrRVq/5JUjaF1Uw IkZZRNEFVVSF3xJ8tPE6ShhzQyOngQ57oCvUmY0DrTPTmmf5ShB4hv+l1QwMOe6A1bHy kSbJTLhk0GTAK9fi41uVASvITJcsOqMUkIw9lBB+drwck2cJkoI+A8izaMzb7x8BUSul IjXbyjFc4JBBCfDxCa9KZfVAUFWO2tV1lSLf4f7IZDe3RPRLxC4N0gmLEmgkFOGe48jm afDJvMuV5nr9HRGa6ASunck97sXm77mHuD79sWBBd5hfZV7LDduf/t4nrkKaj4No8729 oh1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=/PlKSx96P4f7w1GPBHCz9Q5A9AGmvUiveAJikOqp7Js=; b=FqsC7lBhqfs0MQ/gchcV1gr057xvRpFarApBRjd/+HXT7VDFbfqGWi2JlapX21/b0O cOlsnNR1pWLwUE5QgSbTzELpzvd/bOAvvx6veeZea/pFFw7S5BTZWnOW8glCLh7v+sc4 57nxSM7NYTFwdDD9wR9l2w5YsiqPnw9xLCXTe2ffuzERhXV0tn9kLnbyfBZHqBoV+ze3 5TSecf1zAFFM374cTTmahEgyVJGPmEU7s/97loD1IxMcRUlEHDdk8lZ64AsgFmxttJaE iWfCwYuVTtox7URLMDw5raONC8HHTH16o/1ZxBBIg7/s4Sxc9EaoUsuFNlRq+ngy/ppN 3/Hw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="bAtd/+Um"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) 
header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id t25si5603792edr.81.2021.10.06.23.24.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Oct 2021 23:24:46 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="bAtd/+Um"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 12C4583476; Thu, 7 Oct 2021 08:24:45 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="bAtd/+Um"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 4FC3C83484; Thu, 7 Oct 2021 08:24:42 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 198F883474 for ; Thu, 7 Oct 2021 08:24:36 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org 
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pj1-x1029.google.com with SMTP id oa4so3324066pjb.2 for ; Wed, 06 Oct 2021 23:24:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=/PlKSx96P4f7w1GPBHCz9Q5A9AGmvUiveAJikOqp7Js=; b=bAtd/+UmcPfX0RFB5FUDq8lVMKK7+7aWpk3mcW4wYkLqZzGmmPPK0F3EGRAOVDZXJN 2epbOQY0ROrJ4B6VNSVrOpa71N/ntZAW18WqukDWhjAxCxg2AEU03Qe8HXPKqrqj+r/N cXG0P7nSXfiyIusxet/G+guM1Hy1iZCsIaEgXVnJS5oXIrON8AGkX6PhJq+9t8IluE8f qe1WPpeXDgFyOB9NIOyrU8I9/l+pZPoLA8JG2eLqmrl4Aim9R4L0MI+Rx6lUOLKxBabm 8T2Nvn5Nv8DOtK9gNCRIwghuMaEVL6Gtdd9vZ/GgQdhFmZ91LYsdosHpjeRNGWBfGdiE ED3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=/PlKSx96P4f7w1GPBHCz9Q5A9AGmvUiveAJikOqp7Js=; b=uSGMUS3/ywTOpDrfneFfujunFUm6wLOfaxI65yAqaD4We6l0P8rg9+/4B/YpAChALm Lk1FRuxYXTvv8U1dMY6982AlPx7yAh12NW6gFqk5iqbR3iBd0V1kPvSvU3QIy8cFgVry xn0jlUo56jUAYVyxqjgBpvYuK2oAmi9kmoMFKR7BwHSJ+XEEcr9F8mAi4vHYMgCctc5Y xRiImaAh77IAr5yUSG20uj9n7Jg9yGdnCg3+FAHfl57lPA4h8A8EMgdrUTF1FA+R325p uS1HKtxGBady9oWiUTPv/b4VXEWImp3wUfpaGMPQ9cIJ/SOnSKqzmBMGuREgicQZv8dG HHhw== X-Gm-Message-State: AOAM530qQhOtoPiG+uwiFyBy9Xb5qp621Fwn7dquEAQ/kPEN+RmSWTuW oPd5GMPqT0dZmp3zwXEnvi4tNg== X-Received: by 2002:a17:90b:4a48:: with SMTP id lb8mr2850763pjb.236.1633587874342; Wed, 06 Oct 2021 23:24:34 -0700 (PDT) Received: from localhost.localdomain (122-100-26-39m5.mineo.jp. [122.100.26.39]) by smtp.gmail.com with ESMTPSA id b17sm22131859pgl.61.2021.10.06.23.24.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Oct 2021 23:24:33 -0700 (PDT) 
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v4 01/11] Revert "Revert "mkeficapsule: Remove dtb related options"" Date: Thu, 7 Oct 2021 15:23:30 +0900 Message-Id: <20211007062340.72207-2-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org> References: <20211007062340.72207-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This reverts commit d428e81266a59974ade74c1ba019af39f23304ab. We have agreed with removing dtb-related stuff from mkeficapsule command even if the commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") was applied. Signed-off-by: AKASHI Takahiro --- tools/mkeficapsule.c | 229 ++----------------------------------------- 1 file changed, 7 insertions(+), 222 deletions(-) -- 2.33.0 Reviewed-by: Ilias Apalodimas diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index de0a62898886..4995ba4e0c2a 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -4,22 +4,17 @@ * Author: AKASHI Takahiro */ -#include #include #include #include #include #include #include -#include #include -#include #include #include -#include "fdt_host.h" - typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; @@ -29,9 +24,6 @@ typedef __s32 s32; #define aligned_u64 __aligned_u64 -#define SIGNATURE_NODENAME "signature" -#define OVERLAY_NODENAME "__overlay__" - #ifndef __packed #define __packed __attribute__((packed)) #endif 
@@ -52,9 +44,6 @@ static struct option options[] = { {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, - {"dtb", required_argument, NULL, 'D'}, - {"public key", required_argument, NULL, 'K'}, - {"overlay", no_argument, NULL, 'O'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
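Review bot: the removed `{"public key", required_argument, NULL, 'K'}` entry in this options[] hunk spelled the long option with a space, so the `--public-key` form advertised by print_usage() could never have matched it through getopt_long(); the revert drops that latent mismatch together with the dtb/overlay entries, which is worth a sentence in the commit message so nobody later tries to restore the entry as written.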
@@ -68,187 +57,10 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" - "\t-K, --public-key public key esl file\n" - "\t-D, --dtb dtb file\n" - "\t-O, --overlay the dtb file is an overlay\n" "\t-h, --help print a help message\n", tool_name); } -static int fdt_add_pub_key_data(void *sptr, void *dptr, size_t key_size, - bool overlay) -{ - int parent; - int ov_node; - int frag_node; - int ret = 0; - - if (overlay) { - /* - * The signature would be stored in the - * first fragment node of the overlay - */ - frag_node = fdt_first_subnode(dptr, 0); - if (frag_node == -FDT_ERR_NOTFOUND) { - fprintf(stderr, - "Couldn't find the fragment node: %s\n", - fdt_strerror(frag_node)); - goto done; - } - - ov_node = fdt_subnode_offset(dptr, frag_node, OVERLAY_NODENAME); - if (ov_node == -FDT_ERR_NOTFOUND) { - fprintf(stderr, - "Couldn't find the __overlay__ node: %s\n", - fdt_strerror(ov_node)); - goto done; - } - } else { - ov_node = 0; - } - - parent = fdt_subnode_offset(dptr, ov_node, SIGNATURE_NODENAME); - if (parent == -FDT_ERR_NOTFOUND) { - parent = fdt_add_subnode(dptr, ov_node, SIGNATURE_NODENAME); - if (parent < 0) { - ret = parent; - if (ret != -FDT_ERR_NOSPACE) { - fprintf(stderr, - "Couldn't create signature node: %s\n", - fdt_strerror(parent)); - } - } - } - if (ret) - goto done; - - /* Write the key to the FDT node */ - ret = fdt_setprop(dptr, parent, "capsule-key", - sptr, key_size); - -done: - if (ret) - ret = ret == -FDT_ERR_NOSPACE ? 
-ENOSPC : -EIO; - - return ret; -} - -static int add_public_key(const char *pkey_file, const char *dtb_file, - bool overlay) -{ - int ret; - int srcfd = -1; - int destfd = -1; - void *sptr = NULL; - void *dptr = NULL; - off_t src_size; - struct stat pub_key; - struct stat dtb; - - /* Find out the size of the public key */ - srcfd = open(pkey_file, O_RDONLY); - if (srcfd == -1) { - fprintf(stderr, "%s: Can't open %s: %s\n", - __func__, pkey_file, strerror(errno)); - ret = -1; - goto err; - } - - ret = fstat(srcfd, &pub_key); - if (ret == -1) { - fprintf(stderr, "%s: Can't stat %s: %s\n", - __func__, pkey_file, strerror(errno)); - ret = -1; - goto err; - } - - src_size = pub_key.st_size; - - /* mmap the public key esl file */ - sptr = mmap(0, src_size, PROT_READ, MAP_SHARED, srcfd, 0); - if (sptr == MAP_FAILED) { - fprintf(stderr, "%s: Failed to mmap %s:%s\n", - __func__, pkey_file, strerror(errno)); - ret = -1; - goto err; - } - - /* Open the dest FDT */ - destfd = open(dtb_file, O_RDWR); - if (destfd == -1) { - fprintf(stderr, "%s: Can't open %s: %s\n", - __func__, dtb_file, strerror(errno)); - ret = -1; - goto err; - } - - ret = fstat(destfd, &dtb); - if (ret == -1) { - fprintf(stderr, "%s: Can't stat %s: %s\n", - __func__, dtb_file, strerror(errno)); - goto err; - } - - dtb.st_size += src_size + 0x30; - if (ftruncate(destfd, dtb.st_size)) { - fprintf(stderr, "%s: Can't expand %s: %s\n", - __func__, dtb_file, strerror(errno)); - ret = -1; - goto err; - } - - errno = 0; - /* mmap the dtb file */ - dptr = mmap(0, dtb.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, - destfd, 0); - if (dptr == MAP_FAILED) { - fprintf(stderr, "%s: Failed to mmap %s:%s\n", - __func__, dtb_file, strerror(errno)); - ret = -1; - goto err; - } - - if (fdt_check_header(dptr)) { - fprintf(stderr, "%s: Invalid FDT header\n", __func__); - ret = -1; - goto err; - } - - ret = fdt_open_into(dptr, dptr, dtb.st_size); - if (ret) { - fprintf(stderr, "%s: Cannot expand FDT: %s\n", - __func__, 
fdt_strerror(ret)); - ret = -1; - goto err; - } - - /* Copy the esl file to the expanded FDT */ - ret = fdt_add_pub_key_data(sptr, dptr, src_size, overlay); - if (ret < 0) { - fprintf(stderr, "%s: Unable to add public key to the FDT\n", - __func__); - ret = -1; - goto err; - } - - ret = 0; - -err: - if (sptr) - munmap(sptr, src_size); - - if (dptr) - munmap(dptr, dtb.st_size); - - if (srcfd != -1) - close(srcfd); - - if (destfd != -1) - close(destfd); - - return ret; -} - static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long index, unsigned long instance) { @@ -366,22 +178,16 @@ err_1: int main(int argc, char **argv) { char *file; - char *pkey_file; - char *dtb_file; efi_guid_t *guid; unsigned long index, instance; int c, idx; - int ret; - bool overlay = false; file = NULL; - pkey_file = NULL; - dtb_file = NULL; guid = NULL; index = 0; instance = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:D:K:Oh", options, &idx); + c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); if (c == -1) break; 
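Review bot: with fdt_add_pub_key_data() and add_public_key() deleted in the @@ -68,187 hunk, mkeficapsule no longer has any path that writes the `capsule-key` property into a `signature` node, but the commit message only says "dtb-related stuff" is removed. Please state where the public-key ESL is now expected to be embedded (the uefi.rst text in 02/11 of this series says it is "embedded as part of U-Boot" through CONFIG_EFI_CAPSULE_KEY_PATH), so that readers of `git log` do not look for a replacement option in this tool.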
@@ -408,43 +214,22 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; - case 'K': - if (pkey_file) { - printf("Public Key already specified\n"); - return -1; - } - pkey_file = optarg; - break; - case 'D': - if (dtb_file) { - printf("DTB file already specified\n"); - return -1; - } - dtb_file = optarg; - break; - case 'O': - overlay = true; - break; case 'h': print_usage(); return 0; } } - /* need a fit image file or raw image file */ - if (!file && !pkey_file && !dtb_file) { + /* need an output file */ + if (argc != optind + 1) { print_usage(); exit(EXIT_FAILURE); } - if (pkey_file && dtb_file) { - ret = add_public_key(pkey_file, dtb_file, overlay); - if (ret == -1) { - printf("Adding public key to the dtb failed\n"); - exit(EXIT_FAILURE); - } else { - exit(EXIT_SUCCESS); - } + /* need a fit image file or raw image file */ + if (!file) { + print_usage(); + exit(EXIT_SUCCESS); } if (create_fwbin(argv[optind], file, guid, index, instance) From patchwork Thu Oct 7 06:23:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 515428 Delivered-To: patch@linaro.org Received: by 2002:ac0:b5cc:0:0:0:0:0 with SMTP id x12csp1004050ime; Wed, 6 Oct 2021 23:25:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwnfJ8noiuZPMMMG3u28AjaA8RHiFAxqkeYPocEgtNsAVbpUzZf4/2FeKGFL2b0fgMRDS5M X-Received: by 2002:a17:906:5e17:: with SMTP id n23mr3446977eju.258.1633587918064; Wed, 06 Oct 2021 23:25:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633587918; cv=none; d=google.com; s=arc-20160816; b=SHIz0ZmuBb9ZVwHRFx6jbK/Obawst6Yck3d4HHXCGDAUMe+3ET/Ys/TGLyCrpuHgtx UbGwFYiHebx9fCJP6DYvTAYEcQPAkj5RzTmlnkbzBFCZffNFTTvflMJ2UJKPnpaNJSI6 CthyFuHRFuwOvywfGFWKay1ToG6Y/7NE4OoJjOzabWQhsUQ7AZZNeNOCH31OwI4dVf1G Rq9/kekdNSZPYlgbI9A2ZqBxNojkieOYom5VO9CIs3GPd4OAgI8uDRCrTY2/hHCWTnY8 MUiHYG7gtapZXCpmZ2J/mn1o7s+6Pa7Tejt2fteckAwWb5GNKR61VudAifFePMRxNMb+ 6VVA== ARC-Message-Signature: i=1; 
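Review bot: in the `if (!file)` branch added at the end of the @@ -408,43 hunk, a missing input image prints the usage and then calls `exit(EXIT_SUCCESS)`; that is a usage error, not a success, so a build script that invokes mkeficapsule without an image gets a zero exit status and no capsule. Suggest `exit(EXIT_FAILURE)` here, matching the `argc != optind + 1` check directly above it.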
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v4 02/11] Revert "Revert "doc: Update CapsuleUpdate READMEs"" Date: Thu, 7 Oct 2021 15:23:31 +0900 Message-Id: <20211007062340.72207-3-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org> References: <20211007062340.72207-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This reverts commit a7e4f905d206d5895dab4bd38a8316e4f2fe15fe. The description originally written by Sughosh is still valid even after the commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") was applied. Signed-off-by: AKASHI Takahiro --- doc/develop/uefi/uefi.rst | 124 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) -- 2.33.0 diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 4f2b8b036db8..f17138f5c765 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst 
@@ -277,6 +277,130 @@ Enable ``CONFIG_OPTEE``, ``CONFIG_CMD_OPTEE_RPMB`` and ``CONFIG_EFI_MM_COMM_TEE` [1] https://optee.readthedocs.io/en/latest/building/efi_vars/stmm.html +Enabling UEFI Capsule Update feature +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Support has been added for the UEFI capsule update feature which +enables updating the U-Boot image using the UEFI firmware management +protocol (FMP). The capsules are not passed to the firmware through +the UpdateCapsule runtime service. Instead, capsule-on-disk +functionality is used for fetching the capsule from the EFI System +Partition (ESP) by placing the capsule file under the +\EFI\UpdateCapsule directory. + +The directory \EFI\UpdateCapsule is checked for capsules only within the +EFI system partition on the device specified in the active boot option +determined by reference to BootNext variable or BootOrder variable processing. +The active Boot Variable is the variable with highest priority BootNext or +within BootOrder that refers to a device found to be present. Boot variables +in BootOrder but referring to devices not present are ignored when determining +active boot variable. +Before starting a capsule update make sure your capsules are installed in the +correct ESP partition or set BootNext. + +Performing the update +********************* + +Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig +option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable +check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. 
+ +If that option is disabled, you'll need to set the OsIndications variable with:: + + => setenv -e -nv -bs -rt -v OsIndications =0x04 + +Finally, the capsule update can be initiated either by rebooting the board, +which is the preferred method, or by issuing the following command:: + + => efidebug capsule disk-update + +**The efidebug command is should only be used during debugging/development.** + +Enabling Capsule Authentication +******************************* + +The UEFI specification defines a way of authenticating the capsule to +be updated by verifying the capsule signature. The capsule signature +is computed and prepended to the capsule payload at the time of +capsule generation. This signature is then verified by using the +public key stored as part of the X509 certificate. This certificate is +in the form of an efi signature list (esl) file, which is embedded as +part of U-Boot. + +The capsule authentication feature can be enabled through the +following config, in addition to the configs listed above for capsule +update:: + + CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH= + +The public and private keys used for the signing process are generated +and used by the steps highlighted below:: + + 1. Install utility commands on your host + * OPENSSL + * efitools + + 2. 
Create signing keys and certificate files on your host + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ + -keyout CRT.key -out CRT.crt -nodes -days 365 + $ cert-to-efi-sig-list CRT.crt CRT.esl + + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem + + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem + +The capsule file can be generated by using the GenerateCapsule.py +script in EDKII:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --monotonic-count --fw-version \ + --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ + --update-image-index --signer-private-cert \ + /path/to/CRT.pem --trusted-public-cert \ + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ + + +Place the capsule generated in the above step on the EFI System +Partition under the EFI/UpdateCapsule directory + +Testing on QEMU +*************** + +Currently, support has been added on the QEMU ARM64 virt platform for +updating the U-Boot binary as a raw image when the platform is booted +in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this +configuration, the QEMU platform needs to be booted with +'secure=off'. The U-Boot binary placed on the first bank of the NOR +flash at offset 0x0. The U-Boot environment is placed on the second +NOR flash bank at offset 0x4000000. 
+ +The capsule update feature is enabled with the following configuration +settings:: + + CONFIG_MTD=y + CONFIG_FLASH_CFI_MTD=y + CONFIG_CMD_MTDPARTS=y + CONFIG_CMD_DFU=y + CONFIG_DFU_MTD=y + CONFIG_PCI_INIT_R=y + CONFIG_EFI_CAPSULE_ON_DISK=y + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y + CONFIG_EFI_CAPSULE_FIRMWARE=y + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + +In addition, the following config needs to be disabled(QEMU ARM specific):: + + CONFIG_TFABOOT + +The capsule file can be generated by using the tools/mkeficapsule:: + + $ mkeficapsule --raw --index 1 + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ From patchwork Thu Oct 7 06:23:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 515429 Delivered-To: patch@linaro.org Received: by 2002:ac0:b5cc:0:0:0:0:0 with SMTP id x12csp1004095ime; Wed, 6 Oct 2021 23:25:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxw1ErelwqghVUZVVhZTv82/qkjRkNAZBrLm/68AVV2S2/NGHvWuleM/p9CqSn3GEzbNNH4 X-Received: by 2002:a05:6402:40f:: with SMTP id q15mr3664143edv.333.1633587927379; Wed, 06 Oct 2021 23:25:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633587927; cv=none; d=google.com; s=arc-20160816; b=sG4pDM3dOQnJsmA98a+FCHdq5SOQyIn63EgPQUp3f+bHCnzYdnTxFaIBVG3sagiaH3 M/4W6FdCh4e0w6BB4IiAPaWTAI9GtKXiKeCCcG8jQ0wc3lmMR68RcpW7PYARUBCrsV3f t70A64cjVrdVYNjqzeljLctrlwjMtFb7Qj2+F3046mnmXb/7D8UAgEqVfyFrCaeCAcJy DNYcVBRRDStv+WHmqWkjfba5BRj/fYZ9FezlRRReloEZD2cY7HC0n2/LfidGbZYdUEd/ Q6GV+1ZEBOHJPpzT5pJkl1pbOSrDrGQeCDaKvFWc2HHYxvD2uh5XOj6rY44WXwBLPKrR BALw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=2FnSOKDVLTy0sxSHbwmzOhnc/48ayRC3P9f6t3F6nFY=; 
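Review bot: the "Performing the update" text added in this hunk presents CONFIG_EFI_IGNORE_OSINDICATIONS as a convenience, but it disables the OsIndications check that gates whether a capsule found on the ESP is processed at all, so it deserves the same "debugging/development only" warning the hunk gives to efidebug; otherwise a reader who follows "just copy your capsule to \EFI\UpdateCapsule" on a production build ends up with firmware that applies any capsule placed there, with capsule signature verification as the only remaining gate and only when CONFIG_EFI_CAPSULE_AUTHENTICATE is also set. Smaller points in the same hunk: "The efidebug command is should only be used" should drop "is"; "Since U-boot doesn't" should read "U-Boot"; and the key-generation steps create an unencrypted private key (`-nodes`, and CRT.pem carries the key), so one sentence telling readers to keep CRT.key and CRT.pem out of the build tree and off the ESP would fit right after those commands.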
oJQl7JmY0DpJ/YWNwRs5Fx82rL2eyReLiUeNXeH5q/RMVxHvlNlJ9b84WfUkxcbX/5at tx6DTBnJtNcvzeNVmWT5erEqdJf3NwSqnhRAMSsy/k88bsoaPPtu2WNcO9PorLbzpxPU 1n4v4Phkn1p5bC/JIoRlXh+s2B2cfF2aaHSUSNrpN80yjkdFxge5VSyuSx2LSAlOI9p8 dgVA== X-Gm-Message-State: AOAM532Nn0QKuHBaqWZ/qsOLB0Bazru6KeOuM/myRzkhd+bu9CXLmZla d17mRXisl974+aND4iGHy/VPCg== X-Received: by 2002:a17:90a:8912:: with SMTP id u18mr2730013pjn.69.1633587912011; Wed, 06 Oct 2021 23:25:12 -0700 (PDT) Received: from localhost.localdomain (122-100-26-39m5.mineo.jp. [122.100.26.39]) by smtp.gmail.com with ESMTPSA id b17sm22131859pgl.61.2021.10.06.23.25.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Oct 2021 23:25:11 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v4 03/11] efi_loader: capsule: add back efi_get_public_key_data() Date: Thu, 7 Oct 2021 15:23:32 +0900 Message-Id: <20211007062340.72207-4-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org> References: <20211007062340.72207-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean The commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") failed to revert the removal of efi_get_public_key_data(). Add back this function and move it under lib/efi_loader so that other platforms can utilize it. It is now declared as a weak function so that it can be replaced with a platform-specific implementation. Fixes: 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") 
Signed-off-by: AKASHI Takahiro --- lib/efi_loader/efi_capsule.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) -- 2.33.0 Reviewed-by: Ilias Apalodimas diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index b75e4bcba1a9..44f5da61a9be 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -11,15 +11,20 @@ #include #include #include +#include +#include #include #include #include #include +#include #include #include #include +DECLARE_GLOBAL_DATA_PTR; + const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID; static const efi_guid_t efi_guid_firmware_management_capsule_id = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
@@ -251,6 +256,37 @@ out: } #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) +int __weak efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + log_err("Unable to get signature node offset\n"); + + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + log_err("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + + return 0; +} efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, void **image, efi_uintn_t *image_size) From patchwork Thu Oct 7 06:23:33 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 515430 Delivered-To: patch@linaro.org Received: by 2002:ac0:b5cc:0:0:0:0:0 with SMTP id x12csp1004163ime; Wed, 6 Oct 2021 23:25:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwHPcUg2LIH0MNS7cHSQnDbZstO/jfNXiNC0PpVOo5AsgQsSGefVVDw145BkOpcBV+hZpxn X-Received: by 2002:a17:906:a01:: with SMTP id w1mr3490402ejf.117.1633587938334; Wed, 06 Oct 2021 23:25:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633587938; cv=none; d=google.com; s=arc-20160816; b=wJ/9bH3wxrxFZu2LoAWYUhRjtDndM+pzJVuCK8vF0Gf2kRs7XRfP43sHdTkb5RuLfP HpHmwg2EJRz64Ih2wKteBafickECu/5KdEhzdYqE0iZ1IWPWmXeVXsFTaGEx+OZ1iLqq SYQSs3FAR/YiDz1UvEat+uTbq/xXBVLuCG+eV5v8BiA2MceYbJnqRelxN8i4cqfhIFJc kyzqvBfzTcf6wDDLGvP39yVeUNJ/YgO4b+II4zk3OrD5TZt3aCqEw41I3pGOahkYJjSE CQ7xSXQSgK/aVy7velXovh3g8WioLC6rLYE/GpbgCDKam1vlV7s3lifuRUXVQAn7+WIj 3Z+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; 
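Review bot: in efi_get_public_key_data() the `len < 0` half of `if (!blob || len < 0)` is dead code (fdt_getprop() only reports a negative `len` together with a NULL pointer), while a zero-length `capsule-key` property passes the check and hands the caller a non-NULL *pkey with *pkey_len == 0; test `len <= 0` instead. The two error paths are also inconsistent: the `sig_node < 0` path returns without clearing *pkey/*pkey_len as the second one does, and both collapse the real libfdt error code that `sig_node` or `len` already holds into -FDT_ERR_NOTFOUND. The `(void *)blob` cast discards the const of DTB memory the caller must not write to; `const void **pkey` in the prototype would keep that honest. Finally, the weak hook has no kernel-doc block although platforms are expected to override it, and it should say plainly that the default implementation trusts whatever `gd->fdt_blob` carries, so the DTB has to be covered by whatever verifies U-Boot itself or the capsule check is only as trustworthy as the DTB.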
From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v4 04/11] tools: add fdtsig.sh Date: Thu, 7 Oct 2021 15:23:33 +0900 Message-Id: <20211007062340.72207-5-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org> References: <20211007062340.72207-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean With this script, a public key is added to a device tree blob as the default efi_get_public_key_data() expects. Signed-off-by: AKASHI Takahiro --- MAINTAINERS | 1 + tools/fdtsig.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100755 tools/fdtsig.sh -- 2.33.0 diff --git a/MAINTAINERS b/MAINTAINERS index 5370b550648e..650e428b6cb4 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -713,6 +713,7 @@ F: cmd/bootefi.c F: cmd/efidebug.c F: cmd/nvedit_efi.c F: tools/efivar.py +F: tools/fdtsig.sh F: tools/file2include.c F: tools/mkeficapsule.c diff --git a/tools/fdtsig.sh b/tools/fdtsig.sh new file mode 100755 index 000000000000..5ce7357614d7 --- /dev/null +++ b/tools/fdtsig.sh 
@@ -0,0 +1,40 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# +# script to add a certificate (efi-signature-list) to dtb blob + +usage() { + if [ -n "$*" ]; then + echo "ERROR: $*" + fi + echo "Usage: "$(basename $0) " " +} + +if [ "$#" -ne 2 ]; then + usage "Arguments missing" + exit 1 +fi + +ESL=$1 +DTB=$2 +NEW_DTB=$(basename $DTB)_tmp +SIG=signature + +cat << 'EOF' > $SIG.dts +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("ESL"); + }; +}; +EOF + +sed -in "s/ESL/$ESL/" $SIG.dts + +dtc -@ -I dts -O dtb -o $SIG.dtbo $SIG.dts +fdtoverlay -i $DTB -o $NEW_DTB -v $SIG.dtbo +mv $NEW_DTB $DTB + +#rm $SIG.dts $SIG.dtbo $NEW_DTB From patchwork Thu Oct 7 06:23:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 515431 Delivered-To: patch@linaro.org Received: by 2002:ac0:b5cc:0:0:0:0:0 with SMTP id x12csp1004262ime; Wed, 6 Oct 2021 23:25:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy/Bt9xNL29isn91TwnVfZgUJT9p9/8HnbqKLbbwL3ZOtP21uNgEH0I+1mEJiL2oJ/zrAGb X-Received: by 2002:a50:e183:: with SMTP id k3mr3914017edl.22.1633587950799; Wed, 06 Oct 2021 23:25:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633587950; cv=none; d=google.com; s=arc-20160816; b=xlh2DhzJYDfUFAidQa8oEQLiR77TWWh/34/MeP2dgr7USFNxUfIIQ2IbcU5nXFzLrP 5mC2rXsWcUziPUMRJJxxrsoH1Mk+cloqZHEWNuFtfo5UxJo9Prpdj1fO/H84laXDHT/l oz6OiJPsR4Cr1TUyA9zZ1swBAUwCCp+QaZg2J6UaRIGzCRYNdjmLIqRhEUNf+NWwzA9L qo+QLFvJspzX7b25bFXVC3Bu/+/EYg+wu5z44BKTHmTKgTyyZgTLe2abvbiOUpVEtwBp cUgIZu89NaNlJQMy34nHWStMH8jviZk/ryInwjdKdViHjm7wTrKosknrXfXUSg5OjF2q +MFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=s/URtuRXt41MWsvD+Ugk5V1wufRVb9ZE864hUwLix3I=; 
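Review bot: `sed -in "s/ESL/$ESL/" $SIG.dts` does not do what it looks like: GNU sed reads `-in` as `-i` with backup suffix `n`, so a stray `signature.dtsn` is left behind, and since `/` is the substitution delimiter any ESL path with a directory component (`keys/db.esl`) breaks the expression. The pattern is also unanchored, so the first `ESL` anywhere in the file is rewritten rather than only the `/incbin/("ESL")` argument. Simplest fix is to drop the `'EOF'` quoting on the heredoc and write `capsule-key = /incbin/("$ESL");` directly; otherwise use a different delimiter and match the quoted string, e.g. `sed -i "s|\"ESL\"|\"$ESL\"|"`. Separately, there is no `set -e` and neither dtc nor fdtoverlay is checked, yet `mv $NEW_DTB $DTB` replaces the caller's DTB unconditionally; on a failure the original is clobbered or the temporaries (`signature.dts`, `signature.dtbo`, the `_tmp` blob) pile up in the current directory, since the cleanup line is commented out. Quote `$DTB` and `$ESL`, check the two tool invocations before the `mv`, and place the temporary next to the DTB rather than `$(basename $DTB)_tmp` in the cwd.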
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 05/11] tools: mkeficapsule: add firmware image signing
Date: Thu, 7 Oct 2021 15:23:34 +0900
Message-Id: <20211007062340.72207-6-takahiro.akashi@linaro.org>
In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org>
References: <20211007062340.72207-1-takahiro.akashi@linaro.org>

With this enhancement, mkeficapsule will be able to sign a capsule file when it is created. A signature added will be used later in the verification at FMP's SetImage() call.

To do that, we need to specify additional command parameters:
  -monotonic-count : monotonic count
  -private-key : private key file
  -certificate : certificate file

Only when all of those parameters are given, a signature will be added to a capsule file.

Users are expected to maintain and increment the monotonic count at every time of the update for each firmware image.

Signed-off-by: AKASHI Takahiro
---
 tools/Kconfig | 7 +
 tools/Makefile | 8 +-
 tools/mkeficapsule.c | 435 +++++++++++++++++++++++++++++++++++++++----
 3 files changed, 416 insertions(+), 34 deletions(-)

-- 
2.33.0

diff --git a/tools/Kconfig b/tools/Kconfig
index d6f82cd949b5..9a37ed035311 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -20,4 +20,11 @@ config TOOLS_LIBCRYPTO This selection does not affect target features, such as runtime FIT signature verification. +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. endmenu diff --git a/tools/Makefile b/tools/Makefile index 4a86321f6467..6ea3033dbfb8 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -237,8 +237,12 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +HOSTLDLIBS_mkeficapsule += -luuid +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 4995ba4e0c2a..5541e4bda894 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,6 +15,16 @@ #include #include +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include +#endif + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; 
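Review bot: the Kconfig prompt reads "Build efimkcapsule command" but the tool is mkeficapsule; fix the name, drop the stray comma in "and, optionally sign that file", and say in the help text that signing additionally requires TOOLS_LIBCRYPTO, since without it the -p/-c/-m options in this patch are compiled out.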
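Review bot: `HOSTLDLIBS_mkeficapsule += -luuid` is added unconditionally, but nothing in this patch's hunks calls libuuid; if a later patch of the series introduces that dependency, move the flag there, otherwise the tool fails to link on hosts without the libuuid development package for no benefit. The same hunk drops `mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS)`, so the tool now builds from mkeficapsule.o alone; a line in the commit message saying the libfdt objects were unused would make that intentional rather than incidental.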
@@ -38,12 +48,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
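Review bot: both variants of `opts_short` keep `v:` although options[] has no entry for 'v' and main() has no `case 'v'`, so `-v` is silently accepted, swallows the following argument and is then ignored; drop it from both strings while touching them (the original "f:r:i:I:v:h" had the same problem, but this hunk is the place to fix it).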
@@ -57,16 +80,280 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data: Pointer to firmware data + * @image_size: Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + u8 *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + u8 *sig_data; + size_t sig_size; +}; + +static int dump_sig; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +/** + * fileio-read_pkey - read out a private key + * @filename: Path to a private key file + * + * Read out a private key file and parse it into "EVP_PKEY" structure. + * + * Return: + * * Pointer to private key structure - on success + * * NULL - on failure + */ +static EVP_PKEY *fileio_read_pkey(const char *filename) +{ + EVP_PKEY *key = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!key) { + printf("Can't load key from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return key; +} + +/** + * fileio-read_cert - read out a certificate + * @filename: Path to a certificate file + * + * Read out a certificate file and parse it into "X509" structure. 
+ * + * Return: + * * Pointer to certificate structure - on success + * * NULL - on failure + */ +static X509 *fileio_read_cert(const char *filename) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!cert) { + printf("Can't load certificate from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return cert; +} + +/** + * create_auth_data - compose authentication data in capsule + * @auth_context: Pointer to authentication context + * + * Fill up an authentication header (.auth) and signature data (.sig_data) + * in @auth_context, using library functions from openssl. + * All the parameters in @auth_context must be filled in by a caller. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_auth_data(struct auth_context *ctx) +{ + EVP_PKEY *key = NULL; + X509 *cert = NULL; + BIO *data_bio = NULL; + const EVP_MD *md; + PKCS7 *p7; + int flags, ret = -1; + + OpenSSL_add_all_digests(); + OpenSSL_add_all_ciphers(); + ERR_load_crypto_strings(); + + key = fileio_read_pkey(ctx->key_file); + if (!key) + goto err; + cert = fileio_read_cert(ctx->cert_file); + if (!cert) + goto err; + + /* + * create a BIO, containing: + * * firmware image + * * monotonic count + * in this order! 
+ * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256() + */ + data_bio = BIO_new(BIO_s_mem()); + BIO_write(data_bio, ctx->image_data, ctx->image_size); + BIO_write(data_bio, &ctx->auth.monotonic_count, + sizeof(ctx->auth.monotonic_count)); + + md = EVP_get_digestbyname("SHA256"); + if (!md) + goto err; + + /* create signature */ + /* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */ + flags = PKCS7_BINARY | PKCS7_DETACHED; + p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL); + if (!p7) + goto err; + if (!PKCS7_sign_add_signer(p7, cert, key, md, flags)) + goto err; + if (!PKCS7_final(p7, data_bio, flags)) + goto err; + + /* convert pkcs7 into DER */ + ctx->sig_data = NULL; + ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data, + ASN1_ITEM_rptr(PKCS7)); + if (!ctx->sig_size) + goto err; + + /* fill auth_info */ + ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info) + + ctx->sig_size; + ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7, + sizeof(efi_guid_cert_type_pkcs7)); + + ret = 0; +err: + BIO_free_all(data_bio); + EVP_PKEY_free(key); + X509_free(cert); + + return ret; +} + +/** + * dump_signature - dump out a signature + * @path: Path to a capsule file + * @signature: Signature data + * @sig_size: Size of signature data + * + * Signature data pointed to by @signature will be saved into + * a file whose file name is @path with ".p7" suffix. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int dump_signature(const char *path, u8 *signature, size_t sig_size) +{ + char *sig_path; + FILE *f; + size_t size; + int ret = -1; + + sig_path = malloc(strlen(path) + 3 + 1); + if (!sig_path) + return ret; + + sprintf(sig_path, "%s.p7", path); + f = fopen(sig_path, "w"); + if (!f) + goto err; + + size = fwrite(signature, 1, sig_size, f); + if (size == sig_size) + ret = 0; + + fclose(f); +err: + free(sig_path); + return ret; +} + +/** + * free_sig_data - free out signature data + * @ctx: Pointer to authentication context + * + * Free signature data allocated in create_auth_data(). + */ +static void free_sig_data(struct auth_context *ctx) +{ + if (ctx->sig_size) + OPENSSL_free(ctx->sig_data); +} +#else +static int create_auth_data(struct auth_context *ctx) +{ + return 0; +} + +static int dump_signature(const char *path, u8 *signature, size_t sig_size) +{ + return 0; +} + +static void free_sig_data(struct auth_context *ctx) {} +#endif + +/** + * create_fwbin - create an uefi capsule file + * @path: Path to a created capsule file + * @bin: Path to a firmware binary to encapsulate + * @guid: GUID of related FMP driver + * @index: Index number in capsule + * @instance: Instance number in capsule + * @mcount: Monotonic count in authentication information + * @private_file: Path to a private key file + * @cert_file: Path to a certificate file + * + * This function actually does the job of creating an uefi capsule file. + * All the arguments must be supplied. + * If either @private_file ror @cert_file is NULL, the capsule file + * won't be signed. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) + unsigned long index, unsigned long instance, + uint64_t mcount, char *privkey_file, char *cert_file) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; + struct auth_context auth_context; FILE *f, *g; struct stat bin_stat; u8 *data; @@ -76,8 +363,9 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, #ifdef DEBUG printf("For output: %s\n", path); printf("\tbin: %s\n\ttype: %pUl\n", bin, guid); - printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); + printf("\tindex: %lu\n\tinstance: %lu\n", index, instance); #endif + auth_context.sig_size = 0; g = fopen(bin, "r"); if (!g) { @@ -93,11 +381,34 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, printf("cannot allocate memory: %zx\n", (size_t)bin_stat.st_size); goto err_1; } - f = fopen(path, "w"); - if (!f) { - printf("cannot open %s\n", path); + + size = fread(data, 1, bin_stat.st_size, g); + if (size < bin_stat.st_size) { + printf("read failed (%zx)\n", size); goto err_2; } + + /* first, calculate signature to determine its size */ + if (privkey_file && cert_file) { + auth_context.key_file = privkey_file; + auth_context.cert_file = cert_file; + auth_context.auth.monotonic_count = mcount; + auth_context.image_data = data; + auth_context.image_size = bin_stat.st_size; + + if (create_auth_data(&auth_context)) { + printf("Signing firmware image failed\n"); + goto err_3; + } + + if (dump_sig && + dump_signature(path, auth_context.sig_data, + auth_context.sig_size)) { + printf("Creating signature file failed\n"); + goto err_3; + } + } + header.capsule_guid = efi_guid_fm_capsule; header.header_size = sizeof(header); /* TODO: The current implementation ignores flags */ 
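Review bot: create_auth_data() never frees `p7`: PKCS7_sign() allocates it and every path, success and `goto err` alike, returns without PKCS7_free(p7), while the `err:` label already releases the BIO, key and certificate; add the free there. In the same function the `in this order!` comment should spell out that `monotonic_count` is written to the BIO as its raw in-memory bytes, so the message actually signed is image || LE64(monotonic_count) on little-endian hosts and a verifier has to reconstruct exactly that byte string; the two `BIO_write()` return values are also unchecked. Cosmetic: the kernel-doc headers read `fileio-read_pkey` and `fileio-read_cert` (hyphen) for functions named with underscores, print_usage() advertises `--dump_sig` while the option table defines `dump-sig`, and the create_fwbin() doc has "ror" for "or".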
@@ -106,11 +417,20 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, + sizeof(capsule) + sizeof(u64) + sizeof(image) + bin_stat.st_size; + if (auth_context.sig_size) + header.capsule_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; + + f = fopen(path, "w"); + if (!f) { + printf("cannot open %s\n", path); + goto err_3; + } size = fwrite(&header, 1, sizeof(header), f); if (size < sizeof(header)) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } capsule.version = 0x00000001; @@ -119,13 +439,13 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, size = fwrite(&capsule, 1, sizeof(capsule), f); if (size < (sizeof(capsule))) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } offset = sizeof(capsule) + sizeof(u64); size = fwrite(&offset, 1, sizeof(offset), f); if (size < sizeof(offset)) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } image.version = 0x00000003; 
@@ -135,34 +455,53 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, image.reserved[1] = 0; image.reserved[2] = 0; image.update_image_size = bin_stat.st_size; + if (auth_context.sig_size) + image.update_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (auth_context.sig_size) + image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION; size = fwrite(&image, 1, sizeof(image), f); if (size < sizeof(image)) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } - size = fread(data, 1, bin_stat.st_size, g); - if (size < bin_stat.st_size) { - printf("read failed (%zx)\n", size); - goto err_3; + + if (auth_context.sig_size) { + size = fwrite(&auth_context.auth, 1, + sizeof(auth_context.auth), f); + if (size < sizeof(auth_context.auth)) { + printf("write failed (%zx)\n", size); + goto err_4; + } + size = fwrite(auth_context.sig_data, 1, + auth_context.sig_size, f); + if (size < auth_context.sig_size) { + printf("write failed (%zx)\n", size); + goto err_4; + } } + size = fwrite(data, 1, bin_stat.st_size, f); if (size < bin_stat.st_size) { printf("write failed (%zx)\n", size); - goto err_3; + goto err_4; } fclose(f); fclose(g); free(data); + free_sig_data(&auth_context); return 0; -err_3: +err_4: fclose(f); +err_3: + free_sig_data(&auth_context); err_2: free(data); err_1: 
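Review bot: on every new `goto err_4` path the partially written capsule at `path` is closed but left on disk, so a failed run leaves a truncated, unusable capsule behind that looks like output; unlink(path) under `err_4`, or write to a temporary name and rename on success. Minor: `if (auth_context.sig_size)` is repeated three times in this hunk to grow update_image_size, set CAPSULE_SUPPORT_AUTHENTICATION and emit the header plus signature; computing `auth_size = sizeof(auth_context.auth) + auth_context.sig_size` once (zero when unsigned) would read better.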
@@ -171,23 +510,37 @@ err_1: return -1; } -/* - * Usage: - * $ mkeficapsule -f +/** + * main - main entry function of mkeficapsule + * @argc: Number of arguments + * @argv: Array of pointers to arguments + * + * Create an uefi capsule file, optionally signing it. + * Parse all the arguments and pass them on to create_fwbin(). + * + * Return: + * * 0 - on success + * * -1 - on failure */ int main(int argc, char **argv) { char *file; efi_guid_t *guid; unsigned long index, instance; + uint64_t mcount; + char *privkey_file, *cert_file; int c, idx; file = NULL; guid = NULL; index = 0; instance = 0; + mcount = 0; + privkey_file = NULL; + cert_file = NULL; + dump_sig = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, opts_short, options, &idx); if (c == -1) break; 
@@ -214,29 +567,47 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; +#ifdef CONFIG_TOOLS_LIBCRYPTO + case 'p': + if (privkey_file) { + printf("Private Key already specified\n"); + return -1; + } + privkey_file = optarg; + break; + case 'c': + if (cert_file) { + printf("Certificate file already specified\n"); + return -1; + } + cert_file = optarg; + break; + case 'm': + mcount = strtoul(optarg, NULL, 0); + break; + case 'd': + dump_sig = 1; + break; +#endif /* CONFIG_TOOLS_LIBCRYPTO */ case 'h': print_usage(); return 0; } } - /* need an output file */ - if (argc != optind + 1) { - print_usage(); - exit(EXIT_FAILURE); - } - - /* need a fit image file or raw image file */ - if (!file) { + /* check necessary parameters */ + if ((argc != optind + 1) || !file || + ((privkey_file && !cert_file) || + (!privkey_file && cert_file))) { print_usage(); - exit(EXIT_SUCCESS); + return -1; } - if (create_fwbin(argv[optind], file, guid, index, instance) - < 0) { + if (create_fwbin(argv[optind], file, guid, index, instance, + mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); - exit(EXIT_FAILURE); + return -1; } - exit(EXIT_SUCCESS); + return 0; } From patchwork Thu Oct 7 06:23:35 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 515432 Delivered-To: patch@linaro.org Received: by 2002:ac0:b5cc:0:0:0:0:0 with SMTP id x12csp1004326ime; Wed, 6 Oct 2021 23:26:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJywBHbIy+7I6zlG8TN+Ail3MqHn6+w6Iu192i8W+UFfOvGOhs0XPOgt9CKlW36pwHjdLeIn X-Received: by 2002:a17:906:c014:: with SMTP id e20mr3452650ejz.166.1633587964494; Wed, 06 Oct 2021 23:26:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633587964; cv=none; d=google.com; s=arc-20160816; b=ta2IggW1zJ6YUGBkA4BVbI3yKa0/nrho0zujm2GGWMqrnnoDBioQ4C1QVTd1F5fwoT cGFhwmFgvfMSYR8ojgIp8d2szP2fmfJA/qCxRoTW5NPeUsnBsMh/7d9cpjjmxs22iaJf 
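Review bot: `mcount = strtoul(optarg, NULL, 0)` parses the 64-bit monotonic count through an `unsigned long`, which is 32-bit on 32-bit and LLP64 hosts, and does no endptr or errno check, so a mistyped count silently becomes 0; use strtoull() and reject a non-numeric or out-of-range argument. The commit message says a signature is added only when monotonic count, key and certificate are all given, but the check `(privkey_file && !cert_file) || (!privkey_file && cert_file)` only pairs key with certificate, so `-p`/`-c` without `-m` signs with monotonic count 0; either require `-m` together with the other two or document the default. Also, the error exits change from `exit(EXIT_FAILURE)` to `return -1`, which becomes exit status 255; EXIT_FAILURE is the clearer contract for scripts that test `$?`.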
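The capsule that create_fwbin() writes (EFI capsule header, FMP capsule header, one image header, then the authentication block and the firmware image) is what a verifier has to walk back to recover the monotonic count, the PKCS#7 blob and the exact byte string that was signed. The parser below is an added example, not code from the U-Boot patch or project; it follows the UEFI specification layouts for the four headers, the image type GUID, firmware bytes and signature bytes are constructed placeholders (the signature is not a real PKCS#7 structure), and it stops at recovering the data to verify without performing the PKCS#7 check.

```python
"""Walk an FMP capsule laid out the way the patched mkeficapsule writes it and
return what a verifier needs.  Added example, not U-Boot code."""
import struct
import uuid

# Constants under the names the patch uses; values from the UEFI specification.
CAPSULE_SUPPORT_AUTHENTICATION = 0x1
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID = uuid.UUID("6dcbd5ed-e82d-4c44-bda1-7194199ad92a")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

# Little-endian packed layouts (28, 8, 48 and 32 bytes).
CAPSULE_HDR = struct.Struct("<16sIII")         # EFI_CAPSULE_HEADER
FMP_HDR = struct.Struct("<IHH")                # EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER
FMP_IMAGE_HDR = struct.Struct("<I16sB3sIIQQ")  # ..._CAPSULE_IMAGE_HEADER, version 3
AUTH_HDR = struct.Struct("<QIHH16s")           # EFI_FIRMWARE_IMAGE_AUTHENTICATION header

# Constructed sample inputs: placeholder GUID, image and (not a real PKCS#7) signature.
SAMPLE_TYPE = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_IMAGE = b"constructed firmware image bytes"
SAMPLE_SIG = b"\x30\x82\x00\x0c" + b"\xaa" * 12


def build_capsule(image, image_type, index=1, instance=0, mcount=0, sig=None):
    """Emit one capsule in the order create_fwbin() writes the pieces."""
    payload, support = b"", 0
    if sig is not None:
        # dwLength covers WIN_CERTIFICATE_UEFI_GUID (24 bytes) plus the signature.
        payload += AUTH_HDR.pack(mcount, AUTH_HDR.size - 8 + len(sig),
                                 WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_EFI_GUID,
                                 EFI_CERT_TYPE_PKCS7_GUID.bytes_le) + sig
        support |= CAPSULE_SUPPORT_AUTHENTICATION
    payload += image
    image_hdr = FMP_IMAGE_HDR.pack(3, image_type.bytes_le, index, b"\0" * 3,
                                   len(payload), 0, instance, support)
    # One payload item; its offset is measured from the FMP header itself.
    fmp = FMP_HDR.pack(1, 0, 1) + struct.pack("<Q", FMP_HDR.size + 8)
    body = fmp + image_hdr + payload
    return CAPSULE_HDR.pack(EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID.bytes_le,
                            CAPSULE_HDR.size, 0, CAPSULE_HDR.size + len(body)) + body


def parse_capsule(blob):
    """Return the verifier's view of the capsule; raise ValueError if malformed."""
    if len(blob) < CAPSULE_HDR.size + FMP_HDR.size + 8:
        raise ValueError("capsule too short")
    guid, hdr_size, _flags, total = CAPSULE_HDR.unpack_from(blob, 0)
    if guid != EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID.bytes_le:
        raise ValueError("not an FMP capsule")
    if hdr_size < CAPSULE_HDR.size or total != len(blob):
        raise ValueError("capsule size fields disagree with the data")
    version, n_drivers, n_payloads = FMP_HDR.unpack_from(blob, hdr_size)
    if (version, n_drivers, n_payloads) != (1, 0, 1):
        raise ValueError("unexpected FMP capsule header")
    (item_off,) = struct.unpack_from("<Q", blob, hdr_size + FMP_HDR.size)
    img_off = hdr_size + item_off
    if img_off + FMP_IMAGE_HDR.size > len(blob):
        raise ValueError("image header out of range")
    (iver, type_id, index, _r, img_size, vendor_size,
     instance, support) = FMP_IMAGE_HDR.unpack_from(blob, img_off)
    if iver != 3:
        raise ValueError("unsupported image header version %d" % iver)
    payload = blob[img_off + FMP_IMAGE_HDR.size:][:img_size]
    if len(payload) != img_size:
        raise ValueError("payload truncated")
    out = {"type_id": uuid.UUID(bytes_le=type_id), "index": index,
           "instance": instance, "vendor_code_size": vendor_size,
           "authenticated": bool(support & CAPSULE_SUPPORT_AUTHENTICATION)}
    if not out["authenticated"]:
        out.update(image=payload, monotonic_count=None, signature=None, signed_data=None)
        return out
    if len(payload) < AUTH_HDR.size:
        raise ValueError("authentication header truncated")
    mcount, dw_len, rev, cert_type, cert_guid = AUTH_HDR.unpack_from(payload, 0)
    if (rev, cert_type, cert_guid) != (WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_EFI_GUID,
                                       EFI_CERT_TYPE_PKCS7_GUID.bytes_le):
        raise ValueError("unsupported authentication header")
    sig_len = dw_len - (AUTH_HDR.size - 8)
    # Bound the signature by the payload before slicing: a forged dwLength must not
    # let the "image" start inside the signature or run past the capsule end.
    if sig_len < 0 or 8 + dw_len > len(payload):
        raise ValueError("dwLength exceeds the payload")
    image = payload[AUTH_HDR.size + sig_len:]
    out.update(image=image, monotonic_count=mcount,
               signature=payload[AUTH_HDR.size:AUTH_HDR.size + sig_len],
               # PKCS7_sign() in the patch hashes image || monotonic_count, the
               # count as its raw 8-byte little-endian memory image.
               signed_data=image + struct.pack("<Q", mcount))
    return out


def demo():
    """Build a signed sample capsule and parse it back."""
    return parse_capsule(build_capsule(SAMPLE_IMAGE, SAMPLE_TYPE, mcount=7, sig=SAMPLE_SIG))


if __name__ == "__main__":
    r = demo()
    print("authenticated:", r["authenticated"], "monotonic count:", r["monotonic_count"])
    print("signature bytes:", len(r["signature"]), "signed bytes:", len(r["signed_data"]))
```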
From patchwork Thu Oct 7 06:23:35 2021
X-Patchwork-Id: 515432
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 06/11] tools: mkeficapsule: add man page
Date: Thu, 7 Oct 2021 15:23:35 +0900
Message-Id: <20211007062340.72207-7-takahiro.akashi@linaro.org>
In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org>

Add a man page for mkeficapsule command.

Signed-off-by: AKASHI Takahiro
---
MAINTAINERS | 1 +
doc/mkeficapsule.1 | 95 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 96 insertions(+)
create mode 100644 doc/mkeficapsule.1
-- 2.33.0

diff --git a/MAINTAINERS b/MAINTAINERS index 650e428b6cb4..1ef3aae41328 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -694,6 +694,7 @@ S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git F: doc/api/efi.rst F: doc/develop/uefi/* +F: doc/mkeficapsule.1 F: doc/usage/bootefi.rst F: drivers/rtc/emul_rtc.c F: include/capitalization.h diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 new file mode 100644 index 000000000000..837e09ab451e --- /dev/null +++ b/doc/mkeficapsule.1
@@ -0,0 +1,95 @@ +.TH MAEFICAPSULE 1 "May 2021" + +.SH NAME +mkeficapsule \- Generate EFI capsule file for U-Boot + +.SH SYNOPSIS +.B mkeficapsule +.RB [\fIoptions\fP] " \fIcapsule-file\fP" + +.SH "DESCRIPTION" +The +\fBmkeficapsule\fP +command is used to create an EFI capsule file for use with the U-Boot +EFI capsule update. +A capsule file may contain various type of firmware blobs which +are to be applied to the system and must be placed in the specific +directory on the UEFI system partition. An update will be automatically +executed at next reboot. + +Optionally, a capsule file can be signed with a given private key. +In this case, the update will be authenticated by verifying the signature +before applying. + +\fBmkeficapsule\fP supports two different format of image files: +.TP +.I raw image +format is a single binary blob of any type of firmware. + +.TP +.I FIT (Flattened Image Tree) image +format +is the same as used in the new \fIuImage\fP format and allows for +multiple binary blobs in a single capsule file. +This type of image file can be generated by \fBmkimage\fP. + +.SH "OPTIONS" +One of \fB--fit\fP or \fB--raw\fP option must be specified. + +.TP +.BI "-f, --fit \fIfit-image-file\fP" +Specify a FIT image file + +.TP +.BI "-r, --raw \fIraw-image-file\fP" +Specify a raw image file + +.TP +.BI "-i, --index \fIindex\fP" +Specify an image index + +.TP +.BI "-I, --instance \fIinstance\fP" +Specify a hardware instance + +.TP +.BI "-h, --help" +Print a help message + +.TP 0 +.B With signing: + +\fB--private-key\fP, \fB--certificate\fP and \fB--monotonic-count\fP are +all mandatory. + +.TP +.BI "-p, --private-key \fIprivate-key-file\fP" +Specify signer's private key file in PEM + +.TP +.BI "-c, --certificate \fIcertificate-file\fP" +Specify signer's certificate file in EFI certificate list format + +.TP +.BI "-m, --monotonic-count \fIcount\fP" +Specify a monotonic count which is set to be monotonically incremented +at every firmware update. 
+ +.TP +.BI "-d, --dump_sig" +Dump signature data into *.p7 file + +.PP +.SH FILES +.TP +.BI "\fI/EFI/UpdateCapsule\fP" +The directory in which all capsule files be placed + +.SH SEE ALSO +.B mkimage + +.SH AUTHORS +Written by AKASHI Takahiro + +.SH HOMEPAGE +http://www.denx.de/wiki/U-Boot/WebHome
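Review bot: the title line `.TH MAEFICAPSULE 1 "May 2021"` misspells the command name (it should be MKEFICAPSULE) and carries a date several months older than this patch; fix both. The OPTIONS text states that `--private-key`, `--certificate` and `--monotonic-count` are "all mandatory" with signing, but main() in patch 05 only pairs the key and certificate and lets the count default to 0, so the man page and the code disagree; align one with the other. Small grammar fixes: "various type of firmware blobs" should read "various types of firmware blob", "two different format of image files" should read "two different formats of image file", and "all capsule files be placed" should read "all capsule files are placed".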
From patchwork Thu Oct 7 06:23:36 2021
X-Patchwork-Id: 515433
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 07/11] doc: update UEFI document for usage of mkeficapsule
Date: Thu, 7 Oct 2021 15:23:36 +0900
Message-Id: <20211007062340.72207-8-takahiro.akashi@linaro.org>
In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org>

Now we can use mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instruction for capsule authentication.

Signed-off-by: AKASHI Takahiro
---
doc/develop/uefi/uefi.rst | 122 ++++++++++++++------------------------
1 file changed, 46 insertions(+), 76 deletions(-)
-- 2.33.0

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index f17138f5c765..6ae517e92c44 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. 
+To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. - -If that option is disabled, you'll need to set the OsIndications variable with:: +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: - - => efidebug capsule disk-update +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* @@ -338,7 +353,7 @@ The public and private keys used for the signing process are generated and used by the steps highlighted below:: 1. Install utility commands on your host - * OPENSSL + * openssl * efitools 2. Create signing keys and certificate files on your host 
@@ -347,59 +362,14 @@ and used by the steps highlighted below:: -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - --monotonic-count --fw-version \ - --lsv --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - - -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory - -Testing on QEMU -*************** - -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. 
- -The capsule update feature is enabled with the following configuration -settings:: - - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y - -In addition, the following config needs to be disabled(QEMU ARM specific):: - - CONFIG_TFABOOT - -The capsule file can be generated by using the tools/mkeficapsule:: +Run the following command to create and sign the capsule file:: - $ mkeficapsule --raw --index 1 + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
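Review bot: the "Performing the update" hunk (@@ -284) deletes the "efidebug command should only be used during debugging/development" warning but still recommends setting CONFIG_EFI_IGNORE_OSINDICATIONS when OsIndications does not survive a reboot, without saying what that option gives up: with the OsIndications check skipped, any file placed under \EFI\UpdateCapsule on the active ESP is applied at the next boot with no OS-side opt-in at all. Suggest one sentence stating that the option is meant for development setups, not production images. Wording: "its value won't be taken over across the reboot" reads better as "its value won't be preserved across the reboot", and "which is determined by BootXXXX variable in BootNext" as "which is determined by the BootXXXX variable named in BootNext".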
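Review bot: in the "Enabling Capsule Authentication" hunk (@@ -347) the signing example passes `--certificate CRT.crt`, the PEM X.509 certificate, while the man page added in patch 06 documents `--certificate` as taking a file "in EFI certificate list format"; the `cert-to-efi-sig-list CRT.crt CRT.esl` step kept just above produces CRT.esl but nothing in the new text uses it, so a reader following the docs will hand the tool the wrong format one way or the other. State which format mkeficapsule actually expects and use that file consistently. Separately, the whole "Testing on QEMU" section (the CONFIG_EFI_CAPSULE_* settings and the CONFIG_TFABOOT note) disappears in this hunk, which the commit message does not mention; if it is intentionally dropped or moved, say so, otherwise keep it.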
From patchwork Thu Oct 7 06:23:37 2021
X-Patchwork-Id: 515434
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 08/11] tools: mkeficapsule: allow for specifying GUID explicitly
Date: Thu, 7 Oct 2021 15:23:37 +0900
Message-Id: <20211007062340.72207-9-takahiro.akashi@linaro.org>
In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org>

The existing options, "--fit" and "--raw," are only used to put a proper GUID in a capsule header, where GUID identifies a particular FMP (Firmware Management Protocol) driver which then would handle the firmware binary in a capsule. In fact, mkeficapsule does the exact same job in creating a capsule file whatever the firmware binary type is.

To prepare for the future extension, the command syntax will be a bit modified to allow users to specify arbitrary GUID for their own FMP driver.

OLD: [--fit | --raw ]
NEW: [--fit | --raw | --guid ]

Signed-off-by: AKASHI Takahiro
---
doc/develop/uefi/uefi.rst | 4 +-
doc/mkeficapsule.1 | 26 +++++++++----
tools/mkeficapsule.c | 78 ++++++++++++++++++++++++++++++---------
3 files changed, 81 insertions(+), 27 deletions(-)
-- 2.33.0

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 6ae517e92c44..7319f52d27be 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -368,8 +368,8 @@ Run the following command to create and sign the capsule file:: --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit | --raw ] \ - + [--fit | --raw | --guid Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 837e09ab451e..312e8a8b3188 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -5,7 +5,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RB [\fIoptions\fP] " \fIcapsule-file\fP" +.RB [\fIoptions\fP] " \fIimage-blob\fP \fIcapsule-file\fP" .SH "DESCRIPTION" The @@ -21,7 +21,7 @@ Optionally, a capsule file can be signed with a given private key. In this case, the update will be authenticated by verifying the signature before applying. -\fBmkeficapsule\fP supports two different format of image files: +\fBmkeficapsule\fP takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -33,16 +33,28 @@ is the same as used in the new \fIuImage\fP format and allows for multiple binary blobs in a single capsule file. This type of image file can be generated by \fBmkimage\fP. +.PP +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" -One of \fB--fit\fP or \fB--raw\fP option must be specified. +One of \fB--fit\fP, \fB--raw\fP or \fB--guid\fP option must be specified. .TP -.BI "-f, --fit \fIfit-image-file\fP" -Specify a FIT image file +.BI "-f, --fit +Indicate that the blob is a FIT image file .TP -.BI "-r, --raw \fIraw-image-file\fP" -Specify a raw image file +.BI "-r, --raw +Indicate that the blob is a raw image file + +.TP +.BI "-g, --guid \fIguid-string\fP" +Specify guid for image blob type. The format is: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +The first three elements are in little endian, while the rest +is in big endian. .TP .BI "-i, --index \fIindex\fP" 
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 5541e4bda894..2e61ee196caf 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -14,7 +14,7 @@ #include #include - +#include #include #ifdef CONFIG_TOOLS_LIBCRYPTO #include @@ -51,14 +51,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_TOOLS_LIBCRYPTO -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; #else -static const char *opts_short = "f:r:i:I:v:h"; +static const char *opts_short = "frg:i:I:v:h"; #endif static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -73,11 +74,12 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] \n" + printf("Usage: %s [options] \n" "Options:\n" - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid guid for image blob type\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" #ifdef CONFIG_TOOLS_LIBCRYPTO 
@@ -510,6 +512,37 @@ err_1: return -1; } +/** + * convert_uuid_to_guid() - convert uuid string to guid string + * @buf: String for UUID + * + * UUID and GUID have the same data structure, but their string + * formats are different due to the endianness. See lib/uuid.c. + * Since uuid_parse() can handle only UUID, this function must + * be called to get correct data for GUID when parsing a string. + * + * The correct data will be returned in @buf. + */ +void convert_uuid_to_guid(unsigned char *buf) +{ + unsigned char c; + + c = buf[0]; + buf[0] = buf[3]; + buf[3] = c; + c = buf[1]; + buf[1] = buf[2]; + buf[2] = c; + + c = buf[4]; + buf[4] = buf[5]; + buf[5] = c; + + c = buf[6]; + buf[6] = buf[7]; + buf[7] = c; +} + /** * main - main entry function of mkeficapsule * @argc: Number of arguments @@ -524,14 +557,13 @@ err_1: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -546,21 +578,31 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); return -1; } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); return -1; } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + printf("Image type already specified\n"); + return -1; + } + if (uuid_parse(optarg, uuid_buf)) { + printf("Wrong guid format\n"); + return -1; + } + convert_uuid_to_guid(uuid_buf); + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; 
@@ -596,14 +638,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); return -1; } - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); return -1;
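Review bot: In the doc/develop/uefi/uefi.rst hunk the added line ends at `[--fit | --raw | --guid` with no argument placeholder and no closing `]`, whereas the removed line closed the bracket and continued with `\`; as it stands the rendered command in the documentation is syntactically incomplete. Suggest `[--fit | --raw | --guid <guid-string>] \` followed by the image-blob and capsule-file operands, matching the new man page synopsis.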
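Review bot: In the doc/mkeficapsule.1 OPTIONS hunk the new lines `.BI "-f, --fit` and `.BI "-r, --raw` open a quoted argument that is never closed; since these options no longer take an argument there is nothing to alternate into italic, so `.B "-f, --fit"` and `.B "-r, --raw"` would be both well-formed and correct. Two wording nits in the same file: "takes any type of image files, including:" should read "image file", and "If you want to use other types than above two" should read "types other than the two above". The `--guid` text would also be clearer if it said that the value is the GUID of the FMP driver expected to handle the blob, written in the usual textual form, and that the little/big endian remark describes how the tool encodes it into the capsule header rather than anything the user has to do.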
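Review bot: `convert_uuid_to_guid()` in the tools/mkeficapsule.c hunk is defined without `static` and without a prototype even though it is only used from this file; make it `static` to keep it out of the global symbol table and avoid a missing-prototype warning. The comment points to lib/uuid.c as the reference for the two string formats; that is also the place to check whether an existing GUID-format parser can be reused instead of hand-swapping the first three fields here.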
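Review bot: In the getopt hunk, `case 'g'` parses into `unsigned char uuid_buf[16]` and then does `guid = (efi_guid_t *)uuid_buf;`. If `efi_guid_t` carries an alignment attribute this cast can point an aligned type at an unaligned byte array; declaring the buffer as an `efi_guid_t` and parsing into its storage avoids the cast altogether. The "Wrong guid format" message would be more useful if it named the expected `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` form, since that is the only diagnostic the user gets.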
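Review bot: In the parameter-check hunk the positional operands are read as `argv[argc - 1]` and `argv[argc - 2]` right after the check `argc != optind + 2`; the two are equivalent only because of that check, so `argv[optind]` for the image blob and `argv[optind + 1]` for the capsule file would tie the indexing to the same condition and read in the order the usage string documents.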
From patchwork Thu Oct 7 06:23:38 2021
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 09/11] test/py: efi_capsule: align with the syntax change of mkeficapsule
Date: Thu, 7 Oct 2021 15:23:38 +0900
Message-Id: <20211007062340.72207-10-takahiro.akashi@linaro.org>
In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org>

Since the syntax of mkeficapsule was changed in the previous commit, we need to modify the command line arguments in a pytest script and add one more test case, Case 4, for verifying the new "--guid" option.

Signed-off-by: AKASHI Takahiro
---
test/py/tests/test_efi_capsule/conftest.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 6ad5608cd71c..8b5368c11abc 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -50,10 +50,10 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True)
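Review bot: The commit message says this patch also adds a Case 4 test for "--guid", but the only hunk here (and the diffstat, 2 insertions and 2 deletions in conftest.py) merely moves `--fit`/`--raw` in front of the image blob to match the new positional syntax; that sentence belongs to the following patch, so drop it from this one to keep the history accurate.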
From patchwork Thu Oct 7 06:23:39 2021
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 10/11] test/py: efi_capsule: add a test for "--guid" option
Date: Thu, 7 Oct 2021 15:23:39 +0900
Message-Id: <20211007062340.72207-11-takahiro.akashi@linaro.org>
In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org>

This test scenario tests a new feature of mkeficapsule, the "--guid" option, which allows us to specify the FMP driver's guid explicitly on the command line.

Signed-off-by: AKASHI Takahiro
---
test/py/tests/test_efi_capsule/conftest.py | 3 +
.../test_efi_capsule/test_capsule_firmware.py | 67 +++++++++++++++++++
2 files changed, 70 insertions(+)
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 8b5368c11abc..cd750347879e 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -56,6 +56,9 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % + (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9eeaae27d626..9cc973560fa1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py 
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object): 'sf read 4000000 100000 10', 'md.b 4000000 10']) assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 4 - Test "--guid" option of mkeficapsule + The test scenario is the same as Case 3. + """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 4-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # reboot + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list(['efidebug capsule esrt']) + + # ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT. + assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output) + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output)
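Review bot: In the conftest.py hunk the literal `E2BB9C06-70E9-4B14-97A3-5A7913176E3F` is typed once for `--guid` and again in the test's ESRT assertion, and the test comment identifies it as EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; define it once in capsule_defs.py (next to CAPSULE_DATA_DIR) and use the name in both places so the two cannot drift apart.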
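Review bot: The test_capsule_firmware.py hunk passes the raw-image GUID to `--guid`, so Case 4 only shows that `--guid` reproduces what `--raw` already produces, which is why its docstring can say the scenario is the same as Case 3. A negative variant would make the option's actual contract visible: build a capsule with a GUID that no FMP driver on sandbox claims and assert that Test03 is still present in CAPSULE_INSTALL_DIR and that `md.b` still shows `u-boot:Old`. Minor: the comment "make sure that dfu_alt_info exists even persistent variables are not available" should read "even when persistent variables are not available".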
From patchwork Thu Oct 7 06:23:40 2021
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 11/11] test/py: efi_capsule: add image authentication test
Date: Thu, 7 Oct 2021 15:23:40 +0900
Message-Id: <20211007062340.72207-12-takahiro.akashi@linaro.org>
In-Reply-To: <20211007062340.72207-1-takahiro.akashi@linaro.org>

Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with a verified signature will be applied to the system.

Due to the difficulty of embedding a public key (esl file) in the U-Boot binary during pytest setup time, all the keys/certificates are pre-created.

Signed-off-by: AKASHI Takahiro
---
.../py/tests/test_efi_capsule/capsule_defs.py | 5 +
test/py/tests/test_efi_capsule/conftest.py | 35 ++-
test/py/tests/test_efi_capsule/signature.dts | 10 +
.../test_capsule_firmware_signed.py | 233 ++++++++++++++++++
4 files changed, 280 insertions(+), 3 deletions(-)
create mode 100644 test/py/tests/test_efi_capsule/signature.dts
create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
index 4fd6353c2040..aa9bf5eee3aa 100644
--- a/test/py/tests/test_efi_capsule/capsule_defs.py
+++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@ # Directories CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/'. +EFITOOLS_PATH = '' diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index cd750347879e..ab4787c4d26c 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -10,13 +10,13 @@ import pytest from capsule_defs import * # -# Fixture for UEFI secure boot test +# Fixture for UEFI capsule test # - @pytest.fixture(scope='session') def efi_capsule_data(request, u_boot_config): - """Set up a file system to be used in UEFI capsule test. + """Set up a file system to be used in UEFI capsule and + authentication test. Args: request: Pytest request object. 
@@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config): check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + if capsule_auth_enabled: + # Create private key (SIGNER.key) and certificate (SIGNER.crt) + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365' + % data_dir, shell=True) + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' + % (data_dir, EFITOOLS_PATH), shell=True) + + # Update dtb adding capsule certificate + check_call('cd %s; cp %s/test/py/tests/test_efi_capsule/signature.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + check_call('cd %s; dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; fdtoverlay -i %s/arch/sandbox/dts/test.dtb -o test_sig.dtb signature.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + + # Create *malicious* private key (SIGNER2.key) and certificate + # (SIGNER2.crt) + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER2.key -out SIGNER2.crt -nodes -days 365' + % data_dir, shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, 
@@ -59,6 +79,15 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % (data_dir, u_boot_config.build_dir), shell=True) + if capsule_auth_enabled: + # firmware signed with proper key + check_call('cd %s; %s/tools/mkeficapsule --index 1 --monotonic-count 1 --private-key SIGNER.key --certificate SIGNER.crt --raw u-boot.bin.new Test04' % + (data_dir, u_boot_config.build_dir), + shell=True) + # firmware signed with *mal* key + check_call('cd %s; %s/tools/mkeficapsule --index 1 --monotonic-count 1 --private-key SIGNER2.key --certificate SIGNER2.crt --raw u-boot.bin.new Test05' % + (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts new file mode 100644 index 000000000000..078cfc76c93c --- /dev/null +++ b/test/py/tests/test_efi_capsule/signature.dts @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("SIGNER.esl"); + }; +}; diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py new file mode 100644 index 000000000000..9230d14a1871 --- /dev/null +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py 
@@ -0,0 +1,233 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2021, Linaro Limited +# Author: AKASHI Takahiro +# +# U-Boot UEFI: Firmware Update (Signed capsule) Test + +""" +This test verifies capsule-on-disk firmware update +with signed capsule files +""" + +import pytest +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw') +@pytest.mark.buildconfigspec('efi_capsule_authenticate') +@pytest.mark.buildconfigspec('dfu') +@pytest.mark.buildconfigspec('dfu_sf') +@pytest.mark.buildconfigspec('cmd_efidebug') +@pytest.mark.buildconfigspec('cmd_fat') +@pytest.mark.buildconfigspec('cmd_memory') +@pytest.mark.buildconfigspec('cmd_nvedit_efi') +@pytest.mark.buildconfigspec('cmd_sf') +@pytest.mark.slow +class TestEfiCapsuleFirmwareSigned(object): + def test_efi_capsule_auth1( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 1 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 1-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test04' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test04 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test04' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 1-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test04' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test04' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_auth2( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 2 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but with an invalid key, + the authentication should fail and the firmware + not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 2-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test05' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test05 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test05' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 2-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test05' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test05' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output) + + def test_efi_capsule_auth3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 3 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is not signed, the authentication + should fail and the firmware not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 3-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test02 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output)
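Review bot: In the first conftest hunk, `'cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' % (data_dir, EFITOOLS_PATH)` glues EFITOOLS_PATH onto the tool name with no separator, and EFITOOLS_PATH is not defined anywhere in this patch; either document that it must be empty or end in a trailing slash, or build the command with os.path.join so a value such as a bare directory does not silently turn into a nonexistent binary name. The second key pair is generated with the same `/CN=TEST_SIGNER/` subject as the trusted one, which is a good choice because the negative test then proves that verification hinges on the key material rather than the certificate subject; the comment should state that intent instead of only calling the key *malicious*. Pre-existing and outside this change, but visible in the trailing context: `echo -n u-boot-env:Old -> u-boot.env.old` writes `u-boot-env:Old -` into the file because of the stray `-` before `>`.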
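Review bot: In the second conftest hunk both signed capsules, Test04 and Test05, are built with `--monotonic-count 1`, so the new tests cover the wrong-key path but nothing exercises the count at all: there is no capsule signed with the correct key but a repeated or lower count, and no test that applying Test04 a second time is rejected. If the authentication path is expected to enforce the count, add one more signed image (correct key, count not greater than the one already applied) and a matching test case, and note in a comment what the count is compared against; if it is not enforced yet, say so in the comment so the gap is visible. Minor: the two new `mkeficapsule` format strings run well past the line length used elsewhere in the file; wrapping them like the surrounding calls keeps the file consistent.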
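Review bot: In signature.dts, `/incbin/("SIGNER.esl")` is resolved relative to dtc's working directory, which only works because conftest does `cd %s` into data_dir and copies the .dts there before compiling; a one-line comment in the file stating that the ESL is expected in the compile directory would save the next person a cryptic missing-file error when compiling it elsewhere. The node itself is undocumented: add a comment that `/signature/capsule-key` carries the EFI signature list produced by cert-to-efi-sig-list and is the trust anchor consulted during capsule authentication, since this overlay is the only place a reader can learn that binding.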
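Review bot: In test_capsule_firmware_signed.py the result of `env print -e Capsule0000`, the command that actually triggers capsule processing, is assigned to `output` in all three cases and then overwritten by the next `run_command_list` without any assertion, so Test Cases 2 and 3 never check that authentication failed; they only observe that flash still reads `u-boot:Old` and that the file was removed, which a crash or early exit in capsule processing would produce just as well. The `# TODO: check CapsuleStatus in CapsuleXXXX` lines mark exactly the missing assertion; at minimum assert on the printed variable, or on an authentication error in the console output, before this lands. Two smaller points: the three methods repeat the same setup (boot entry, `dfu_alt_info`, writing u-boot.bin.old, copying the capsule) almost line for line and should share a helper parameterised by capsule name and expected flash content; and `u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb'` is set but never restored in any test, so the console keeps the signed-test dtb afterwards; save and restore it, or move it into a fixture.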