From patchwork Tue Nov 16 04:32:27 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 519163
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 01/12] tools: mkeficapsule: rework the code a little bit
Date: Tue, 16 Nov 2021 13:32:27 +0900
Message-Id: <20211116043238.67226-2-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

Abstract common routines to make the code easily understandable.
No functional change.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 tools/mkeficapsule.c | 223 ++++++++++++++++++++++++++++++-------------
 1 file changed, 159 insertions(+), 64 deletions(-)

diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index 4995ba4e0c2a..afdcaf7e7933 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -61,17 +61,122 @@ static void print_usage(void) tool_name); } +/** + * read_bin_file - read a firmware binary file + * @bin: Path to a firmware binary file + * @data: Pointer to pointer of allocated buffer + * @bin_size: Size of allocated buffer + * + * Read out a content of binary, @bin, into @data. + * A caller should free @data. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int read_bin_file(char *bin, void **data, off_t *bin_size) +{ + FILE *g; + struct stat bin_stat; + void *buf; + size_t size; + int ret = 0; + + g = fopen(bin, "r"); + if (!g) { + printf("cannot open %s\n", bin); + return -1; + } + if (stat(bin, &bin_stat) < 0) { + printf("cannot determine the size of %s\n", bin); + ret = -1; + goto err; + } + if (bin_stat.st_size > (u32)~0U) { + printf("file size is too large: %s\n", bin); + ret = -1; + goto err; + } + buf = malloc(bin_stat.st_size); + if (!buf) { + printf("cannot allocate memory: %zx\n", + (size_t)bin_stat.st_size); + ret = -1; + goto err; + } + + size = fread(buf, 1, bin_stat.st_size, g); + if (size < bin_stat.st_size) { + printf("read failed (%zx)\n", size); + ret = -1; + goto err; + } + + *data = buf; + *bin_size = bin_stat.st_size; +err: + fclose(g); + + return ret; +} + +/** + * write_capsule_file - write a capsule file + * @bin: FILE stream + * @data: Pointer to data + * @bin_size: Size of data + * + * Write out data, @data, with the size @bin_size. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) +{ + size_t size_written; + + size_written = fwrite(data, 1, size, f); + if (size_written < size) { + printf("%s: write failed (%zx != %zx)\n", msg, + size_written, size); + return -1; + } + + return 0; +} + +/** + * create_fwbin - create an uefi capsule file + * @path: Path to a created capsule file + * @bin: Path to a firmware binary to encapsulate + * @guid: GUID of related FMP driver + * @index: Index number in capsule + * @instance: Instance number in capsule + * @mcount: Monotonic count in authentication information + * @private_file: Path to a private key file + * @cert_file: Path to a certificate file + * + * This function actually does the job of creating an uefi capsule file. + * All the arguments must be supplied. + * If either @private_file ror @cert_file is NULL, the capsule file + * won't be signed. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long index, unsigned long instance) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; - FILE *f, *g; - struct stat bin_stat; - u8 *data; - size_t size; + FILE *f; + void *data; + off_t bin_size; u64 offset; + int ret; #ifdef DEBUG printf("For output: %s\n", path); 
@@ -79,25 +184,28 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); #endif - g = fopen(bin, "r"); - if (!g) { - printf("cannot open %s\n", bin); - return -1; - } - if (stat(bin, &bin_stat) < 0) { - printf("cannot determine the size of %s\n", bin); - goto err_1; - } - data = malloc(bin_stat.st_size); - if (!data) { - printf("cannot allocate memory: %zx\n", (size_t)bin_stat.st_size); - goto err_1; - } + f = NULL; + data = NULL; + ret = -1; + + /* + * read a firmware binary + */ + if (read_bin_file(bin, &data, &bin_size)) + goto err; + + /* + * write a capsule file + */ f = fopen(path, "w"); if (!f) { printf("cannot open %s\n", path); - goto err_2; + goto err; } + + /* + * capsule file header + */ header.capsule_guid = efi_guid_fm_capsule; header.header_size = sizeof(header); /* TODO: The current implementation ignores flags */ 
@@ -105,70 +213,57 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, header.capsule_image_size = sizeof(header) + sizeof(capsule) + sizeof(u64) + sizeof(image) - + bin_stat.st_size; - - size = fwrite(&header, 1, sizeof(header), f); - if (size < sizeof(header)) { - printf("write failed (%zx)\n", size); - goto err_3; - } + + bin_size; + if (write_capsule_file(f, &header, sizeof(header), + "Capsule header")) + goto err; + /* + * firmware capsule header + * This capsule has only one firmware capsule image. + */ capsule.version = 0x00000001; capsule.embedded_driver_count = 0; capsule.payload_item_count = 1; - size = fwrite(&capsule, 1, sizeof(capsule), f); - if (size < (sizeof(capsule))) { - printf("write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &capsule, sizeof(capsule), + "Firmware capsule header")) + goto err; + offset = sizeof(capsule) + sizeof(u64); - size = fwrite(&offset, 1, sizeof(offset), f); - if (size < sizeof(offset)) { - printf("write failed (%zx)\n", size); - goto err_3; - } + if (write_capsule_file(f, &offset, sizeof(offset), + "Offset to capsule image")) + goto err; + /* + * firmware capsule image header + */ image.version = 0x00000003; memcpy(&image.update_image_type_id, guid, sizeof(*guid)); image.update_image_index = index; image.reserved[0] = 0; image.reserved[1] = 0; image.reserved[2] = 0; - image.update_image_size = bin_stat.st_size; + image.update_image_size = bin_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (write_capsule_file(f, &image, sizeof(image), + "Firmware capsule image header")) + goto err; - size = fwrite(&image, 1, sizeof(image), f); - if (size < sizeof(image)) { - printf("write failed (%zx)\n", size); - goto err_3; - } - size = fread(data, 1, bin_stat.st_size, g); - if (size < bin_stat.st_size) { - printf("read failed (%zx)\n", size); - goto err_3; - } - size = fwrite(data, 1, bin_stat.st_size, f); - 
if (size < bin_stat.st_size) { - printf("write failed (%zx)\n", size); - goto err_3; - } - - fclose(f); - fclose(g); - free(data); - - return 0; + /* + * firmware binary + */ + if (write_capsule_file(f, data, bin_size, "Firmware binary")) + goto err; -err_3: - fclose(f); -err_2: + ret = 0; +err: + if (f) + fclose(f); free(data); -err_1: - fclose(g); - return -1; + return ret; } /*

From patchwork Tue Nov 16 04:32:28 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 519164
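Review bot: in patch 01/12, hunk @@ -61,17 +61,122 @@, read_bin_file() leaks its buffer on a short read: after `buf = malloc(bin_stat.st_size);` the `if (size < bin_stat.st_size)` branch sets ret = -1 and jumps to err, and err only does fclose(g), so buf is never freed. Add a `free(buf);` before that goto, or a second label that frees buf. Two smaller points in the same hunk: the kernel-doc for write_capsule_file() documents @bin and @bin_size while the parameters are f, data, size and msg (msg is not documented at all), and the kernel-doc for create_fwbin() already lists @mcount, @private_file and @cert_file, none of which are in this patch's signature ("ror" should also read "or"); since the commit message promises no functional change, those descriptions belong in the patch that adds the parameters. Consider fstat(fileno(g), &bin_stat) instead of stat(bin, &bin_stat) so the size comes from the descriptor that was actually opened rather than from a second lookup of the path.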
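Review bot: in patch 01/12, hunk @@ -105,70 +213,57 @@, `header.capsule_image_size = sizeof(header) + sizeof(capsule) + sizeof(u64) + sizeof(image) + bin_size;` can still wrap: read_bin_file() only rejects a binary larger than (u32)~0U, so a binary just under that limit plus the four headers exceeds 32 bits and the u32 capsule_image_size is silently truncated, producing a capsule whose declared size disagrees with its payload. Tighten the size check in read_bin_file() to leave room for the headers, or compute the total in a u64 and compare it against (u32)~0U before assigning, and cast `image.update_image_size = bin_size;` explicitly for the same reason. Minor: the new err: path closes f but leaves a truncated output file at @path when any write fails; an unlink(path) on the failure path avoids handing a half-written capsule to whatever consumes it next.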
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 02/12] tools: build mkeficapsule with tools-only_defconfig
Date: Tue, 16 Nov 2021 13:32:28 +0900
Message-Id: <20211116043238.67226-3-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

We want to always build mkeficapsule if tools-only_defconfig is used.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Heinrich Schuchardt
---
 configs/tools-only_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/tools-only_defconfig b/configs/tools-only_defconfig
index f482c9a1c1b0..5427797dd4c3 100644
--- a/configs/tools-only_defconfig
+++ b/configs/tools-only_defconfig
@@ -31,3 +31,4 @@ CONFIG_I2C_EDID=y # CONFIG_VIRTIO_MMIO is not set # CONFIG_VIRTIO_PCI is not set # CONFIG_VIRTIO_SANDBOX is not set +CONFIG_TOOLS_MKEFICAPSULE=y

From patchwork Tue Nov 16 04:32:29 2021
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 519166
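Review bot: ordering problem with the added `+CONFIG_TOOLS_MKEFICAPSULE=y` line in patch 02/12: at this point in the series the symbol does not exist yet; it is only introduced by the tools/Kconfig hunk of patch 03/12 (`config TOOLS_MKEFICAPSULE`), and tools/Makefile still keys mkeficapsule on CONFIG_EFI_HAVE_CAPSULE_SUPPORT until that same patch replaces it. With 02/12 applied on its own the defconfig line refers to an unknown symbol, `make savedefconfig` would drop it, and the tool is not actually built, which hurts bisection. Move this patch after 03/12 or fold it into it.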
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 03/12] tools: mkeficapsule: add firmware image signing
Date: Tue, 16 Nov 2021 13:32:29 +0900
Message-Id: <20211116043238.67226-4-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

With this enhancement, mkeficapsule will be able to sign a capsule file when it is created. A signature added will be used later in the verification at FMP's SetImage() call.

To do that, we need to specify additional command parameters:
 -monotonic-count : monotonic count
 -private-key : private key file
 -certificate : certificate file
Only when all of those parameters are given, a signature will be added to a capsule file.

Users are expected to maintain and increment the monotonic count at every time of the update for each firmware image.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
Acked-by: Ilias Apalodimas
---
 tools/Kconfig | 8 +
 tools/Makefile | 8 +-
 tools/eficapsule.h | 115 +++++++++++++
 tools/mkeficapsule.c | 401 +++++++++++++++++++++++++++++++++++++++----
 4 files changed, 494 insertions(+), 38 deletions(-)
 create mode 100644 tools/eficapsule.h
diff --git a/tools/Kconfig b/tools/Kconfig index 91ce8ae3e516..117c921da3fe 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu diff --git a/tools/Makefile b/tools/Makefile index 1763f44cac43..a10aa091021f 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,8 +238,12 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +HOSTLDLIBS_mkeficapsule += -luuid +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of diff --git a/tools/eficapsule.h b/tools/eficapsule.h new file mode 100644 index 000000000000..8c1560bb0671 --- /dev/null +++ b/tools/eficapsule.h 
@@ -0,0 +1,115 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2021 Linaro Limited + * Author: AKASHI Takahiro + * + * derived from efi.h and efi_api.h to make the file POSIX-compliant + */ + +#ifndef _EFI_CAPSULE_H +#define _EFI_CAPSULE_H + +#include +#include /* WIN_CERTIFICATE */ + +/* + * Gcc's predefined attributes are not recognized by clang. + */ +#ifndef __packed +#define __packed __attribute__((__packed__)) +#endif + +#ifndef __aligned +#define __aligned(x) __attribute__((__aligned__(x))) +#endif + +typedef struct { + uint8_t b[16]; +} efi_guid_t __aligned(8); + +#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \ + {{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \ + ((a) >> 24) & 0xff, \ + (b) & 0xff, ((b) >> 8) & 0xff, \ + (c) & 0xff, ((c) >> 8) & 0xff, \ + (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } } + +#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \ + EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \ + 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \ + EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \ + 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47) + +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \ + EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \ + 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f) + +#define EFI_CERT_TYPE_PKCS7_GUID \ + EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \ + 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) + +/* flags */ +#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET 0x00010000 + +struct efi_capsule_header { + efi_guid_t capsule_guid; + uint32_t header_size; + uint32_t flags; + uint32_t capsule_image_size; +} __packed; + +struct efi_firmware_management_capsule_header { + uint32_t version; + uint16_t embedded_driver_count; + uint16_t payload_item_count; + uint32_t item_offset_list[]; +} __packed; + +/* image_capsule_support */ +#define CAPSULE_SUPPORT_AUTHENTICATION 0x0000000000000001 + +struct efi_firmware_management_capsule_image_header { + uint32_t version; + efi_guid_t 
update_image_type_id; + uint8_t update_image_index; + uint8_t reserved[3]; + uint32_t update_image_size; + uint32_t update_vendor_code_size; + uint64_t update_hardware_instance; + uint64_t image_capsule_support; +} __packed; + +/** + * win_certificate_uefi_guid - A certificate that encapsulates + * a GUID-specific signature + * + * @hdr: Windows certificate header + * @cert_type: Certificate type + * @cert_data: Certificate data + */ +struct win_certificate_uefi_guid { + WIN_CERTIFICATE hdr; + efi_guid_t cert_type; + uint8_t cert_data[]; +} __packed; + +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __packed; + +#endif /* _EFI_CAPSULE_H */ diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index afdcaf7e7933..3e6f36430d74 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,21 +15,17 @@ #include #include -typedef __u8 u8; -typedef __u16 u16; -typedef __u32 u32; -typedef __u64 u64; -typedef __s16 s16; -typedef __s32 s32; - -#define aligned_u64 __aligned_u64 - -#ifndef __packed -#define __packed __attribute__((packed)) +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include #endif -#include -#include +#include "eficapsule.h" static const char *tool_name = "mkeficapsule"; 
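Review bot: eficapsule.h re-declares `efi_guid_t`, the `EFI_GUID()` macro and the capsule/image-type/PKCS7 GUIDs by hand, copied from include/efi.h and include/efi_api.h, with nothing tying the two copies together; if either side is edited later, the host tool will emit capsules carrying GUIDs the target does not recognise. A comment on each duplicated definition pointing at the canonical one, or a build-time comparison in a test, would make that drift visible. Minor: the `__aligned(8)` on the `efi_guid_t` typedef has no effect inside the `__packed` structures that are written byte-for-byte to the file and could be dropped to avoid suggesting otherwise.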
@@ -38,12 +34,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
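Review bot: both variants of `opts_short` keep a `v:` entry, yet no `{"…", …, 'v'}` long option is registered in options[] and no `case 'v'` is visible in the main() hunks below; getopt_long will then accept `-v <arg>` and silently ignore it. If there is no such option, drop `v:` from both strings; if there is, add the case and the long-option row.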
@@ -57,10 +66,252 @@ static void print_usage(void) "\t-r, --raw new raw image file\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data: Pointer to firmware data + * @image_size: Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + uint8_t *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + uint8_t *sig_data; + size_t sig_size; +}; + +static int dump_sig; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +/** + * fileio-read_pkey - read out a private key + * @filename: Path to a private key file + * + * Read out a private key file and parse it into "EVP_PKEY" structure. 
+ * + * Return: + * * Pointer to private key structure - on success + * * NULL - on failure + */ +static EVP_PKEY *fileio_read_pkey(const char *filename) +{ + EVP_PKEY *key = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!key) { + printf("Can't load key from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return key; +} + +/** + * fileio-read_cert - read out a certificate + * @filename: Path to a certificate file + * + * Read out a certificate file and parse it into "X509" structure. + * + * Return: + * * Pointer to certificate structure - on success + * * NULL - on failure + */ +static X509 *fileio_read_cert(const char *filename) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_file(filename, "r"); + if (!bio) + goto out; + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + +out: + BIO_free_all(bio); + if (!cert) { + printf("Can't load certificate from file '%s'\n", filename); + ERR_print_errors_fp(stderr); + } + + return cert; +} + +/** + * create_auth_data - compose authentication data in capsule + * @auth_context: Pointer to authentication context + * + * Fill up an authentication header (.auth) and signature data (.sig_data) + * in @auth_context, using library functions from openssl. + * All the parameters in @auth_context must be filled in by a caller. + * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int create_auth_data(struct auth_context *ctx) +{ + EVP_PKEY *key = NULL; + X509 *cert = NULL; + BIO *data_bio = NULL; + const EVP_MD *md; + PKCS7 *p7; + int flags, ret = -1; + + OpenSSL_add_all_digests(); + OpenSSL_add_all_ciphers(); + ERR_load_crypto_strings(); + + key = fileio_read_pkey(ctx->key_file); + if (!key) + goto err; + cert = fileio_read_cert(ctx->cert_file); + if (!cert) + goto err; + + /* + * create a BIO, containing: + * * firmware image + * * monotonic count + * in this order! 
+ * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256() + */ + data_bio = BIO_new(BIO_s_mem()); + BIO_write(data_bio, ctx->image_data, ctx->image_size); + BIO_write(data_bio, &ctx->auth.monotonic_count, + sizeof(ctx->auth.monotonic_count)); + + md = EVP_get_digestbyname("SHA256"); + if (!md) + goto err; + + /* create signature */ + /* TODO: maybe add PKCS7_NOATTR and PKCS7_NOSMIMECAP */ + flags = PKCS7_BINARY | PKCS7_DETACHED; + p7 = PKCS7_sign(NULL, NULL, NULL, data_bio, flags | PKCS7_PARTIAL); + if (!p7) + goto err; + if (!PKCS7_sign_add_signer(p7, cert, key, md, flags)) + goto err; + if (!PKCS7_final(p7, data_bio, flags)) + goto err; + + /* convert pkcs7 into DER */ + ctx->sig_data = NULL; + ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data, + ASN1_ITEM_rptr(PKCS7)); + if (!ctx->sig_size) + goto err; + + /* fill auth_info */ + ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info) + + ctx->sig_size; + ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0; + ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7, + sizeof(efi_guid_cert_type_pkcs7)); + + ret = 0; +err: + BIO_free_all(data_bio); + EVP_PKEY_free(key); + X509_free(cert); + + return ret; +} + +/** + * dump_signature - dump out a signature + * @path: Path to a capsule file + * @signature: Signature data + * @sig_size: Size of signature data + * + * Signature data pointed to by @signature will be saved into + * a file whose file name is @path with ".p7" suffix. 
+ * + * Return: + * * 0 - on success + * * -1 - on failure + */ +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size) +{ + char *sig_path; + FILE *f; + size_t size; + int ret = -1; + + sig_path = malloc(strlen(path) + 3 + 1); + if (!sig_path) + return ret; + + sprintf(sig_path, "%s.p7", path); + f = fopen(sig_path, "w"); + if (!f) + goto err; + + size = fwrite(signature, 1, sig_size, f); + if (size == sig_size) + ret = 0; + + fclose(f); +err: + free(sig_path); + return ret; +} + +/** + * free_sig_data - free out signature data + * @ctx: Pointer to authentication context + * + * Free signature data allocated in create_auth_data(). + */ +static void free_sig_data(struct auth_context *ctx) +{ + if (ctx->sig_size) + OPENSSL_free(ctx->sig_data); +} +#else +static int create_auth_data(struct auth_context *ctx) +{ + return 0; +} + +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size) +{ + return 0; +} + +static void free_sig_data(struct auth_context *ctx) {} +#endif + /** * read_bin_file - read a firmware binary file * @bin: Path to a firmware binary file 
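Review bot: create_auth_data() never frees the PKCS7 object: `p7` comes from PKCS7_sign() but there is no PKCS7_free() on the success path or on any `goto err` after it, so every signing run leaks it; initialise `p7 = NULL` and free it under `err:`. In the same function, `ctx->sig_size = ASN1_item_i2d((ASN1_VALUE *)p7, &ctx->sig_data, ASN1_ITEM_rptr(PKCS7));` stores an int that is negative on failure into a size_t, so the following `if (!ctx->sig_size)` cannot detect an encoding error and an enormous sig_size would flow into the capsule header and the fwrite; keep the return value in an int and test `< 0` before assigning. Two smaller things in this hunk: the kernel-doc names `fileio-read_pkey` and `fileio-read_cert` should be `fileio_read_pkey` and `fileio_read_cert`, and print_usage() advertises `-d, --dump_sig` while options[] registers `dump-sig`, so the documented spelling does not work.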
@@ -167,23 +418,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg) * * -1 - on failure */ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, - unsigned long index, unsigned long instance) + unsigned long index, unsigned long instance, + uint64_t mcount, char *privkey_file, char *cert_file) { struct efi_capsule_header header; struct efi_firmware_management_capsule_header capsule; struct efi_firmware_management_capsule_image_header image; + struct auth_context auth_context; FILE *f; void *data; off_t bin_size; - u64 offset; + uint64_t offset; int ret; #ifdef DEBUG printf("For output: %s\n", path); printf("\tbin: %s\n\ttype: %pUl\n", bin, guid); - printf("\tindex: %ld\n\tinstance: %ld\n", index, instance); + printf("\tindex: %lu\n\tinstance: %lu\n", index, instance); #endif - + auth_context.sig_size = 0; f = NULL; data = NULL; ret = -1; @@ -194,6 +447,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, if (read_bin_file(bin, &data, &bin_size)) goto err; + /* first, calculate signature to determine its size */ + if (privkey_file && cert_file) { + auth_context.key_file = privkey_file; + auth_context.cert_file = cert_file; + auth_context.auth.monotonic_count = mcount; + auth_context.image_data = data; + auth_context.image_size = bin_size; + + if (create_auth_data(&auth_context)) { + printf("Signing firmware image failed\n"); + goto err; + } + + if (dump_sig && + dump_signature(path, auth_context.sig_data, + auth_context.sig_size)) { + printf("Creating signature file failed\n"); + goto err; + } + } + /* * write a capsule file */ 
@@ -211,9 +485,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, /* TODO: The current implementation ignores flags */ header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET; header.capsule_image_size = sizeof(header) - + sizeof(capsule) + sizeof(u64) + + sizeof(capsule) + sizeof(uint64_t) + sizeof(image) + bin_size; + if (auth_context.sig_size) + header.capsule_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; if (write_capsule_file(f, &header, sizeof(header), "Capsule header")) goto err; @@ -229,7 +506,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, "Firmware capsule header")) goto err; - offset = sizeof(capsule) + sizeof(u64); + offset = sizeof(capsule) + sizeof(uint64_t); if (write_capsule_file(f, &offset, sizeof(offset), "Offset to capsule image")) goto err; @@ -244,13 +521,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, image.reserved[1] = 0; image.reserved[2] = 0; image.update_image_size = bin_size; + if (auth_context.sig_size) + image.update_image_size += sizeof(auth_context.auth) + + auth_context.sig_size; image.update_vendor_code_size = 0; /* none */ image.update_hardware_instance = instance; image.image_capsule_support = 0; + if (auth_context.sig_size) + image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION; if (write_capsule_file(f, &image, sizeof(image), "Firmware capsule image header")) goto err; + /* + * signature + */ + if (auth_context.sig_size) { + if (write_capsule_file(f, &auth_context.auth, + sizeof(auth_context.auth), + "Authentication header")) + goto err; + + if (write_capsule_file(f, auth_context.sig_data, + auth_context.sig_size, "Signature")) + goto err; + } + /* * firmware binary */ 
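Review bot: `sizeof(auth_context.auth) + auth_context.sig_size` is now computed twice, under two separate `if (auth_context.sig_size)` guards (for header.capsule_image_size and for image.update_image_size), with a third guard setting CAPSULE_SUPPORT_AUTHENTICATION; compute one `auth_size` right after signing and add it in both places so the two lengths cannot drift apart, since they have to agree for the capsule to parse on the target. The ordering itself (authentication header and signature written before the firmware binary, and counted inside update_image_size) looks right.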
@@ -261,28 +557,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid, err: if (f) fclose(f); + free_sig_data(&auth_context); free(data); return ret; } -/* - * Usage: - * $ mkeficapsule -f +/** + * main - main entry function of mkeficapsule + * @argc: Number of arguments + * @argv: Array of pointers to arguments + * + * Create an uefi capsule file, optionally signing it. + * Parse all the arguments and pass them on to create_fwbin(). + * + * Return: + * * 0 - on success + * * -1 - on failure */ int main(int argc, char **argv) { char *file; efi_guid_t *guid; unsigned long index, instance; + uint64_t mcount; + char *privkey_file, *cert_file; int c, idx; file = NULL; guid = NULL; index = 0; instance = 0; + mcount = 0; + privkey_file = NULL; + cert_file = NULL; + dump_sig = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, opts_short, options, &idx); if (c == -1) break; @@ -290,7 +601,7 @@ int main(int argc, char **argv) case 'f': if (file) { printf("Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_fit; @@ -298,7 +609,7 @@ int main(int argc, char **argv) case 'r': if (file) { printf("Image already specified\n"); - return -1; + exit(EXIT_FAILURE); } file = optarg; guid = &efi_guid_image_type_uboot_raw; 
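Review bot: the new kernel-doc for main() states `Return: * 0 - on success * -1 - on failure`, but the paths changed in this hunk now terminate with exit(EXIT_SUCCESS)/exit(EXIT_FAILURE) rather than returning -1; describe the exit status instead. Also `Create an uefi capsule file` should read `a UEFI capsule file`.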
@@ -309,26 +620,44 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; +#ifdef CONFIG_TOOLS_LIBCRYPTO + case 'p': + if (privkey_file) { + printf("Private Key already specified\n"); + exit(EXIT_FAILURE); + } + privkey_file = optarg; + break; + case 'c': + if (cert_file) { + printf("Certificate file already specified\n"); + exit(EXIT_FAILURE); + } + cert_file = optarg; + break; + case 'm': + mcount = strtoul(optarg, NULL, 0); + break; + case 'd': + dump_sig = 1; + break; +#endif /* CONFIG_TOOLS_LIBCRYPTO */ case 'h': print_usage(); - return 0; + exit(EXIT_SUCCESS); } } - /* need an output file */ - if (argc != optind + 1) { + /* check necessary parameters */ + if ((argc != optind + 1) || !file || + ((privkey_file && !cert_file) || + (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - exit(EXIT_SUCCESS); - } - - if (create_fwbin(argv[optind], file, guid, index, instance) - < 0) { + if (create_fwbin(argv[optind], file, guid, index, instance, + mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); exit(EXIT_FAILURE); }
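Review bot: `mcount = strtoul(optarg, NULL, 0);` truncates the 64-bit monotonic count on hosts where unsigned long is 32 bits; use strtoull(). None of the numeric options checks the end pointer or errno either, so a typo such as `-m 1O` is silently accepted as 1, which matters for a value that is meant to defeat replay. Separately, the combined check only requires --private-key and --certificate to appear together, while the man page in 4/12 says --monotonic-count is mandatory for signing; either require `-m` here when signing or relax the man page.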
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 04/12] tools: mkeficapsule: add man page
Date: Tue, 16 Nov 2021 13:32:30 +0900
Message-Id: <20211116043238.67226-5-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

Add a man page for the mkeficapsule command.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
Acked-by: Ilias Apalodimas
---
 MAINTAINERS | 1 +
 doc/mkeficapsule.1 | 95 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 doc/mkeficapsule.1

diff --git a/MAINTAINERS b/MAINTAINERS index 6db5354322fe..813674eb2898 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -722,6 +722,7 @@ S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git F: doc/api/efi.rst F: doc/develop/uefi/* +F: doc/mkeficapsule.1 F: doc/usage/bootefi.rst F: drivers/rtc/emul_rtc.c F: include/capitalization.h diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 new file mode 100644 index 000000000000..837e09ab451e --- /dev/null +++ b/doc/mkeficapsule.1
@@ -0,0 +1,95 @@ +.TH MAEFICAPSULE 1 "May 2021" + +.SH NAME +mkeficapsule \- Generate EFI capsule file for U-Boot + +.SH SYNOPSIS +.B mkeficapsule +.RB [\fIoptions\fP] " \fIcapsule-file\fP" + +.SH "DESCRIPTION" +The +\fBmkeficapsule\fP +command is used to create an EFI capsule file for use with the U-Boot +EFI capsule update. +A capsule file may contain various type of firmware blobs which +are to be applied to the system and must be placed in the specific +directory on the UEFI system partition. An update will be automatically +executed at next reboot. + +Optionally, a capsule file can be signed with a given private key. +In this case, the update will be authenticated by verifying the signature +before applying. + +\fBmkeficapsule\fP supports two different format of image files: +.TP +.I raw image +format is a single binary blob of any type of firmware. + +.TP +.I FIT (Flattened Image Tree) image +format +is the same as used in the new \fIuImage\fP format and allows for +multiple binary blobs in a single capsule file. +This type of image file can be generated by \fBmkimage\fP. + +.SH "OPTIONS" +One of \fB--fit\fP or \fB--raw\fP option must be specified. + +.TP +.BI "-f, --fit \fIfit-image-file\fP" +Specify a FIT image file + +.TP +.BI "-r, --raw \fIraw-image-file\fP" +Specify a raw image file + +.TP +.BI "-i, --index \fIindex\fP" +Specify an image index + +.TP +.BI "-I, --instance \fIinstance\fP" +Specify a hardware instance + +.TP +.BI "-h, --help" +Print a help message + +.TP 0 +.B With signing: + +\fB--private-key\fP, \fB--certificate\fP and \fB--monotonic-count\fP are +all mandatory. + +.TP +.BI "-p, --private-key \fIprivate-key-file\fP" +Specify signer's private key file in PEM + +.TP +.BI "-c, --certificate \fIcertificate-file\fP" +Specify signer's certificate file in EFI certificate list format + +.TP +.BI "-m, --monotonic-count \fIcount\fP" +Specify a monotonic count which is set to be monotonically incremented +at every firmware update. 
+ +.TP +.BI "-d, --dump_sig" +Dump signature data into *.p7 file + +.PP +.SH FILES +.TP +.BI "\fI/EFI/UpdateCapsule\fP" +The directory in which all capsule files be placed + +.SH SEE ALSO +.B mkimage + +.SH AUTHORS +Written by AKASHI Takahiro + +.SH HOMEPAGE +http://www.denx.de/wiki/U-Boot/WebHome
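Review bot: the title line `.TH MAEFICAPSULE 1 "May 2021"` misspells the command name (MKEFICAPSULE) and carries a date six months older than this submission. More important, the entry for -c says the certificate file is `in EFI certificate list format`, but mkeficapsule reads it with PEM_read_bio_X509() in 3/12, i.e. a PEM-encoded X.509 certificate; the ESL is the form embedded on the device side, not what this option takes, and a user following the man page will get a load failure. Smaller points: `--dump_sig` here versus `dump-sig` in options[]; `various type of firmware blobs` should be `various types`, `two different format` should be `formats`, and `all capsule files be placed` is missing `are to`.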
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 05/12] doc: update UEFI document for usage of mkeficapsule
Date: Tue, 16 Nov 2021 13:32:31 +0900
Message-Id: <20211116043238.67226-6-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

Now we can use the mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instructions for capsule authentication.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
Acked-by: Ilias Apalodimas
---
 doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++--------------------
 1 file changed, 67 insertions(+), 76 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index f17138f5c765..864d61734bee 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst
@@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which enables updating the U-Boot image using the UEFI firmware management protocol (FMP). The capsules are not passed to the firmware through the UpdateCapsule runtime service. Instead, capsule-on-disk -functionality is used for fetching the capsule from the EFI System -Partition (ESP) by placing the capsule file under the -\EFI\UpdateCapsule directory. - -The directory \EFI\UpdateCapsule is checked for capsules only within the -EFI system partition on the device specified in the active boot option -determined by reference to BootNext variable or BootOrder variable processing. -The active Boot Variable is the variable with highest priority BootNext or -within BootOrder that refers to a device found to be present. Boot variables -in BootOrder but referring to devices not present are ignored when determining -active boot variable. -Before starting a capsule update make sure your capsules are installed in the -correct ESP partition or set BootNext. +functionality is used for fetching capsules from the EFI System +Partition (ESP) by placing capsule files under the directory:: + + \EFI\UpdateCapsule + +The directory is checked for capsules only within the +EFI system partition on the device specified in the active boot option, +which is determined by BootXXXX variable in BootNext, or if not, the highest +priority one within BootOrder. Any BootXXXX variables referring to devices +not present are ignored when determining the active boot option. + +Please note that capsules will be applied in the alphabetic order of +capsule file names. + +Creating a capsule file +*********************** + +A capsule file can be created by using tools/mkeficapsule. 
+To build this tool, enable:: + + CONFIG_TOOLS_MKEFICAPSULE=y + CONFIG_TOOLS_LIBCRYPTO=y + +Run the following command:: + + $ mkeficapsule \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + Performing the update ********************* -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. - -If that option is disabled, you'll need to set the OsIndications variable with:: +Put capsule files under the directory mentioned above. +Then, following the UEFI specification, you'll need to set +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED +bit in OsIndications variable with:: => setenv -e -nv -bs -rt -v OsIndications =0x04 -Finally, the capsule update can be initiated either by rebooting the board, -which is the preferred method, or by issuing the following command:: +Since U-boot doesn't currently support SetVariable at runtime, its value +won't be taken over across the reboot. If this is the case, you can skip +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) +set. - => efidebug capsule disk-update - -**The efidebug command is should only be used during debugging/development.** +Finally, the capsule update can be initiated by rebooting the board. Enabling Capsule Authentication ******************************* 
@@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature is computed and prepended to the capsule payload at the time of capsule generation. This signature is then verified by using the public key stored as part of the X509 certificate. This certificate is -in the form of an efi signature list (esl) file, which is embedded as -part of U-Boot. +in the form of an efi signature list (esl) file, which is embedded in +a device tree. The capsule authentication feature can be enabled through the following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y - CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated -and used by the steps highlighted below:: +and used by the steps highlighted below. - 1. Install utility commands on your host - * OPENSSL +1. Install utility commands on your host + * openssl * efitools - 2. Create signing keys and certificate files on your host +2. 
Create signing keys and certificate files on your host:: $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem - - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem - -The capsule file can be generated by using the GenerateCapsule.py -script in EDKII:: - - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - --monotonic-count --fw-version \ - --lsv --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ - --update-image-index --signer-private-cert \ - /path/to/CRT.pem --trusted-public-cert \ - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ - - -Place the capsule generated in the above step on the EFI System -Partition under the EFI/UpdateCapsule directory - -Testing on QEMU -*************** +3. Run the following command to create and sign the capsule file:: -Currently, support has been added on the QEMU ARM64 virt platform for -updating the U-Boot binary as a raw image when the platform is booted -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this -configuration, the QEMU platform needs to be booted with -'secure=off'. The U-Boot binary placed on the first bank of the NOR -flash at offset 0x0. The U-Boot environment is placed on the second -NOR flash bank at offset 0x4000000. + $ mkeficapsule --monotonic-count 1 \ + --private-key CRT.key \ + --certificate CRT.crt \ + --index 1 --instance 0 \ + [--fit | --raw ] \ + -The capsule update feature is enabled with the following configuration -settings:: +4. 
Insert the signature list into a device tree in the following format:: - CONFIG_MTD=y - CONFIG_FLASH_CFI_MTD=y - CONFIG_CMD_MTDPARTS=y - CONFIG_CMD_DFU=y - CONFIG_DFU_MTD=y - CONFIG_PCI_INIT_R=y - CONFIG_EFI_CAPSULE_ON_DISK=y - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y - CONFIG_EFI_CAPSULE_FIRMWARE=y - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + { + signature { + capsule-key = [ ]; + } + ... + } -In addition, the following config needs to be disabled(QEMU ARM specific):: + You can do this manually with:: - CONFIG_TFABOOT + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo -The capsule file can be generated by using the tools/mkeficapsule:: + where signature.dts looks like:: - $ mkeficapsule --raw --index 1 + &{/} { + signature { + capsule-key = /incbin/("CRT.esl"); + }; + }; Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
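Review bot: the new paragraph on CONFIG_EFI_IGNORE_OSINDICATIONS in the "Performing the update" hunk (@@ -284) should state what the option gives up: with it set, the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED check is skipped, so any file placed under \EFI\UpdateCapsule is applied on every boot whether or not the OS asked for it, which matters wherever the ESP is writable from the running system. One sentence to that effect would let readers make an informed choice. Two wording points in the same hunk: "its value won't be taken over across the reboot" should read "its value will not persist across the reboot", and "determined by BootXXXX variable in BootNext, or if not, the highest priority one within BootOrder" reads better as "determined by the BootXXXX variable named in BootNext or, if BootNext is not set, by the highest-priority BootXXXX in BootOrder". Lastly, in the "Run the following command::" block only the option names are visible; check that the rendered synopsis also names the image operand and the output capsule file.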
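Review bot: the authentication hunk (@@ -324) deletes the entire "Testing on QEMU" section (the CONFIG_MTD through CONFIG_EFI_CAPSULE_FIRMWARE_RAW list and the CONFIG_TFABOOT note), but the commit message only talks about updating the authentication instructions; either say in the commit message that the QEMU section is intentionally dropped or keep it. Two smaller points: step 3 hard-codes `--monotonic-count 1` without saying what the count is for or how it should be chosen for a real update, and the device-tree sketch in step 4 closes `signature { ... }` and the enclosing node with a bare `}` while the signature.dts example right below correctly uses `};`; make the sketch match so a reader copying it does not get a dtc syntax error.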
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 06/12] test/py: efi_capsule: add image authentication test
Date: Tue, 16 Nov 2021 13:32:32 +0900
Message-Id: <20211116043238.67226-7-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system.

Due to the difficulty of embedding a public key (esl file) in U-Boot binary during pytest setup time, all the keys/certificates are pre-created.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
Acked-by: Ilias Apalodimas
---
 .../py/tests/test_efi_capsule/capsule_defs.py | 5 +
 test/py/tests/test_efi_capsule/conftest.py | 52 +++-
 test/py/tests/test_efi_capsule/signature.dts | 10 +
 .../test_capsule_firmware_signed.py | 254 ++++++++++++++++++
 4 files changed, 318 insertions(+), 3 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
index 4fd6353c2040..aa9bf5eee3aa 100644
--- a/test/py/tests/test_efi_capsule/capsule_defs.py
+++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@ # Directories CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/'. +EFITOOLS_PATH = '' diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 6ad5608cd71c..27c05971ca32 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -10,13 +10,13 @@ import pytest from capsule_defs import * # -# Fixture for UEFI secure boot test +# Fixture for UEFI capsule test # - @pytest.fixture(scope='session') def efi_capsule_data(request, u_boot_config): - """Set up a file system to be used in UEFI capsule test. + """Set up a file system to be used in UEFI capsule and + authentication test. Args: request: Pytest request object. 
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config): check_call('mkdir -p %s' % data_dir, shell=True) check_call('mkdir -p %s' % install_dir, shell=True) + capsule_auth_enabled = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + if capsule_auth_enabled: + # Create private key (SIGNER.key) and certificate (SIGNER.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' + '-out SIGNER.crt -nodes -days 365' + % data_dir, shell=True) + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' + % (data_dir, EFITOOLS_PATH), shell=True) + + # Update dtb adding capsule certificate + check_call('cd %s; ' + 'cp %s/test/py/tests/test_efi_capsule/signature.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; ' + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' + '-o test_sig.dtb signature.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + + # Create *malicious* private key (SIGNER2.key) and certificate + # (SIGNER2.crt) + check_call('cd %s; ' + 'openssl req -x509 -sha256 -newkey rsa:2048 ' + '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key ' + '-out SIGNER2.crt -nodes -days 365' + % data_dir, shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, 
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % (data_dir, u_boot_config.build_dir), shell=True) + if capsule_auth_enabled: + # firmware signed with proper key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--raw u-boot.bin.new Test11' + % (data_dir, u_boot_config.build_dir), + shell=True) + # firmware signed with *mal* key + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--private-key SIGNER2.key ' + '--certificate SIGNER2.crt ' + '--raw u-boot.bin.new Test12' + % (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts new file mode 100644 index 000000000000..078cfc76c93c --- /dev/null +++ b/test/py/tests/test_efi_capsule/signature.dts @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + signature { + capsule-key = /incbin/("SIGNER.esl"); + }; +}; diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py new file mode 100644 index 000000000000..593b032e9015 --- /dev/null +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py 
@@ -0,0 +1,254 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2021, Linaro Limited +# Author: AKASHI Takahiro +# +# U-Boot UEFI: Firmware Update (Signed capsule) Test + +""" +This test verifies capsule-on-disk firmware update +with signed capsule files +""" + +import pytest +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw') +@pytest.mark.buildconfigspec('efi_capsule_authenticate') +@pytest.mark.buildconfigspec('dfu') +@pytest.mark.buildconfigspec('dfu_sf') +@pytest.mark.buildconfigspec('cmd_efidebug') +@pytest.mark.buildconfigspec('cmd_fat') +@pytest.mark.buildconfigspec('cmd_memory') +@pytest.mark.buildconfigspec('cmd_nvedit_efi') +@pytest.mark.buildconfigspec('cmd_sf') +@pytest.mark.slow +class TestEfiCapsuleFirmwareSigned(object): + def test_efi_capsule_auth1( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 1 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 1-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test11 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 1-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test11' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_auth2( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 2 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but with an invalid key, + the authentication should fail and the firmware + not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 2-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test12 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 2-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test12' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output) + + def test_efi_capsule_auth3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 3 - Update U-Boot on SPI Flash, raw image format + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is not signed, the authentication + should fail and the firmware not be updated. 
+ """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 3-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' + % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test02 $filesize' + % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # reboot + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule' + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + + '/test_sig.dtb' + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info ' + '"sf 0:0=u-boot-bin raw 0x100000 ' + '0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + # deleted any way + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test02' not in ''.join(output) + + # TODO: check CapsuleStatus in CapsuleXXXX + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:Old' in ''.join(output)
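Review bot: in the capsule_defs.py hunk, the comment should read "you need to build a newer version on your own", and with `EFITOOLS_PATH = ''` the fixture silently uses whichever cert-to-efi-sig-list is first on PATH, so someone on efitools 1.5.1 or earlier gets a wrongly hashed .esl and then an unexplained authentication failure in the signed tests. Pointing at this constant from the failure (or from the test README) would make that failure mode traceable instead of looking like a bug in the verifier.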
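Review bot: the conftest.py hunk at @@ -40 generates SIGNER.key, SIGNER.crt and SIGNER.esl with openssl and cert-to-efi-sig-list at fixture time, which contradicts the commit message's statement that "all the keys/certificates are pre-created"; one of the two should be corrected. Also worth a comment here that SIGNER2 deliberately reuses the subject `/CN=TEST_SIGNER/`: the negative test then shows that verification is bound to the key in the embedded esl, not to the certificate's name, which is exactly the property a reader of this fixture should understand.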
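Review bot: minor, in the conftest.py hunk at @@ -56 the two mkeficapsule invocations for Test11 and Test12 differ only in key, certificate and output name; a short loop over (key, cert, name) tuples would keep the two command lines from drifting apart as options are added.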
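Review bot: in test_capsule_firmware_signed.py every test method assigns `u_boot_console.config.dtb = ... '/test_sig.dtb'` before `restart_uboot()` and never restores the previous value, so any test that runs later in the same pytest session boots with the signature overlay applied; save the old value and put it back in a `finally`, or move the switch into the fixture. The `# TODO: check CapsuleStatus in CapsuleXXXX` in cases 2 and 3 is the assertion that actually matters for authentication: as written, a capsule rejected by signature verification and one that was never processed at all both leave the flash at `u-boot:Old` and both have the file removed ("deleted any way"), so the test cannot tell them apart; checking the capsule result variable would close that gap. Finally, the three methods are identical apart from the capsule name and the expected flash content, so `pytest.mark.parametrize` over (capsule, expected) pairs would shrink the file by about two thirds.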
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 07/12] tools: mkeficapsule: allow for specifying GUID explicitly
Date: Tue, 16 Nov 2021 13:32:33 +0900
Message-Id: <20211116043238.67226-8-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

The existing options, "--fit" and "--raw," are only used to put a proper GUID in a capsule header, where GUID identifies a particular FMP (Firmware Management Protocol) driver which then would handle the firmware binary in a capsule.

In fact, mkeficapsule does the exact same job in creating a capsule file whatever the firmware binary type is.

To prepare for the future extension, the command syntax will be a bit modified to allow users to specify arbitrary GUID for their own FMP driver.

OLD: [--fit | --raw ]
NEW: [--fit | --raw | --guid ]

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 doc/develop/uefi/uefi.rst | 4 +-
 doc/mkeficapsule.1 | 26 +++++++++----
 tools/mkeficapsule.c | 78 ++++++++++++++++++++++++++++++---------
 3 files changed, 81 insertions(+), 27 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 864d61734bee..54fefd76f0f5 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -367,8 +367,8 @@ and used by the steps highlighted below. --private-key CRT.key \ --certificate CRT.crt \ --index 1 --instance 0 \ - [--fit | --raw ] \ - + [--fit | --raw | --guid 4. Insert the signature list into a device tree in the following format:: diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1 index 837e09ab451e..312e8a8b3188 100644 --- a/doc/mkeficapsule.1 +++ b/doc/mkeficapsule.1 @@ -5,7 +5,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot .SH SYNOPSIS .B mkeficapsule -.RB [\fIoptions\fP] " \fIcapsule-file\fP" +.RB [\fIoptions\fP] " \fIimage-blob\fP \fIcapsule-file\fP" .SH "DESCRIPTION" The @@ -21,7 +21,7 @@ Optionally, a capsule file can be signed with a given private key. In this case, the update will be authenticated by verifying the signature before applying. -\fBmkeficapsule\fP supports two different format of image files: +\fBmkeficapsule\fP takes any type of image files, including: .TP .I raw image format is a single binary blob of any type of firmware. @@ -33,16 +33,28 @@ is the same as used in the new \fIuImage\fP format and allows for multiple binary blobs in a single capsule file. This type of image file can be generated by \fBmkimage\fP. +.PP +If you want to use other types than above two, you should explicitly +specify a guid for the FMP driver. + .SH "OPTIONS" -One of \fB--fit\fP or \fB--raw\fP option must be specified. +One of \fB--fit\fP, \fB--raw\fP or \fB--guid\fP option must be specified. .TP -.BI "-f, --fit \fIfit-image-file\fP" -Specify a FIT image file +.BI "-f, --fit +Indicate that the blob is a FIT image file .TP -.BI "-r, --raw \fIraw-image-file\fP" -Specify a raw image file +.BI "-r, --raw +Indicate that the blob is a raw image file + +.TP +.BI "-g, --guid \fIguid-string\fP" +Specify guid for image blob type. The format is: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +The first three elements are in little endian, while the rest +is in big endian. .TP .BI "-i, --index \fIindex\fP" 
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 3e6f36430d74..8891496d1564 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -14,7 +14,7 @@ #include #include - +#include #include #ifdef CONFIG_TOOLS_LIBCRYPTO #include @@ -37,14 +37,15 @@ efi_guid_t efi_guid_image_type_uboot_raw = efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_TOOLS_LIBCRYPTO -static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +static const char *opts_short = "frg:i:I:v:p:c:m:dh"; #else -static const char *opts_short = "f:r:i:I:v:h"; +static const char *opts_short = "frg:i:I:v:h"; #endif static struct option options[] = { - {"fit", required_argument, NULL, 'f'}, - {"raw", required_argument, NULL, 'r'}, + {"fit", no_argument, NULL, 'f'}, + {"raw", no_argument, NULL, 'r'}, + {"guid", required_argument, NULL, 'g'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, #ifdef CONFIG_TOOLS_LIBCRYPTO @@ -59,11 +60,12 @@ static struct option options[] = { static void print_usage(void) { - printf("Usage: %s [options] \n" + printf("Usage: %s [options] \n" "Options:\n" - "\t-f, --fit new FIT image file\n" - "\t-r, --raw new raw image file\n" + "\t-f, --fit FIT image type\n" + "\t-r, --raw raw image type\n" + "\t-g, --guid guid for image blob type\n" "\t-i, --index update image index\n" "\t-I, --instance update hardware instance\n" #ifdef CONFIG_TOOLS_LIBCRYPTO 
@@ -563,6 +565,37 @@ err: return ret; } +/** + * convert_uuid_to_guid() - convert uuid string to guid string + * @buf: String for UUID + * + * UUID and GUID have the same data structure, but their string + * formats are different due to the endianness. See lib/uuid.c. + * Since uuid_parse() can handle only UUID, this function must + * be called to get correct data for GUID when parsing a string. + * + * The correct data will be returned in @buf. + */ +void convert_uuid_to_guid(unsigned char *buf) +{ + unsigned char c; + + c = buf[0]; + buf[0] = buf[3]; + buf[3] = c; + c = buf[1]; + buf[1] = buf[2]; + buf[2] = c; + + c = buf[4]; + buf[4] = buf[5]; + buf[5] = c; + + c = buf[6]; + buf[6] = buf[7]; + buf[7] = c; +} + /** * main - main entry function of mkeficapsule * @argc: Number of arguments @@ -577,14 +610,13 @@ err: */ int main(int argc, char **argv) { - char *file; efi_guid_t *guid; + unsigned char uuid_buf[16]; unsigned long index, instance; uint64_t mcount; char *privkey_file, *cert_file; int c, idx; - file = NULL; guid = NULL; index = 0; instance = 0; @@ -599,21 +631,31 @@ int main(int argc, char **argv) switch (c) { case 'f': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_fit; break; case 'r': - if (file) { - printf("Image already specified\n"); + if (guid) { + printf("Image type already specified\n"); exit(EXIT_FAILURE); } - file = optarg; guid = &efi_guid_image_type_uboot_raw; break; + case 'g': + if (guid) { + printf("Image type already specified\n"); + exit(EXIT_FAILURE); + } + if (uuid_parse(optarg, uuid_buf)) { + printf("Wrong guid format\n"); + exit(EXIT_FAILURE); + } + convert_uuid_to_guid(uuid_buf); + guid = (efi_guid_t *)uuid_buf; + break; case 'i': index = strtoul(optarg, NULL, 0); break; 
@@ -649,14 +691,14 @@ int main(int argc, char **argv) } /* check necessary parameters */ - if ((argc != optind + 1) || !file || + if ((argc != optind + 2) || !guid || ((privkey_file && !cert_file) || (!privkey_file && cert_file))) { print_usage(); exit(EXIT_FAILURE); } - if (create_fwbin(argv[optind], file, guid, index, instance, + if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance, mcount, privkey_file, cert_file) < 0) { printf("Creating firmware capsule failed\n"); exit(EXIT_FAILURE);
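Review bot: in the doc/mkeficapsule.1 hunk, the rewritten option lines `.BI "-f, --fit` and `.BI "-r, --raw` lose the closing double quote that the removed lines `.BI "-f, --fit \fIfit-image-file\fP"` had, so the macro argument is left unterminated; since neither option takes an argument any more, `.B "-f, --fit"` and `.B "-r, --raw"` are what is wanted. The explanation under `--guid`, "The first three elements are in little endian, while the rest is in big endian", describes how the parsed value is laid out in the capsule header, not how the string is typed, and invites a reader to reverse hex digits by hand; say instead that the GUID is given in its usual textual form (the same form `efidebug capsule esrt` prints in the tests later in this series) and that the tool takes care of the byte order. Also "takes any type of image files" should read "takes any type of image file".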
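Review bot: `convert_uuid_to_guid()` is used only inside mkeficapsule.c but is neither `static` nor declared in a header, so it becomes an exported symbol and a -Wmissing-prototypes warning; make it `static`. The kernel-doc says the result is returned in @buf but not that @buf must be the 16 bytes that uuid_parse() produced, which is the only input for which this fixed swap pattern is meaningful; stating the size (or declaring the parameter as `unsigned char buf[16]`) documents that. Since the comment already points at lib/uuid.c, note that `uuid_str_to_bin()` with `UUID_STR_FORMAT_GUID` there does the parse and the byte swap in one call; if that file can be built for the host tool, the libuuid dependency and this hand-rolled swap go away.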
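Review bot: in the `case 'g':` hunk the message `"Wrong guid format\n"` gives no hint of the accepted form; libuuid's uuid_parse() takes only the 36-character dashed string, so printing `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` here (as the man page does) saves a trip to the manual. `guid = (efi_guid_t *)uuid_buf;` points at an array on main()'s stack, which is fine only because `guid` is consumed before main() returns; a one-line comment would stop a later refactor from handing that pointer out.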
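Review bot: in the last hunk, `argv[argc - 1]` and `argv[argc - 2]` are correct given the `argc != optind + 2` check a few lines above, but `argv[optind + 1]` and `argv[optind]` read directly as capsule-file and image-blob and tie the call to the check it depends on; as written, a future change to the positional count has to be mirrored in two different arithmetic forms.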
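The GUID that this patch lets the user supply with --guid ends up in the capsule header in the EFI mixed-endian layout the man page hunk alludes to. As an added example, not code from the patch or from U-Boot, the Python below mirrors the hunk's parse-then-swap sequence (uuid_parse() followed by convert_uuid_to_guid()), cross-checks the hand-written swap against the standard library's bytes_le decoding, and reads the GUID back out of a capsule so a capsule file can be checked for the FMP it addresses. The EFI_CAPSULE_HEADER layout (CapsuleGuid, HeaderSize, Flags, CapsuleImageSize) is taken from the UEFI specification, not from this page, and the sample capsule is constructed inline.

```python
# Added example for this thread, not code from the U-Boot patch or project.
# It mirrors the --guid path of the patch (parse the dashed string, then
# byte-swap the first three fields) and reads the GUID back out of a capsule.
import re
import struct
import uuid

# libuuid's uuid_parse() accepts only this 36-character dashed form.
GUID_RE = re.compile(
    r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}")

# EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID in text form, as the test in this
# series passes it to --guid and expects it in the ESRT listing.
UBOOT_RAW_GUID = "E2BB9C06-70E9-4B14-97A3-5A7913176E3F"

# EFI_CAPSULE_HEADER (UEFI spec, not from this page): CapsuleGuid[16],
# HeaderSize u32, Flags u32, CapsuleImageSize u32, all little-endian.
CAPSULE_HEADER_SIZE = 28


def is_valid_guid(text: str) -> bool:
    """True only for the dashed form; braces or undashed hex are rejected the
    way uuid_parse() rejects them, even though Python's uuid would take them."""
    return GUID_RE.fullmatch(text) is not None


def parse_rfc4122(text: str) -> bytearray:
    """Stand-in for uuid_parse(): 16 bytes in RFC 4122 (big-endian) order."""
    if not is_valid_guid(text):
        raise ValueError("Wrong guid format, expected "
                         "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
    return bytearray(uuid.UUID(text).bytes)


def convert_uuid_to_guid(buf: bytearray) -> bytearray:
    """Same swap as the patch's convert_uuid_to_guid(): the 4-, 2- and 2-byte
    leading fields become little-endian, the trailing 8 bytes are untouched."""
    if len(buf) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    buf[0], buf[3] = buf[3], buf[0]
    buf[1], buf[2] = buf[2], buf[1]
    buf[4], buf[5] = buf[5], buf[4]
    buf[6], buf[7] = buf[7], buf[6]
    return buf


def guid_to_bytes(text: str) -> bytes:
    """Textual GUID -> the 16 bytes written into the capsule header."""
    return bytes(convert_uuid_to_guid(parse_rfc4122(text)))


def bytes_to_guid(raw: bytes) -> str:
    """Capsule-header bytes -> upper-case text, decoded with the standard
    library's bytes_le so it cross-checks the hand-written swap above."""
    return str(uuid.UUID(bytes_le=bytes(raw))).upper()


def build_capsule_header(guid_text: str, payload: bytes, flags: int = 0) -> bytes:
    """Constructed minimal capsule: header followed by the payload. Real
    mkeficapsule output carries further FMP structures after this header."""
    image_size = CAPSULE_HEADER_SIZE + len(payload)
    return (guid_to_bytes(guid_text)
            + struct.pack("<III", CAPSULE_HEADER_SIZE, flags, image_size)
            + payload)


def parse_capsule_header(capsule: bytes) -> dict:
    """Decode the leading EFI_CAPSULE_HEADER of a capsule file and sanity
    check its sizes, so a capsule can be checked for the FMP it addresses."""
    if len(capsule) < CAPSULE_HEADER_SIZE:
        raise ValueError("too short for an EFI_CAPSULE_HEADER")
    header_size, flags, image_size = struct.unpack("<III", capsule[16:28])
    if (header_size < CAPSULE_HEADER_SIZE or image_size < header_size
            or image_size > len(capsule)):
        raise ValueError("inconsistent capsule header sizes")
    return {"guid": bytes_to_guid(capsule[:16]), "header_size": header_size,
            "flags": flags, "image_size": image_size}


if __name__ == "__main__":
    cap = build_capsule_header(UBOOT_RAW_GUID, b"u-boot:New")  # constructed sample
    print(guid_to_bytes(UBOOT_RAW_GUID).hex())  # 069cbbe2e970144b97a35a7913176e3f
    print(parse_capsule_header(cap))
```

The stored form of E2BB9C06-70E9-4B14-97A3-5A7913176E3F begins 06 9c bb e2 e9 70 14 4b: the three leading fields are byte-reversed and the rest is copied as is, which is exactly what the patch's swap does to libuuid's big-endian output. Pointing `parse_capsule_header()` at the first 28 bytes of a real capsule file gives the GUID in the same text form the ESRT listing uses, so the two can be compared directly.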
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 08/12] test/py: efi_capsule: align with the syntax change of mkeficapsule
Date: Tue, 16 Nov 2021 13:32:34 +0900
Message-Id: <20211116043238.67226-9-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>

Since the syntax of mkeficapsule was changed in the previous commit, we need to modify the command line arguments in the pytest script.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 test/py/tests/test_efi_capsule/conftest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 27c05971ca32..a5a25c53dcb4 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -80,10 +80,10 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' % (data_dir, u_boot_config.build_dir), shell=True) - check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' % + check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) if capsule_auth_enabled:
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 09/12] test/py: efi_capsule: add a test for "--guid" option
Date: Tue, 16 Nov 2021 13:32:35 +0900
Message-Id: <20211116043238.67226-10-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>

This test scenario tests a new feature of mkeficapsule, the "--guid" option, which allows us to specify an FMP driver's GUID explicitly at the command line.

Signed-off-by: AKASHI Takahiro
---
 test/py/tests/test_efi_capsule/conftest.py    |  3 +
 .../test_efi_capsule/test_capsule_firmware.py | 67 +++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index a5a25c53dcb4..9076087a12b7 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -86,6 +86,9 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' % + (data_dir, u_boot_config.build_dir), + shell=True) if capsule_auth_enabled: # firmware signed with proper key check_call('cd %s; ' diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py index 9eeaae27d626..9cc973560fa1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py 
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object): 'sf read 4000000 100000 10', 'md.b 4000000 10']) assert 'u-boot:New' in ''.join(output) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ + Test Case 4 - Test "--guid" option of mkeficapsule + The test scenario is the same as Case 3. + """ + disk_img = efi_capsule_data + with u_boot_console.log.section('Test Case 4-a, before reboot'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""', + 'efidebug boot order 1', + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004', + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'env save']) + + # initialize content + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR, + 'sf write 4000000 100000 10', + 'sf read 5000000 100000 10', + 'md.b 5000000 10']) + assert 'Old' in ''.join(output) + + # place a capsule file + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR, + 'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # reboot + u_boot_console.restart_uboot() + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + # make sure that dfu_alt_info exists even persistent variables + # are not available. 
+ output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' in ''.join(output) + + # need to run uefi command to initiate capsule handling + output = u_boot_console.run_command( + 'env print -e Capsule0000') + + output = u_boot_console.run_command_list(['efidebug capsule esrt']) + + # ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT. + assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output) + + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR]) + assert 'Test03' not in ''.join(output) + + output = u_boot_console.run_command_list([ + 'sf probe 0:0', + 'sf read 4000000 100000 10', + 'md.b 4000000 10']) + assert 'u-boot:New' in ''.join(output)
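Review bot: the conftest.py hunk passes E2BB9C06-70E9-4B14-97A3-5A7913176E3F, which the new test identifies as EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID, so Test03 is a raw image whose header GUID went through the `--guid` parse-and-swap path instead of `--raw`; that is the right choice, because any byte-order mistake in convert_uuid_to_guid() would leave the capsule addressed to an FMP nobody registered and the final `u-boot:New` check would fail. A comment on that check_call line saying which GUID this is and why it has to equal the raw FMP's would keep the next person from "fixing" it to an arbitrary value.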
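Review bot: `test_efi_capsule_fw4` repeats Test Case 3 verbatim apart from the capsule name Test03 and the section titles; factoring the set-up, reboot and verification into a helper that takes the capsule filename would keep later changes from being applied three times. `output = u_boot_console.run_command('env print -e Capsule0000')` stores a result that is never asserted on; checking it would show the capsule was processed rather than only deleted. The ESRT assertion on E2BB9C06-70E9-4B14-97A3-5A7913176E3F holds whenever the raw-image FMP is registered, independent of the capsule, so the comment above it should not read as proof of the update; the `u-boot:New` check at the end is the evidence. The comment "even persistent variables are not available" should read "even if persistent variables are not available".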
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 10/12] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE
Date: Tue, 16 Nov 2021 13:32:36 +0900
Message-Id: <20211116043238.67226-11-takahiro.akashi@linaro.org>
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>

Before the capsule authentication is supported, this test script works correctly, but with the feature enabled, most tests will fail due to unsigned capsules. So check the results depending on whether CAPSULE_AUTHENTICATE is enabled or not.

Signed-off-by: AKASHI Takahiro
Reviewed-by: Simon Glass
---
 .../test_efi_capsule/test_capsule_firmware.py | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
index 9cc973560fa1..6e803f699f2f 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
@@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 2-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables
@@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) output = u_boot_console.run_command_list([ 'sf read 4000000 150000 10', 'md.b 4000000 10']) - assert 'u-boot-env:New' in ''.join(output) + if capsule_auth: + assert 'u-boot-env:Old' in ''.join(output) + else: + assert 'u-boot-env:New' in ''.join(output) def test_efi_capsule_fw3( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 3-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables @@ -246,7 +256,10 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output) def test_efi_capsule_fw4( self, u_boot_config, u_boot_console, efi_capsule_data): @@ -285,6 +298,8 @@ class TestEfiCapsuleFirmwareFit(object): capsule_early = u_boot_config.buildconfig.get( 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') with u_boot_console.log.section('Test Case 4-b, after reboot'): if not capsule_early: # make sure that dfu_alt_info exists even persistent variables 
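Review bot: In every `if capsule_auth:` branch of this patch, asserting only that `u-boot:Old` (or `u-boot-env:Old`) is still in flash proves the image was not written, not why; a capsule that was never picked up from the ESP passes exactly the same assertion as one that was correctly rejected by signature verification. Consider additionally checking the capsule-on-disk console output for the authentication failure, or that the capsule file was consumed, so the test distinguishes "rejected" from "not applied" and a broken capsule-on-disk path cannot pass as a successful rejection. The four identical `if/else` blocks could also collapse to one `expected = 'Old' if capsule_auth else 'New'` per test case, which keeps the intent visible in a single place.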
@@ -313,4 +328,7 @@ class TestEfiCapsuleFirmwareFit(object): 'sf probe 0:0', 'sf read 4000000 100000 10', 'md.b 4000000 10']) - assert 'u-boot:New' in ''.join(output) + if capsule_auth: + assert 'u-boot:Old' in ''.join(output) + else: + assert 'u-boot:New' in ''.join(output)

From patchwork Tue Nov 16 04:32:37 2021 X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 519173
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 11/12] (RFC) tools: add fdtsig.sh
Date: Tue, 16 Nov 2021 13:32:37 +0900
Message-Id: <20211116043238.67226-12-takahiro.akashi@linaro.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

With this script, a public key is added to a device tree blob as the default efi_get_public_key_data() expects.

Signed-off-by: AKASHI Takahiro
--- MAINTAINERS | 1 + tools/fdtsig.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100755 tools/fdtsig.sh diff --git a/MAINTAINERS b/MAINTAINERS index 813674eb2898..8233a53c29dc 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -742,6 +742,7 @@ F: cmd/bootefi.c F: cmd/efidebug.c F: cmd/nvedit_efi.c F: tools/efivar.py +F: tools/fdtsig.sh F: tools/file2include.c F: tools/mkeficapsule.c diff --git a/tools/fdtsig.sh b/tools/fdtsig.sh new file mode 100755 index 000000000000..c2b2a6dc5ec8 --- /dev/null +++ b/tools/fdtsig.sh
@@ -0,0 +1,40 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# +# script to add a certificate (efi-signature-list) to dtb blob + +usage() { + if [ -n "$*" ]; then + echo "ERROR: $*" + fi + echo "Usage: "$(basename $0) " " +} + +if [ "$#" -ne 2 ]; then + usage "Arguments missing" + exit 1 +fi + +ESL=$1 +DTB=$2 +NEW_DTB=$(basename $DTB)_tmp +SIG=signature + +cat << 'EOF' > $SIG.dts +/dts-v1/; +/plugin/; + +&{/} { + signature { +EOF +echo "capsule-key = /incbin/(\"$ESL\");" >> $SIG.dts +cat << 'EOF' >> $SIG.dts + }; +}; +EOF + +dtc -@ -I dts -O dtb -o $SIG.dtbo $SIG.dts +fdtoverlay -i $DTB -o $NEW_DTB $SIG.dtbo +mv $NEW_DTB $DTB + +rm $SIG.dts $SIG.dtsn $SIG.dtbo

From patchwork Tue Nov 16 04:32:38 2021 X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 519174
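Review bot: The exit status of `dtc` and `fdtoverlay` is never checked before `mv $NEW_DTB $DTB` overwrites the caller's DTB, so a failed overlay step does not stop the script; `set -e` after the shebang (or `|| exit 1` after each tool invocation) keeps the original DTB intact when the overlay cannot be produced. The final `rm $SIG.dts $SIG.dtsn $SIG.dtbo` also names `signature.dtsn`, which nothing in the script creates, so every run ends with an `rm` error; drop that name or use `rm -f`. Two smaller points: `$SIG.dts`, `$SIG.dtbo` and `$(basename $DTB)_tmp` are fixed names written into the current directory, so concurrent invocations (for example from parallel builds) clobber each other, and a `mktemp -d` work directory would avoid that; and the `Usage:` line prints no argument names as shown, while the unquoted `$ESL` and `$DTB` expansions break on paths containing spaces.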
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 12/12] (RFC) efi_loader, dts: add public keys for capsules to device tree
Date: Tue, 16 Nov 2021 13:32:38 +0900
Message-Id: <20211116043238.67226-13-takahiro.akashi@linaro.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org>
References: <20211116043238.67226-1-takahiro.akashi@linaro.org>

By specifying CONFIG_EFI_CAPSULE_KEY_PATH, the build process will automatically insert the given key into the device tree. Otherwise, users are required to do so manually, possibly with the utility script fdtsig.sh.

Signed-off-by: AKASHI Takahiro
--- doc/develop/uefi/uefi.rst | 4 ++++ dts/Makefile | 23 +++++++++++++++++++++-- lib/efi_loader/Kconfig | 7 +++++++ 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 54fefd76f0f5..7f85b9e5a4a6 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,6 +347,7 @@ following config, in addition to the configs listed above for capsule update:: CONFIG_EFI_CAPSULE_AUTHENTICATE=y + CONFIG_EFI_CAPSULE_KEY_PATH= The public and private keys used for the signing process are generated and used by the steps highlighted below. @@ -392,6 +393,9 @@ and used by the steps highlighted below. }; }; + If CONFIG_EFI_CAPSULE_KEY_PATH is specified, the build process will + take care of it for you. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/dts/Makefile b/dts/Makefile index cb3111382959..6c5486719ecd 100644 --- a/dts/Makefile +++ b/dts/Makefile @@ -20,11 +20,30 @@ $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE mkdir -p $(dir $@) $(call if_changed,fdtgrep) +quiet_cmd_fdtsig = FDTSIG $@ + cmd_fdtsig = \ + cat $< > $@; \ + $(srctree)/tools/fdtsig.sh \ + $(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)) $@ + +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +ifneq ($(patsubst "%",%,$(CONFIG_EFI_CAPSULE_KEY_PATH)),) +DTB_ov := $(obj)/dt.dtb_ov + +$(obj)/dt.dtb_ov: $(DTB) FORCE + $(call if_changed,fdtsig) +else +DTB_ov := $(DTB) +endif +else +DTB_ov := $(DTB) +endif + ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y) -$(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE +$(obj)/dt.dtb: $(DTB_ov) $(objtree)/tools/fdtgrep FORCE $(call if_changed,fdt_rm_props) else -$(obj)/dt.dtb: $(DTB) FORCE +$(obj)/dt.dtb: $(DTB_ov) FORCE $(call if_changed,shipped) endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 700dc838ddb9..8c8d14d46433 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
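Review bot: The `$(obj)/dt.dtb_ov: $(DTB) FORCE` rule in the dts/Makefile hunk lists neither `$(CONFIG_EFI_CAPSULE_KEY_PATH)` nor `$(srctree)/tools/fdtsig.sh` as prerequisites, so replacing the .esl file in place (a key rotation that keeps the same path) does not rebuild dt.dtb_ov: `if_changed` only reacts to a changed command line, and the stale key stays embedded in the shipped DTB. Add the key file and the script as dependencies of that target. Note also that `cmd_fdtsig` runs fdtsig.sh from the build tree root, and the script writes its `signature.dts`/`signature.dtbo` temporaries into the current directory rather than under `$(obj)`. In the uefi.rst hunk, `CONFIG_EFI_CAPSULE_KEY_PATH=` is shown with no value; an example value pointing at the .esl produced by the steps highlighted below would make it clearer what the option expects.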
@@ -209,6 +209,13 @@ config EFI_CAPSULE_AUTHENTICATE Select this option if you want to enable capsule authentication +config EFI_CAPSULE_KEY_PATH + string "Path to .esl cert for capsule authentication" + depends on EFI_CAPSULE_AUTHENTICATE + help + Provide the EFI signature list (esl) certificate used for capsule + authentication + config EFI_DEVICE_PATH_TO_TEXT bool "Device path to text protocol" default y
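Review bot: The help text for EFI_CAPSULE_KEY_PATH should say what an empty value means: with the dts/Makefile change in this series, EFI_CAPSULE_AUTHENTICATE=y together with an empty path silently builds a DTB without a capsule-key property, and capsule authentication cannot succeed at runtime until the key is added by hand with tools/fdtsig.sh. Stating that fallback explicitly (and whether a relative path is resolved against the source or the build directory, since the Makefile passes the value through unchanged) would save a confusing first boot; a `default ""` line would also make the fallback visible in the Kconfig itself.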