From patchwork Wed Dec 23 07:03:17 2020
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 346987
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 01/14] mkeficapsule: Add support for embedding public key in a dtb
Date: Wed, 23 Dec 2020 12:33:17 +0530
Message-Id: <20201223070330.21361-2-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

Add options for embedding the public key esl(efi signature list) file to the platform's dtb. The esl file is then retrieved and used for authenticating the capsule to be used for updating firmware components on the platform.

The esl file can now be embedded in the dtb by invoking the following command

mkeficapsule -K -D

In the scenario where the esl file is to be embedded in an overlay, this can be done through the following command

mkeficapsule -O -K -D

This will create a node named 'signature' in the dtb, and the esl file will be stored as 'capsule-key'

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

 tools/Makefile | 1 +
 tools/mkeficapsule.c | 233 ++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 222 insertions(+), 12 deletions(-)

--
2.17.1

diff --git a/tools/Makefile b/tools/Makefile index 66d9376803..6d7b48fb57 100644 --- a/tools/Makefile +++ b/tools/Makefile 
@@ -218,6 +218,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include +mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 3f8bc7009b..270943fc90 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -4,16 +4,22 @@ * Author: AKASHI Takahiro */ +#include #include #include #include #include #include #include +#include #include + +#include #include #include +#include "fdt_host.h" + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; @@ -23,6 +29,9 @@ typedef __s32 s32; #define aligned_u64 __aligned_u64 +#define SIGNATURE_NODENAME "signature" +#define OVERLAY_NODENAME "__overlay__" + #ifndef __packed #define __packed __attribute__((packed)) #endif @@ -43,6 +52,9 @@ static struct option options[] = { {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, + {"dtb", required_argument, NULL, 'D'}, + {"public key", required_argument, NULL, 'K'}, + {"overlay", no_argument, NULL, 'O'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; 
@@ -51,14 +63,183 @@ static void print_usage(void) { printf("Usage: %s [options] \n" "Options:\n" - "\t--fit new FIT image file\n" - "\t--raw new raw image file\n" - "\t--index update image index\n" - "\t--instance update hardware instance\n" - "\t--help print a help message\n", + + "\t--fit new FIT image file\n" + "\t--raw new raw image file\n" + "\t--index update image index\n" + "\t--instance update hardware instance\n" + "\t--public-key public key esl file\n" + "\t--dtb dtb file\n" + "\t--overlay the dtb file is an overlay\n" + "\t--help print a help message\n", tool_name); } +static int fdt_add_pub_key_data(void *sptr, void *dptr, size_t key_size, + bool overlay) +{ + int parent; + int ov_node; + int frag_node; + int ret = 0; + + if (overlay) { + /* + * The signature would be stored in the + * first fragment node of the overlay + */ + frag_node = fdt_first_subnode(dptr, 0); + if (frag_node == -FDT_ERR_NOTFOUND) { + fprintf(stderr, + "Couldn't find the fragment node: %s\n", + fdt_strerror(frag_node)); + goto done; + } + + ov_node = fdt_subnode_offset(dptr, frag_node, OVERLAY_NODENAME); + if (ov_node == -FDT_ERR_NOTFOUND) { + fprintf(stderr, + "Couldn't find the __overlay__ node: %s\n", + fdt_strerror(ov_node)); + goto done; + } + } else { + ov_node = 0; + } + + parent = fdt_subnode_offset(dptr, ov_node, SIGNATURE_NODENAME); + if (parent == -FDT_ERR_NOTFOUND) { + parent = fdt_add_subnode(dptr, ov_node, SIGNATURE_NODENAME); + if (parent < 0) { + ret = parent; + if (ret != -FDT_ERR_NOSPACE) { + fprintf(stderr, + "Couldn't create signature node: %s\n", + fdt_strerror(parent)); + } + } + } + if (ret) + goto done; + + /* Write the key to the FDT node */ + ret = fdt_setprop(dptr, parent, "capsule-key", + sptr, key_size); + +done: + if (ret) + ret = ret == -FDT_ERR_NOSPACE ? 
-ENOSPC : -EIO; + + return ret; +} + +static int add_public_key(const char *pkey_file, const char *dtb_file, + bool overlay) +{ + int ret; + int srcfd = 0; + int destfd = 0; + void *sptr = NULL; + void *dptr = NULL; + off_t src_size; + struct stat pub_key; + struct stat dtb; + + /* Find out the size of the public key */ + srcfd = open(pkey_file, O_RDONLY); + if (srcfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + ret = fstat(srcfd, &pub_key); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + src_size = pub_key.st_size; + + /* mmap the public key esl file */ + sptr = mmap(0, src_size, PROT_READ, MAP_SHARED, srcfd, 0); + if ((sptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, pkey_file, strerror(errno)); + goto err; + } + + /* Open the dest FDT */ + destfd = open(dtb_file, O_RDWR); + if (destfd == -1) { + fprintf(stderr, "%s: Can't open %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + ret = fstat(destfd, &dtb); + if (ret == -1) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + dtb.st_size += src_size + 0x30; + if (ftruncate(destfd, dtb.st_size)) { + fprintf(stderr, "%s: Can't expand %s: %s\n", + __func__, dtb_file, strerror(errno)); + goto err;; + } + + errno = 0; + /* mmap the dtb file */ + dptr = mmap(0, dtb.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, + destfd, 0); + if ((dptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Failed to mmap %s:%s\n", + __func__, dtb_file, strerror(errno)); + goto err; + } + + if (fdt_check_header(dptr)) { + fprintf(stderr, "%s: Invalid FDT header\n", __func__); + goto err; + } + + ret = fdt_open_into(dptr, dptr, dtb.st_size); + if (ret) { + fprintf(stderr, "%s: Cannot expand FDT: %s\n", + __func__, fdt_strerror(ret)); + goto err; + } + + /* Copy the esl file 
to the expanded FDT */ + ret = fdt_add_pub_key_data(sptr, dptr, src_size, overlay); + if (ret < 0) { + fprintf(stderr, "%s: Unable to add public key to the FDT\n", + __func__); + goto err; + } + + return 0; + +err: + if (sptr) + munmap(sptr, src_size); + + if (dptr) + munmap(dptr, dtb.st_size); + + if (srcfd >= 0) + close(srcfd); + + if (destfd >= 0) + close(destfd); + + return -1; +} + static int create_fwbin(char *path, char *bin, efi_guid_t *guid, unsigned long index, unsigned long instance) { @@ -173,16 +354,22 @@ err_1: int main(int argc, char **argv) { char *file; + char *pkey_file; + char *dtb_file; efi_guid_t *guid; unsigned long index, instance; int c, idx; + int ret; + bool overlay = false; file = NULL; + pkey_file = NULL; + dtb_file = NULL; guid = NULL; index = 0; instance = 0; for (;;) { - c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx); + c = getopt_long(argc, argv, "f:r:i:I:v:D:K:Oh", options, &idx); if (c == -1) break; 
@@ -209,22 +396,44 @@ int main(int argc, char **argv) case 'I': instance = strtoul(optarg, NULL, 0); break; + case 'K': + if (pkey_file) { + printf("Public Key already specified\n"); + return -1; + } + pkey_file = optarg; + break; + case 'D': + if (dtb_file) { + printf("DTB file already specified\n"); + return -1; + } + dtb_file = optarg; + break; + case 'O': + overlay = true; + break; case 'h': print_usage(); return 0; } } - /* need a output file */ - if (argc != optind + 1) { + /* need a fit image file or raw image file */ + if (!file && !pkey_file && !dtb_file) { + printf("%s: %d\n", __func__, __LINE__); print_usage(); return -1; } - /* need a fit image file or raw image file */ - if (!file) { - print_usage(); - return -1; + if (pkey_file && dtb_file) { + ret = add_public_key(pkey_file, dtb_file, overlay); + if (ret == -1) { + printf("Adding public key to the dtb failed\n"); + return -1; + } else { + return 0; + } } if (create_fwbin(argv[optind], file, guid, index, instance)
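
Review bot: In the options[] hunk of tools/mkeficapsule.c the new long option is registered as "public key" (with a space), while print_usage() in the next hunk documents it as --public-key, so the documented long form is not an entry getopt_long() can match. Rename the table entry to "public-key" so the usage text and the parser agree; only the short form -K works as the patch stands.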
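
Review bot: In fdt_add_pub_key_data() (the large tools/mkeficapsule.c hunk), both overlay error paths, "Couldn't find the fragment node" and "Couldn't find the __overlay__ node", jump to done while ret is still 0, so the function reports success without writing 'capsule-key', and add_public_key() and main() then exit 0 with a dtb that carries no key. Set ret from the libfdt return value before the goto. In add_public_key() in the same hunk, srcfd and destfd start at 0, so an early failure reaches "if (srcfd >= 0) close(srcfd);" and closes fd 0; initialise both to -1. The first mmap() check also tests errno without clearing it first (the second one does "errno = 0;"), a failed mmap() leaves MAP_FAILED in sptr or dptr, which passes "if (sptr)" and is handed to munmap(), and the success path returns 0 without unmapping or closing anything.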
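
Review bot: In the last main() hunk, the "argc != optind + 1" check is removed and replaced by "if (!file && !pkey_file && !dtb_file)", so an invocation that gives only one of -K or -D passes that test, skips the "pkey_file && dtb_file" branch, and falls through to create_fwbin(argv[optind], file, ...) with file NULL and possibly no output argument at all. Reject -K without -D (and the reverse) explicitly, and keep the output-file check for the capsule-creation path. The "printf("%s: %d\n", __func__, __LINE__);" line looks like leftover debug output, and the comment "need a fit image file or raw image file" no longer describes the condition below it.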

From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 02/14] qemu: arm: Initialise virtio devices in board_late_init
Date: Wed, 23 Dec 2020 12:33:18 +0530
Message-Id: <20201223070330.21361-3-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

On the qemu arm platform, the virtio devices are initialised in the board_init function, which gets called before the initr_pci. With this sequence, the virtio block devices on the pci bus are not initialised. Move the initialisation of the virtio devices to board_late_init which gets called after the call to initr_pci.

Signed-off-by: Sughosh Ganu
---
Changes since V2:
* Enable building of board_late_init for both of the Qemu arm and arm64 variants
* Move the selection of the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig file

 arch/arm/mach-qemu/Kconfig | 2 ++
 board/emulation/qemu-arm/qemu-arm.c | 5 +++++
 2 files changed, 7 insertions(+)

--
2.17.1

diff --git a/arch/arm/mach-qemu/Kconfig b/arch/arm/mach-qemu/Kconfig index 588d2d3102..186c3582eb 100644 --- a/arch/arm/mach-qemu/Kconfig +++ b/arch/arm/mach-qemu/Kconfig @@ -16,12 +16,14 @@ choice config TARGET_QEMU_ARM_32BIT bool "ARMv7-A, 32bit" select ARCH_SUPPORT_PSCI + select BOARD_LATE_INIT select CPU_V7A select SYS_ARCH_TIMER config TARGET_QEMU_ARM_64BIT bool "ARMv8, 64bit" select ARM64 + select BOARD_LATE_INIT endchoice 
diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c index f18f2ed7da..aa68bef469 100644 --- a/board/emulation/qemu-arm/qemu-arm.c +++ b/board/emulation/qemu-arm/qemu-arm.c 
@@ -64,6 +64,11 @@ struct mm_region *mem_map = qemu_arm64_mem_map; #endif int board_init(void) +{ + return 0; +} + +int board_late_init(void) { /* * Make sure virtio bus is enumerated so that peripherals

From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 03/14] crypto: Fix the logic to calculate hash with authattributes set
Date: Wed, 23 Dec 2020 12:33:19 +0530
Message-Id: <20201223070330.21361-4-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

RFC 2315 Section 9.3 describes the message digesting process. The digest calculated depends on whether the authenticated attributes are present. In case of a scenario where the authenticated attributes are present, the message digest that gets signed and is part of the pkcs7 message is computed from the auth attributes rather than the contents field.

Check if the auth attributes are present, and if set, use the auth attributes to compute the hash that would be compared with the encrypted hash on the pkcs7 message.

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

 lib/crypto/pkcs7_verify.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

--
2.17.1

diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 320ba49f79..58683ef614 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c 
@@ -50,8 +50,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, struct image_region regions[2]; int ret = 0; - /* The digest was calculated already. */ - if (sig->digest) + /* + * [RFC2315 9.3] + * If the authenticated attributes are present, + * the message-digest is calculated on the + * attributes present in the + * authenticatedAttributes field and not just + * the contents field + */ + if (!sinfo->authattrs && sig->digest) return 0; if (!sinfo->sig->hash_algo) 
@@ -63,17 +70,25 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, else return -ENOPKG; - sig->digest = calloc(1, sig->digest_size); - if (!sig->digest) { - pr_warn("Sig %u: Out of memory\n", sinfo->index); - return -ENOMEM; - } + /* + * Calculate the hash only if the data is present. + * In case of authenticated variable and capsule, + * the hash has already been calculated on the + * efi_image_regions and populated + */ + if (pkcs7->data) { + sig->digest = calloc(1, sig->digest_size); + if (!sig->digest) { + pr_warn("Sig %u: Out of memory\n", sinfo->index); + return -ENOMEM; + } - regions[0].data = pkcs7->data; - regions[0].size = pkcs7->data_len; + regions[0].data = pkcs7->data; + regions[0].size = pkcs7->data_len; - /* Digest the message [RFC2315 9.3] */ - hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + /* Digest the message [RFC2315 9.3] */ + hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + } /* However, if there are authenticated attributes, there must be a * message digest attribute amongst them which corresponds to the
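
Review bot: In the first pkcs7_digest() hunk, the early return now reads "if (!sinfo->authattrs && sig->digest)", so with authattrs set and sig->digest already populated the function carries on, and the calloc() in the following hunk overwrites sig->digest whenever pkcs7->data is set, without freeing the earlier buffer. Free or reuse the existing buffer before allocating. The new comment also says the digest is calculated on the authenticatedAttributes field, but nothing in the visible lines hashes the attributes here; it would help to say where that happens.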
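
Review bot: In the second pkcs7_digest() hunk, the "if (pkcs7->data)" guard means that when pkcs7->data is NULL nothing verifies that sig->digest was actually populated by the caller, and the function continues into the authenticated-attributes check with a digest that may still be NULL. The comment states the hash "has already been calculated" for the authenticated variable and capsule cases; enforce that assumption by returning an error when both pkcs7->data and sig->digest are NULL, so a missing digest can never be treated as a computed one.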

From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 04/14] qemu: common: Add support for dynamic mtdparts for the platform
Date: Wed, 23 Dec 2020 12:33:20 +0530
Message-Id: <20201223070330.21361-5-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

Add support for setting the default values for mtd partitions on the platform. This would be used for updating the firmware image using uefi capsule update with the dfu mtd backend driver.

Currently, values have been defined for the qemu arm64 platform, with default values defined for the mtd partitions based on the NOR flash. This can be subsequently extended for other qemu architectures which need mtdparts set.

Signed-off-by: Sughosh Ganu
---
Changes since V2:
* Move the functions to populate the mtdparts under board/emulation/common for allowing subsequent re-use by other Qemu arch based platforms

 board/emulation/common/Kconfig | 15 +++++
 board/emulation/common/Makefile | 3 +
 board/emulation/common/qemu_mtdparts.c | 82 ++++++++++++++++++++++++++
 board/emulation/qemu-arm/Kconfig | 4 ++
 lib/efi_loader/Kconfig | 1 +
 5 files changed, 105 insertions(+)
 create mode 100644 board/emulation/common/Kconfig
 create mode 100644 board/emulation/common/Makefile
 create mode 100644 board/emulation/common/qemu_mtdparts.c

--
2.17.1

diff --git a/board/emulation/common/Kconfig b/board/emulation/common/Kconfig new file mode 100644 index 0000000000..4c15c8bcb8 --- /dev/null +++ b/board/emulation/common/Kconfig @@ -0,0 +1,15 @@ +config MTDPARTS_NOR0 + string "mtd boot partition for nor0" + default "64m(u-boot)" if TARGET_QEMU_ARM_64BIT && !TFABOOT + depends on SYS_MTDPARTS_RUNTIME + help + This define the partition of nor0 used to build mtparts dynamically + for boot from nor0. + +config MTDPARTS_NOR1 + string "mtd u-boot env partition for nor1" + default "64m(u-boot-env)" if TARGET_QEMU_ARM_64BIT && !TFABOOT + depends on SYS_MTDPARTS_RUNTIME + help + This define the partition of nor1 used to build mtparts dynamically + for the u-boot env stored on nor1. diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile new file mode 100644 index 0000000000..de5c8d0c2a --- /dev/null +++ b/board/emulation/common/Makefile @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: GPL-2.0+ + +obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o diff --git a/board/emulation/common/qemu_mtdparts.c b/board/emulation/common/qemu_mtdparts.c new file mode 100644 index 0000000000..60212e97ac --- /dev/null +++ b/board/emulation/common/qemu_mtdparts.c 
@@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2020 Linaro Limited + */ + +#include +#include +#include + +#include + +#define MTDPARTS_LEN 256 +#define MTDIDS_LEN 128 + +static void board_get_mtdparts(const char *dev, const char *partition, + char *mtdids, char *mtdparts) +{ + /* mtdids: "=, ...." */ + if (mtdids[0] != '\0') + strcat(mtdids, ","); + strcat(mtdids, dev); + strcat(mtdids, "="); + strcat(mtdids, dev); + + /* mtdparts: "mtdparts=:>;..." */ + if (mtdparts[0] != '\0') + strncat(mtdparts, ";", MTDPARTS_LEN); + else + strcat(mtdparts, "mtdparts="); + + strncat(mtdparts, dev, MTDPARTS_LEN); + strncat(mtdparts, ":", MTDPARTS_LEN); + strncat(mtdparts, partition, MTDPARTS_LEN); +} + +void board_mtdparts_default(const char **mtdids, const char **mtdparts) +{ + struct mtd_info *mtd; + struct udevice *dev; + const char *mtd_partition; + static char parts[3 * MTDPARTS_LEN + 1]; + static char ids[MTDIDS_LEN + 1]; + static bool mtd_initialized; + + if (mtd_initialized) { + *mtdids = ids; + *mtdparts = parts; + return; + } + + memset(parts, 0, sizeof(parts)); + memset(ids, 0, sizeof(ids)); + + /* Currently mtdparts is needed on Qemu ARM64 for capsule updates */ + if (IS_ENABLED(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) && + IS_ENABLED(CONFIG_TARGET_QEMU_ARM_64BIT)) { + /* probe all MTD devices */ + for (uclass_first_device(UCLASS_MTD, &dev); dev; + uclass_next_device(&dev)) { + debug("mtd device = %s\n", dev->name); + } + + mtd = get_mtd_device_nm("nor0"); + if (!IS_ERR_OR_NULL(mtd)) { + mtd_partition = CONFIG_MTDPARTS_NOR0; + board_get_mtdparts("nor0", mtd_partition, ids, parts); + put_mtd_device(mtd); + } + + mtd = get_mtd_device_nm("nor1"); + if (!IS_ERR_OR_NULL(mtd)) { + mtd_partition = CONFIG_MTDPARTS_NOR1; + board_get_mtdparts("nor1", mtd_partition, ids, parts); + put_mtd_device(mtd); + } + } + + mtd_initialized = true; + *mtdids = ids; + *mtdparts = parts; + debug("%s:mtdids=%s & mtdparts=%s\n", __func__, ids, parts); +} 
diff --git a/board/emulation/qemu-arm/Kconfig b/board/emulation/qemu-arm/Kconfig index 02ae4d9884..8b902487b3 100644 --- a/board/emulation/qemu-arm/Kconfig +++ b/board/emulation/qemu-arm/Kconfig @@ -11,3 +11,7 @@ config BOARD_SPECIFIC_OPTIONS # dummy imply VIRTIO_BLK endif + +if TARGET_QEMU_ARM_64BIT && !TFABOOT +source "board/emulation/common/Kconfig" +endif diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 8746e10032..2cb0a6e399 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -135,6 +135,7 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT bool "Capsule: Firmware Management Protocol" depends on EFI_HAVE_CAPSULE_SUPPORT default y + select SYS_MTDPARTS_RUNTIME help Select this option if you want to enable capsule-based firmware update using Firmware Management Protocol.
From patchwork Wed Dec 23 07:03:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346992 Delivered-To: patch@linaro.org
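Review bot: the help text of both MTDPARTS_NOR0 and MTDPARTS_NOR1 in board/emulation/common/Kconfig has typos: "This define" should read "This defines" and "mtparts" should read "mtdparts". Neither symbol has a default outside TARGET_QEMU_ARM_64BIT && !TFABOOT, so the help could also state the expected value format, as in the "64m(u-boot)" default.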
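Review bot: in board_get_mtdparts() in board/emulation/common/qemu_mtdparts.c, none of the appends is bounded by the space left in the destination. strncat(mtdparts, ..., MTDPARTS_LEN) passes a fixed count, and the third argument of strncat limits the bytes taken from the source, not the size of the destination; the mtdids side uses plain strcat. The code stays in bounds only because parts is sized 3 * MTDPARTS_LEN + 1, ids is MTDIDS_LEN + 1, and the two callers pass the short literals "nor0" and "nor1". Pass the buffer sizes into the helper and build both strings with snprintf against the remaining space, failing on truncation, so that a third device or a longer name cannot write past ids or parts.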
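Review bot: board/emulation/qemu-arm/Kconfig sources the new Kconfig only under TARGET_QEMU_ARM_64BIT && !TFABOOT, but qemu_mtdparts.c is built whenever CONFIG_SYS_MTDPARTS_RUNTIME is set and uses CONFIG_MTDPARTS_NOR0 and CONFIG_MTDPARTS_NOR1 inside a C if (IS_ENABLED(...)) block, which still has to compile when the condition is false. In any configuration that builds this file without sourcing the Kconfig (TFABOOT, or a target other than TARGET_QEMU_ARM_64BIT) those macros are undefined. Either source the Kconfig for every board that builds board/emulation/common, or guard the references with the preprocessor.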
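Review bot: select SYS_MTDPARTS_RUNTIME is added unconditionally to EFI_CAPSULE_FIRMWARE_MANAGEMENT in lib/efi_loader/Kconfig, which is default y, so every platform with capsule support gets the option forced on, while the only board_mtdparts_default() in this patch lives under board/emulation/common. select also ignores the dependencies of the selected symbol. Consider enabling SYS_MTDPARTS_RUNTIME from the QEMU board's Kconfig or defconfig, or using imply, so that other boards are unaffected.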
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 05/14] qemu: common: Set dfu_alt_info variable for the platform
Date: Wed, 23 Dec 2020 12:33:21 +0530
Message-Id: <20201223070330.21361-6-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

The dfu framework uses the dfu_alt_info environment variable to get information that is needed for performing the firmware update. Add logic to set the dfu_alt_info for the qemu arm64 platform to reflect the two mtd partitions created for the u-boot env and the firmware image. This can be subsequently extended for other qemu architectures which need this variable set.

Signed-off-by: Sughosh Ganu
---
Changes since V2:
* Move the functions to populate the dfu_alt_info variable under board/emulation/common for allowing subsequent re-use by other Qemu arch based platforms

 board/emulation/common/Makefile | 1 +
 board/emulation/common/qemu_dfu.c | 68 +++++++++++++++++++++++++++++++
 lib/efi_loader/Kconfig | 1 +
 3 files changed, 70 insertions(+)
 create mode 100644 board/emulation/common/qemu_dfu.c
--
2.17.1
diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile index de5c8d0c2a..c5b452e7e3 100644 --- a/board/emulation/common/Makefile +++ b/board/emulation/common/Makefile @@ -1,3 +1,4 @@ # SPDX-License-Identifier: GPL-2.0+ obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o +obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o diff --git a/board/emulation/common/qemu_dfu.c b/board/emulation/common/qemu_dfu.c new file mode 100644 index 0000000000..62234a7647 --- /dev/null +++ b/board/emulation/common/qemu_dfu.c @@ -0,0 +1,68 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2020 Linaro Limited + */ + +#include +#include +#include +#include +#include + +#define DFU_ALT_BUF_LEN SZ_1K + +static void board_get_alt_info(struct mtd_info *mtd, char *buf) +{ + struct mtd_info *part; + bool first = true; + const char *name; + int len, partnum = 0; + + name = mtd->name; + len = strlen(buf); + + if (buf[0] != '\0') + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "&"); + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, + "mtd %s=", name); + + list_for_each_entry(part, &mtd->partitions, node) { + partnum++; + if (!first) + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ";"); + first = false; + + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, + "%s part %d", + part->name, partnum); + } +} + +void set_dfu_alt_info(char *interface, char *devstr) +{ + struct mtd_info *mtd; + + ALLOC_CACHE_ALIGN_BUFFER(char, buf, DFU_ALT_BUF_LEN); + + if (env_get("dfu_alt_info")) + return; + + memset(buf, 0, sizeof(buf)); + + /* + * Currently dfu_alt_info is needed on Qemu ARM64 for + * capsule updates + */ + if (IS_ENABLED(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) && + IS_ENABLED(CONFIG_TARGET_QEMU_ARM_64BIT)) { + /* probe all MTD devices */ + mtd_probe_devices(); + + mtd = get_mtd_device_nm("nor0"); + if (!IS_ERR_OR_NULL(mtd)) + board_get_alt_info(mtd, buf); + } + + env_set("dfu_alt_info", buf); + printf("dfu_alt_info set\n"); +} 
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 2cb0a6e399..bc47e7fe76 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -136,6 +136,7 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT depends on EFI_HAVE_CAPSULE_SUPPORT default y select SYS_MTDPARTS_RUNTIME + select SET_DFU_ALT_INFO help Select this option if you want to enable capsule-based firmware update using Firmware Management Protocol.
From patchwork Wed Dec 23 07:03:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346991 Delivered-To: patch@linaro.org
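Review bot: in board_get_alt_info() in board/emulation/common/qemu_dfu.c, len is advanced by the return value of snprintf, which is the length the output would have had, not the number of bytes stored. Once the device name or partition list is long enough to truncate, len can exceed DFU_ALT_BUF_LEN; DFU_ALT_BUF_LEN - len then goes negative and is converted to a very large size, and buf + len points past the buffer. Stop appending and report the truncation as soon as len >= DFU_ALT_BUF_LEN. Also in set_dfu_alt_info(): get_mtd_device_nm("nor0") has no matching put_mtd_device(), unlike the mtdparts code earlier in the series, and memset(buf, 0, sizeof(buf)) should use DFU_ALT_BUF_LEN, since sizeof gives the buffer length only if ALLOC_CACHE_ALIGN_BUFFER declares buf as an array rather than a pointer.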
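Review bot: select SET_DFU_ALT_INFO in lib/efi_loader/Kconfig applies to every board that enables EFI_CAPSULE_FIRMWARE_MANAGEMENT, but the only set_dfu_alt_info() added by this patch is built from board/emulation/common. Does every other capsule-capable board provide its own implementation, or does this break their link? Selecting the option from the QEMU board configuration would keep the change local.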
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 06/14] fsp: Move and rename fsp_types.h file
Date: Wed, 23 Dec 2020 12:33:22 +0530
Message-Id: <20201223070330.21361-7-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

The fsp_types.h header file contains macros for building signatures of different widths. These signature macros are architecture agnostic, and can be used in all places which use signatures in a data structure. Move and rename the fsp_types.h under the common include header.

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

This patch had been sent to the mailing list separately[1] and has been reviewed by Simon Glass and Bin Meng and merged on the x86 tree.

[1] - https://lists.denx.de/pipermail/u-boot/2020-December/434849.html

 arch/x86/include/asm/fsp/fsp_support.h | 3 ++-
 .../x86/include/asm/fsp/fsp_types.h => include/signatures.h | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
 rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)
--
2.17.1
diff --git a/arch/x86/include/asm/fsp/fsp_support.h b/arch/x86/include/asm/fsp/fsp_support.h index 29e511415c..3cd3e4fcf5 100644 --- a/arch/x86/include/asm/fsp/fsp_support.h +++ b/arch/x86/include/asm/fsp/fsp_support.h @@ -7,11 +7,12 @@ #ifndef __FSP_SUPPORT_H__ #define __FSP_SUPPORT_H__ +#include + #include #include #include #include -#include #include #include diff --git a/arch/x86/include/asm/fsp/fsp_types.h b/include/signatures.h similarity index 95% rename from arch/x86/include/asm/fsp/fsp_types.h rename to include/signatures.h index 3d5b17ecf1..4042db1e00 100644 --- a/arch/x86/include/asm/fsp/fsp_types.h +++ b/include/signatures.h @@ -4,8 +4,8 @@ * Copyright (C) 2014, Bin Meng */ -#ifndef __FSP_TYPES_H__ -#define __FSP_TYPES_H__ +#ifndef __SIGNATURES_H__ +#define __SIGNATURES_H__ /** * Returns a 16-bit signature built from 2 ASCII characters. 
@@ -59,4 +59,4 @@ #define SIGNATURE_64(A, B, C, D, E, F, G, H) \ (SIGNATURE_32(A, B, C, D) | ((u64)(SIGNATURE_32(E, F, G, H)) << 32)) -#endif +#endif /* __SIGNATURES_H__ */
From patchwork Wed Dec 23 07:03:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346993 Delivered-To: patch@linaro.org
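Review bot: include/signatures.h becomes a common header, but the hunk at the include guard shows no #include after #define __SIGNATURES_H__, while SIGNATURE_64 casts to u64. Make the header self-contained by including the header that defines u64, so that it does not depend on include order at each user. Separately, the name signatures.h is easy to mistake for cryptographic signature support; these macros build values from ASCII characters, and a short comment at the top of the file saying so would help.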
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 07/14] efi_loader: Add logic to parse EDKII specific fmp payload header
Date: Wed, 23 Dec 2020 12:33:23 +0530
Message-Id: <20201223070330.21361-8-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

When building the capsule using scripts in edk2, a fmp header is added on top of the binary payload. Add logic to detect presence of the header. When present, the pointer to the image needs to be adjusted as per the size of the header to point to the actual binary payload.

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

 lib/efi_loader/efi_firmware.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
--
2.17.1
diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 72c560dbc2..5d2ecde2f1 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c
@@ -11,8 +11,30 @@ #include #include #include +#include + #include +#define FMP_PAYLOAD_HDR_SIGNATURE SIGNATURE_32('M', 'S', 'S', '1') + +/** + * struct fmp_payload_header - EDK2 header for the FMP payload + * + * This structure describes the header which is preprended to the + * FMP payload by the edk2 capsule generation scripts. + * + * @signature: Header signature used to identify the header + * @header_size: Size of the structure + * @fw_version: Firmware versions used + * @lowest_supported_version: Lowest supported version + */ +struct fmp_payload_header { + u32 signature; + u32 header_size; + u32 fw_version; + u32 lowest_supported_version; +}; + /* Place holder; not supported */ static efi_status_t EFIAPI efi_firmware_get_image_unsupported( 
@@ -379,12 +401,31 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( efi_status_t (*progress)(efi_uintn_t completion), u16 **abort_reason) { + u32 fmp_hdr_signature; + struct fmp_payload_header *header; + EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, image_size, vendor_code, progress, abort_reason); if (!image) return EFI_EXIT(EFI_INVALID_PARAMETER); + fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE; + header = (void *)image; + + if (!memcmp(&header->signature, &fmp_hdr_signature, + sizeof(fmp_hdr_signature))) { + /* + * When building the capsule with the scripts in + * edk2, a FMP header is inserted above the capsule + * payload. Compensate for this header to get the + * actual payload that is to be updated. + */ + image += header->header_size; + image_size -= header->header_size; + + } + if (dfu_write_by_alt(image_index - 1, (void *)image, image_size, NULL, NULL)) return EFI_EXIT(EFI_DEVICE_ERROR);
From patchwork Wed Dec 23 07:03:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346994 Delivered-To: patch@linaro.org
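Review bot: in the kernel-doc for struct fmp_payload_header in lib/efi_loader/efi_firmware.c, "preprended" should be "prepended", and @header_size is documented as "Size of the structure" while efi_firmware_raw_set_image() uses it as the offset from the start of the image to the payload. Document it as that offset, and state whether values other than sizeof(struct fmp_payload_header) are accepted.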
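Review bot: efi_firmware_raw_set_image() reads header->signature and header->header_size from the caller-supplied image without first checking image_size, and then does image_size -= header->header_size with no upper bound. An image shorter than the header is read past its end, and a header_size larger than image_size makes the subtraction underflow, with the result passed to dfu_write_by_alt() as the length. Check image_size >= sizeof(*header) before the memcmp, and return EFI_INVALID_PARAMETER unless header_size is at least sizeof(*header) and no larger than image_size. The stray blank line before the closing brace of the if block can go as well.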
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 08/14] dfu_mtd: Add provision to unlock mtd device
Date: Wed, 23 Dec 2020 12:33:24 +0530
Message-Id: <20201223070330.21361-9-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

Prior to writing to an mtd device, mtd_erase is called. This call fails in case the sector being erased is locked. Call mtd_unlock to unlock the region which is to be erased and later written to. Lock the region once the write to the region has completed.

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

 drivers/dfu/dfu_mtd.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
--
2.17.1
diff --git a/drivers/dfu/dfu_mtd.c b/drivers/dfu/dfu_mtd.c index 36cd4e945b..b34975dbb0 100644 --- a/drivers/dfu/dfu_mtd.c +++ b/drivers/dfu/dfu_mtd.c @@ -21,7 +21,7 @@ static bool mtd_is_aligned_with_block_size(struct mtd_info *mtd, u64 size) static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, u64 offset, void *buf, long *len) { - u64 off, lim, remaining; + u64 off, lim, remaining, lock_ofs, lock_len; struct mtd_info *mtd = dfu->data.mtd.info; struct mtd_oob_ops io_op = {}; int ret = 0;
@@ -34,7 +34,7 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, return 0; } - off = dfu->data.mtd.start + offset + dfu->bad_skip; + off = lock_ofs = dfu->data.mtd.start + offset + dfu->bad_skip; lim = dfu->data.mtd.start + dfu->data.mtd.size; if (off >= lim) { @@ -56,12 +56,19 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, if (op == DFU_OP_WRITE) { struct erase_info erase_op = {}; - remaining = round_up(*len, mtd->erasesize); + remaining = lock_len = round_up(*len, mtd->erasesize); erase_op.mtd = mtd; erase_op.addr = off; erase_op.len = mtd->erasesize; erase_op.scrub = 0; + debug("Unlocking the mtd device\n"); + ret = mtd_unlock(mtd, lock_ofs, lock_len); + if (ret && ret != -EOPNOTSUPP) { + printf("MTD device unlock failed\n"); + return 0; + } + while (remaining) { if (erase_op.addr + remaining > lim) { printf("Limit reached 0x%llx while erasing at offset 0x%llx\n", 
@@ -139,6 +146,13 @@ static int mtd_block_op(enum dfu_op op, struct dfu_entity *dfu, io_op.len = mtd->writesize; } + if (op == DFU_OP_WRITE) { + /* Write done, lock again */ + debug("Locking the mtd device\n"); + ret = mtd_lock(mtd, lock_ofs, lock_len); + if (ret && ret != -EOPNOTSUPP) + printf("MTD device lock failed\n"); + } return ret; }
From patchwork Wed Dec 23 07:03:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346995
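Review bot: in the DFU_OP_WRITE branch of mtd_block_op() in drivers/dfu/dfu_mtd.c ([PATCH v3 08/14]), the new mtd_unlock() failure path prints "MTD device unlock failed" and then does `return 0;`, which the function's final `return ret` convention reports as success although nothing was erased or written. Return ret there instead. lock_len is also taken as round_up(*len, mtd->erasesize) before the erase loop's "Limit reached" test against lim, so the unlocked window can extend past the end of the DFU entity; clamping lock_len to lim - lock_ofs would keep the unlock inside the region that is allowed to be written.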
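Review bot: in the last hunk of mtd_block_op() ([PATCH v3 08/14]), `ret = mtd_lock(mtd, lock_ofs, lock_len);` overwrites whatever ret held from the write loop, and that value is then returned unchanged. On a device without lock support every write now returns -EOPNOTSUPP (the `ret != -EOPNOTSUPP` test only suppresses the printf), and a failed write followed by a successful re-lock returns 0. Keep the lock result in a separate variable and propagate it only when ret was 0 and the error is not -EOPNOTSUPP. The re-lock runs only on this exit, so any early return between the unlock and this block (the erase loop's "Limit reached" branch is one to check) would leave the region unlocked.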
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 09/14] efi_loader: Make the pkcs7 header parsing function an extern
Date: Wed, 23 Dec 2020 12:33:25 +0530
Message-Id: <20201223070330.21361-10-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

The pkcs7 header parsing functionality is pretty generic, and can be used by other features like capsule authentication. Make the function an extern, also changing its name to efi_parse_pkcs7_header

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

include/efi_loader.h | 4 ++
lib/efi_loader/efi_signature.c | 85 +++++++++++++++++++++++++++++++
lib/efi_loader/efi_variable.c | 93 ++--------------------------------
3 files changed, 93 insertions(+), 89 deletions(-)
--
2.17.1
diff --git a/include/efi_loader.h b/include/efi_loader.h index 365f3d01dc..8807fcd913 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h
@@ -818,6 +818,10 @@ bool efi_secure_boot_enabled(void); bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, + size_t buflen, + u8 **tmpbuf); + /* runtime implementation of memcpy() */ void efi_memcpy_runtime(void *dest, const void *src, size_t n); diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 79dee27421..9ab071b611 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -27,6 +27,91 @@ const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; #ifdef CONFIG_EFI_SECURE_BOOT +static u8 pkcs7_hdr[] = { + /* SEQUENCE */ + 0x30, 0x82, 0x05, 0xc7, + /* OID: pkcs7-signedData */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, + /* Context Structured? */ + 0xa0, 0x82, 0x05, 0xb8, +}; + +/** + * efi_parse_pkcs7_header - parse a signature in payload + * @buf: Pointer to payload's value + * @buflen: Length of @buf + * @tmpbuf: Pointer to temporary buffer + * + * Parse a signature embedded in payload's value and instantiate + * a pkcs7_message structure. Since pkcs7_parse_message() accepts only + * pkcs7's signedData, some header needed be prepended for correctly + * parsing authentication data + * A temporary buffer will be allocated if needed, and it should be + * kept valid during the authentication because some data in the buffer + * will be referenced by efi_signature_verify(). + * + * Return: Pointer to pkcs7_message structure on success, NULL on error + */ +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, + size_t buflen, + u8 **tmpbuf) +{ + u8 *ebuf; + size_t ebuflen, len; + struct pkcs7_message *msg; + + /* + * This is the best assumption to check if the binary is + * already in a form of pkcs7's signedData. + */ + if (buflen > sizeof(pkcs7_hdr) && + !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { + msg = pkcs7_parse_message(buf, buflen); + if (IS_ERR(msg)) + return NULL; + return msg; + } + + /* + * Otherwise, we should add a dummy prefix sequence for pkcs7 + * message parser to be able to process. + * NOTE: EDK2 also uses similar hack in WrapPkcs7Data() + * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c + * TODO: + * The header should be composed in a more refined manner. 
+ */ + EFI_PRINT("Makeshift prefix added to authentication data\n"); + ebuflen = sizeof(pkcs7_hdr) + buflen; + if (ebuflen <= 0x7f) { + EFI_PRINT("Data is too short\n"); + return NULL; + } + + ebuf = malloc(ebuflen); + if (!ebuf) { + EFI_PRINT("Out of memory\n"); + return NULL; + } + + memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr)); + memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen); + len = ebuflen - 4; + ebuf[2] = (len >> 8) & 0xff; + ebuf[3] = len & 0xff; + len = ebuflen - 0x13; + ebuf[0x11] = (len >> 8) & 0xff; + ebuf[0x12] = len & 0xff; + + msg = pkcs7_parse_message(ebuf, ebuflen); + + if (IS_ERR(msg)) { + free(ebuf); + return NULL; + } + + *tmpbuf = ebuf; + return msg; +} /** * efi_hash_regions - calculate a hash value diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 0c689cfb47..ba0874e9e7 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c 
@@ -24,91 +24,6 @@ #include #ifdef CONFIG_EFI_SECURE_BOOT -static u8 pkcs7_hdr[] = { - /* SEQUENCE */ - 0x30, 0x82, 0x05, 0xc7, - /* OID: pkcs7-signedData */ - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, - /* Context Structured? */ - 0xa0, 0x82, 0x05, 0xb8, -}; - -/** - * efi_variable_parse_signature - parse a signature in variable - * @buf: Pointer to variable's value - * @buflen: Length of @buf - * @tmpbuf: Pointer to temporary buffer - * - * Parse a signature embedded in variable's value and instantiate - * a pkcs7_message structure. Since pkcs7_parse_message() accepts only - * pkcs7's signedData, some header needed be prepended for correctly - * parsing authentication data, particularly for variable's. - * A temporary buffer will be allocated if needed, and it should be - * kept valid during the authentication because some data in the buffer - * will be referenced by efi_signature_verify(). - * - * Return: Pointer to pkcs7_message structure on success, NULL on error - */ -static struct pkcs7_message *efi_variable_parse_signature(const void *buf, - size_t buflen, - u8 **tmpbuf) -{ - u8 *ebuf; - size_t ebuflen, len; - struct pkcs7_message *msg; - - /* - * This is the best assumption to check if the binary is - * already in a form of pkcs7's signedData. - */ - if (buflen > sizeof(pkcs7_hdr) && - !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { - msg = pkcs7_parse_message(buf, buflen); - if (IS_ERR(msg)) - return NULL; - return msg; - } - - /* - * Otherwise, we should add a dummy prefix sequence for pkcs7 - * message parser to be able to process. - * NOTE: EDK2 also uses similar hack in WrapPkcs7Data() - * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c - * TODO: - * The header should be composed in a more refined manner. 
- */ - EFI_PRINT("Makeshift prefix added to authentication data\n"); - ebuflen = sizeof(pkcs7_hdr) + buflen; - if (ebuflen <= 0x7f) { - EFI_PRINT("Data is too short\n"); - return NULL; - } - - ebuf = malloc(ebuflen); - if (!ebuf) { - EFI_PRINT("Out of memory\n"); - return NULL; - } - - memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr)); - memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen); - len = ebuflen - 4; - ebuf[2] = (len >> 8) & 0xff; - ebuf[3] = len & 0xff; - len = ebuflen - 0x13; - ebuf[0x11] = (len >> 8) & 0xff; - ebuf[0x12] = len & 0xff; - - msg = pkcs7_parse_message(ebuf, ebuflen); - - if (IS_ERR(msg)) { - free(ebuf); - return NULL; - } - - *tmpbuf = ebuf; - return msg; -} /** * efi_variable_authenticate - authenticate a variable 
@@ -215,10 +130,10 @@ static efi_status_t efi_variable_authenticate(u16 *variable, goto err; /* ebuf should be kept valid during the authentication */ - var_sig = efi_variable_parse_signature(auth->auth_info.cert_data, - auth->auth_info.hdr.dwLength - - sizeof(auth->auth_info), - &ebuf); + var_sig = efi_parse_pkcs7_header(auth->auth_info.cert_data, + auth->auth_info.hdr.dwLength + - sizeof(auth->auth_info), + &ebuf); if (!var_sig) { EFI_PRINT("Parsing variable's signature failed\n"); goto err;
From patchwork Wed Dec 23 07:03:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346996
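Review bot: in efi_parse_pkcs7_header() as added to lib/efi_loader/efi_signature.c ([PATCH v3 09/14]), the wrapped length is written into two bytes (`ebuf[2] = (len >> 8) & 0xff; ebuf[3] = len & 0xff;`, and likewise ebuf[0x11] and ebuf[0x12]), but only the lower bound `ebuflen <= 0x7f` is checked. Now that the function is extern and intended for capsule authentication data as well, reject input where ebuflen - 4 exceeds 0xffff instead of emitting a truncated DER length to pkcs7_parse_message(). The kernel-doc should also state that *tmpbuf is left untouched on the path where the data is already signedData, so callers have to initialise it to NULL before the call and free it afterwards. pkcs7_hdr could become const while it is being moved.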
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 10/14] efi_loader: Re-factor code to build the signature store from efi signature list
Date: Wed, 23 Dec 2020 12:33:26 +0530
Message-Id: <20201223070330.21361-11-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

The efi_sigstore_parse_sigdb function reads the uefi authenticated variable, stored in the signature database format and builds the signature store structure. Factor out the code for building the signature store. This can then be used by the capsule authentication routine to build the signature store even when the signature database is not stored as an uefi authenticated variable

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

include/efi_loader.h | 2 +
lib/efi_loader/efi_signature.c | 103 +++++++++++++++++++--------------
2 files changed, 63 insertions(+), 42 deletions(-)
--
2.17.1
diff --git a/include/efi_loader.h b/include/efi_loader.h index 8807fcd913..73c3c4b85a 100644
--- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -811,6 +811,8 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs, int nocheck); void efi_sigstore_free(struct efi_signature_store *sigstore); +struct efi_signature_store *efi_build_signature_store(void *sig_list, + efi_uintn_t size); struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name); bool efi_secure_boot_enabled(void); diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 9ab071b611..87525bdc80 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -736,6 +736,63 @@ err: return NULL; } +/** + * efi_sigstore_parse_sigdb - parse the signature list and populate + * the signature store + * + * @sig_list: Pointer to the signature list + * @size: Size of the signature list + * + * Parse the efi signature list and instantiate a signature store + * structure. + * + * Return: Pointer to signature store on success, NULL on error + */ +struct efi_signature_store *efi_build_signature_store(void *sig_list, + efi_uintn_t size) +{ + struct efi_signature_list *esl; + struct efi_signature_store *sigstore = NULL, *siglist; + + esl = sig_list; + while (size > 0) { + /* List must exist if there is remaining data. */ + if (size < sizeof(*esl)) { + EFI_PRINT("Signature list in wrong format\n"); + goto err; + } + + if (size < esl->signature_list_size) { + EFI_PRINT("Signature list in wrong format\n"); + goto err; + } + + /* Parse a single siglist. */ + siglist = efi_sigstore_parse_siglist(esl); + if (!siglist) { + EFI_PRINT("Parsing of signature list of failed\n"); + goto err; + } + + /* Append siglist */ + siglist->next = sigstore; + sigstore = siglist; + + /* Next */ + size -= esl->signature_list_size; + esl = (void *)esl + esl->signature_list_size; + } + free(sig_list); + + return sigstore; + +err: + efi_sigstore_free(sigstore); + free(sig_list); + + return NULL; +} + /** * efi_sigstore_parse_sigdb - parse a signature database variable * @name: Variable's name @@ -747,8 +804,7 @@ err: */ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) { - struct efi_signature_store *sigstore = NULL, *siglist; - struct efi_signature_list *esl; + struct efi_signature_store *sigstore = NULL; const efi_guid_t *vendor; void *db; efi_uintn_t db_size; 
@@ -784,47 +840,10 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db)); if (ret != EFI_SUCCESS) { EFI_PRINT("Getting variable, %ls, failed\n", name); - goto err; - } - - /* Parse siglist list */ - esl = db; - while (db_size > 0) { - /* List must exist if there is remaining data. */ - if (db_size < sizeof(*esl)) { - EFI_PRINT("variable, %ls, in wrong format\n", name); - goto err; - } - - if (db_size < esl->signature_list_size) { - EFI_PRINT("variable, %ls, in wrong format\n", name); - goto err; - } - - /* Parse a single siglist. */ - siglist = efi_sigstore_parse_siglist(esl); - if (!siglist) { - EFI_PRINT("Parsing signature list of %ls failed\n", - name); - goto err; - } - - /* Append siglist */ - siglist->next = sigstore; - sigstore = siglist; - - /* Next */ - db_size -= esl->signature_list_size; - esl = (void *)esl + esl->signature_list_size; + free(db); + return NULL; } - free(db); - - return sigstore; -err: - efi_sigstore_free(sigstore); - free(db); - - return NULL; + return efi_build_signature_store(db, db_size); } #endif /* CONFIG_EFI_SECURE_BOOT */
From patchwork Wed Dec 23 07:03:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346997
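Review bot: efi_build_signature_store() in lib/efi_loader/efi_signature.c ([PATCH v3 10/14]) calls free(sig_list) on both the success and the err paths, so it consumes a buffer the caller passed in, and neither the kernel-doc nor the prototype in include/efi_loader.h says so. Either document that sig_list must be heap-allocated and is owned by the function after the call, or leave the free to the caller (efi_sigstore_parse_sigdb() can free db itself). The kernel-doc block above the new function is still titled efi_sigstore_parse_sigdb. Since the list can now come from a source other than an authenticated variable, consider also rejecting an esl->signature_list_size smaller than sizeof(*esl) in the loop: only the upper bound against size is checked in these lines, and the loop advances by that field.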
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 11/14] efi: capsule: Add support for uefi capsule authentication
Date: Wed, 23 Dec 2020 12:33:27 +0530
Message-Id: <20201223070330.21361-12-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list(esl) file -- this file contains the x509 certificate which is the root certificate.

Signed-off-by: Sughosh Ganu
---
Changes since V2:
* Move the function for fetching the public key certificate from the platform's dtb under board/emulation/common directory.
* Move the function for checking the capsule_authentication_enabled env variable under board/emulation/common directory.

board/emulation/common/Makefile | 1 +
board/emulation/common/qemu_capsule.c | 48 ++++++++++
include/efi_api.h | 18 ++++
include/efi_loader.h | 6 ++
lib/efi_loader/Kconfig | 17 ++++
lib/efi_loader/efi_capsule.c | 122 ++++++++++++++++++++++++++
lib/efi_loader/efi_signature.c | 4 +-
7 files changed, 214 insertions(+), 2 deletions(-)
create mode 100644 board/emulation/common/qemu_capsule.c
--
2.17.1
diff --git a/board/emulation/common/Makefile b/board/emulation/common/Makefile index c5b452e7e3..7ed447a69d 100644 --- a/board/emulation/common/Makefile +++ b/board/emulation/common/Makefile @@ -2,3 +2,4 @@ obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o +obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c new file mode 100644 index 0000000000..f1d403501a --- /dev/null +++ b/board/emulation/common/qemu_capsule.c @@ -0,0 +1,48 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2020 Linaro Limited + */ + +#include +#include +#include +#include +#include + +DECLARE_GLOBAL_DATA_PTR; + +int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + const void *fdt_blob = gd->fdt_blob; + const void *blob; + const char *cnode_name = "capsule-key"; + const char *snode_name = "signature"; + int sig_node; + int len; + + sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); + if (sig_node < 0) { + EFI_PRINT("Unable to get signature node offset\n"); + return -FDT_ERR_NOTFOUND; + } + + blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); + + if (!blob || len < 0) { + EFI_PRINT("Unable to get capsule-key value\n"); + *pkey = NULL; + *pkey_len = 0; + return -FDT_ERR_NOTFOUND; + } + + *pkey = (void *)blob; + *pkey_len = len; + + return 0; +} + +bool efi_capsule_auth_enabled(void) +{ + return env_get("capsule_authentication_enabled") != NULL ? + true : false; +} diff --git a/include/efi_api.h b/include/efi_api.h index e82d4ca9ff..ecb43a0607 100644 --- a/include/efi_api.h +++ b/include/efi_api.h 
@@ -1812,6 +1812,24 @@ struct efi_variable_authentication_2 { struct win_certificate_uefi_guid auth_info; } __attribute__((__packed__)); +/** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __attribute__((__packed__)); + + /** * efi_signature_data - A format of signature * diff --git a/include/efi_loader.h b/include/efi_loader.h index 73c3c4b85a..fb3e974aa1 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -817,6 +817,8 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name); bool efi_secure_boot_enabled(void); +bool efi_capsule_auth_enabled(void); + bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); @@ -844,6 +846,10 @@ efi_status_t EFIAPI efi_query_capsule_caps( u64 *maximum_capsule_size, u32 *reset_type); +efi_status_t efi_capsule_authenticate(const void *capsule, + efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size); + #define EFI_CAPSULE_DIR L"\\EFI\\UpdateCapsule\\" /* Hook at initialization */ diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index bc47e7fe76..3e8533c430 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -141,6 +141,23 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT Select this option if you want to enable capsule-based firmware update using Firmware Management Protocol. +config EFI_CAPSULE_AUTHENTICATE + bool "Update Capsule authentication" + depends on EFI_CAPSULE_FIRMWARE + depends on EFI_CAPSULE_ON_DISK + depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT + select SHA256 + select RSA + select RSA_VERIFY + select RSA_VERIFY_WITH_PKEY + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + select PKCS7_VERIFY + default n + help + Select this option if you want to enable capsule + authentication + config EFI_CAPSULE_FIRMWARE_FIT bool "FMP driver for FIT image" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index ea22ee7968..d9a7bbd509 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -14,6 +14,10 @@ #include #include +#include +#include +#include + const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID; static const efi_guid_t efi_guid_firmware_management_capsule_id = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; 
@@ -191,6 +195,124 @@ skip: return NULL; } +#if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) + +const efi_guid_t efi_guid_capsule_root_cert_guid = + EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; + +__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +{ + /* The platform is supposed to provide + * a method for getting the public key + * stored in the form of efi signature + * list + */ + return 0; +} + +efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size) +{ + u8 *buf; + int ret; + void *fdt_pkey, *pkey; + efi_uintn_t pkey_len; + uint64_t monotonic_count; + struct efi_signature_store *truststore; + struct pkcs7_message *capsule_sig; + struct efi_image_regions *regs; + struct efi_firmware_image_authentication *auth_hdr; + efi_status_t status; + + status = EFI_SECURITY_VIOLATION; + capsule_sig = NULL; + truststore = NULL; + regs = NULL; + + /* Sanity checks */ + if (capsule == NULL || capsule_size == 0) + goto out; + + auth_hdr = (struct efi_firmware_image_authentication *)capsule; + if (capsule_size < sizeof(*auth_hdr)) + goto out; + + if (auth_hdr->auth_info.hdr.dwLength <= + offsetof(struct win_certificate_uefi_guid, cert_data)) + goto out; + + if (guidcmp(&auth_hdr->auth_info.cert_type, &efi_guid_cert_type_pkcs7)) + goto out; + + *image = (uint8_t *)capsule + sizeof(auth_hdr->monotonic_count) + + auth_hdr->auth_info.hdr.dwLength; + *image_size = capsule_size - auth_hdr->auth_info.hdr.dwLength - + sizeof(auth_hdr->monotonic_count); + memcpy(&monotonic_count, &auth_hdr->monotonic_count, + sizeof(monotonic_count)); + + /* data to be digested */ + regs = calloc(sizeof(*regs) + sizeof(struct image_region) * 2, 1); + if (!regs) + goto out; + + regs->max = 2; + efi_image_region_add(regs, (uint8_t *)*image, + (uint8_t *)*image + *image_size, 1); + + efi_image_region_add(regs, (uint8_t *)&monotonic_count, + (uint8_t *)&monotonic_count + sizeof(monotonic_count), + 1); + + capsule_sig = 
efi_parse_pkcs7_header(auth_hdr->auth_info.cert_data, + auth_hdr->auth_info.hdr.dwLength + - sizeof(auth_hdr->auth_info), + &buf); + if (IS_ERR(capsule_sig)) { + debug("Parsing variable's pkcs7 header failed\n"); + capsule_sig = NULL; + goto out; + } + + ret = efi_get_public_key_data(&fdt_pkey, &pkey_len); + if (ret < 0) + goto out; + + pkey = malloc(pkey_len); + if (!pkey) + goto out; + + memcpy(pkey, fdt_pkey, pkey_len); + truststore = efi_build_signature_store(pkey, pkey_len); + if (!truststore) + goto out; + + /* verify signature */ + if (efi_signature_verify(regs, capsule_sig, truststore, NULL)) { + debug("Verified\n"); + } else { + debug("Verifying variable's signature failed\n"); + goto out; + } + + status = EFI_SUCCESS; + +out: + efi_sigstore_free(truststore); + pkcs7_free_message(capsule_sig); + free(regs); + + return status; +} +#else +efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size) +{ + return EFI_UNSUPPORTED; +} +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */ + + /** * efi_capsule_update_firmware - update firmware from capsule * @capsule_data: Capsule diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 87525bdc80..c7ec275414 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -26,7 +26,7 @@ const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; -#ifdef CONFIG_EFI_SECURE_BOOT +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) static u8 pkcs7_hdr[] = { /* SEQUENCE */ 0x30, 0x82, 0x05, 0xc7, 
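Review bot: In efi_capsule_authenticate() (the @@ -191,6 +195,124 @@ hunk of efi_capsule.c), auth_info.hdr.dwLength is checked only against a lower bound before it is used to compute *image and *image_size. A capsule whose dwLength is larger than capsule_size - sizeof(auth_hdr->monotonic_count) makes the subtraction for *image_size wrap, and the region passed to efi_image_region_add() then extends past the end of the buffer before any signature has been checked; please reject that case next to the existing sanity checks. Second, the __weak efi_get_public_key_data() returns 0 without writing *pkey or *pkey_len, so on a board that does not override it the caller goes on to malloc(pkey_len) and memcpy() from uninitialised values; the default should return a negative error so that verification fails closed. Smaller points: buf is filled in by efi_parse_pkcs7_header() and never used or freed afterwards, efi_guid_capsule_root_cert_guid is initialised with EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID and is not referenced in this hunk, and the two debug() strings still speak of a variable rather than a capsule.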
@@ -846,4 +846,4 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) return efi_build_signature_store(db, db_size); } -#endif /* CONFIG_EFI_SECURE_BOOT */ +#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 12/14] efi_loader: Enable uefi capsule authentication
Date: Wed, 23 Dec 2020 12:33:28 +0530
Message-Id: <20201223070330.21361-13-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

Add support for enabling uefi capsule authentication. This feature is enabled by setting the environment variable "capsule_authentication_enabled".

The following configs are needed for enabling uefi capsule update and capsule authentication features on the platform.

CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

 lib/efi_loader/efi_firmware.c | 36 ++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
-- 2.17.1

diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 5d2ecde2f1..5e401bbca2 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c
@@ -184,9 +184,16 @@ static efi_status_t efi_get_dfu_info( image_info[i].version_name = NULL; /* not supported */ image_info[i].size = 0; image_info[i].attributes_supported = - IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | + IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; image_info[i].attributes_setting = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + + /* Check if the capsule authentication is enabled */ + if (env_get("capsule_authentication_enabled")) + image_info[0].attributes_setting |= + IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; + image_info[i].lowest_supported_image_version = 0; image_info[i].last_attempt_version = 0; image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS; @@ -403,6 +410,9 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( { u32 fmp_hdr_signature; struct fmp_payload_header *header; + void *capsule_payload; + efi_status_t status; + efi_uintn_t capsule_payload_size; EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, image_size, vendor_code, progress, abort_reason); 
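Review bot: In the efi_get_dfu_info() hunk the new statement sets image_info[0].attributes_setting while every assignment around it indexes image_info[i], so only the first descriptor can ever report IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; this should be image_info[i]. The flag is also added to attributes_supported, and to attributes_setting when the variable is set, without an IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) test, whereas efi_firmware_raw_set_image() in the same patch authenticates only when that option is built in. A build without the option can therefore advertise authentication that it does not perform.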
@@ -410,6 +420,30 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( if (!image) return EFI_EXIT(EFI_INVALID_PARAMETER); + /* Authenticate the capsule if authentication enabled */ + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && + env_get("capsule_authentication_enabled")) { + capsule_payload = NULL; + capsule_payload_size = 0; + status = efi_capsule_authenticate(image, image_size, + &capsule_payload, + &capsule_payload_size); + + if (status == EFI_SECURITY_VIOLATION) { + printf("Capsule authentication check failed. Aborting update\n"); + return EFI_EXIT(status); + } else if (status != EFI_SUCCESS) { + return EFI_EXIT(status); + } + + debug("Capsule authentication successfull\n"); + image = capsule_payload; + image_size = capsule_payload_size; + } else { + debug("Capsule authentication disabled. "); + debug("Updating capsule without authenticating.\n"); + } + fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE; header = (void *)image;
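Review bot: In efi_firmware_raw_set_image() the signature check runs only when env_get("capsule_authentication_enabled") returns non-NULL, and the else branch carries on to write the image with nothing more than a debug() message. With CONFIG_EFI_CAPSULE_AUTHENTICATE=y this makes a writable environment variable the switch for the whole feature: if the variable is cleared, or the saved environment is lost, the update path silently goes back to accepting unsigned capsules. I would make authentication unconditional when the option is built in, or at least refuse the update with a printed error, and keep the environment out of the security decision. Minor: both status branches end in return EFI_EXIT(status) and can be folded so that only the printf() is conditional, and "successfull" in the debug string should be "successful".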
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 13/14] efidebug: capsule: Add a command to update capsule on disk
Date: Wed, 23 Dec 2020 12:33:29 +0530
Message-Id: <20201223070330.21361-14-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

Add an efidebug subcommand to initiate a firmware update using the efi firmware management protocol (fmp) set_image routine.

The firmware update can be initiated through

'efidebug capsule disk-update'

This would locate the efi capsule file on the efi system partition, and call the platform's set_image fmp routine to initiate the firmware update.

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

 cmd/efidebug.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
-- 2.17.1

diff --git a/cmd/efidebug.c b/cmd/efidebug.c index fa9d7fe757..5fb7b1e3c6 100644 --- a/cmd/efidebug.c +++ b/cmd/efidebug.c @@ -79,6 +79,16 @@ static int do_efi_capsule_update(struct cmd_tbl *cmdtp, int flag, return CMD_RET_SUCCESS; } +static int do_efi_capsule_on_disk_update(struct cmd_tbl *cmdtp, int flag, + int argc, char * const argv[]) +{ + efi_status_t ret; + + ret = efi_launch_capsules(); + + return ret == EFI_SUCCESS ? CMD_RET_SUCCESS : CMD_RET_FAILURE; +} + /** * do_efi_capsule_show() - show capsule information * 
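Review bot: do_efi_capsule_on_disk_update() is added without a kernel-doc block, although do_efi_capsule_show() directly below it has one; please document the parameters and the return value in the same style. The handler also never looks at argc or argv, so extra arguments after disk-update are accepted silently, and returning CMD_RET_USAGE in that case would be friendlier. One question: is efi_launch_capsules() always available where this function is compiled? The help text in this file is guarded by CONFIG_EFI_HAVE_CAPSULE_SUPPORT only, while the on-disk path has its own EFI_CAPSULE_ON_DISK option in this series.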
@@ -207,6 +217,8 @@ static struct cmd_tbl cmd_efidebug_capsule_sub[] = { "", ""), U_BOOT_CMD_MKENT(show, CONFIG_SYS_MAXARGS, 1, do_efi_capsule_show, "", ""), + U_BOOT_CMD_MKENT(disk-update, 0, 0, do_efi_capsule_on_disk_update, + "", ""), U_BOOT_CMD_MKENT(result, CONFIG_SYS_MAXARGS, 1, do_efi_capsule_res, "", ""), }; 
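Review bot: The disk-update entry passes 0, 0 for maxargs and repeatable where the neighbouring show and result entries pass CONFIG_SYS_MAXARGS, 1. Please either match the neighbours or note why 0 is the right value for a sub-command that takes no arguments.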
@@ -1544,6 +1556,8 @@ static char efidebug_help_text[] = #ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT "efidebug capsule update [-v] \n" " - process a capsule\n" + "efidebug capsule disk-update\n" + " - update a capsule from disk\n" "efidebug capsule show \n" " - show capsule information\n" "efidebug capsule result []\n"
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 14/14] qemu: arm64: Add documentation for capsule update
Date: Wed, 23 Dec 2020 12:33:30 +0530
Message-Id: <20201223070330.21361-15-sughosh.ganu@linaro.org>
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

Add documentation highlighting the steps for using the uefi capsule update feature for updating the u-boot firmware image.

Signed-off-by: Sughosh Ganu
---
Changes since V2:
* Moved the capsule update related documentation for the Qemu platform to a new file under doc/board/emulation/ directory.
* Incorporated all typo review comments from Heinrich
* Put in a skeletal overlay dts file for reference, as was suggested by Heinrich

 doc/board/emulation/index.rst | 1 +
 doc/board/emulation/qemu_capsule_update.rst | 210 ++++++++++++++++++++
 2 files changed, 211 insertions(+)
 create mode 100644 doc/board/emulation/qemu_capsule_update.rst
-- 2.17.1

diff --git a/doc/board/emulation/index.rst b/doc/board/emulation/index.rst index 1adefee155..a09ead1c35 100644 --- a/doc/board/emulation/index.rst +++ b/doc/board/emulation/index.rst @@ -10,3 +10,4 @@ Emulation qemu-mips qemu-riscv qemu-x86 + qemu_capsule_update 
diff --git a/doc/board/emulation/qemu_capsule_update.rst b/doc/board/emulation/qemu_capsule_update.rst new file mode 100644 index 0000000000..9fec75f8f1 --- /dev/null +++ b/doc/board/emulation/qemu_capsule_update.rst 
@@ -0,0 +1,210 @@ +.. SPDX-License-Identifier: GPL-2.0+ +.. Copyright (C) 2020, Linaro Limited + +Enabling UEFI Capsule Update feature +------------------------------------ + +Support has been added for the UEFI capsule update feature which +enables updating the U-Boot image using the UEFI firmware management +protocol (fmp). The capsules are not passed to the firmware through +the UpdateCapsule runtime service. Instead, capsule-on-disk +functionality is used for fetching the capsule from the EFI System +Partition (ESP) by placing the capsule file under the +\EFI\UpdateCapsule directory. + +Currently, support has been added on the QEMU ARM64 virt platform for +updating the U-Boot binary as a raw image when the platform is booted +in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this +configuration, the QEMU platform needs to be booted with +'secure=off'. The U-Boot binary placed on the first bank of the NOR +flash at offset 0x0. The U-Boot environment is placed on the second +NOR flash bank at offset 0x4000000. + +The capsule update feature is enabled with the following configuration +settings:: + + CONFIG_MTD=y + CONFIG_FLASH_CFI_MTD=y + CONFIG_CMD_MTDPARTS=y + CONFIG_CMD_DFU=y + CONFIG_DFU_MTD=y + CONFIG_PCI_INIT_R=y + CONFIG_EFI_CAPSULE_ON_DISK=y + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y + CONFIG_EFI_CAPSULE_FIRMWARE=y + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + CONFIG_EFI_CAPSULE_FMP_HEADER=y + +In addition, the following config needs to be disabled(QEMU ARM specific):: + + CONFIG_TFABOOT + +The capsule file can be generated by using the GenerateCapsule.py +script in EDKII:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --fw-version --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + --verbose + +The above is a wrapper script(GenerateCapsule) which eventually calls +the actual GenerateCapsule.py script. 
+ +As per the UEFI specification, the capsule file needs to be placed on +the EFI System Partition, under the \EFI\UpdateCapsule directory. The +EFI System Partition can be a virtio-blk-device. + +Before initiating the firmware update, the efi variables BootNext, +BootXXXX and OsIndications need to be set. The BootXXXX variable needs +to be pointing to the EFI System Partition which contains the capsule +file. The BootNext, BootXXXX and OsIndications variables can be set +using the following commands:: + + => efidebug boot add 0 Boot0000 virtio 0:1 + => efidebug boot next 0 + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => saveenv + +Finally, the capsule update can be initiated with the following +command:: + + => efidebug capsule disk-update + +The updated U-Boot image will be booted on subsequent boot. + +Enabling Capsule Authentication +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The UEFI specification defines a way of authenticating the capsule to +be updated by verifying the capsule signature. The capsule signature +is computed and prepended to the capsule payload at the time of +capsule generation. This signature is then verified by using the +public key stored as part of the X509 certificate. This certificate is +in the form of an efi signature list (esl) file, which is embedded as +part of the platform's device tree blob using the mkeficapsule +utility. + +On the QEMU virt platforms, the device-tree is generated on the fly +based on the devices configured. This device tree is then passed on to +the various software components booting on the platform, including +U-Boot. Therefore, on the QEMU virt platform, the signatute is +embedded on an overlay. This overlay is then applied at runtime to the +base platform device-tree. Steps needed for embedding the esl file in +the overlay are highlighted below. 
+ +The capsule authentication feature can be enabled through the +following config, in addition to the configs listed above for capsule +update:: + + CONFIG_EFI_CAPSULE_AUTHENTICATE=y + +The public and private keys used for the signing process are generated +and used by the steps highlighted below:: + + 1. Install utility commands on your host + * OPENSSL + * efitools + + 2. Create signing keys and certificate files on your host + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ + -keyout CRT.key -out CRT.crt -nodes -days 365 + $ cert-to-efi-sig-list CRT.crt CRT.esl + + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem + + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem + +The capsule file can be generated by using the GenerateCapsule.py +script in EDKII:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + --monotonic-count --fw-version \ + --lsv --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ + --update-image-index --signer-private-cert \ + /path/to/CRT.pem --trusted-public-cert \ + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ + + +Place the capsule generated in the above step on the EFI System +Partition under the EFI/UpdateCapsule directory + +For embedding the public key certificate, the following steps need to +be followed:: + + 1. Generate a skeleton overlay dts file, with a single fragment + node and an empty __overlay__ node + + A typical skeleton overlay file will look like this + + /dts-v1/; + /plugin/; + + / { + fragment@0 { + target-path = "/"; + __overlay__ { + }; + }; + }; + + + 2. Convert the dts to a corresponding dtb with the following + command + ./scripts/dtc/dtc -@ -I dts -O dtb -o \ + + + 3. 
Run the dtb file generated above through the mkeficapsule tool + in U-Boot + ./tools/mkeficapsule -O -D + +Running the above command results in the creation of a 'signature' +node in the dtb, under which the public key is stored as a +'capsule-key' property. The '-O' option is to be used since the +public key certificate(esl) file is being embedded in an overlay. + +The dtb file embedded with the certificate is now to be placed on an +EFI System Partition. This would then be loaded and "merged" with the +base platform flattened device-tree(dtb) at runtime. + +Build U-Boot with the following steps(QEMU ARM64):: + + $ make qemu_arm64_defconfig + $ make menuconfig + Disable CONFIG_TFABOOT + Enable CONFIG_EFI_CAPSULE_AUTHENTICATE + Enable all configs needed for capsule update(listed above) + $ make all + +Boot the platform and perform the following steps on the U-Boot +command line:: + + 1. Enable capsule authentication by setting the following env + variable + + => setenv capsule_authentication_enabled 1 + => saveenv + + 2. Load the overlay dtb to memory and merge it with the base fdt + + => fatload virtio 0:1 <$fdtovaddr> EFI/ + => fdt addr $fdtcontroladdr + => fdt resize + => fdt apply <$fdtovaddr> + + 3. Set the following environment and UEFI boot variables + + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => efidebug boot add 0 Boot0000 virtio 0:1 + => efidebug boot next 0 + => saveenv + + 4. Finally, the capsule update can be initiated with the following + command + + => efidebug capsule disk-update + +On subsequent reboot, the platform should boot the updated U-Boot binary.
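Review bot: In the "Enabling Capsule Authentication" section the overlay that carries the public key (the capsule-key property) is loaded with fatload from virtio 0:1, the same EFI System Partition that Boot0000 points at for the capsule being verified, and step 1 switches the check on through a saved environment variable. The document should say that this layout is a QEMU test convenience and that on a real platform the key and the enable switch have to come from storage the updater cannot write, otherwise whoever can place a capsule can also replace the key it is checked against. In the same section, "the signatute is embedded on an overlay" has a typo and should refer to the public key certificate (esl), which is what the later paragraph says mkeficapsule embeds. The openssl commands use -nodes, which leaves the private key unencrypted and is worth flagging as test-only. Two smaller fixes: the capsule directory is written as \EFI\UpdateCapsule in one place and EFI/UpdateCapsule in another, and "The U-Boot binary placed on the first bank" in the first section is missing "is".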