Message ID | 20210727091054.512050-1-takahiro.akashi@linaro.org |
---|---|
Series | efi_loader: capsule: improve capsule authentication support |
On 7/27/21 11:10 AM, AKASHI Takahiro wrote:
> As I proposed and discussed in [1] and [2], I have made a couple of
> improvements on the current implementation of capsule update in this
> patch set.
>
> * add signing feature to mkeficapsule
> * add "--guid" option to mkeficapsule
> * add man page of mkeficapsule
> * add pytest for capsule authentication (on sandbox)
>
> NOTE:
> Due to Ilias's commit[3], we need to have a customized configuration
> for sandbox to properly set up and run capsule authentication test.
> See patch#5,#6 and #7.
>
> [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> [3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to
>     .rodata")

Dear Takahiro,

thanks for driving this topic. I have finished with my review and will
be waiting for v2.

Best regards

Heinrich

>
> Prerequisite patches
> ====================
> None
>
> Test
> ====
> * locally passed the pytest which is included in this patch series
>   on sandbox built.
>
> Todo
> ====
> * Confirm that the change in .gitlab-ci.yml works.
> * Azure support(?)
>
> Changes
> =======
> v2 (July 28, 2021)
> * rebased on v2021.10-rc*
> * removed dependency on target's configuration
> * removed fdtsig.sh and others
> * add man page
> * update the UEFI document
> * add dedicate defconfig for testing on sandbox
> * add gitlab CI support
> * add "--guid" option to mkeficapsule
>   (yet rather RFC)
>
> Initial release (May 12, 2021)
> * based on v2021.07-rc2
>
> AKASHI Takahiro (9):
>   tools: mkeficapsule: add firmwware image signing
>   tools: mkeficapsule: add man page
>   doc: update UEFI document for usage of mkeficapsule
>   efi_loader: ease the file path check for public key
>   test/py: efi_capsule: add image authentication test
>   sandbox: add config for efi capsule authentication test
>   GitLab: add a test rule for efi capsule authentication test
>   tools: mkeficapsule: allow for specifying GUID explicitly
>   test/py: efi_capsule: align with the syntax change of mkeficapsule
>
>  .gitlab-ci.yml                                |   6 +
>  MAINTAINERS                                   |   1 +
>  configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
>  doc/develop/uefi/uefi.rst                     |  31 +-
>  doc/mkeficapsule.1                            |  98 +++++
>  lib/efi_loader/Makefile                       |   5 +-
>  test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
>  test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
>  test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
>  test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
>  test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
>  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
>  test/py/tests/test_efi_capsule/conftest.py    |  39 +-
>  .../test_capsule_firmware_signed.py           | 228 +++++++++++
>  tools/Kconfig                                 |   7 +
>  tools/Makefile                                |   8 +-
>  tools/mkeficapsule.c                          | 368 ++++++++++++++++--
>  17 files changed, 1129 insertions(+), 68 deletions(-)
>  create mode 100644 configs/sandbox_capsule_auth_defconfig
>  create mode 100644 doc/mkeficapsule.1
>  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
>  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
>  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
>  create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
>  create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
>  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
>

Heinrich,

On Sun, Aug 01, 2021 at 11:40:14AM +0200, Heinrich Schuchardt wrote:
> On 7/27/21 11:10 AM, AKASHI Takahiro wrote:
> > As I proposed and discussed in [1] and [2], I have made a couple of
> > improvements on the current implementation of capsule update in this
> > patch set.
> >
> > * add signing feature to mkeficapsule
> > * add "--guid" option to mkeficapsule
> > * add man page of mkeficapsule
> > * add pytest for capsule authentication (on sandbox)
> >
> > NOTE:
> > Due to Ilias's commit[3], we need to have a customized configuration
> > for sandbox to properly set up and run capsule authentication test.
> > See patch#5,#6 and #7.
> >
> > [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> > [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> > [3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to
> >     .rodata")
>
> Dear Takahiro,
>
> thanks for driving this topic. I have finished with my review and will
> be waiting for v2.

Thanks for your review comments.

I'd like to know what's your thought on Patch#8 (and #9) as I have not
seen your comment at [2] above.
It is more or less an RFC since it breaks the compatibility of command
syntax although I believe that the change is quite useful.

-Takahiro Akashi

> Best regards
>
> Heinrich
>
> >
> > Prerequisite patches
> > ====================
> > None
> >
> > Test
> > ====
> > * locally passed the pytest which is included in this patch series
> >   on sandbox built.
> >
> > Todo
> > ====
> > * Confirm that the change in .gitlab-ci.yml works.
> > * Azure support(?)
> >
> > Changes
> > =======
> > v2 (July 28, 2021)
> > * rebased on v2021.10-rc*
> > * removed dependency on target's configuration
> > * removed fdtsig.sh and others
> > * add man page
> > * update the UEFI document
> > * add dedicate defconfig for testing on sandbox
> > * add gitlab CI support
> > * add "--guid" option to mkeficapsule
> >   (yet rather RFC)
> >
> > Initial release (May 12, 2021)
> > * based on v2021.07-rc2
> >
> > AKASHI Takahiro (9):
> >   tools: mkeficapsule: add firmwware image signing
> >   tools: mkeficapsule: add man page
> >   doc: update UEFI document for usage of mkeficapsule
> >   efi_loader: ease the file path check for public key
> >   test/py: efi_capsule: add image authentication test
> >   sandbox: add config for efi capsule authentication test
> >   GitLab: add a test rule for efi capsule authentication test
> >   tools: mkeficapsule: allow for specifying GUID explicitly
> >   test/py: efi_capsule: align with the syntax change of mkeficapsule
> >
> >  .gitlab-ci.yml                                |   6 +
> >  MAINTAINERS                                   |   1 +
> >  configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
> >  doc/develop/uefi/uefi.rst                     |  31 +-
> >  doc/mkeficapsule.1                            |  98 +++++
> >  lib/efi_loader/Makefile                       |   5 +-
> >  test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
> >  test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
> >  test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
> >  test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
> >  test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
> >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> >  test/py/tests/test_efi_capsule/conftest.py    |  39 +-
> >  .../test_capsule_firmware_signed.py           | 228 +++++++++++
> >  tools/Kconfig                                 |   7 +
> >  tools/Makefile                                |   8 +-
> >  tools/mkeficapsule.c                          | 368 ++++++++++++++++--
> >  17 files changed, 1129 insertions(+), 68 deletions(-)
> >  create mode 100644 configs/sandbox_capsule_auth_defconfig
> >  create mode 100644 doc/mkeficapsule.1
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
> >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> >
>