Message ID | 20211116043238.67226-1-takahiro.akashi@linaro.org |
---|---|
Series | efi_loader: capsule: improve capsule authentication support |

Hi Heinrich

On Tue, Nov 16, 2021 at 01:32:26PM +0900, AKASHI Takahiro wrote:
> As I proposed and discussed in [1] and [2], I have made a couple of
> improvements on the current implementation of capsule update in this
> patch set.

For this version(v7), I have seen your review comments only
on patch#1 and #2.
Please take your time to review the rest (the main part of
commits) as well.
I don't want to respin the patch series and post its new version
which is almost the same as the old one(v7).

-Takahiro Akashi

> * add signing feature to mkeficapsule
> * add "--guid" option to mkeficapsule
> * add man page of mkeficapsule
> * update uefi document regarding capsule update
> * revise pytests
> * (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH
>
> # We have had some discussion about fdtsig.sh.
> # So RFCs (patch#11,#12) are still included for further discussion
> # if they are useful or not.
> # For smooth merge, the rest (patch#1-10) should work without them.
>
> [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
>
> Prerequisite patches
> ====================
> None
>
> Test
> ====
> * locally passed the pytest which is included in this patch series
>   on sandbox built.
>   (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
>   in order to exercise the authentication code.)
>
> Changes
> =======
> v7 (Nov 16, 2021)
> * rebased on pre-v2022.01-rc2
> * drop already-merged patch
> * check for a size of firmware binary file (patch#1)
> * enable mkeficapsule in tools-only_defconfig (patch#2)
> * define eficapsule.h and include it from mkeficapsule (patch#3)
>   Hopefully, the tool can now compile on non-linux host.
>
> v6 (Nov 02, 2021)
> * rebased on pre-v2022.01-rc1
> * add patch#2 to rework/refactor the code for better readability (patch#2)
> * use exit(EXIT_SUCCESS/FAILURE) (patch#3)
> * truncate >80chars lines in pytest scripts (patch#6)
>
> v5 (Oct 27, 2021)
> * rebased on pre-v2022.01-rc1 (WIP/26Oct2021)
> * drop already-merged patches
> * drop __weak from efi_get_public_key_data() (patch#1)
> * describe the format of public key node in device tree (patch#4)
> * re-order patches by grouping closely-related patches (patch#6-8)
> * modify pytest to make the test results correctly verified
>   either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9)
> * add RFCs for embedding public keys during the build process (patch#10,11)
>
> v4 (Oct 7, 2021)
> * rebased on v2021.10
> * align with "Revert "efi_capsule: Move signature from DTB to .rodata""
> * add more missing *revert* commits (patch#1,#2,#3)
> * add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
> * update/revise the man/uefi doc (patch#6,#7)
> * fix a bug in parsing guid string (patch#8)
> * add a test for "--guid" option (patch#10)
> * use dtb-based authentication test as done in v1 (patch#11)
>
> v3 (Aug 31, 2021)
> * rebased on v2021.10-rc3
> * remove pytest-related patches
> * add function descriptions in mkeficapsule.c
> * correct format specifiers in printf()
> * let main() return 0 or -1 only
> * update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule
>
> v2 (July 28, 2021)
> * rebased on v2021.10-rc*
> * removed dependency on target's configuration
> * removed fdtsig.sh and others
> * add man page
> * update the UEFI document
> * add dedicated defconfig for testing on sandbox
> * add gitlab CI support
> * add "--guid" option to mkeficapsule
>   (yet rather RFC)
>
> Initial release (May 12, 2021)
> * based on v2021.07-rc2
>
> AKASHI Takahiro (12):
>   tools: mkeficapsule: rework the code a little bit
>   tools: build mkeficapsule with tools-only_defconfig
>   tools: mkeficapsule: add firmwware image signing
>   tools: mkeficapsule: add man page
>   doc: update UEFI document for usage of mkeficapsule
>   test/py: efi_capsule: add image authentication test
>   tools: mkeficapsule: allow for specifying GUID explicitly
>   test/py: efi_capsule: align with the syntax change of mkeficapsule
>   test/py: efi_capsule: add a test for "--guid" option
>   test/py: efi_capsule: check the results in case of
>     CAPSULE_AUTHENTICATE
>   (RFC) tools: add fdtsig.sh
>   (RFC) efi_loader, dts: add public keys for capsules to device tree
>
>  MAINTAINERS                                   |   2 +
>  configs/tools-only_defconfig                  |   1 +
>  doc/develop/uefi/uefi.rst                     | 143 ++--
>  doc/mkeficapsule.1                            | 107 +++
>  dts/Makefile                                  |  23 +-
>  lib/efi_loader/Kconfig                        |   7 +
>  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
>  test/py/tests/test_efi_capsule/conftest.py    |  59 +-
>  test/py/tests/test_efi_capsule/signature.dts  |  10 +
>  .../test_efi_capsule/test_capsule_firmware.py |  91 ++-
>  .../test_capsule_firmware_signed.py           | 254 +++++++
>  tools/Kconfig                                 |   8 +
>  tools/Makefile                                |   8 +-
>  tools/eficapsule.h                            | 115 +++
>  tools/fdtsig.sh                               |  40 ++
>  tools/mkeficapsule.c                          | 680 +++++++++++++++---
>  16 files changed, 1360 insertions(+), 193 deletions(-)
>  create mode 100644 doc/mkeficapsule.1
>  create mode 100644 test/py/tests/test_efi_capsule/signature.dts
>  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
>  create mode 100644 tools/eficapsule.h
>  create mode 100755 tools/fdtsig.sh
>
> --
> 2.33.0
>

Heinrich,

On Thu, Nov 25, 2021 at 03:02:35PM +0900, AKASHI Takahiro wrote:
> Hi Heinrich
>
> On Tue, Nov 16, 2021 at 01:32:26PM +0900, AKASHI Takahiro wrote:
> > As I proposed and discussed in [1] and [2], I have made a couple of
> > improvements on the current implementation of capsule update in this
> > patch set.
>
> For this version(v7), I have seen your review comments only
> on patch#1 and #2.
> Please take your time to review the rest (the main part of
> commits) as well.
> I don't want to respin the patch series and post its new version
> which is almost the same as the old one(v7).

Ping.

-Takahiro Akashi

> -Takahiro Akashi
>
>
> > * add signing feature to mkeficapsule
> > * add "--guid" option to mkeficapsule
> > * add man page of mkeficapsule
> > * update uefi document regarding capsule update
> > * revise pytests
> > * (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH
> >
> > # We have had some discussion about fdtsig.sh.
> > # So RFCs (patch#11,#12) are still included for further discussion
> > # if they are useful or not.
> > # For smooth merge, the rest (patch#1-10) should work without them.
> >
> > [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> > [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> >
> > Prerequisite patches
> > ====================
> > None
> >
> > Test
> > ====
> > * locally passed the pytest which is included in this patch series
> >   on sandbox built.
> >   (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
> >   in order to exercise the authentication code.)
> >
> > Changes
> > =======
> > v7 (Nov 16, 2021)
> > * rebased on pre-v2022.01-rc2
> > * drop already-merged patch
> > * check for a size of firmware binary file (patch#1)
> > * enable mkeficapsule in tools-only_defconfig (patch#2)
> > * define eficapsule.h and include it from mkeficapsule (patch#3)
> >   Hopefully, the tool can now compile on non-linux host.

Heinrich,

On Fri, Dec 03, 2021 at 04:09:58PM +0900, AKASHI Takahiro wrote:
> Heinrich,
>
> On Thu, Nov 25, 2021 at 03:02:35PM +0900, AKASHI Takahiro wrote:
> > Hi Heinrich
> >
> > On Tue, Nov 16, 2021 at 01:32:26PM +0900, AKASHI Takahiro wrote:
> > > As I proposed and discussed in [1] and [2], I have made a couple of
> > > improvements on the current implementation of capsule update in this
> > > patch set.
> >
> > For this version(v7), I have seen your review comments only
> > on patch#1 and #2.
> > Please take your time to review the rest (the main part of
> > commits) as well.
> > I don't want to respin the patch series and post its new version
> > which is almost the same as the old one(v7).
>
> Ping.

Ping, again.
Can you review the *main* part of this patch series any time soon?

-Takahiro Akashi

> -Takahiro Akashi
>
> > -Takahiro Akashi
> >
> >
> > > * add signing feature to mkeficapsule
> > > * add "--guid" option to mkeficapsule
> > > * add man page of mkeficapsule
> > > * update uefi document regarding capsule update
> > > * revise pytests
> > > * (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH
> > >
> > > # We have had some discussion about fdtsig.sh.
> > > # So RFCs (patch#11,#12) are still included for further discussion
> > > # if they are useful or not.
> > > # For smooth merge, the rest (patch#1-10) should work without them.
> > >
> > > [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> > > [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> > >
> > > Prerequisite patches
> > > ====================
> > > None
> > >
> > > Test
> > > ====
> > > * locally passed the pytest which is included in this patch series
> > >   on sandbox built.
> > >   (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
> > >   in order to exercise the authentication code.)