From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi,
    Malte Schmidt, Michal Simek, Tom Rini
Subject: [PATCH v4 00/12] Integrate EFI capsule tasks into u-boot's build flow
Date: Sat, 15 Jul 2023 19:15:21 +0530
Message-Id: <20230715134533.2025893-1-sughosh.ganu@linaro.org>
X-Patchwork-Id: 703192

This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List (ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol (CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. Support is being
added to generate capsules by specifying the capsule parameters in a
config file. Calling the mkeficapsule tool then results in generation
of the corresponding capsule files. The capsules can be generated as
part of u-boot build, and this is being achieved through binman, by
adding a capsule entry type.
The capsules can be generated either by specifying the capsule
parameters in a config file, or through specifying them as properties
under the capsule entry node. If using the config file, the path to the
config file is to be specified through a Kconfig symbol
(CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build.

The placement of all the files needed for generation of capsules, along
with the generated capsule files is under the /tmp/capsules/ directory.
Currently, the capsule update feature is tested on the sandbox and
sandbox_flattree variants in CI. The capsule generation through config
file is enabled for the sandbox variant, with the sandbox_flattree
variant generating capsules through the command-line parameters.

The document has been updated to reflect the above changes.

Changes since V3:
* New patch to support passing multiple commands to the build_from_git
  function to build the tool.
* Put the two ifdef statements together in arm architecture's
  u-boot.dtsi file.
* Remove the extra blank line in the Kconfig.
* Add support for firmware versioning, needed after rebasing on
  current master.
* Add test cases for covering the various capsule generation
  scenarios.
* Add function comments in the mkeficapsule bintool.
* Fix the fetch method of the mkeficapsule bintool to enable building
  the tool.
* Add more details about the capsule parameters in the documentation
  as well as the code.
* Fix order of module imports, and addition of blank lines in the
  capsule.py file.
* Use SetContents in the ObtainContents method.
* Move the paragraph on version support under a separate subsection.
* Move the description on generating capsules through config file
  under the section to describe capsule generation.
* Add a subsection highlighting generation of capsules through binman.
* Remove whitespace in the command to generate capsule keys.
* Use fstrings for format specifiers.
* Rebase on top of current master to work with test configuration for
  version support in capsule updates.
* Use fstrings for format specifiers.
* Add entries for generating capsules with version parameter.
* Use blob nodes instead of incbin for including the binaries in FIT
  image.
* Enable generation of capsules with versioning support.

Sughosh Ganu (12):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from config file
  binman: capsule: Add support for generating capsules
  doc: Add documentation to highlight capsule generation related updates
  CI: capsule: Setup the files needed for capsule update testing
  test: py: Setup capsule files for testing
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Add a config file for generating capsules
  sandbox: capsule: Generate capsule related files through binman

 .azure-pipelines.yml | 26 ++
 .gitlab-ci.yml | 24 ++
 arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
 arch/arm/dts/u-boot.dtsi | 17 +
 arch/sandbox/dts/u-boot.dtsi | 282 ++++++++++++++
 configs/sandbox_defconfig | 3 +
 configs/sandbox_flattree_defconfig | 1 +
 configs/sandbox_spl_defconfig | 1 +
 doc/develop/uefi/uefi.rst | 106 +++++-
 lib/efi_loader/Kconfig | 10 +
 lib/efi_loader/Makefile | 7 +
 test/py/conftest.py | 89 +++++
 test/py/tests/test_efi_capsule/conftest.py | 164 +-------
 .../test_efi_capsule/sandbox_capsule_cfg.txt | 162 ++++++++
 test/py/tests/test_efi_capsule/signature.dts | 10 -
 .../tests/test_efi_capsule/uboot_bin_env.its | 36 --
 tools/Kconfig | 16 +
 tools/Makefile | 1 +
 tools/binman/bintool.py | 19 +-
 tools/binman/btool/_testing.py | 3 +-
 tools/binman/btool/fiptool.py | 4 +-
 tools/binman/btool/futility.py | 4 +-
 tools/binman/btool/mkeficapsule.py | 158 ++++++++
 tools/binman/entries.rst | 37 ++
 tools/binman/etype/capsule.py | 132 +++++++
 tools/binman/ftest.py | 127 +++++++
 tools/binman/test/282_capsule.dts | 18 +
 tools/binman/test/283_capsule_signed.dts | 20 +
 tools/binman/test/284_capsule_conf.dts | 14 +
 tools/binman/test/285_capsule_missing_key.dts | 19 +
 .../binman/test/286_capsule_missing_index.dts | 17 +
 .../binman/test/287_capsule_missing_guid.dts | 17 +
 .../test/288_capsule_missing_payload.dts | 17 +
 tools/binman/test/289_capsule_missing.dts | 17 +
 tools/binman/test/290_capsule_version.dts | 19 +
 tools/binman/test/capsule_cfg.txt | 6 +
 tools/eficapsule.h | 115 ++++++
 tools/mkeficapsule.c | 87 +++--
 tools/mkeficapsule_parse.c | 352 ++++++++++++++++++
 39 files changed, 1900 insertions(+), 259 deletions(-)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/capsule.py
 create mode 100644 tools/binman/test/282_capsule.dts
 create mode 100644 tools/binman/test/283_capsule_signed.dts
 create mode 100644 tools/binman/test/284_capsule_conf.dts
 create mode 100644 tools/binman/test/285_capsule_missing_key.dts
 create mode 100644 tools/binman/test/286_capsule_missing_index.dts
 create mode 100644 tools/binman/test/287_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/288_capsule_missing_payload.dts
 create mode 100644 tools/binman/test/289_capsule_missing.dts
 create mode 100644 tools/binman/test/290_capsule_version.dts
 create mode 100644 tools/binman/test/capsule_cfg.txt
 create mode 100644 tools/mkeficapsule_parse.c
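
Added example, not part of the patch series or of U-Boot: a pre-build sanity check for the ESL file that CONFIG_EFI_CAPSULE_ESL_FILE points to, so that a malformed or wrong-type key list is caught before it is embedded in the dtb. The EFI_SIGNATURE_LIST layout and the X.509 type GUID come from the UEFI specification rather than from this message; the X.509-only policy, the function names and the sample bytes are assumptions.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined by the UEFI specification (not stated in the message).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_esl(blob):
    """Return [(type_guid, owner_guid, data)]; raise ValueError on a malformed ESL."""
    if not blob:
        raise ValueError("empty ESL")
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} out of bounds")
        body = list_size - LIST_HDR.size - hdr_size
        # Each entry is a 16-byte owner GUID followed by the signature data.
        if sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        start = off + LIST_HDR.size + hdr_size
        for pos in range(start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((uuid.UUID(bytes_le=raw_type), owner, data))
        off += list_size
    return entries


def check_capsule_esl(blob):
    """Assumed policy: every entry must be a DER-encoded X.509 certificate."""
    entries = parse_esl(blob)
    for sig_type, _owner, data in entries:
        if sig_type != EFI_CERT_X509_GUID:
            raise ValueError(f"unexpected signature type {sig_type}")
        if data[:1] != b"\x30":  # DER SEQUENCE tag; a PEM file fails here
            raise ValueError("entry is not DER-encoded")
    return len(entries)


def build_esl(cert, owner=uuid.UUID(int=0)):
    """Construct a one-entry X.509 ESL, used here only to produce sample input."""
    sig = owner.bytes_le + cert
    hdr = LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, LIST_HDR.size + len(sig), 0, len(sig))
    return hdr + sig


SAMPLE_CERT = b"\x30\x82\x00\x04" + bytes(4)  # constructed stand-in, not a real certificate
```
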