| Message ID | 20201126184110.30521-15-sughosh.ganu@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | qemu: arm64: Add support for uefi capsule update on qemu arm64 platform | expand |
On 11/26/20 7:41 PM, Sughosh Ganu wrote: > Add documentation highlighting the steps for using the uefi capsule > update feature for updating the u-boot firmware image. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > --- > doc/board/emulation/qemu-arm.rst | 157 +++++++++++++++++++++++++++++++ Thank you for carefully documenting your enhancement. Unfortunately this does not build with 'make htmldocs'. (You will need python3-sphinx with a version < 3 for building due to incompatible changes in python3-sphinx.) Warning, treated as error: doc/board/emulation/qemu-arm.rst:137:Unexpected indentation. make[1]: *** [doc/Makefile:69: htmldocs] Error 2 make: *** [Makefile:2167: htmldocs] Error 2 Please, run your series through Travis CI before resubmitting. Takahiro's patches have been added to origin/next. So this is what your series should be based on until the next is merged into master in January. I am missing a documentation for mkeficapsule. Could you, please, try to set one up together with Takahiro. I guess we should create a new directory doc/tools/. Best regards Heinrich > 1 file changed, 157 insertions(+) > > diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst > index 8d7fda10f1..3978c13269 100644 > --- a/doc/board/emulation/qemu-arm.rst > +++ b/doc/board/emulation/qemu-arm.rst > @@ -90,3 +90,160 @@ The debug UART on the ARM virt board uses these settings:: > CONFIG_DEBUG_UART_PL010=y > CONFIG_DEBUG_UART_BASE=0x9000000 > CONFIG_DEBUG_UART_CLOCK=0 > + > +Enabling Uefi Capsule Update feature > +------------------------------------ > + > +Support has been added for the uefi capsule update feature which > +enables updating the u-boot image using the uefi firmware management > +protocol (fmp). The capsules are not passed to the firmware through > +the UpdateCapsule runtime service. Instead, capsule-on-disk > +functionality is used for fetching the capsule from the EFI System > +Partition (ESP). > + > +Currently, support has been added for updating the u-boot binary as a > +raw image when the platform is booted in non-secure mode, i.e with > +CONFIG_TFABOOT disabled. For this configuration, the qemu platform > +needs to be booted with 'secure=off'. The u-boot binary placed on the > +first bank of the Nor Flash at offset 0x0. The u-boot environment is > +placed on the second Nor Flash bank at offset 0x4000000. > + > +The capsule update feature is enabled with the following configs:: > + > + CONFIG_MTD=y > + CONFIG_FLASH_CFI_MTD=y > + CONFIG_CMD_MTDPARTS=y > + CONFIG_CMD_DFU=y > + CONFIG_DFU_MTD=y > + CONFIG_EFI_CAPSULE_ON_DISK=y > + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > + CONFIG_EFI_CAPSULE_FIRMWARE=y > + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > + CONFIG_EFI_CAPSULE_FMP_HEADER=y > + > +In addition, the following config needs to be disabled:: > + CONFIG_TFABOOT > + > +The capsule file can be generated by using the GenerateCapsule.py > +script in edk2:: > + > + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > + <capsule_file_name> --fw-version <val> --lsv <val> --guid \ > + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ > + <val> --verbose <u-boot.bin> > + > +If the above edk2 script is being used for generating the capsule, the > +following additional config needs to be enabled:: > + CONFIG_EFI_CAPSULE_FMP_HEADER=y > + > +As per the uefi specification, the capsule file needs to be placed on > +the EFI System Partition, under the EFI/UpdateCapsule/ directory. The > +EFI System Partition can be a virtio-blk-device. > + > +Before initiating the firmware update, the efi variables BootNext, > +BootXXXX and OsIndications need to be set. The BootXXXX variable needs > +to be pointing to the EFI System Partition which contains the capsule > +file. The BootNext, BootXXXX and OsIndications variables can be set > +using the following commands:: > + > + => efidebug boot add 0 Boot0000 virtio 0:1 <capsule_file_name> > + => efidebug boot next 0 > + => setenv -e -nv -bs -rt -v OsIndications =0x04 > + => saveenv > + > +Finally, the capsule update can be initiated with the following > +command:: > + > + => efidebug capsule disk-update > + > +The updated u-boot image will be booted on subsequent boot. > + > +Enabling Capsule Authentication > +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > + > +The uefi specification defines a way of authenticating the capsule to > +be updated by verifying the capsule signature. The capsule signature > +is computed and prepended to the capsule payload at the time of > +capsule generation. This signature is then verified by using the > +public key stored as part of the X509 certificate. This certificate is > +in the form of an efi signature list (esl) file, which is embedded as > +part of the platform's device tree blob using the mkeficapsule > +utility. > + > +The capsule authentication feature can be enabled through the > +following config, in addition to the configs listed above for capsule > +update:: > + > + CONFIG_EFI_CAPSULE_AUTHENTICATE=y > + > +The public key esl file can be embedded in the dtb with the following > +command:: > + ./tools/mkeficapsule -K <pub_key.esl> -D <dtb> > + > +Running the above command results in the creation of a 'signature' > +node in the dtb, under which the public key is stored as a > +'capsule-key' property. > + > +Once the esl file has been embedded as part of the dtb, the platform > +needs to be be booted with this dtb. This can be done by disabling the > +CONFIG_OF_BOARD option, and then, passing the above dtb file to the > +u-boot build. > + > +The capsule update with authentication can be enabled on the platform > +with the following steps > + > +1. Install utility commands on your host > + * openssl > + * efitools > + > +2. Create signing keys and certificate files on your host:: > + > + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > + -keyout CRT.key -out CRT.crt -nodes -days 365 > + $ cert-to-efi-sig-list CRT.crt CRT.esl > + > + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > + > + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > + > +3. Store the esl file generated above as part of the dtb:: > + > + $ ./tools/mkeficapsule -K <pub_key.esl> -D <dtb> > + > +4. The capsule file can be generated by using the GenerateCapsule.py > + script in edk2:: > + > + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > + <capsule_file_name> --monotonic-count <val> --fw-version \ > + <val> --lsv <val> --guid \ > + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > + --update-image-index <val> --signer-private-cert \ > + /path/to/CRT.pem --trusted-public-cert \ > + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > + <u-boot.bin> > + > +Once the capsule has been generated, use the same instructions as > +mentioned above for placing the capsule on the EFI System Partition > + > +5. Building u-boot with the following steps:: > + > + $ make qemu_arm64_defconfig > + $ make menuconfig > + Disable CONFIG_OF_BOARD and CONFIG_TFABOOT > + $ make EXT_DTB=<dtb> all > + > +6. Enable capsule authentication by setting the following env > + variable:: > + > + => setenv capsule_authentication_enabled 1 > + => saveenv > + > +Setting the environment variable capsule_authentication_enabled > +enables the capsule authentication. > + > +Once the capsule has been placed on the EFI System Partition and the > +above env variable has been set, along with the BootXXXX and the > +BootNext variables, the capsule update can be initiated > +using the same command as that shown above. >
diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst index 8d7fda10f1..3978c13269 100644 --- a/doc/board/emulation/qemu-arm.rst +++ b/doc/board/emulation/qemu-arm.rst @@ -90,3 +90,160 @@ The debug UART on the ARM virt board uses these settings:: CONFIG_DEBUG_UART_PL010=y CONFIG_DEBUG_UART_BASE=0x9000000 CONFIG_DEBUG_UART_CLOCK=0 + +Enabling Uefi Capsule Update feature +------------------------------------ + +Support has been added for the uefi capsule update feature which +enables updating the u-boot image using the uefi firmware management +protocol (fmp). The capsules are not passed to the firmware through +the UpdateCapsule runtime service. Instead, capsule-on-disk +functionality is used for fetching the capsule from the EFI System +Partition (ESP). + +Currently, support has been added for updating the u-boot binary as a +raw image when the platform is booted in non-secure mode, i.e with +CONFIG_TFABOOT disabled. For this configuration, the qemu platform +needs to be booted with 'secure=off'. The u-boot binary placed on the +first bank of the Nor Flash at offset 0x0. The u-boot environment is +placed on the second Nor Flash bank at offset 0x4000000. + +The capsule update feature is enabled with the following configs:: + + CONFIG_MTD=y + CONFIG_FLASH_CFI_MTD=y + CONFIG_CMD_MTDPARTS=y + CONFIG_CMD_DFU=y + CONFIG_DFU_MTD=y + CONFIG_EFI_CAPSULE_ON_DISK=y + CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y + CONFIG_EFI_CAPSULE_FIRMWARE=y + CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y + CONFIG_EFI_CAPSULE_FMP_HEADER=y + +In addition, the following config needs to be disabled:: + CONFIG_TFABOOT + +The capsule file can be generated by using the GenerateCapsule.py +script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + <capsule_file_name> --fw-version <val> --lsv <val> --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + <val> --verbose <u-boot.bin> + +If the above edk2 script is being used for generating the capsule, the +following additional config needs to be enabled:: + CONFIG_EFI_CAPSULE_FMP_HEADER=y + +As per the uefi specification, the capsule file needs to be placed on +the EFI System Partition, under the EFI/UpdateCapsule/ directory. The +EFI System Partition can be a virtio-blk-device. + +Before initiating the firmware update, the efi variables BootNext, +BootXXXX and OsIndications need to be set. The BootXXXX variable needs +to be pointing to the EFI System Partition which contains the capsule +file. The BootNext, BootXXXX and OsIndications variables can be set +using the following commands:: + + => efidebug boot add 0 Boot0000 virtio 0:1 <capsule_file_name> + => efidebug boot next 0 + => setenv -e -nv -bs -rt -v OsIndications =0x04 + => saveenv + +Finally, the capsule update can be initiated with the following +command:: + + => efidebug capsule disk-update + +The updated u-boot image will be booted on subsequent boot. + +Enabling Capsule Authentication +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The uefi specification defines a way of authenticating the capsule to +be updated by verifying the capsule signature. The capsule signature +is computed and prepended to the capsule payload at the time of +capsule generation. This signature is then verified by using the +public key stored as part of the X509 certificate. This certificate is +in the form of an efi signature list (esl) file, which is embedded as +part of the platform's device tree blob using the mkeficapsule +utility. + +The capsule authentication feature can be enabled through the +following config, in addition to the configs listed above for capsule +update:: + + CONFIG_EFI_CAPSULE_AUTHENTICATE=y + +The public key esl file can be embedded in the dtb with the following +command:: + ./tools/mkeficapsule -K <pub_key.esl> -D <dtb> + +Running the above command results in the creation of a 'signature' +node in the dtb, under which the public key is stored as a +'capsule-key' property. + +Once the esl file has been embedded as part of the dtb, the platform +needs to be be booted with this dtb. This can be done by disabling the +CONFIG_OF_BOARD option, and then, passing the above dtb file to the +u-boot build. + +The capsule update with authentication can be enabled on the platform +with the following steps + +1. Install utility commands on your host + * openssl + * efitools + +2. Create signing keys and certificate files on your host:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ + -keyout CRT.key -out CRT.crt -nodes -days 365 + $ cert-to-efi-sig-list CRT.crt CRT.esl + + $ openssl x509 -in CRT.crt -out CRT.cer -outform DER + $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem + + $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt + $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem + +3. Store the esl file generated above as part of the dtb:: + + $ ./tools/mkeficapsule -K <pub_key.esl> -D <dtb> + +4. The capsule file can be generated by using the GenerateCapsule.py + script in edk2:: + + $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ + <capsule_file_name> --monotonic-count <val> --fw-version \ + <val> --lsv <val> --guid \ + e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ + --update-image-index <val> --signer-private-cert \ + /path/to/CRT.pem --trusted-public-cert \ + /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ + <u-boot.bin> + +Once the capsule has been generated, use the same instructions as +mentioned above for placing the capsule on the EFI System Partition + +5. Building u-boot with the following steps:: + + $ make qemu_arm64_defconfig + $ make menuconfig + Disable CONFIG_OF_BOARD and CONFIG_TFABOOT + $ make EXT_DTB=<dtb> all + +6. Enable capsule authentication by setting the following env + variable:: + + => setenv capsule_authentication_enabled 1 + => saveenv + +Setting the environment variable capsule_authentication_enabled +enables the capsule authentication. + +Once the capsule has been placed on the EFI System Partition and the +above env variable has been set, along with the BootXXXX and the +BootNext variables, the capsule update can be initiated +using the same command as that shown above.
Add documentation highlighting the steps for using the uefi capsule update feature for updating the u-boot firmware image. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> --- doc/board/emulation/qemu-arm.rst | 157 +++++++++++++++++++++++++++++++ 1 file changed, 157 insertions(+) -- 2.17.1