From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org,
	masami.hiramatsu@linaro.org, u-boot@lists.denx.de,
	agraf@csgraf.de
Subject: Re: [PATCH v3 3/5] doc: update UEFI document for usage of mkeficapsule
Date: Thu, 2 Sep 2021 18:22:07 +0900
Message-ID: <20210902092207.GD71098@laputa>
In-Reply-To: <77787379-8f94-bba7-4a76-029844cc70d9@gmx.de>

On Tue, Aug 31, 2021 at 08:07:18AM +0200, Heinrich Schuchardt wrote:
> On 8/31/21 4:46 AM, AKASHI Takahiro wrote:
> > Now we can use mkeficapsule command instead of EDK-II's script
> > to create a signed capsule file. So update the instruction for
> > capsule authentication.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >   doc/develop/uefi/uefi.rst | 31 ++++++++++++++-----------------
> >   1 file changed, 14 insertions(+), 17 deletions(-)
> > 
> > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> > index 64fe9346c7f2..5ccb455da984 100644
> > --- a/doc/develop/uefi/uefi.rst
> > +++ b/doc/develop/uefi/uefi.rst
> > @@ -347,23 +347,20 @@ and used by the steps highlighted below::
> >               -keyout CRT.key -out CRT.crt -nodes -days 365
> >           $ cert-to-efi-sig-list CRT.crt CRT.esl
> > 
> > -        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
> > -        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
> > -
> > -        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
> > -        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
> > -
> > -The capsule file can be generated by using the GenerateCapsule.py
> > -script in EDKII::
> > -
> > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> > -      <capsule_file_name> --monotonic-count <val> --fw-version \
> > -      <val> --lsv <val> --guid \
> > -      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
> > -      --update-image-index <val> --signer-private-cert \
> > -      /path/to/CRT.pem --trusted-public-cert \
> > -      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
> > -      <u-boot.bin>
> > +The signed capsule file can be generated by using tools/mkeficapsule.
> > +To build this tool, enable::
> > +
> > +    CONFIG_TOOLS_MKEFICAPSULE=y
> > +    CONFIG_TOOLS_LIBCRYPTO=y
> > +
> > +To generate and sign the capsule file::
> > +
> > +    $ mkeficapsule --monotonic-count 1 \
> > +      --private-key CRT.key \
> > +      --certificate CRT.crt \
> > +      --index 1 --instance 0 \
> > +      [--fit <FIT image> | --raw <raw image>] \
> > +      <capsule_file_name>
> 
> Patch 1 allows signed and unsigned capsules. So both should be described
> here.

Sughosh's original doc doesn't have a description for the *unsigned* case,
but adding some is not a big deal.

-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> > 
> >   Place the capsule generated in the above step on the EFI System
> >   Partition under the EFI/UpdateCapsule directory
> > 
> 
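
Review bot: In the added mkeficapsule example, `--monotonic-count 1` and `--index 1 --instance 0` are given as literal values with no explanation, whereas the GenerateCapsule text being removed used `<val>` placeholders for the monotonic count and the image index. A reader copying the command cannot tell which of these have to be chosen per platform or per update. Suggest either using placeholders (`--monotonic-count <val>`, `--index <val>`, `--instance <val>`) or adding a sentence on what each option selects. The square brackets around `--fit <FIT image> | --raw <raw image>` also read as optional; if one of the two is required, the text should say so.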
