[PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update

[Takahiro Akashi <takahiro.akashi@linaro.org>]

Sughosh,

On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
> On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt <xypron.glpk@gmx.de>
> wrote:
> 
> > On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
> > > Since the EDK2 GenerateCapsule script is out of date and it
> > > doesn't generate the supported version capsule file, the document
> > > should refer the mkeficapsule in tools.
> > >
> > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
> > > ---
> > >   doc/board/emulation/qemu_capsule_update.rst |   11 ++---------
> > >   1 file changed, 2 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/doc/board/emulation/qemu_capsule_update.rst
> > b/doc/board/emulation/qemu_capsule_update.rst
> > > index 9fec75f8f1..e2a9f0db71 100644
> > > --- a/c
> > > +++ b/doc/board/emulation/qemu_capsule_update.rst
> > > @@ -39,16 +39,9 @@ In addition, the following config needs to be
> > disabled(QEMU ARM specific)::
> > >
> > >       CONFIG_TFABOOT
> > >
> > > -The capsule file can be generated by using the GenerateCapsule.py
> > > -script in EDKII::
> > > -
> > > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> > > -    <capsule_file_name> --fw-version <val> --lsv <val> --guid \
> > > -    e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index
> > \
> > > -    <val> --verbose <u-boot.bin>
> > > +The capsule file can be generated by using the tools/mkeficapsule::
> > >
> > > -The above is a wrapper script(GenerateCapsule) which eventually calls
> > > -the actual GenerateCapsule.py script.
> > > +    $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
> >
> > Thanks for the change.
> >
> > Could you, please, adjust the same in chapter "Enabling Capsule
> > Authentication" below.
> >
> 
> Currently, we do not have support for adding authentication header to the
> capsule. This is because I have been using the GenerateCapsule script in
> edk2 for generation of a capsule with authentication header. I think adding
> the signature to the capsule is easier when done through a python script
> rather than C code.

Why do you think so?
At a quick glance at the script, it internally uses openssl command like:
    openssl smime -sign -binary -outform DER -md sha256 \
        -signer <...> -certfile <...>
(See PayloadDescriptor.Encode in the script.)

The output from the standard output is exactly what you want
to use to build a capsule file, that is "AuthInfo".
Then you can naturally extend mkeficapsule to insert this signature
between the header and the image itself in a capsule file.

Furthermore, I believe, it is fairly straightforward to add a native
'signing' feature to mkeficapsule if you use openssl library.

-Takahiro Akashi


> I am working on adding support for the latest version
> of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule
> script in edk2. Meanwhile, would it be possible to have support for the
> version 2 of this header in the capsule driver -- it is a minor change and
> I already have a patch for it. If you are fine, I can submit a patch for
> the same.
> 
> -sughosh
> 
> 
> >
> > Best regards
> >
> > Heinrich
> >
> > >
> > >   As per the UEFI specification, the capsule file needs to be placed on
> > >   the EFI System Partition, under the \EFI\UpdateCapsule directory. The
> > >
> >
> >