From mboxrd@z Thu Jan 1 00:00:00 1970 From: Takahiro Akashi Date: Mon, 19 Apr 2021 09:37:21 +0900 Subject: [PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update In-Reply-To: References: <161861622792.298230.15803163505976731363.stgit@localhost> <161861636024.298230.15188986250483737028.stgit@localhost> Message-ID: <20210419003721.GA8702@laputa> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Sughosh, On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote: > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt > wrote: > > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote: > > > Since the EDK2 GenerateCapsule script is out of date and it > > > doesn't generate the supported version capsule file, the document > > > should refer the mkeficapsule in tools. > > > > > > Signed-off-by: Masami Hiramatsu > > > --- > > > doc/board/emulation/qemu_capsule_update.rst | 11 ++--------- > > > 1 file changed, 2 insertions(+), 9 deletions(-) > > > > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst > > b/doc/board/emulation/qemu_capsule_update.rst > > > index 9fec75f8f1..e2a9f0db71 100644 > > > --- a/c > > > +++ b/doc/board/emulation/qemu_capsule_update.rst 
> > > @@ -39,16 +39,9 @@ In addition, the following config needs to be > > disabled(QEMU ARM specific):: > > > > > > CONFIG_TFABOOT > > > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > -script in EDKII:: > > > - > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > - --fw-version --lsv --guid \ > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index > > \ > > > - --verbose > > > +The capsule file can be generated by using the tools/mkeficapsule:: > > > > > > -The above is a wrapper script(GenerateCapsule) which eventually calls > > > -the actual GenerateCapsule.py script. > > > + $ mkeficapsule --raw --index 1 > > > > Thanks for the change. > > > > Could you, please, adjust the same in chapter "Enabling Capsule > > Authentication" below. > > > > Currently, we do not have support for adding authentication header to the > capsule. This is because I have been using the GenerateCapsule script in > edk2 for generation of a capsule with authentication header. I think adding > the signature to the capsule is easier when done through a python script > rather than C code. Why do you think so? At a quick glance at the script, it internally uses openssl command like: openssl smime -sign -binary -outform DER -md sha256 \ -signer <...> -certfile <...> (See PayloadDescriptor.Encode in the script.) The output from the standard output is exactly what you want to use to build a capsule file, that is "AuthInfo". Then you can naturally extend mkeficapsule to insert this signature between the header and the image itself in a capsule file. Furthermore, I believe, it is fairly straightforward to add a native 'signing' feature to mkeficapsule if you use openssl library. -Takahiro Akashi > I am working on adding support for the latest version > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule > script in edk2. 
Meanwhile, would it be possible to have support for the > version 2 of this header in the capsule driver -- it is a minor change and > I already have a patch for it. If you are fine, I can submit a patch for > the same. > > -sughosh > > > > > > Best regards > > > > Heinrich > > > > > > > > As per the UEFI specification, the capsule file needs to be placed on > > > the EFI System Partition, under the \EFI\UpdateCapsule directory. The > > > > > > >
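Review bot: The added command line `$ mkeficapsule --raw --index 1`, as it appears in this hunk, names neither the firmware image that `--raw` applies to nor the capsule file to be written, so a reader cannot run it as documented. Spell out both as placeholders and say what `--index 1` selects, since the removed GenerateCapsule text at least listed `--guid` and `--update-image-index` explicitly. The rewritten paragraph should also state that a capsule built this way carries no authentication header, because the "Enabling Capsule Authentication" chapter raised in the thread still depends on GenerateCapsule.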
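The placement discussed in this mail, with the signature inserted between the header and the image, as an added example that is not part of the original mail, of mkeficapsule or of GenerateCapsule. It assumes the EFI_FIRMWARE_IMAGE_AUTHENTICATION layout from the UEFI specification (a 64-bit monotonic count, then a WIN_CERTIFICATE_UEFI_GUID carrying the PKCS#7 data, then the image); the function names are hypothetical and the signature bytes used with it are a constructed placeholder, not real openssl output.

```python
import struct
import uuid

# Constants from the UEFI specification (not from the mail thread).
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1

# MonotonicCount, dwLength, wRevision, wCertificateType, CertType
AUTH_HDR = struct.Struct("<QIHH16s")
WIN_CERT_FIXED = AUTH_HDR.size - 8  # WIN_CERTIFICATE_UEFI_GUID without CertData


def data_to_sign(image: bytes, monotonic_count: int) -> bytes:
    """Bytes the signer must cover: the image followed by the 64-bit count."""
    return image + struct.pack("<Q", monotonic_count)


def wrap_authenticated(image: bytes, pkcs7_der: bytes, monotonic_count: int) -> bytes:
    """Prefix the image with the authentication header and the DER signature."""
    dw_length = WIN_CERT_FIXED + len(pkcs7_der)  # covers header, GUID and CertData
    hdr = AUTH_HDR.pack(monotonic_count, dw_length, WIN_CERT_REVISION,
                        WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return hdr + pkcs7_der + image


def split_authenticated(blob: bytes):
    """Return (monotonic_count, pkcs7_der, image); reject malformed headers."""
    if len(blob) < AUTH_HDR.size:
        raise ValueError("shorter than the authentication header")
    count, dw_length, rev, ctype, guid = AUTH_HDR.unpack_from(blob)
    if rev != WIN_CERT_REVISION or ctype != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID")
    if guid != EFI_CERT_TYPE_PKCS7_GUID.bytes_le:
        raise ValueError("certificate type is not PKCS#7")
    sig_end = 8 + dw_length  # dwLength is counted from after MonotonicCount
    if dw_length < WIN_CERT_FIXED or sig_end > len(blob):
        raise ValueError("dwLength does not fit the buffer")
    return count, blob[AUTH_HDR.size:sig_end], blob[sig_end:]


if __name__ == "__main__":
    image = b"constructed firmware image"          # constructed sample
    fake_sig = b"\x30\x82" + bytes(30)             # placeholder, not a real PKCS#7
    blob = wrap_authenticated(image, fake_sig, 1)
    print(split_authenticated(blob) == (1, fake_sig, image))
```

In a real flow the placeholder would be replaced by the DER output of the signing step run over `data_to_sign(image, monotonic_count)`.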