public inbox for u-boot@lists.denx.de
From: Takahiro Akashi <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update
Date: Tue, 20 Apr 2021 15:16:35 +0900
Message-ID: <20210420061635.GA16049@laputa>
In-Reply-To: <CAC82C0B-07E2-4C4F-B6D9-4C754C4BB102@gmx.de>

Heinrich, Sughosh,

On Mon, Apr 19, 2021 at 04:35:15AM +0200, Heinrich Schuchardt wrote:
> On 19 April 2021 04:24:37 CEST, Masami Hiramatsu <masami.hiramatsu@linaro.org> wrote:
> >Hi,
> >
> >On Mon, Apr 19, 2021 at 9:37, Takahiro Akashi <takahiro.akashi@linaro.org> wrote:
> >>
> >> Sughosh,
> >>
> >> On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
> >> > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt
> ><xypron.glpk@gmx.de>
> >> > wrote:
> >> >
> >> > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
> >> > > > Since the EDK2 GenerateCapsule script is out of date and it
> >> > > > doesn't generate the supported version capsule file, the
> >document
> >> > > > should refer the mkeficapsule in tools.
> >> > > >
> >> > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
> >> > > > ---
> >> > > >   doc/board/emulation/qemu_capsule_update.rst |   11
> >++---------
> >> > > >   1 file changed, 2 insertions(+), 9 deletions(-)
> >> > > >
> >> > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst
> >> > > b/doc/board/emulation/qemu_capsule_update.rst
> >> > > > index 9fec75f8f1..e2a9f0db71 100644
> >> > > > --- a/c
> >> > > > +++ b/doc/board/emulation/qemu_capsule_update.rst
> >> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to
> >be
> >> > > disabled(QEMU ARM specific)::
> >> > > >
> >> > > >       CONFIG_TFABOOT
> >> > > >
> >> > > > -The capsule file can be generated by using the
> >GenerateCapsule.py
> >> > > > -script in EDKII::
> >> > > > -
> >> > > > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o
> >\
> >> > > > -    <capsule_file_name> --fw-version <val> --lsv <val> --guid
> >\
> >> > > > -    e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose
> >--update-image-index
> >> > > \
> >> > > > -    <val> --verbose <u-boot.bin>
> >> > > > +The capsule file can be generated by using the
> >tools/mkeficapsule::
> >> > > >
> >> > > > -The above is a wrapper script(GenerateCapsule) which
> >eventually calls
> >> > > > -the actual GenerateCapsule.py script.
> >> > > > +    $ mkeficapsule --raw <u-boot.bin> --index 1
> ><capsule_file_name>
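Review bot: the added command line hard-codes "--index 1" where the removed text used a "<val>" placeholder for "--update-image-index", and the new text never says which firmware image index 1 selects; either keep a placeholder ("--index <val>") or add a sentence naming the image that index 1 maps to on this board. The new sentence also names the tool as "tools/mkeficapsule" while the command invokes a bare "mkeficapsule", so say where the binary is expected to be found (build tree or PATH). The removed command passed "--guid", "--fw-version" and "--lsv" as well; a short remark on whether those no longer need to be supplied would help readers moving over from the old instructions.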
> >> > >
> >> > > Thanks for the change.
> >> > >
> >> > > Could you, please, adjust the same in chapter "Enabling Capsule
> >> > > Authentication" below.
> >
> >So as Sughosh said, since currently mkeficapsule doesn't support
> >authentication,
> >I only changed it for the normal capsule update. Without this change,
> >the capsule
> >update just failed.
> >
> >
> >> > Currently, we do not have support for adding authentication header
> >to the
> >> > capsule. This is because I have been using the GenerateCapsule
> >script in
> >> > edk2 for generation of a capsule with authentication header. I
> >think adding
> >> > the signature to the capsule is easier when done through a python
> >script
> >> > rather than C code.
> >>
> >> Why do you think so?
> >> At a quick glance at the script, it internally uses openssl command
> >like:
> >>     openssl smime -sign -binary -outform DER -md sha256 \
> >>         -signer <...> -certfile <...>
> >> (See PayloadDescriptor.Encode in the script.)
> >>
> >> The output from the standard output is exactly what you want
> >> to use to build a capsule file, that is "AuthInfo".
> >> Then you can naturally extend mkeficapsule to insert this signature
> >> between the header and the image itself in a capsule file.
> >
> >Hmm, if it can be done by just calling openssl, I think it is easier
> >for me
> >to run the tools/mkeficapsule, because I don't need to build EDK2
> >for U-Boot.
> >
> >If GenerateCapsule becomes a standard implementation and
> >independent from the EDK2 project, from the interoperability point
> >of view, it is better to use that. But it is a part of EDK2 and the
> >GenerateCapsule seems out-of-date and not maintained well
> >(why doesn't it support the latest version yet??)
> 
> Sughosh told me that EDK II cannot create a signed capsule that is usable with U-Boot due to an outdated header version used by EDK II.

I decided to add a signing feature to mkeficapsule, and actually
have finished the coding (half-a-day work). Yet I have to find some time
to debug the command as I have never tried capsule authentication.
(Hopefully Masami will help here.)

The syntax will look like:
  mkeficapsule -m <mono count> -P <private key> -C <certificate file>
    -r <firmware image> <capsule file>

-Takahiro Akashi

> It should be sufficient to describe the steps used by U-Boot's test script here.
> 
> Best regards
> 
> Heinrich
> 
> >
> >Thank you,
> >
> >> Furthermore, I believe, it is fairly straightforward to add a native
> >> 'signing' feature to mkeficapsule if you use openssl library.
> >>
> >> -Takahiro Akashi
> >>
> >>
> >> > I am working on adding support for the latest version
> >> > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the
> >GenerateCapsule
> >> > script in edk2. Meanwhile, would it be possible to have support for
> >the
> >> > version 2 of this header in the capsule driver -- it is a minor
> >change and
> >> > I already have a patch for it. If you are fine, I can submit a
> >patch for
> >> > the same.
> >> >
> >> > -sughosh
> >> >
> >> >
> >> > >
> >> > > Best regards
> >> > >
> >> > > Heinrich
> >> > >
> >> > > >
> >> > > >   As per the UEFI specification, the capsule file needs to be
> >placed on
> >> > > >   the EFI System Partition, under the \EFI\UpdateCapsule
> >directory. The
> >> > > >
> >> > >
> >> > >
> >
> >
> >
> >--
> >Masami Hiramatsu
> 
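
The placement discussed in this message (the PKCS#7 "AuthInfo" blob inserted between the capsule's image header and the firmware image) is sketched below as an added example; it is not part of the original message and not mkeficapsule code. It assumes the EFI_FIRMWARE_IMAGE_AUTHENTICATION layout from the UEFI specification, and the names auth_wrap and auth_image_offset are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EFI_CERT_TYPE_PKCS7_GUID in its in-memory (mixed-endian) byte order */
static const uint8_t PKCS7_GUID[16] = {
    0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49,
    0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 };

#define AUTH_FIXED 32u /* u64 count + WIN_CERTIFICATE (8) + GUID (16) */

static void put_le(uint8_t *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint64_t get_le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Write EFI_FIRMWARE_IMAGE_AUTHENTICATION followed by the image into out.
 * Returns bytes written, or 0 if out is too small (hypothetical helper). */
size_t auth_wrap(uint8_t *out, size_t cap, uint64_t mono,
                 const uint8_t *sig, size_t sig_len,
                 const uint8_t *img, size_t img_len)
{
    if (sig_len > UINT32_MAX - 24 || cap < AUTH_FIXED ||
        sig_len > cap - AUTH_FIXED || img_len > cap - AUTH_FIXED - sig_len)
        return 0;
    put_le(out, mono, 8);                   /* MonotonicCount */
    put_le(out + 8, 24 + sig_len, 4);       /* dwLength: hdr + GUID + data */
    put_le(out + 12, 0x0200, 2);            /* wRevision */
    put_le(out + 14, 0x0EF1, 2);            /* WIN_CERT_TYPE_EFI_GUID */
    memcpy(out + 16, PKCS7_GUID, 16);       /* CertType */
    memcpy(out + 32, sig, sig_len);         /* PKCS#7 SignedData (DER) */
    memcpy(out + 32 + sig_len, img, img_len);
    return AUTH_FIXED + sig_len + img_len;
}

/* Locate the image behind the auth header; returns its offset, or 0 when
 * the header is malformed (bad type/GUID or dwLength out of bounds). */
size_t auth_image_offset(const uint8_t *buf, size_t len)
{
    if (len < AUTH_FIXED) return 0;
    uint64_t dw = get_le(buf + 8, 4);
    if (dw < 24 || dw > len - 8) return 0;
    if (get_le(buf + 12, 2) != 0x0200 || get_le(buf + 14, 2) != 0x0EF1)
        return 0;
    if (memcmp(buf + 16, PKCS7_GUID, 16) != 0) return 0;
    return 8 + (size_t)dw;
}
```

The sig argument stands for the DER output of the openssl smime command quoted above; per the UEFI specification the data that gets signed is the image followed by the 8-byte monotonic count.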
