From mboxrd@z Thu Jan  1 00:00:00 1970
From: Takahiro Akashi
Date: Tue, 20 Apr 2021 15:16:35 +0900
Subject: [PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update
In-Reply-To:
References: <161861622792.298230.15803163505976731363.stgit@localhost>
 <161861636024.298230.15188986250483737028.stgit@localhost>
 <20210419003721.GA8702@laputa>
Message-ID: <20210420061635.GA16049@laputa>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Heinrich, Sughosh,

On Mon, Apr 19, 2021 at 04:35:15AM +0200, Heinrich Schuchardt wrote:
> On 19 April 2021 04:24:37 CEST, Masami Hiramatsu wrote:
> >Hi,
> >
> >On 2021-04-19 (Mon) 9:37, Takahiro Akashi wrote:
> >>
> >> Sughosh,
> >>
> >> On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
> >> > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt wrote:
> >> >
> >> > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
> >> > > > Since the EDK2 GenerateCapsule script is out of date and it
> >> > > > doesn't generate the supported version capsule file, the document
> >> > > > should refer to the mkeficapsule in tools.
> >> > > >
> >> > > > Signed-off-by: Masami Hiramatsu
> >> > > > ---
> >> > > >   doc/board/emulation/qemu_capsule_update.rst | 11 ++---------
> >> > > >   1 file changed, 2 insertions(+), 9 deletions(-)
> >> > > >
> >> > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst
> >> > > b/doc/board/emulation/qemu_capsule_update.rst
> >> > > > index 9fec75f8f1..e2a9f0db71 100644
> >> > > > --- a/c
> >> > > > +++ b/doc/board/emulation/qemu_capsule_update.rst
> >> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to
> >be
> >> > > disabled(QEMU ARM specific)::
> >> > > >
> >> > > >      CONFIG_TFABOOT
> >> > > >
> >> > > > -The capsule file can be generated by using the
> >GenerateCapsule.py
> >> > > > -script in EDKII::
> >> > > > -
> >> > > > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o
> >\
> >> > > > -    --fw-version --lsv --guid
> >\
> >> > > > -    e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose
> >--update-image-index
> >> > > \
> >> > > > -    --verbose
> >> > > > +The capsule file can be generated by using the
> >tools/mkeficapsule::
> >> > > >
> >> > > > -The above is a wrapper script(GenerateCapsule) which
> >eventually calls
> >> > > > -the actual GenerateCapsule.py script.
> >> > > > +    $ mkeficapsule --raw --index 1
> >> > >
> >> > > Thanks for the change.
> >> > >
> >> > > Could you, please, adjust the same in chapter "Enabling Capsule
> >> > > Authentication" below.
> >
> >So as Sughosh said, since currently mkeficapsule doesn't support
> >authentication, I only changed it for the normal capsule update.
> >Without this change, the capsule update just failed.
> >
> >
> >> > Currently, we do not have support for adding an authentication header
> >> > to the capsule. This is because I have been using the GenerateCapsule
> >> > script in edk2 for generation of a capsule with an authentication
> >> > header. I think adding the signature to the capsule is easier when
> >> > done through a Python script rather than C code.
> >>
> >> Why do you think so?
> >> At a quick glance at the script, it internally uses an openssl command
> >> like:
> >>   openssl smime -sign -binary -outform DER -md sha256 \
> >>           -signer <...> -certfile <...>
> >> (See PayloadDescriptor.Encode in the script.)
> >>
> >> The output from the standard output is exactly what you want
> >> to use to build a capsule file, that is "AuthInfo".
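Review bot: the hunk swaps the generation command for the unauthenticated flow only, so after this patch the document names two different tools for the two flows: the "+The capsule file can be generated by using the tools/mkeficapsule::" text here, and GenerateCapsule still in the "Enabling Capsule Authentication" chapter that Heinrich asks about. Since the thread establishes that mkeficapsule cannot yet add the authentication header, add one sentence next to the new command saying that signed capsules are not covered by it, so a reader with CONFIG_EFI_CAPSULE_AUTHENTICATE-style setups does not feed an unsigned mkeficapsule output into the authenticated path and get the same silent failure this patch is fixing. Two smaller points in the same hunk: "by using the tools/mkeficapsule" should read "by using tools/mkeficapsule", and the command line as quoted shows only the "--raw --index 1" options with no image or output operands, so check that the rendered rst still shows the operands the tool needs.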
> >> Then you can naturally extend mkeficapsule to insert this signature
> >> between the header and the image itself in a capsule file.
> >
> >Hmm, if it can be done by just calling openssl, I think it is easier
> >for me to run the tools/mkeficapsule, because I don't need to build
> >EDK2 for U-Boot.
> >
> >If GenerateCapsule becomes a standard implementation and
> >independent from the EDK2 project, from the interoperability point
> >of view, it is better to use that. But it is a part of EDK2 and the
> >GenerateCapsule seems out-of-date and not maintained well
> >(why doesn't it support the latest version yet??)
>
> Sughosh told me that EDK II cannot create a signed capsule that is usable
> with U-Boot due to an outdated header version used by EDK II.

I decided to add a signing feature to mkeficapsule, and actually have
finished the coding (half-a-day work). Yet I have to find some time to
debug the command as I have never tried capsule authentication.
(Hopefully Masami will help here.)

The syntax will look like:
  mkeficapsule -m -P -C -r

-Takahiro Akashi

> It should be sufficient to describe the steps used by U-Boot's test
> script here.
>
> Best regards
>
> Heinrich
>
> >
> >Thank you,
> >
> >> Furthermore, I believe, it is fairly straightforward to add a native
> >> 'signing' feature to mkeficapsule if you use the openssl library.
> >>
> >> -Takahiro Akashi
> >>
> >>
> >> > I am working on adding support for the latest version of the
> >> > EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule
> >> > script in edk2. Meanwhile, would it be possible to have support for
> >> > version 2 of this header in the capsule driver -- it is a minor
> >> > change and I already have a patch for it. If you are fine, I can
> >> > submit a patch for the same.
> >> >
> >> > -sughosh
> >> >
> >> >
> >> > >
> >> > > Best regards
> >> > >
> >> > > Heinrich
> >> > >
> >> > > >
> >> > > > As per the UEFI specification, the capsule file needs to be
> >> > > > placed on the EFI System Partition, under the \EFI\UpdateCapsule
> >> > > > directory. The
> >> > > >
> >> > >
> >> > > >
> >
> >
> >
> >--
> >Masami Hiramatsu
>
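The thread turns on two binary-layout details: where the "AuthInfo" produced by `openssl smime -sign ... -outform DER` sits in the capsule (between the image header and the image, with UpdateImageSize covering both), and which version of EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER a capsule driver accepts (EDK II emitting one version and U-Boot checking for another is the incompatibility Sughosh and Heinrich describe). The following is an added example written for this thread, not mkeficapsule, GenerateCapsule.py or any U-Boot code: it packs and parses the FMP capsule layout from the UEFI specification, takes an already-produced PKCS#7 DER blob as input (it does not call openssl itself), and models the driver-side version check with an `accepted_versions` parameter. It assumes, from the specification's description of EFI_FIRMWARE_IMAGE_AUTHENTICATION, that the signature covers the 8-byte little-endian monotonic count followed by the raw image; the sample image and the DER bytes in `main` are constructed placeholders, not a real firmware image or a real signature.

```python
"""Pack and parse a UEFI FMP capsule:
EFI_CAPSULE_HEADER -> EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER ->
EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER -> [EFI_FIRMWARE_IMAGE_AUTHENTICATION] -> image.
Example code for the mailing-list thread; it is not mkeficapsule or GenerateCapsule.py."""
import struct
import uuid

# GUIDs and constants from the UEFI specification.
FMP_CAPSULE_GUID = uuid.UUID("6dcbd5ed-e82d-4c44-bda1-7194199ad92a")      # EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID
CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")  # EFI_CERT_TYPE_PKCS7_GUID
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
# UpdateImageTypeId used in the qemu_capsule_update.rst example from the thread.
EXAMPLE_TYPE_ID = uuid.UUID("e2bb9c06-70e9-4b14-97a3-5a7913176e3f")
# EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER size by its Version field:
# v1 = 32 bytes, v2 appends UpdateHardwareInstance (u64), v3 appends ImageCapsuleSupport (u64).
IMAGE_HEADER_SIZE = {1: 32, 2: 40, 3: 48}


def signed_data(monotonic_count: int, image: bytes) -> bytes:
    """Bytes the PKCS#7 signature covers (assumption from the spec text: MonotonicCount is
    included in the signature): 8-byte LE monotonic count followed by the raw image.
    Feed this to `openssl smime -sign -binary -outform DER -md sha256 -signer ... -certfile ...`;
    the DER written to stdout is the CertData used by auth_info() below."""
    return struct.pack("<Q", monotonic_count) + image


def auth_info(monotonic_count: int, pkcs7_der: bytes) -> bytes:
    """EFI_FIRMWARE_IMAGE_AUTHENTICATION = u64 MonotonicCount + WIN_CERTIFICATE_UEFI_GUID.
    dwLength counts the WIN_CERTIFICATE header (8), CertType GUID (16) and CertData."""
    cert_len = 4 + 2 + 2 + 16 + len(pkcs7_der)
    return (struct.pack("<QIHH", monotonic_count, cert_len, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
            + CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7_der)


def image_header(version: int, image_type_id: uuid.UUID, index: int, body_size: int,
                 hw_instance: int = 0, capsule_support: int = 0) -> bytes:
    """EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER for header versions 1, 2 and 3."""
    hdr = struct.pack("<I", version) + image_type_id.bytes_le
    # UpdateImageIndex, reserved[3], UpdateImageSize, UpdateVendorCodeSize (no vendor code here)
    hdr += struct.pack("<B3xII", index, body_size, 0)
    if version >= 2:
        hdr += struct.pack("<Q", hw_instance)
    if version >= 3:
        hdr += struct.pack("<Q", capsule_support)
    assert len(hdr) == IMAGE_HEADER_SIZE[version]
    return hdr


def build_capsule(image: bytes, image_type_id: uuid.UUID, index: int = 1, version: int = 3,
                  pkcs7_der: bytes = b"", monotonic_count: int = 1, flags: int = 0) -> bytes:
    """One payload item, no embedded drivers. When pkcs7_der is given, the authentication
    header is inserted between the image header and the image, and UpdateImageSize covers both."""
    body = auth_info(monotonic_count, pkcs7_der) + image if pkcs7_der else image
    item = image_header(version, image_type_id, index, len(body)) + body
    fmp_hdr_size = 4 + 2 + 2 + 8  # Version, EmbeddedDriverCount, PayloadItemCount, ItemOffsetList[1]
    fmp = struct.pack("<IHHQ", 1, 0, 1, fmp_hdr_size) + item  # item offset is relative to this header
    cap_hdr_size = 16 + 4 + 4 + 4  # CapsuleGuid, HeaderSize, Flags, CapsuleImageSize
    return FMP_CAPSULE_GUID.bytes_le + struct.pack("<III", cap_hdr_size, flags, cap_hdr_size + len(fmp)) + fmp


def parse_capsule(blob: bytes, accepted_versions=(1, 2, 3)) -> dict:
    """Walk the headers and return the single payload item. accepted_versions models the
    driver-side check from the thread: a driver that knows only one header version rejects the rest."""
    guid = uuid.UUID(bytes_le=bytes(blob[:16]))
    cap_hdr_size, flags, total = struct.unpack_from("<III", blob, 16)
    if guid != FMP_CAPSULE_GUID or total != len(blob):
        raise ValueError("not an FMP capsule, or CapsuleImageSize does not match the file")
    fmp = blob[cap_hdr_size:]
    fmp_ver, drivers, payloads = struct.unpack_from("<IHH", fmp, 0)
    if fmp_ver != 1 or drivers != 0 or payloads != 1:
        raise ValueError("unsupported FMP capsule layout")
    (off,) = struct.unpack_from("<Q", fmp, 8)
    (img_ver,) = struct.unpack_from("<I", fmp, off)
    if img_ver not in accepted_versions:
        raise ValueError(f"image header version {img_ver} not supported by this driver")
    type_id = uuid.UUID(bytes_le=bytes(fmp[off + 4:off + 20]))
    index, body_size, _vendor_size = struct.unpack_from("<B3xII", fmp, off + 20)
    start = off + IMAGE_HEADER_SIZE[img_ver]
    body = bytes(fmp[start:start + body_size])
    if len(body) != body_size:
        raise ValueError("UpdateImageSize runs past the end of the capsule")
    return {"flags": flags, "version": img_ver, "type_id": type_id, "index": index, "body": body}


def split_auth(body: bytes):
    """Split an authenticated payload into (monotonic_count, pkcs7_der, image); the caller then
    verifies pkcs7_der against signed_data(monotonic_count, image)."""
    count, cert_len, rev, cert_type = struct.unpack_from("<QIHH", body, 0)
    if rev != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    if uuid.UUID(bytes_le=bytes(body[16:32])) != CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    end = 8 + cert_len
    return count, bytes(body[32:end]), bytes(body[end:])


if __name__ == "__main__":
    # Constructed sample input: not a real firmware image and not a real PKCS#7 signature.
    img = b"constructed U-Boot image payload"
    fake_der = b"\x30\x03\x02\x01\x01"
    cap = build_capsule(img, EXAMPLE_TYPE_ID, index=1, version=3, pkcs7_der=fake_der, monotonic_count=7)
    item = parse_capsule(cap)
    print(item["version"], split_auth(item["body"])[2] == img)
```

Build a v2 capsule and parse it with `accepted_versions=(3,)` to reproduce the failure mode the thread is about: the bytes are well-formed, but a driver pinned to one header version refuses them, which is why Sughosh suggests accepting v2 in the U-Boot driver as a small, separate change.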