Date: Mon, 2 Aug 2021 14:00:05 +0900
From: AKASHI Takahiro
To: Heinrich Schuchardt
Cc: agraf@csgraf.de, trini@konsulko.com, sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de
Subject: Re: [PATCH v2 0/9] efi_loader: capsule: improve capsule authentication support
Message-ID: <20210802050005.GE7965@laputa>
References: <20210727091054.512050-1-takahiro.akashi@linaro.org>

Heinrich,

On Sun, Aug 01, 2021 at 11:40:14AM +0200, Heinrich Schuchardt wrote:
> On 7/27/21 11:10 AM, AKASHI Takahiro wrote:
> > As I proposed and discussed in [1] and [2], I have made a couple of
> > improvements on the current implementation of capsule update in this
> > patch set.
> >
> > * add signing feature to mkeficapsule
> > * add "--guid" option to mkeficapsule
> > * add man page of mkeficapsule
> > * add pytest for capsule authentication (on sandbox)
> >
> > NOTE:
> > Due to Ilias's commit[3], we need to have a customized configuration
> > for sandbox to properly set up and run capsule authentication test.
> > See patch#5,#6 and #7.
> >
> > [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> > [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> > [3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to
> >     .rodata")
> >
> Dear Takahiro,
>
> thanks for driving this topic. I have finished with my review and will
> be waiting for v2.

Thanks for your review comments.

I'd like to know what's your thought on Patch#8 (and #9)
as I have not seen your comment at [2] above.
It is more or less an RFC since it breaks the compatibility
of command syntax although I believe that the change is quite
useful.

-Takahiro Akashi

> Best regards
>
> Heinrich
>
> >
> > Prerequisite patches
> > ====================
> > None
> >
> > Test
> > ====
> > * locally passed the pytest which is included in this patch series
> >   on sandbox built.
> >
> > Todo
> > ====
> > * Confirm that the change in .gitlab-ci.yml works.
> > * Azure support(?)
> >
> > Changes
> > =======
> > v2 (July 28, 2021)
> > * rebased on v2021.10-rc*
> > * removed dependency on target's configuration
> > * removed fdtsig.sh and others
> > * add man page
> > * update the UEFI document
> > * add dedicate defconfig for testing on sandbox
> > * add gitlab CI support
> > * add "--guid" option to mkeficapsule
> >   (yet rather RFC)
> >
> > Initial release (May 12, 2021)
> > * based on v2021.07-rc2
> >
> > AKASHI Takahiro (9):
> >   tools: mkeficapsule: add firmwware image signing
> >   tools: mkeficapsule: add man page
> >   doc: update UEFI document for usage of mkeficapsule
> >   efi_loader: ease the file path check for public key
> >   test/py: efi_capsule: add image authentication test
> >   sandbox: add config for efi capsule authentication test
> >   GitLab: add a test rule for efi capsule authentication test
> >   tools: mkeficapsule: allow for specifying GUID explicitly
> >   test/py: efi_capsule: align with the syntax change of mkeficapsule
> >
> >  .gitlab-ci.yml                                |   6 +
> >  MAINTAINERS                                   |   1 +
> >  configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
> >  doc/develop/uefi/uefi.rst                     |  31 +-
> >  doc/mkeficapsule.1                            |  98 +++++
> >  lib/efi_loader/Makefile                       |   5 +-
> >  test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
> >  test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
> >  test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
> >  test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
> >  test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
> >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> >  test/py/tests/test_efi_capsule/conftest.py    |  39 +-
> >  .../test_capsule_firmware_signed.py           | 228 +++++++++++
> >  tools/Kconfig                                 |   7 +
> >  tools/Makefile                                |   8 +-
> >  tools/mkeficapsule.c                          | 368 ++++++++++++++++--
> >  17 files changed, 1129 insertions(+), 68 deletions(-)
> >  create mode 100644 configs/sandbox_capsule_auth_defconfig
> >  create mode 100644 doc/mkeficapsule.1
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
> >  create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
> >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> >
>