public inbox for u-boot@lists.denx.de
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org,
	masami.hiramatsu@linaro.org, u-boot@lists.denx.de,
	agraf@csgraf.de
Subject: Re: [PATCH v3 3/5] doc: update UEFI document for usage of mkeficapsule
Date: Thu, 2 Sep 2021 18:22:07 +0900
Message-ID: <20210902092207.GD71098@laputa>
In-Reply-To: <77787379-8f94-bba7-4a76-029844cc70d9@gmx.de>

On Tue, Aug 31, 2021 at 08:07:18AM +0200, Heinrich Schuchardt wrote:
> On 8/31/21 4:46 AM, AKASHI Takahiro wrote:
> > Now we can use mkeficapsule command instead of EDK-II's script
> > to create a signed capsule file. So update the instruction for
> > capsule authentication.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >   doc/develop/uefi/uefi.rst | 31 ++++++++++++++-----------------
> >   1 file changed, 14 insertions(+), 17 deletions(-)
> > 
> > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> > index 64fe9346c7f2..5ccb455da984 100644
> > --- a/doc/develop/uefi/uefi.rst
> > +++ b/doc/develop/uefi/uefi.rst
> > @@ -347,23 +347,20 @@ and used by the steps highlighted below::
> >               -keyout CRT.key -out CRT.crt -nodes -days 365
> >           $ cert-to-efi-sig-list CRT.crt CRT.esl
> > 
> > -        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
> > -        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
> > -
> > -        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
> > -        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
> > -
> > -The capsule file can be generated by using the GenerateCapsule.py
> > -script in EDKII::
> > -
> > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> > -      <capsule_file_name> --monotonic-count <val> --fw-version \
> > -      <val> --lsv <val> --guid \
> > -      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
> > -      --update-image-index <val> --signer-private-cert \
> > -      /path/to/CRT.pem --trusted-public-cert \
> > -      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
> > -      <u-boot.bin>
> > +The signed capsule file can be generated by using tools/mkeficapsule.
> > +To build this tool, enable::
> > +
> > +    CONFIG_TOOLS_MKEFICAPSULE=y
> > +    CONFIG_TOOLS_LIBCRYPTO=y
> > +
> > +To generate and sign the capsule file::
> > +
> > +    $ mkeficapsule --monotonic-count 1 \
> > +      --private-key CRT.key \
> > +      --certificate CRT.crt \
> > +      --index 1 --instance 0 \
> > +      [--fit <FIT image> | --raw <raw image>] \
> > +      <capsule_file_name>
> 
> Patch 1 allows signed and unsigned capsules. So both should be described
> here.

Sughosh's original doc doesn't have a description for the *unsigned* case,
but adding some is not a big deal.

-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> > 
> >   Place the capsule generated in the above step on the EFI System
> >   Partition under the EFI/UpdateCapsule directory
> > 
> 
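
Review bot: the new mkeficapsule example hard-codes `--monotonic-count 1`, `--index 1` and `--instance 0`, where the removed GenerateCapsule text used `<val>` placeholders, and nothing in the added lines says what these values mean or when a reader should change them. Either switch back to placeholders or add a sentence per option, since readers will copy the command verbatim. The square brackets in `[--fit <FIT image> | --raw <raw image>]` also read as "optional"; if one of the two is required, write the alternatives in a form that says so, or give one command per image type. Finally, the context line above generates CRT.key with `-nodes`, and that unencrypted key is now passed straight to `--private-key`, so a short remark that the key stays on the signing host and only CRT.esl goes to the device would fit here.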
