From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Simon Glass <sjg@chromium.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
Alex Graf <agraf@csgraf.de>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Sughosh Ganu <sughosh.ganu@linaro.org>,
Masami Hiramatsu <masami.hiramatsu@linaro.org>,
U-Boot Mailing List <u-boot@lists.denx.de>
Subject: Re: [PATCH v5 02/11] tools: mkeficapsule: add firmwware image signing
Date: Thu, 4 Nov 2021 11:59:45 +0900
Message-ID: <20211104025945.GE46422@laputa>
In-Reply-To: <CAPnjgZ0F4B-3y-9kmJ1bZBqAZH0+Az3JDNj9nzqPFPJYJLHAag@mail.gmail.com>

On Tue, Nov 02, 2021 at 08:56:50AM -0600, Simon Glass wrote:
> Hi Takahiro,
>
> On Thu, 28 Oct 2021 at 22:56, AKASHI Takahiro
> <takahiro.akashi@linaro.org> wrote:
> >
> > On Thu, Oct 28, 2021 at 09:17:45PM -0600, Simon Glass wrote:
> > > Hi Takahiro,
> > >
> > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
> > > <takahiro.akashi@linaro.org> wrote:
> > > >
> > > > With this enhancement, mkeficapsule will be able to sign a capsule
> > > > file when it is created. A signature added will be used later
> > > > in the verification at FMP's SetImage() call.
> > > >
> > > > To do that, we need to specify additional command parameters:
> > > > -monotonic-cout <count> : monotonic count
> > > > -private-key <private key file> : private key file
> > > > -certificate <certificate file> : certificate file
> > > > Only when all of those parameters are given, a signature will be added
> > > > to a capsule file.
> > > >
> > > > Users are expected to maintain and increment the monotonic count at
> > > > every time of the update for each firmware image.
> > > >
> > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > ---
> > > > tools/Kconfig | 8 +
> > > > tools/Makefile | 8 +-
> > > > tools/mkeficapsule.c | 435 +++++++++++++++++++++++++++++++++++++++----
> > > > 3 files changed, 417 insertions(+), 34 deletions(-)
> > >
> > > Reviewed-by: Simon Glass <sjg@chromium.org>
> >
> > Thank you for your reviewing.
> >
> > > This looks OK but I have some suggestions
> > >
> > > - I don't think you should return -1 from main
> >
> > exit(EXIT_FAILURE)?
> > Yeah, but when I first wrote this tool (without authentication support),
> > 'return -1' was used everywhere. So I didn't want to have mixed styles
> > in this patch.
> > I will make a change with the tweak below.
>
> OK. I just mean that I think the return code is supposed to be 1 or 2
> or maybe 3 on error, not 255.
>
> >
> > > - could you split up your create_fwbin() to return the number of gotos?
> >
> > Yeah, lots of gotos are messy.
> >
> > > - could we have a man page for the tool?
> >
> > Patch#3
>
> OK
>
> >
> > > - should the files be opened in binary mode?
> >
> > Well, the man page of fopen() says,
> > This is strictly for compatibility with C89 and has no effect;
> > the 'b' is ignored on all POSIX conforming systems, including Linux.
> >
> > U-Boot now requires C11, and so no need?
>
> Ah OK. I suppose no one builds this on Windows.
>
> >
> > > - can we just build the tool always?
> >
> > This is one of my questions.
> > Why do you want to do so while there are a bunch of tools that are
> > not always built?
>
> Because I think all tools should be built always. It is fine if that
> happens due to CONFIG options but we should try to avoid making it
> complicated.
>
> >
> > # I saw some discussion in another topic thread, and some distro guy said
> > # that they used sandbox_defconfig for tool packaging.
>
> What about tools-only ?
>
> So long as the options are enabled it is fine to have options for the
> tools. But I think we should try to build all the tools.

I forgot to add CMD_MKEFITOOL in tools-only_defconfig in v6.
If I need to send v7, I will include it, otherwise send it in a separate patch.

-Takahiro Akashi

> Regards,
> Simon