Re: [PATCH v5 04/11] doc: update UEFI document for usage of mkeficapsule

[AKASHI Takahiro <takahiro.akashi@linaro.org>]

On Thu, Nov 04, 2021 at 09:11:51AM -0600, Simon Glass wrote:
> Hi Takahiro,
> 
> On Wed, 3 Nov 2021 at 19:49, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> >
> > On Tue, Nov 02, 2021 at 08:57:48AM -0600, Simon Glass wrote:
> > > Hi Takahiro,
> > >
> > > On Thu, 28 Oct 2021 at 23:20, AKASHI Takahiro
> > > <takahiro.akashi@linaro.org> wrote:
> > > >
> > > > On Thu, Oct 28, 2021 at 09:17:48PM -0600, Simon Glass wrote:
> > > > > Hi Takahiro,
> > > > >
> > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
> > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > >
> > > > > > Now we can use mkeficapsule command instead of EDK-II's script
> > > > > > to create a signed capsule file. So update the instruction for
> > > > > > capsule authentication.
> > > > > >
> > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > > > ---
> > > > > >  doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++--------------------
> > > > > >  1 file changed, 67 insertions(+), 76 deletions(-)
> > > > >
> > > > > Reviewed-by: Simon Glass <sjg@chromium.org>
> > > > >
> > > > > thoughts below
> > > > >
> > > > > >
> > > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> > > > > > index f17138f5c765..864d61734bee 100644
> > > > > > --- a/doc/develop/uefi/uefi.rst
> > > > > > +++ b/doc/develop/uefi/uefi.rst
> > > > > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which
> > > > > >  enables updating the U-Boot image using the UEFI firmware management
> > > > > >  protocol (FMP). The capsules are not passed to the firmware through
> > > > > >  the UpdateCapsule runtime service. Instead, capsule-on-disk
> > > > > > -functionality is used for fetching the capsule from the EFI System
> > > > > > -Partition (ESP) by placing the capsule file under the
> > > > > > -\EFI\UpdateCapsule directory.
> > > > > > -
> > > > > > -The directory \EFI\UpdateCapsule is checked for capsules only within the
> > > > > > -EFI system partition on the device specified in the active boot option
> > > > > > -determined by reference to BootNext variable or BootOrder variable processing.
> > > > > > -The active Boot Variable is the variable with highest priority BootNext or
> > > > > > -within BootOrder that refers to a device found to be present. Boot variables
> > > > > > -in BootOrder but referring to devices not present are ignored when determining
> > > > > > -active boot variable.
> > > > > > -Before starting a capsule update make sure your capsules are installed in the
> > > > > > -correct ESP partition or set BootNext.
> > > > > > +functionality is used for fetching capsules from the EFI System
> > > > > > +Partition (ESP) by placing capsule files under the directory::
> > > > > > +
> > > > > > +    \EFI\UpdateCapsule
> > > > >
> > > > > Can we use forward slashes please?
> > > > >
> > > > > What is a backslash, even? DOS? Windows?
> > > >
> > > > UEFI specification.
> > > > In this document, all the file paths are presented with backslashes.
> > > > (See section 8.5.5 in version 2.9)
> > > >
> > > > Anyhow U-Boot UEFI internally converts the path with slashes.
> > >
> > > So do we need to use backslashes in U-Boot and in the docs? Can we use
> > > a forward slash instead? I had hoped those days were behind us. The
> > > backslash is used for C escapes, after all.
> >
> > I'd defer to the maintainer, Heinrich here.
> >
> > > >
> > > > > > +
> > > > > > +The directory is checked for capsules only within the
> > > > > > +EFI system partition on the device specified in the active boot option,
> > > > > > +which is determined by BootXXXX variable in BootNext, or if not, the highest
> > > > > > +priority one within BootOrder. Any BootXXXX variables referring to devices
> > > > > > +not present are ignored when determining the active boot option.
> > > > > > +
> > > > > > +Please note that capsules will be applied in the alphabetic order of
> > > > > > +capsule file names.
> > > > > > +
> > > > > > +Creating a capsule file
> > > > > > +***********************
> > > > > > +
> > > > > > +A capsule file can be created by using tools/mkeficapsule.
> > > > > > +To build this tool, enable::
> > > > > > +
> > > > > > +    CONFIG_TOOLS_MKEFICAPSULE=y
> > > > > > +    CONFIG_TOOLS_LIBCRYPTO=y
> > > > > > +
> > > > > > +Run the following command::
> > > > > > +
> > > > > > +    $ mkeficapsule \
> > > > > > +      --index 1 --instance 0 \
> > > > > > +      [--fit <FIT image> | --raw <raw image>] \
> > > > > > +      <capsule_file_name>
> > > > > >
> > > > > >  Performing the update
> > > > > >  *********************
> > > > > >
> > > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig
> > > > > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable
> > > > > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule.
> > > > > > -
> > > > > > -If that option is disabled, you'll need to set the OsIndications variable with::
> > > > > > +Put capsule files under the directory mentioned above.
> > > > > > +Then, following the UEFI specification, you'll need to set
> > > > > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
> > > > > > +bit in OsIndications variable with::
> > > > > >
> > > > > >      => setenv -e -nv -bs -rt -v OsIndications =0x04
> > > > > >
> > > > > > -Finally, the capsule update can be initiated either by rebooting the board,
> > > > > > -which is the preferred method, or by issuing the following command::
> > > > > > +Since U-boot doesn't currently support SetVariable at runtime, its value
> > > > > > +won't be taken over across the reboot. If this is the case, you can skip
> > > > > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS)
> > > > > > +set.
> > > > > >
> > > > > > -    => efidebug capsule disk-update
> > > > > > -
> > > > > > -**The efidebug command is should only be used during debugging/development.**
> > > > > > +Finally, the capsule update can be initiated by rebooting the board.
> > > > > >
> > > > > >  Enabling Capsule Authentication
> > > > > >  *******************************
> > > > > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature
> > > > > >  is computed and prepended to the capsule payload at the time of
> > > > > >  capsule generation. This signature is then verified by using the
> > > > > >  public key stored as part of the X509 certificate. This certificate is
> > > > > > -in the form of an efi signature list (esl) file, which is embedded as
> > > > > > -part of U-Boot.
> > > > > > +in the form of an efi signature list (esl) file, which is embedded in
> > > > > > +a device tree.
> > > > > >
> > > > > >  The capsule authentication feature can be enabled through the
> > > > > >  following config, in addition to the configs listed above for capsule
> > > > > >  update::
> > > > > >
> > > > > >      CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> > > > > > -    CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
> > > > > >
> > > > > >  The public and private keys used for the signing process are generated
> > > > > > -and used by the steps highlighted below::
> > > > > > +and used by the steps highlighted below.
> > > > > >
> > > > > > -    1. Install utility commands on your host
> > > > > > -       * OPENSSL
> > > > > > +1. Install utility commands on your host
> > > > > > +       * openssl
> > > > > >         * efitools
> > > > > >
> > > > > > -    2. Create signing keys and certificate files on your host
> > > > > > +2. Create signing keys and certificate files on your host::
> > > > > >
> > > > > >          $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
> > > > > >              -keyout CRT.key -out CRT.crt -nodes -days 365
> > > > > >          $ cert-to-efi-sig-list CRT.crt CRT.esl
> > > > > >
> > > > > > -        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
> > > > > > -        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
> > > > > > -
> > > > > > -        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
> > > > > > -        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
> > > > > > -
> > > > > > -The capsule file can be generated by using the GenerateCapsule.py
> > > > > > -script in EDKII::
> > > > > > -
> > > > > > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> > > > > > -      <capsule_file_name> --monotonic-count <val> --fw-version \
> > > > > > -      <val> --lsv <val> --guid \
> > > > > > -      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
> > > > > > -      --update-image-index <val> --signer-private-cert \
> > > > > > -      /path/to/CRT.pem --trusted-public-cert \
> > > > > > -      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
> > > > > > -      <u-boot.bin>
> > > > > > -
> > > > > > -Place the capsule generated in the above step on the EFI System
> > > > > > -Partition under the EFI/UpdateCapsule directory
> > > > > > -
> > > > > > -Testing on QEMU
> > > > > > -***************
> > > > > > +3. Run the following command to create and sign the capsule file::
> > > > > >
> > > > > > -Currently, support has been added on the QEMU ARM64 virt platform for
> > > > > > -updating the U-Boot binary as a raw image when the platform is booted
> > > > > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this
> > > > > > -configuration, the QEMU platform needs to be booted with
> > > > > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR
> > > > > > -flash at offset 0x0. The U-Boot environment is placed on the second
> > > > > > -NOR flash bank at offset 0x4000000.
> > > > > > +    $ mkeficapsule --monotonic-count 1 \
> > > > > > +      --private-key CRT.key \
> > > > > > +      --certificate CRT.crt \
> > > > > > +      --index 1 --instance 0 \
> > > > > > +      [--fit <FIT image> | --raw <raw image>] \
> > > > > > +      <capsule_file_name>
> > > > > >
> > > > > > -The capsule update feature is enabled with the following configuration
> > > > > > -settings::
> > > > > > +4. Insert the signature list into a device tree in the following format::
> > > > > >
> > > > > > -    CONFIG_MTD=y
> > > > > > -    CONFIG_FLASH_CFI_MTD=y
> > > > > > -    CONFIG_CMD_MTDPARTS=y
> > > > > > -    CONFIG_CMD_DFU=y
> > > > > > -    CONFIG_DFU_MTD=y
> > > > > > -    CONFIG_PCI_INIT_R=y
> > > > > > -    CONFIG_EFI_CAPSULE_ON_DISK=y
> > > > > > -    CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
> > > > > > -    CONFIG_EFI_CAPSULE_FIRMWARE=y
> > > > > > -    CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> > > > > > +        {
> > > > > > +                signature {
> > > > > > +                        capsule-key = [ <binary of signature list> ];
> > > > > > +                }
> > > > >
> > >
> > > > > Can you add this feature to binman? A new entry type that takes the
> > > > > capsule key could do it. We need some way of handling this a bit
> > > > > better.
> > > >
> > > > As I said in the previous version, I don't know yet if binman
> > > > is the best place.
> > > > Can you give me a pointer where a similar feature is implemented
> > > > in binman, please?
> > >
> > > See tools/binman/etype/vblock.py
> >
> > I'll check it out.
> >
> > > >
> > > >
> > > > > > +                ...
> > > > > > +        }
> > > > > >
> > > > > > -In addition, the following config needs to be disabled(QEMU ARM specific)::
> > > > > > +   You can do this manually with::
> > > > > >
> > > > > > -    CONFIG_TFABOOT
> > > > > > +    $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
> > > > > > +    $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
> > > > > >
> > > > > > -The capsule file can be generated by using the tools/mkeficapsule::
> > > > > > +   where signature.dts looks like::
> > > > > >
> > > > > > -    $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
> > > > > > +        &{/} {
> > > > > > +                signature {
> > > > > > +                        capsule-key = /incbin/("CRT.esl");
> > > > > > +                };
> > > > > > +        };
> > > > >
> > > > > Ick. I think your tool should just support adding the signature.
> > > >
> > > > # I may misunderstand your point.
> > > >
> > > > The whole purpose of this tool is to create a capsule file.
> > > > Adding the signature to that file is simply an optional behavior.
> > > > I don't see any reason that we should have those features in
> > > > separate tools.
> > > >
> > > > On the other hand, step.4 mentioned above is to add public keys (x509
> > > > certificate list or signature list in UEFI terminology) to a device tree.
> > > > This is a separate step.
> > > > Clear?
> > >
> > > It just seems a pain to create a DT overlay to add the signature.
> >
> > Pain in what sense?
> > I have provided fdtsig.sh to avoid bothering users.
> >
> > > I hope Binman can help here if you don't want to put it in your tool.
> > > I can write something if it would help.
> >
> > I think it's up to you to add the feature to binman,
> > but also believe we should not and don't have to impose always
> > using binman for this purpose on everyone, thinking of
> > various situations that users may have.
> 
> I am reading TLOTR at present so this came to mind...
> 
> https://www.youtube.com/watch?v=wcASKPX1Ot8

OK, you don't rob me of my mkeficapsule, but help me :)

-Takahiro Akashi


> What I would like is a simple way to build an image automatically,
> with as few steps as possible and have it work. For U-Boot we are
> trying to use binman internally, but binman can also be used for the
> 'final step'.
> 
> See this talk. There is also a video somewhere.
> 
> https://2019.osfc.io/talks/binman-a-data-controlled-firmware-packer-for-u-boot.html
> 
> Let's try to collaborate on the firmware packaging. It is the wild
> west at present and the series you have here shows some of the
> challenges.
> 
> Regards,
> Simon