Re: [PATCH v7 00/12] efi_loader: capsule: improve capsule authentication support

[AKASHI Takahiro <takahiro.akashi@linaro.org>]

Hi Heinrich

On Tue, Nov 16, 2021 at 01:32:26PM +0900, AKASHI Takahiro wrote:
> As I proposed and discussed in [1] and [2], I have made a couple of
> improvements on the current implementation of capsule update in this
> patch set.

For this version(v7), I have seen your review comments only
on patch#1 and #2.
Please take your time to review the rest (the main part of
commits) as well.
I don't want to respin the patch series and post its new version
which is almost the same as the old one(v7).

-Takahiro Akashi


> * add signing feature to mkeficapsule
> * add "--guid" option to mkeficapsule
> * add man page of mkeficapsule
> * update uefi document regarding capsule update
> * revise pytests
> * (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH
> 
> # We have had some discussion about fdtsig.sh.
> # So RFCs (patch#11,#12) are still included for further discussion
> # if they are useful or not.
> # For smooth merge, the rest (patch#1-10) should work without them.
> 
> [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> 
> Prerequisite patches
> ====================
> None
> 
> Test
> ====
> * locally passed the pytest which is included in this patch series
>   on sandbox built.
>   (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
>   in order to exercise the authentication code.)
> 
> Changes
> =======
> v7 (Nov 16, 2021)
> * rebased on pre-v2022.01-rc2
> * drop already-merged patch
> * check for a size of firmware binary file (patch#1)
> * enable mkeficapsule in tools-only_defconfig (patch#2)
> * define eficapsule.h and include it from mkeficapsule (patch#3)
>   Hopefully, the tool can now compile on non-linux host.
> 
> v6 (Nov 02, 2021)
> * rebased on pre-v2022.01-rc1
> * add patch#2 to rework/refactor the code for better readability (patch#2)
> * use exit(EXIT_SUCCESS/FAILURE) (patch#3)
> * truncate >80chars lines in pytest scripts (patch#6)
> 
> v5 (Oct 27, 2021)
> * rebased on pre-v2022.01-rc1 (WIP/26Oct2021)
> * drop already-merged patches
> * drop __weak from efi_get_public_key_data() (patch#1)
> * describe the format of public key node in device tree (patch#4)
> * re-order patches by grouping closely-related patches (patch#6-8)
> * modify pytest to make the test results correctly verified
>   either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9)
> * add RFCs for embedding public keys during the build process (patch#10,11)
> 
> v4 (Oct 7, 2021)
> * rebased on v2021.10
> * align with "Revert "efi_capsule: Move signature from DTB to .rodata""
> * add more missing *revert* commits (patch#1,#2,#3)
> * add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
> * update/revise the man/uefi doc (patch#6,#7)
> * fix a bug in parsing guid string (patch#8)
> * add a test for "--guid" option (patch#10)
> * use dtb-based authentication test as done in v1 (patch#11)
> 
> v3 (Aug 31, 2021)
> * rebased on v2021.10-rc3
> * remove pytest-related patches
> * add function descriptions in mkeficapsule.c
> * correct format specifiers in printf()
> * let main() return 0 or -1 only
> * update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule
> 
> v2 (July 28, 2021)
> * rebased on v2021.10-rc*
> * removed dependency on target's configuration
> * removed fdtsig.sh and others
> * add man page
> * update the UEFI document
> * add dedicate defconfig for testing on sandbox
> * add gitlab CI support
> * add "--guid" option to mkeficapsule
>   (yet rather RFC)
> 
> Initial release (May 12, 2021)
> * based on v2021.07-rc2
> 
> AKASHI Takahiro (12):
>   tools: mkeficapsule: rework the code a little bit
>   tools: build mkeficapsule with tools-only_defconfig
>   tools: mkeficapsule: add firmwware image signing
>   tools: mkeficapsule: add man page
>   doc: update UEFI document for usage of mkeficapsule
>   test/py: efi_capsule: add image authentication test
>   tools: mkeficapsule: allow for specifying GUID explicitly
>   test/py: efi_capsule: align with the syntax change of mkeficapsule
>   test/py: efi_capsule: add a test for "--guid" option
>   test/py: efi_capsule: check the results in case of
>     CAPSULE_AUTHENTICATE
>   (RFC) tools: add fdtsig.sh
>   (RFC) efi_loader, dts: add public keys for capsules to device tree
> 
>  MAINTAINERS                                   |   2 +
>  configs/tools-only_defconfig                  |   1 +
>  doc/develop/uefi/uefi.rst                     | 143 ++--
>  doc/mkeficapsule.1                            | 107 +++
>  dts/Makefile                                  |  23 +-
>  lib/efi_loader/Kconfig                        |   7 +
>  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
>  test/py/tests/test_efi_capsule/conftest.py    |  59 +-
>  test/py/tests/test_efi_capsule/signature.dts  |  10 +
>  .../test_efi_capsule/test_capsule_firmware.py |  91 ++-
>  .../test_capsule_firmware_signed.py           | 254 +++++++
>  tools/Kconfig                                 |   8 +
>  tools/Makefile                                |   8 +-
>  tools/eficapsule.h                            | 115 +++
>  tools/fdtsig.sh                               |  40 ++
>  tools/mkeficapsule.c                          | 680 +++++++++++++++---
>  16 files changed, 1360 insertions(+), 193 deletions(-)
>  create mode 100644 doc/mkeficapsule.1
>  create mode 100644 test/py/tests/test_efi_capsule/signature.dts
>  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
>  create mode 100644 tools/eficapsule.h
>  create mode 100755 tools/fdtsig.sh
> 
> -- 
> 2.33.0
>