From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 2A8C1C433EF for ; Thu, 25 Nov 2021 06:02:51 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id BD618811D2; Thu, 25 Nov 2021 07:02:48 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="MiKMMdx0"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 6203380646; Thu, 25 Nov 2021 07:02:46 +0100 (CET) Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 470C180646 for ; Thu, 25 Nov 2021 07:02:42 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pj1-x1030.google.com with SMTP id iq11so4392932pjb.3 for ; Wed, 24 Nov 2021 22:02:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to; bh=0lJHf804QWyEpkhjAU40RZMUp4bkokv4lkhB3gy8IK0=; b=MiKMMdx0NvDpbdXwGY0b4xkLCpDTQ+n2lfULAOIN+OB6DDX14nOagzePLJEUmd6jbd EI12jEiSm6agAU3wVK36v0/x3GpLAz3tH/M5kEJBSIusUzOF0bszaBzDPolZSc4WUCTa 92OvH+Mwz5ovqkuXA5W2kJmLcRSpiMhUU2ISlVX05W27ze0aworPwQc8ZKej1lEv8K35 am0tH5NmzBWijHRgtuVs5Ls2vtSRAbO2chCTyavlwXkL8WXD+I0daT3OiErKvyI2A/D6 IK/PnSzOku8eQoPNOK3VHs+6YeWfzYhkTl6MWT6TfJW6mNMD2R7Cn0mAmzToOtKJc7ZO g7Yw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :in-reply-to; bh=0lJHf804QWyEpkhjAU40RZMUp4bkokv4lkhB3gy8IK0=; b=4AdwiSXXpUX8TWGVg/uoL7N5mXCkNY8P2HLeXOCPwj0wxac3m4uRay9U8/ti0YhO0Z lRvBDN75ASeU4iev2mM9PmW6fghQuR2MjP52/bBKc7YkmsC7rh4R9MjccYCsXLTTOCSP jmgi3fLHHOMYlJuxQOMZEtExJ+GNLMu9swQMqr4iDe6SSeM/GvU1HVPWW5Nf1kh1d21b LqSh/j9dzDEnTPcq1S0xwdcpahVk/KHKldDZI33/Rxyyqz8mMAVkAqx+tKVtR5bupOVZ Mq1WgL+FcLeW1nAzOAh/sE3sHfDvR+hnyOj8aOZ509cLJLv4hCEjwB/xwgW0B96K5CYi yNAg== X-Gm-Message-State: AOAM531eaGeB/b0R6+Tlp7rkpSyDxR9YFXv9eZosK6GsRKUYhb+0kMlg ii2apl2CKp5TWsfR3tQbgxEkBA== X-Google-Smtp-Source: ABdhPJyqaD5tRngbaQkWAATwpaXUnkFMg+Hp7BfKJMNJOjgUuExcnUZIpgMnLizGPzp0A6DOFhlu2Q== X-Received: by 2002:a17:90b:1b04:: with SMTP id nu4mr4197442pjb.72.1637820160327; Wed, 24 Nov 2021 22:02:40 -0800 (PST) Received: from laputa ([2400:4050:c3e1:100:9d66:8551:f924:19ea]) by smtp.gmail.com with ESMTPSA id f7sm1686026pfv.89.2021.11.24.22.02.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Nov 2021 22:02:39 -0800 (PST) Date: Thu, 25 Nov 2021 15:02:35 +0900 From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de Subject: Re: [PATCH v7 00/12] efi_loader: capsule: improve capsule authentication support Message-ID: <20211125060235.GD41281@laputa> Mail-Followup-To: AKASHI Takahiro , xypron.glpk@gmx.de, agraf@csgraf.de, sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de References: <20211116043238.67226-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20211116043238.67226-1-takahiro.akashi@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.37 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Hi Heinrich On Tue, Nov 16, 2021 at 01:32:26PM +0900, AKASHI Takahiro wrote: > As I proposed and discussed in [1] and [2], I have made a couple of > improvements on the current implementation of capsule update in this > patch set. For this version(v7), I have seen your review comments only on patch#1 and #2. Please take your time to review the rest (the main part of commits) as well. I don't want to respin the patch series and post its new version which is almost the same as the old one(v7). -Takahiro Akashi > * add signing feature to mkeficapsule > * add "--guid" option to mkeficapsule > * add man page of mkeficapsule > * update uefi document regarding capsule update > * revise pytests > * (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH > > # We have had some discussion about fdtsig.sh. > # So RFCs (patch#11,#12) are still included for further discussion > # if they are useful or not. > # For smooth merge, the rest (patch#1-10) should work without them. > > [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html > [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html > > Prerequisite patches > ==================== > None > > Test > ==== > * locally passed the pytest which is included in this patch series > on sandbox built. > (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on > in order to exercise the authentication code.) > > Changes > ======= > v7 (Nov 16, 2021) > * rebased on pre-v2022.01-rc2 > * drop already-merged patch > * check for a size of firmware binary file (patch#1) > * enable mkeficapsule in tools-only_defconfig (patch#2) > * define eficapsule.h and include it from mkeficapsule (patch#3) > Hopefully, the tool can now compile on non-linux host. > > v6 (Nov 02, 2021) > * rebased on pre-v2022.01-rc1 > * add patch#2 to rework/refactor the code for better readability (patch#2) > * use exit(EXIT_SUCCESS/FAILURE) (patch#3) > * truncate >80chars lines in pytest scripts (patch#6) > > v5 (Oct 27, 2021) > * rebased on pre-v2022.01-rc1 (WIP/26Oct2021) > * drop already-merged patches > * drop __weak from efi_get_public_key_data() (patch#1) > * describe the format of public key node in device tree (patch#4) > * re-order patches by grouping closely-related patches (patch#6-8) > * modify pytest to make the test results correctly verified > either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9) > * add RFCs for embedding public keys during the build process (patch#10,11) > > v4 (Oct 7, 2021) > * rebased on v2021.10 > * align with "Revert "efi_capsule: Move signature from DTB to .rodata"" > * add more missing *revert* commits (patch#1,#2,#3) > * add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4) > * update/revise the man/uefi doc (patch#6,#7) > * fix a bug in parsing guid string (patch#8) > * add a test for "--guid" option (patch#10) > * use dtb-based authentication test as done in v1 (patch#11) > > v3 (Aug 31, 2021) > * rebased on v2021.10-rc3 > * remove pytest-related patches > * add function descriptions in mkeficapsule.c > * correct format specifiers in printf() > * let main() return 0 or -1 only > * update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule > > v2 (July 28, 2021) > * rebased on v2021.10-rc* > * removed dependency on target's configuration > * removed fdtsig.sh and others > * add man page > * update the UEFI document > * add dedicate defconfig for testing on sandbox > * add gitlab CI support > * add "--guid" option to mkeficapsule > (yet rather RFC) > > Initial release (May 12, 2021) > * based on v2021.07-rc2 > > AKASHI Takahiro (12): > tools: mkeficapsule: rework the code a little bit > tools: build mkeficapsule with tools-only_defconfig > tools: mkeficapsule: add firmwware image signing > tools: mkeficapsule: add man page > doc: update UEFI document for usage of mkeficapsule > test/py: efi_capsule: add image authentication test > tools: mkeficapsule: allow for specifying GUID explicitly > test/py: efi_capsule: align with the syntax change of mkeficapsule > test/py: efi_capsule: add a test for "--guid" option > test/py: efi_capsule: check the results in case of > CAPSULE_AUTHENTICATE > (RFC) tools: add fdtsig.sh > (RFC) efi_loader, dts: add public keys for capsules to device tree > > MAINTAINERS | 2 + > configs/tools-only_defconfig | 1 + > doc/develop/uefi/uefi.rst | 143 ++-- > doc/mkeficapsule.1 | 107 +++ > dts/Makefile | 23 +- > lib/efi_loader/Kconfig | 7 + > .../py/tests/test_efi_capsule/capsule_defs.py | 5 + > test/py/tests/test_efi_capsule/conftest.py | 59 +- > test/py/tests/test_efi_capsule/signature.dts | 10 + > .../test_efi_capsule/test_capsule_firmware.py | 91 ++- > .../test_capsule_firmware_signed.py | 254 +++++++ > tools/Kconfig | 8 + > tools/Makefile | 8 +- > tools/eficapsule.h | 115 +++ > tools/fdtsig.sh | 40 ++ > tools/mkeficapsule.c | 680 +++++++++++++++--- > 16 files changed, 1360 insertions(+), 193 deletions(-) > create mode 100644 doc/mkeficapsule.1 > create mode 100644 test/py/tests/test_efi_capsule/signature.dts > create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py > create mode 100644 tools/eficapsule.h > create mode 100755 tools/fdtsig.sh > > -- > 2.33.0 >