From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 4E8B1C433F5 for ; Fri, 7 Jan 2022 02:21:00 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 544E4833CD; Fri, 7 Jan 2022 03:20:57 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="R9yvdja6"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id B6B6083065; Fri, 7 Jan 2022 03:20:55 +0100 (CET) Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id EAEE5834A3 for ; Fri, 7 Jan 2022 03:20:51 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pg1-x52d.google.com with SMTP id t32so4192011pgm.7 for ; Thu, 06 Jan 2022 18:20:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to; bh=Udrdk1H0ECIZdqskRUT9BJqCljJuOx0PKh7ZvAVO9QI=; b=R9yvdja6zm6rGirBnWzP33dfOjOlKfqmByCwHzbOaItwrSukCuTSVpbdWWr2MIZ+MB fo+2XqJf9UShpOHPtjDcO/aow6/OC90DQcPWv1FUwyIcLuKXXOAY/E7ZwN141dcK2Ml4 /MMhpEdvMheQYCV6m0pSJ5vknEjsZmq+IBSGWjOepmbr5/ejPnCaU0d8ZdqPrc9gYOH/ MiQfv+1G8DL7QQUqbt+aBcGHMXlNJvwTtWgUvAceKTKPTwTRvANTQC6UQ5m7T1qWbE5S MU52npvgeyAAIjkCuSeDPK76ombPoukKEm2sOdIOB+AV4ezhQo/fBKchfINiWlUD4d5q 0/Fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :in-reply-to; bh=Udrdk1H0ECIZdqskRUT9BJqCljJuOx0PKh7ZvAVO9QI=; b=h45js1nyxUfzcojRrD9bpTNmSsUqR0YE0kdfZiiZHmTfDobsneLjcWb6Vj84Ts2rr/ vOjyUu2BS2UeTpS65D3c8R7FMeRqvwQv4bwBjXUx7uHjxxvD2Ehv4AnbNfIGGeX+VB+b G8NNvAnoe3ARARWjTxHtsAqkvxwf9J5I1LwuJs5UpcMoNCWMfm5c3Q7fiI0pKmVSoa5K ZDZliiHbgpx7RIs9aqGXY0ABOGSh92uHwa2BgyIdCpFzyywdTy6hXuFZ0XGlMFzQO+fn hVyAdRO+6ho57FIR7X3wmKVwCL6eI4D2xMm8Bd56U5aFGA6rqxKYXxz80r2oJ8CMgm29 TFgA== X-Gm-Message-State: AOAM531SPwxxZTl3Yfoa3wCVCIiCVE+krf2vhMiDum7Ly4vVq0WTMdFD i+m22huJKX0Plc8R/AqSzgNEmg== X-Google-Smtp-Source: ABdhPJxRW8XemhrnI0StrPLrioC7K5rJuQ1VHeCe1bemGRbuW21TzUSaUS9cXMRTHLCQ8U0t4O3YzA== X-Received: by 2002:a62:7813:0:b0:4ba:7afa:3786 with SMTP id t19-20020a627813000000b004ba7afa3786mr62470317pfc.55.1641522049824; Thu, 06 Jan 2022 18:20:49 -0800 (PST) Received: from laputa ([2400:4050:c3e1:100:3d0f:e67a:8677:2ac8]) by smtp.gmail.com with ESMTPSA id il18sm7589580pjb.37.2022.01.06.18.20.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 06 Jan 2022 18:20:49 -0800 (PST) Date: Fri, 7 Jan 2022 11:20:45 +0900 From: AKASHI Takahiro To: Heinrich Schuchardt Cc: agraf@csgraf.de, sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de Subject: Re: [PATCH v8 05/12] doc: update UEFI document for usage of mkeficapsule Message-ID: <20220107022045.GA11812@laputa> Mail-Followup-To: AKASHI Takahiro , Heinrich Schuchardt , agraf@csgraf.de, sjg@chromium.org, ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, mark.kettenis@xs4all.nl, u-boot@lists.denx.de References: <20211220050253.31163-1-takahiro.akashi@linaro.org> <20211220050253.31163-6-takahiro.akashi@linaro.org> <21e620e5-257d-8637-c1c2-00cfb9b05ba7@gmx.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <21e620e5-257d-8637-c1c2-00cfb9b05ba7@gmx.de> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.38 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Heinrich, Your comments seem inconsistent, On Sat, Jan 01, 2022 at 11:09:41PM +0100, Heinrich Schuchardt wrote: > On 12/20/21 06:02, AKASHI Takahiro wrote: > > Now we can use mkeficapsule command instead of EDK-II's script > > to create a signed capsule file. So update the instruction for > > capsule authentication. > > > > Signed-off-by: AKASHI Takahiro > > Reviewed-by: Simon Glass > > Acked-by: Ilias Apalodimas > > --- > > doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++-------------------- > > 1 file changed, 67 insertions(+), 76 deletions(-) > > > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > > index f17138f5c765..864d61734bee 100644 > > --- a/doc/develop/uefi/uefi.rst > > +++ b/doc/develop/uefi/uefi.rst > > @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which > > enables updating the U-Boot image using the UEFI firmware management > > protocol (FMP). The capsules are not passed to the firmware through > > the UpdateCapsule runtime service. Instead, capsule-on-disk > > -functionality is used for fetching the capsule from the EFI System > > -Partition (ESP) by placing the capsule file under the > > -\EFI\UpdateCapsule directory. > > - > > -The directory \EFI\UpdateCapsule is checked for capsules only within the > > -EFI system partition on the device specified in the active boot option > > -determined by reference to BootNext variable or BootOrder variable processing. > > -The active Boot Variable is the variable with highest priority BootNext or > > -within BootOrder that refers to a device found to be present. Boot variables > > -in BootOrder but referring to devices not present are ignored when determining > > -active boot variable. > > -Before starting a capsule update make sure your capsules are installed in the > > -correct ESP partition or set BootNext. > > +functionality is used for fetching capsules from the EFI System > > +Partition (ESP) by placing capsule files under the directory:: > > + > > + \EFI\UpdateCapsule > > + > > +The directory is checked for capsules only within the > > +EFI system partition on the device specified in the active boot option, > > +which is determined by BootXXXX variable in BootNext, or if not, the highest > > +priority one within BootOrder. Any BootXXXX variables referring to devices > > +not present are ignored when determining the active boot option. > > + > > +Please note that capsules will be applied in the alphabetic order of > > +capsule file names. > > + > > +Creating a capsule file > > +*********************** > > + > > +A capsule file can be created by using tools/mkeficapsule. > > +To build this tool, enable:: > > + > > + CONFIG_TOOLS_MKEFICAPSULE=y > > + CONFIG_TOOLS_LIBCRYPTO=y > > + > > +Run the following command:: > > .. code-block:: bash OK, but there still exist a number of simple "::" in doc/develop/uefi/uefi.rst. > > + > > + $ mkeficapsule \ > > %s/$ // I would like to say nak here. "$" obviously shows that it is an example of command usage. This usage can commonly be seen across many docs under doc/ and even doc/develop/uefi/uefi.rst has some uses. > > + --index 1 --instance 0 \ > > + [--fit | --raw ] \ > > + > > > > Performing the update > > ********************* > > > > -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig > > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable > > -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule. > > - > > -If that option is disabled, you'll need to set the OsIndications variable with:: > > +Put capsule files under the directory mentioned above. > > +Then, following the UEFI specification, you'll need to set > > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > > +bit in OsIndications variable with:: > > ..code-block:: > > > > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > %s/=> // Nak. "=>" indicates that it is an example of U-Boot command line. Again, we can see a number of uses across doc/ and even doc/develop/uefi/uefi.rst has some. We should not drop the prompt in this kind of citation. > > > > -Finally, the capsule update can be initiated either by rebooting the board, > > -which is the preferred method, or by issuing the following command:: > > +Since U-boot doesn't currently support SetVariable at runtime, its value > > +won't be taken over across the reboot. If this is the case, you can skip > > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > > +set. > > > > - => efidebug capsule disk-update > > - > > -**The efidebug command is should only be used during debugging/development.** > > +Finally, the capsule update can be initiated by rebooting the board. > > > > Enabling Capsule Authentication > > ******************************* > > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature > > is computed and prepended to the capsule payload at the time of > > capsule generation. This signature is then verified by using the > > public key stored as part of the X509 certificate. This certificate is > > -in the form of an efi signature list (esl) file, which is embedded as > > -part of U-Boot. > > +in the form of an efi signature list (esl) file, which is embedded in > > +a device tree. > > > > The capsule authentication feature can be enabled through the > > following config, in addition to the configs listed above for capsule > > update:: > > > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > > - CONFIG_EFI_CAPSULE_KEY_PATH= > > > > The public and private keys used for the signing process are generated > > -and used by the steps highlighted below:: > > +and used by the steps highlighted below. > > > > - 1. Install utility commands on your host > > - * OPENSSL > > +1. Install utility commands on your host > > + * openssl > > * efitools > > > > - 2. Create signing keys and certificate files on your host > > +2. Create signing keys and certificate files on your host:: > > ..code-block:: bash > > > > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > > %s/$ // ditto > > -keyout CRT.key -out CRT.crt -nodes -days 365 > > $ cert-to-efi-sig-list CRT.crt CRT.esl > > > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > > - > > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > > - > > -The capsule file can be generated by using the GenerateCapsule.py > > -script in EDKII:: > > - > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > - --monotonic-count --fw-version \ > > - --lsv --guid \ > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > > - --update-image-index --signer-private-cert \ > > - /path/to/CRT.pem --trusted-public-cert \ > > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > > - > > - > > -Place the capsule generated in the above step on the EFI System > > -Partition under the EFI/UpdateCapsule directory > > - > > -Testing on QEMU > > -*************** > > +3. Run the following command to create and sign the capsule file:: > > > > -Currently, support has been added on the QEMU ARM64 virt platform for > > -updating the U-Boot binary as a raw image when the platform is booted > > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > > -configuration, the QEMU platform needs to be booted with > > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > > -flash at offset 0x0. The U-Boot environment is placed on the second > > -NOR flash bank at offset 0x4000000. > > ..code-block:: bash > > > + $ mkeficapsule --monotonic-count 1 \ > > %s/$ // ditto -Takahiro Akashi > Best regards > > Heinrich > > > + --private-key CRT.key \ > > + --certificate CRT.crt \ > > + --index 1 --instance 0 \ > > + [--fit | --raw ] \ > > + > > > > -The capsule update feature is enabled with the following configuration > > -settings:: > > +4. Insert the signature list into a device tree in the following format:: > > > > - CONFIG_MTD=y > > - CONFIG_FLASH_CFI_MTD=y > > - CONFIG_CMD_MTDPARTS=y > > - CONFIG_CMD_DFU=y > > - CONFIG_DFU_MTD=y > > - CONFIG_PCI_INIT_R=y > > - CONFIG_EFI_CAPSULE_ON_DISK=y > > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > > - CONFIG_EFI_CAPSULE_FIRMWARE=y > > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > > + { > > + signature { > > + capsule-key = [ ]; > > + } > > + ... > > + } > > > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > > + You can do this manually with:: > > > > - CONFIG_TFABOOT > > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > > > -The capsule file can be generated by using the tools/mkeficapsule:: > > + where signature.dts looks like:: > > > > - $ mkeficapsule --raw --index 1 > > + &{/} { > > + signature { > > + capsule-key = /incbin/("CRT.esl"); > > + }; > > + }; > > > > Executing the boot manager > > ~~~~~~~~~~~~~~~~~~~~~~~~~~ >