
This patchset aims to bring two capsule-related tasks under the u-boot build flow.
One is the embedding of the public key into the platform's dtb. The public key is in the form of an EFI Signature List (ESL) file and is used for capsule authentication. This is being achieved by adding the signature node containing the capsule public key in the architecture's u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for the sandbox and arm architectures. The path to the ESL file is being provided through a Kconfig symbol (CONFIG_EFI_CAPSULE_ESL_FILE).
Changes have also been made to the test flow so that the keys used for signing the capsule, and the ESL file, are generated prior to invoking the u-boot build, which enables embedding the ESL file into the dtb as part of the u-boot build.
The other task is related to generation of capsules. The capsules can be generated as part of u-boot build, and this is being achieved through binman, by adding a capsule entry type. The capsules can be generated by specifying the capsule parameters as properties under the capsule entry node.
Changes have also been made to the efi capsule update feature testing setup on the sandbox variants. Currently, the capsule files and the public key ESL file are generated after u-boot has been built. This logic has been changed so that the capsule input files along with the keys needed for capsule signing and authentication are generated prior to initiation of the u-boot build. The placement of all the files needed for generation of capsules is under the test/py/tests/test_efi_capsule/test_files/ directory.
The document has been updated to reflect the above changes.
Changes since V5:

This series drops the changes for generating capsules by reading the params from a config file. This was suggested by Simon Glass. The config file changes would be submitted separately once these changes get merged.

* Get rid of the logic of keeping the files under the /tmp/capsules/ directory from earlier versions.
* New patch which introduces the input files and certs needed for EFI capsule update testing in the tree.
* The capsule input files and certs are put under the test/py/tests/test_efi_capsule/test_files/ directory.
* Add support for the oemflag parameter used in FWU A/B updates. This was missed in the earlier version.
* Use a single function, generate_capsule in the mkeficapsule bintool, instead of the multiple functions in earlier version.
* Remove the logic for generating capsules from config file as suggested by Simon.
* Use required_props for image index and GUID parameters.
* Use a subnode for the capsule payload instead of using a filename for the payload, as suggested by Simon.
* Add a capsule generation test with oemflag parameter being passed.
* Remove the documentation for generating the capsule through config file, as that functionality is not added through this series.
* Use the public key ESL file from the tree instead of the /tmp/capsules/ directory being used in previous version.
* Use the public key ESL file and other input files from the tree instead of the /tmp/capsules/ directory being used in previous version.
* Use macros for other input files and certs.

Sughosh Ganu (9):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  test: capsule: Add files needed for testing EFI capsule updates
  binman: capsule: Add support for generating EFI capsules
  doc: Add documentation to highlight capsule generation related updates
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Generate capsule related files through binman

 arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
 arch/arm/dts/u-boot.dtsi | 14 +
 arch/sandbox/dts/u-boot.dtsi | 364 ++++++++++++++++++
 configs/sandbox_defconfig | 1 +
 configs/sandbox_flattree_defconfig | 1 +
 configs/sandbox_spl_defconfig | 1 +
 doc/develop/uefi/uefi.rst | 40 +-
 lib/efi_loader/Kconfig | 9 +
 test/py/tests/test_efi_capsule/conftest.py | 165 +-------
 test/py/tests/test_efi_capsule/signature.dts | 10 -
 .../test_efi_capsule/test_files/SIGNER.crt | 19 +
 .../test_efi_capsule/test_files/SIGNER.esl | Bin 0 -> 829 bytes
 .../test_efi_capsule/test_files/SIGNER.key | 28 ++
 .../test_efi_capsule/test_files/SIGNER2.crt | 19 +
 .../test_efi_capsule/test_files/SIGNER2.key | 28 ++
 .../test_files/u-boot.bin.new | 1 +
 .../test_files/u-boot.bin.old | 1 +
 .../test_files/u-boot.env.new | 1 +
 .../test_files/u-boot.env.old | 1 +
 .../tests/test_efi_capsule/uboot_bin_env.its | 36 --
 tools/binman/bintool.py | 19 +-
 tools/binman/btool/mkeficapsule.py | 101 +++++
 tools/binman/entries.rst | 64 +++
 tools/binman/etype/efi_capsule.py | 160 ++++++++
 tools/binman/ftest.py | 122 ++++++
 tools/binman/test/307_capsule.dts | 21 +
 tools/binman/test/308_capsule_signed.dts | 23 ++
 tools/binman/test/309_capsule_version.dts | 22 ++
 tools/binman/test/310_capsule_signed_ver.dts | 24 ++
 tools/binman/test/311_capsule_oemflags.dts | 22 ++
 tools/binman/test/312_capsule_missing_key.dts | 22 ++
 .../binman/test/313_capsule_missing_index.dts | 20 +
 .../binman/test/314_capsule_missing_guid.dts | 19 +
 .../test/315_capsule_missing_payload.dts | 17 +
 34 files changed, 1172 insertions(+), 225 deletions(-)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.crt
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.esl
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER.key
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER2.crt
 create mode 100644 test/py/tests/test_efi_capsule/test_files/SIGNER2.key
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.bin.new
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.bin.old
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.env.new
 create mode 100644 test/py/tests/test_efi_capsule/test_files/u-boot.env.old
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/efi_capsule.py
 create mode 100644 tools/binman/test/307_capsule.dts
 create mode 100644 tools/binman/test/308_capsule_signed.dts
 create mode 100644 tools/binman/test/309_capsule_version.dts
 create mode 100644 tools/binman/test/310_capsule_signed_ver.dts
 create mode 100644 tools/binman/test/311_capsule_oemflags.dts
 create mode 100644 tools/binman/test/312_capsule_missing_key.dts
 create mode 100644 tools/binman/test/313_capsule_missing_index.dts
 create mode 100644 tools/binman/test/314_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/315_capsule_missing_payload.dts