
Sughosh,
On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
Since the EDK2 GenerateCapsule script is out of date and it doesn't generate the supported version capsule file, the document should refer to the mkeficapsule in tools.
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
doc/board/emulation/qemu_capsule_update.rst | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/doc/board/emulation/qemu_capsule_update.rst
b/doc/board/emulation/qemu_capsule_update.rst
index 9fec75f8f1..e2a9f0db71 100644 --- a/c +++ b/doc/board/emulation/qemu_capsule_update.rst @@ -39,16 +39,9 @@ In addition, the following config needs to be
disabled(QEMU ARM specific)::
CONFIG_TFABOOT
-The capsule file can be generated by using the GenerateCapsule.py -script in EDKII::
- $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
- <capsule_file_name> --fw-version <val> --lsv <val> --guid \
- e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index
\
- <val> --verbose <u-boot.bin>
+The capsule file can be generated by using the tools/mkeficapsule::
-The above is a wrapper script(GenerateCapsule) which eventually calls -the actual GenerateCapsule.py script.
- $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
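Review bot: The replacement command `mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>` is given with no explanation of its options, while the removed GenerateCapsule invocation spelled out `--guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f`, `--fw-version` and `--lsv`. Please add a sentence saying what `--raw` and `--index 1` select, and whether a firmware version and lowest supported version are still recorded in the capsule, so a reader can tell which image the capsule targets. Wording nit on the added sentence: "by using the tools/mkeficapsule" reads better as "by using the mkeficapsule tool in tools/".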
Thanks for the change.
Could you, please, adjust the same in chapter "Enabling Capsule Authentication" below.
Currently, we do not have support for adding authentication header to the capsule. This is because I have been using the GenerateCapsule script in edk2 for generation of a capsule with authentication header. I think adding the signature to the capsule is easier when done through a python script rather than C code.
Why do you think so? At a quick glance at the script, it internally uses openssl command like:
    openssl smime -sign -binary -outform DER -md sha256 \
        -signer <...> -certfile <...>
(See PayloadDescriptor.Encode in the script.)
The output from the standard output is exactly what you want to use to build a capsule file, that is "AuthInfo". Then you can naturally extend mkeficapsule to insert this signature between the header and the image itself in a capsule file.
Furthermore, I believe, it is fairly straightforward to add a native 'signing' feature to mkeficapsule if you use openssl library.
-Takahiro Akashi
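The placement described in the reply above (the DER PKCS#7 output of openssl smime used as AuthInfo and inserted ahead of the image) is shown below together with a bounds-checked parser for it. This is an added example, not part of the original message and not code from mkeficapsule or GenerateCapsule; the function names are hypothetical, the layout is assumed from the UEFI specification's EFI_FIRMWARE_IMAGE_AUTHENTICATION structure, and the sample bytes are constructed placeholders.

```python
import struct
import uuid

# Constants from the UEFI specification.
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

# UINT64 MonotonicCount, then WIN_CERTIFICATE {UINT32 dwLength,
# UINT16 wRevision, UINT16 wCertificateType}, then EFI_GUID CertType.
_FIXED = struct.Struct("<QIHH16s")
_WIN_CERT_FIXED = _FIXED.size - 8  # dwLength does not count MonotonicCount

# Constructed sample data: placeholders, not a real image or signature.
SAMPLE_IMAGE = b"U-BOOT-IMAGE-PLACEHOLDER"
SAMPLE_PKCS7 = b"\x30\x03\x02\x01\x01"  # stands in for the openssl DER output


def to_be_signed(image: bytes, monotonic_count: int) -> bytes:
    """Bytes handed to the signer: the image followed by the count."""
    return image + struct.pack("<Q", monotonic_count)


def wrap_auth(image: bytes, pkcs7_der: bytes, monotonic_count: int = 0) -> bytes:
    """Place the authentication header and signature in front of the image."""
    hdr = _FIXED.pack(monotonic_count, _WIN_CERT_FIXED + len(pkcs7_der),
                      WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID,
                      EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return hdr + pkcs7_der + image


def split_auth(blob: bytes):
    """Validate the header; return (monotonic_count, pkcs7_der, image)."""
    if len(blob) < _FIXED.size:
        raise ValueError("truncated authentication header")
    count, dw_length, rev, ctype, guid = _FIXED.unpack_from(blob)
    if rev != WIN_CERT_REVISION or ctype != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID")
    if uuid.UUID(bytes_le=guid) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not PKCS#7")
    # dwLength comes from the untrusted capsule: bound it before slicing.
    if dw_length < _WIN_CERT_FIXED or 8 + dw_length > len(blob):
        raise ValueError("dwLength out of bounds")
    end = 8 + dw_length
    return count, blob[_FIXED.size:end], blob[end:]
```

The parser only recovers the signature and image; verifying the PKCS#7 blob over `to_be_signed(image, count)` against the enrolled certificate is a separate step.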
I am working on adding support for the latest version of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule script in edk2. Meanwhile, would it be possible to have support for the version 2 of this header in the capsule driver -- it is a minor change and I already have a patch for it. If you are fine, I can submit a patch for the same.
-sughosh
Best regards
Heinrich
As per the UEFI specification, the capsule file needs to be placed on the EFI System Partition, under the \EFI\UpdateCapsule directory. The