
Heinrich,
On Sun, Aug 01, 2021 at 11:40:14AM +0200, Heinrich Schuchardt wrote:
On 7/27/21 11:10 AM, AKASHI Takahiro wrote:
As I proposed and discussed in [1] and [2], I have made a couple of improvements on the current implementation of capsule update in this patch set.
- add signing feature to mkeficapsule
- add "--guid" option to mkeficapsule
- add man page of mkeficapsule
- add pytest for capsule authentication (on sandbox)
NOTE: Due to Ilias's commit [3], we need to have a customized configuration for sandbox to properly set up and run capsule authentication test. See patch #5, #6 and #7.
[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
[3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata")
Dear Takahiro,
thanks for driving this topic. I have finished with my review and will be waiting for v2.
Thanks for your review comments.
I'd like to know what's your thought on Patch#8 (and #9) as I have not seen your comment at [2] above. It is more or less an RFC since it breaks the compatibility of command syntax although I believe that the change is quite useful.
-Takahiro Akashi
Best regards
Heinrich
Prerequisite patches
None
Test
- locally passed the pytest which is included in this patch series on sandbox built.
Todo
- Confirm that the change in .gitlab-ci.yml works.
- Azure support(?)
Changes
v2 (July 28, 2021)
- rebased on v2021.10-rc*
- removed dependency on target's configuration
- removed fdtsig.sh and others
- add man page
- update the UEFI document
- add dedicated defconfig for testing on sandbox
- add gitlab CI support
- add "--guid" option to mkeficapsule (yet rather RFC)
Initial release (May 12, 2021)
- based on v2021.07-rc2
AKASHI Takahiro (9):
  tools: mkeficapsule: add firmware image signing
  tools: mkeficapsule: add man page
  doc: update UEFI document for usage of mkeficapsule
  efi_loader: ease the file path check for public key
  test/py: efi_capsule: add image authentication test
  sandbox: add config for efi capsule authentication test
  GitLab: add a test rule for efi capsule authentication test
  tools: mkeficapsule: allow for specifying GUID explicitly
  test/py: efi_capsule: align with the syntax change of mkeficapsule

 .gitlab-ci.yml                                |   6 +
 MAINTAINERS                                   |   1 +
 configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
 doc/develop/uefi/uefi.rst                     |  31 +-
 doc/mkeficapsule.1                            |  98 +++++
 lib/efi_loader/Makefile                       |   5 +-
 test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
 test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
 test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
 test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
 test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  39 +-
 .../test_capsule_firmware_signed.py           | 228 +++++++++++
 tools/Kconfig                                 |   7 +
 tools/Makefile                                |   8 +-
 tools/mkeficapsule.c                          | 368 ++++++++++++++++--
 17 files changed, 1129 insertions(+), 68 deletions(-)
 create mode 100644 configs/sandbox_capsule_auth_defconfig
 create mode 100644 doc/mkeficapsule.1
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py