This patchset aims to bring two capsule related tasks under the u-boot build flow.
One is the embedding of the public key into the platform's dtb. The public key is in the form of an EFI Signature List(ESL) file and is used for capsule authentication. This is being achieved through binman, with an entry type added for raw images, and properties added to the binman fit entry type to enable embedding the ESL into all the DTB's that get packaged into the FIT. The path to the ESL file is being provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).
Changes have also been made to the test flow so that the keys used for signing the capsule, and the ESL file, are generated prior to invoking the u-boot's build, which enables embedding the ESL file into the dtb as part of the u-boot build flow.
The other task is to add a make target for generating capsules. This is being achieved by adding support for parsing a config file to get the capsule generation parameters. Multiple payloads can be specified, resulting in generation of multiple capsules with a single invocation of the command. The path to the config file is to be specified through a Kconfig symbol(CONFIG_EFI_CAPSULE_CFG_FILE).
Changes have been made to the efi capsule test setup, whereby, with the above config symbol having been populated, the capsule files are generated through the make capsule command. The requisite config file has been placed under the test/py/tests/test_efi_capsule/ directory, which results in generation of the same set of capsule files.
Currently, the capsule authentication feature is tested on the sandbox and sandbox_flattree variants. The capsule generation through config file is enabled for the sandbox variant, with the sandbox_flattree variant generating capsules through the command-line parameters.
The document has been updated to reflect the above changes.
Changes since V1:
At a broad level, this version takes a stab at using binman for embedding the ESL file into the DTB's. This is being done for both raw images and FIT images. I had mentioned the issue of dependency when using binman for generating capsules[1], which is why I have stuck with using the make target for generating capsules.
[1] - https://lists.denx.de/pipermail/u-boot/2023-June/520814.html
* New patch * Use fdt_add_pubkey tool for adding the ESL into the dtb instead of using the shell script used in the earlier version. * Achieve the embedding of the ESL into the DTB through binman * Add an entry type fdt-esl-embed for embedding the ESL for raw images. * Add logic in binman's fit entry type for embedding the ESL into all the DTB's which are part of the FIT image. * Add corresponding documentation entries in binman for the above changes. * Add the logic to generate the keys in the yml files which get used in the CI setup. * Add a fdt-esl-embed node in sandbox's binman node with capsule authentication enabled. * Add a cfg-file parameter to pass the config file to the mkeficapsule tool. This results in generation of the same tool image irrespective of using command-line parameters or config file. * Call the mkeficapsule utility with the cfg-file parameter when building capsules via the config file.
Sughosh Ganu (8): fdt_add_pubkey: Add support for adding ESL public key under signature node capsule: authenticate: Embed capsule public key in platform's dtb test: py: Change capsule authenticate test flow doc: capsule: Document the new mechanism to embed ESL file into dtb tools: mkeficapsule: Add support for parsing capsule params from config file Makefile: Add a target for building capsules test: efi_capsule: Test capsule generation from config file doc: Add documentation to describe capsule config file format
.azure-pipelines.yml | 17 + .gitlab-ci.yml | 15 + Makefile | 9 + arch/sandbox/dts/sandbox.dts | 4 + arch/sandbox/dts/sandbox_capsule.dtsi | 12 + arch/sandbox/dts/test.dts | 4 + configs/sandbox_defconfig | 2 + configs/sandbox_flattree_defconfig | 1 + doc/develop/uefi/uefi.rst | 83 ++++- lib/efi_loader/Kconfig | 11 + test/py/conftest.py | 64 ++++ test/py/tests/test_efi_capsule/conftest.py | 142 ++++--- .../test_efi_capsule/sandbox_capsule_cfg.txt | 75 ++++ test/py/tests/test_efi_capsule/signature.dts | 10 - tools/Kconfig | 9 + tools/Makefile | 3 +- tools/binman/btool/fdt_add_pubkey.py | 73 ++++ tools/binman/entries.rst | 49 +++ tools/binman/etype/fdt_esl_embed.py | 80 ++++ tools/binman/etype/fit.py | 31 ++ tools/eficapsule.h | 110 ++++++ tools/fdt_add_pubkey.c | 16 +- tools/fdt_add_pubkey_esl.c | 98 +++++ tools/mkeficapsule.c | 84 +++-- tools/mkeficapsule_parse.c | 345 ++++++++++++++++++ 25 files changed, 1216 insertions(+), 131 deletions(-) create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt delete mode 100644 test/py/tests/test_efi_capsule/signature.dts create mode 100644 tools/binman/btool/fdt_add_pubkey.py create mode 100644 tools/binman/etype/fdt_esl_embed.py create mode 100644 tools/fdt_add_pubkey_esl.c create mode 100644 tools/mkeficapsule_parse.c