
The following series adds support for the uefi capsule update feature on the qemu arm64 platform, along with adding support for the capsule authentication feature.
The capsule update feature is supported on a platform configuration booting in a non-secure mode, i.e. with the -machine virt,secure=off option set. This results in the platform booting u-boot directly without the presence of trusted firmware (tf-a). Steps that need to be followed for using this feature have been provided as part of the documentation.
Support has also been added for enabling the capsule authentication feature. Capsule authentication, as defined by the uefi specification, is very much on similar lines to the logic used for variable authentication. As a result, most of the signature verification code already in use for variable authentication has been used for capsule authentication.
Storage of the public key certificate, needed for the signature verification process, is in the form of the efi signature list (esl) structure. This public key is stored on the platform's device tree blob. The public key esl file can be embedded into the dtb using the mkeficapsule utility that has been added as part of the capsule update support series [1]. Steps needed for enabling capsule authentication have been provided as part of the documentation.
This patch series needs to be applied on top of the capsule update support patch series from Takahiro Akashi [1].
[1] - https://patchwork.ozlabs.org/project/uboot/cover/20201117002805.13902-1-taka...
Sughosh Ganu (14):
  qemu: arm: Use the generated DTB only when CONFIG_OF_BOARD is defined
  mkeficapsule: Add support for embedding public key in a dtb
  qemu: arm: Scan the pci bus in board_init
  crypto: Fix the logic to calculate hash with authattributes set
  qemu: arm64: Add support for dynamic mtdparts for the platform
  qemu: arm64: Set dfu_alt_info variable for the platform
  efi_loader: Add config option to indicate fmp header presence
  dfu_mtd: Add provision to unlock mtd device
  efi_loader: Make the pkcs7 header parsing function an extern
  efi_loader: Re-factor code to build the signature store from efi signature list
  efi: capsule: Add support for uefi capsule authentication
  efi_loader: Enable uefi capsule authentication
  efidebug: capsule: Add a command to update capsule on disk
  qemu: arm64: Add documentation for capsule update

 board/emulation/qemu-arm/qemu-arm.c | 170 ++++++++++++++++++++++++
 cmd/efidebug.c                      |  14 ++
 doc/board/emulation/qemu-arm.rst    | 157 ++++++++++++++++++++++
 drivers/dfu/dfu_mtd.c               |  20 ++-
 include/configs/qemu-arm.h          |   8 ++
 include/efi_api.h                   |  18 +++
 include/efi_loader.h                |  12 ++
 lib/crypto/pkcs7_verify.c           |  37 ++++--
 lib/efi_loader/Kconfig              |  24 ++++
 lib/efi_loader/efi_capsule.c        | 122 +++++++++++++++++
 lib/efi_loader/efi_firmware.c       |  49 ++++++-
 lib/efi_loader/efi_signature.c      | 192 ++++++++++++++++++++-------
 lib/efi_loader/efi_variable.c       |  93 +------------
 tools/Makefile                      |   1 +
 tools/mkeficapsule.c                | 198 ++++++++++++++++++++++++++--
 15 files changed, 954 insertions(+), 161 deletions(-)
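The cover letter above says the public key for capsule authentication is carried as an EFI Signature List (esl) embedded in the dtb. The following is an added example, not code from this series, from U-Boot or from the mkeficapsule tool: a small parser for the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout as defined in the UEFI specification, which a reviewer can use to dump and sanity-check the certificate blob before it is embedded, and which rejects lists whose declared sizes do not agree with the data instead of reading past them. The GUIDs are the specification's EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID; the sample certificate bytes, owner GUID and blob are constructed here for illustration and are not a real key. It makes no assumption about the command-line options mkeficapsule gained in this series.

```python
import struct
import uuid

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize -- all little-endian, per the UEFI
# specification. GUIDs are in the mixed-endian layout uuid calls bytes_le.
ESL_HEADER = struct.Struct("<16sIII")
SIG_OWNER_LEN = 16  # EFI_SIGNATURE_DATA.SignatureOwner precedes the payload

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


class EslError(ValueError):
    """Raised when the blob is not a well-formed sequence of signature lists."""


def parse_esl(blob):
    """Parse zero or more concatenated EFI_SIGNATURE_LIST structures.

    Returns a list of (signature_type, signature_owner, signature_data)
    tuples, one per EFI_SIGNATURE_DATA entry. Any size field that does not
    agree with the blob raises EslError rather than being trusted.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise EslError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        end = off + list_size
        if list_size < ESL_HEADER.size + hdr_size or end > len(blob):
            raise EslError("SignatureListSize %d inconsistent with blob" % list_size)
        body = list_size - ESL_HEADER.size - hdr_size
        # Every entry in one list has the same size and must tile the body exactly.
        if sig_size <= SIG_OWNER_LEN or body % sig_size:
            raise EslError("SignatureSize %d does not tile %d body bytes" % (sig_size, body))
        if sig_type == EFI_CERT_SHA256_GUID and sig_size != SIG_OWNER_LEN + 32:
            raise EslError("EFI_CERT_SHA256 entries must be owner GUID + 32-byte hash")
        pos = off + ESL_HEADER.size + hdr_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + SIG_OWNER_LEN])
            entries.append((sig_type, owner, bytes(blob[pos + SIG_OWNER_LEN:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def x509_certs(blob):
    """Return the DER payload of every EFI_CERT_X509 entry in the blob."""
    return [data for t, _, data in parse_esl(blob) if t == EFI_CERT_X509_GUID]


def is_well_formed(blob):
    """True if the whole blob parses as consistent signature lists."""
    try:
        parse_esl(blob)
        return True
    except EslError:
        return False


def build_esl(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (no header data); used to construct test input."""
    if any(len(p) != len(payloads[0]) for p in payloads):
        raise ValueError("entries in one list must be the same size")
    sig_size = SIG_OWNER_LEN + len(payloads[0])
    list_size = ESL_HEADER.size + len(payloads) * sig_size
    out = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


# Constructed sample input: placeholder bytes standing in for a DER certificate
# (not a real key), plus a list of two SHA-256 hashes, under a made-up owner GUID.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_ESL = (build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
              + build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\xaa" * 32, b"\xbb" * 32]))

if __name__ == "__main__":
    for sig_type, owner, data in parse_esl(SAMPLE_ESL):
        print(sig_type, owner, "%d bytes" % len(data))
```

To inspect a real esl file, read it with open(path, "rb").read() and pass the bytes to parse_esl(); x509_certs() then yields the DER certificates that can be fed to openssl x509 -inform DER for a look at the subject and key.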