
Heinrich, Sughosh,
On Mon, Apr 19, 2021 at 04:35:15AM +0200, Heinrich Schuchardt wrote:
On 19 April 2021 04:24:37 MESZ, Masami Hiramatsu masami.hiramatsu@linaro.org wrote:
Hi,
On Mon, 19 Apr 2021 at 9:37, Takahiro Akashi takahiro.akashi@linaro.org wrote:
Sughosh,
On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt wrote:
On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
Since the EDK2 GenerateCapsule script is out of date and doesn't generate a capsule file of the supported version, the document should refer to mkeficapsule in tools.
Signed-off-by: Masami Hiramatsu masami.hiramatsu@linaro.org
doc/board/emulation/qemu_capsule_update.rst | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/doc/board/emulation/qemu_capsule_update.rst
b/doc/board/emulation/qemu_capsule_update.rst
index 9fec75f8f1..e2a9f0db71 100644 --- a/c +++ b/doc/board/emulation/qemu_capsule_update.rst @@ -39,16 +39,9 @@ In addition, the following config needs to
be
disabled(QEMU ARM specific)::
CONFIG_TFABOOT
-The capsule file can be generated by using the
GenerateCapsule.py
-script in EDKII::
- $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o
\
- <capsule_file_name> --fw-version <val> --lsv <val> --guid
\
- e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose
--update-image-index
\
- <val> --verbose <u-boot.bin>
+The capsule file can be generated by using the
tools/mkeficapsule::
-The above is a wrapper script(GenerateCapsule) which
eventually calls
-the actual GenerateCapsule.py script.
- $ mkeficapsule --raw <u-boot.bin> --index 1
<capsule_file_name>

Thanks for the change.

Could you, please, adjust the same in chapter "Enabling Capsule Authentication" below.
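Review bot: the replacement command drops the --guid, --fw-version and --lsv values that the removed GenerateCapsule invocation passed explicitly, and nothing in the new text says where mkeficapsule --raw takes the image GUID from; a sentence stating which GUID --index 1 corresponds to (or that mkeficapsule supplies it) would keep the doc as informative as before. The line "The capsule file can be generated by using the tools/mkeficapsule::" reads oddly with "the" before a path; "by using tools/mkeficapsule::" is cleaner. As the reply above points out, the "Enabling Capsule Authentication" chapter still refers to GenerateCapsule and is not touched by this hunk.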
So as Sughosh said, since currently mkeficapsule doesn't support authentication, I only changed it for the normal capsule update. Without this change, the capsule update just failed.
Currently, we do not have support for adding an authentication header to the capsule. This is because I have been using the GenerateCapsule script in edk2 for generation of a capsule with an authentication header. I think adding the signature to the capsule is easier when done through a Python script rather than C code.
Why do you think so? At a quick glance at the script, it internally uses an openssl command like:

    openssl smime -sign -binary -outform DER -md sha256 \
        -signer <...> -certfile <...>

(See PayloadDescriptor.Encode in the script.)

The output on standard output is exactly what you want to use to build a capsule file, that is "AuthInfo". Then you can naturally extend mkeficapsule to insert this signature between the header and the image itself in a capsule file.
Hmm, if it can be done by just calling openssl, I think it is easier for me to run the tools/mkeficapsule, because I don't need to build EDK2 for U-Boot.
If GenerateCapsule becomes a standard implementation and independent from the EDK2 project, from the interoperability point of view, it is better to use that. But it is a part of EDK2 and the GenerateCapsule seems out-of-date and not maintained well (why doesn't it support the latest version yet??)
Sughosh told me that EDK II cannot create a signed capsule that is usable with U-Boot due to an outdated header version used by EDK II.
I decided to add a signing feature to mkeficapsule, and actually have finished the coding (half-a-day work). Yet I have to find some time to debug the command as I have never tried capsule authentication. (Hopefully Masami will help here.)
The syntax will look like:

    mkeficapsule -m <mono count> -P <private key> -C <certificate file> -r <firmware image> <capsule file>
-Takahiro Akashi
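The AuthInfo block Takahiro describes above, as an added example (not code from this thread or from U-Boot's mkeficapsule): it wraps the DER output of `openssl smime` together with the monotonic count into the structure that sits between the capsule header and the image, and parses it back with length checks so a corrupt length field cannot run the parser past the buffer. The WIN_CERTIFICATE field values and the signed region (image followed by the monotonic count) are taken from the UEFI specification and U-Boot's verification as I understand them, not from this thread; the PKCS#7 and image bytes are constructed stand-ins.

```python
import struct
import uuid

# Layout constants from the UEFI spec (WIN_CERTIFICATE, WIN_CERTIFICATE_UEFI_GUID,
# EFI_CERT_TYPE_PKCS7_GUID). The thread does not quote them; they are assumed here.
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_HDR = struct.Struct("<IHH")          # dwLength, wRevision, wCertificateType
AUTH_FIXED_LEN = 8 + WIN_CERT_HDR.size + 16   # MonotonicCount + WIN_CERTIFICATE + CertType

# Constructed stand-ins: a few DER-looking bytes instead of real `openssl smime`
# output, and a short byte string instead of u-boot.bin.
SAMPLE_PKCS7 = bytes.fromhex("300a06082a864886f70d0107")
SAMPLE_IMAGE = b"u-boot.bin bytes (constructed)"


def signed_region(image: bytes, monotonic_count: int) -> bytes:
    """Bytes the detached PKCS#7 signature is computed over: the image followed
    by the little-endian 64-bit monotonic count (assumed to match U-Boot's check)."""
    return image + struct.pack("<Q", monotonic_count)


def build_auth_info(monotonic_count: int, pkcs7_der: bytes) -> bytes:
    """EFI_FIRMWARE_IMAGE_AUTHENTICATION: 64-bit monotonic count, then a
    WIN_CERTIFICATE_UEFI_GUID whose CertData is the detached PKCS#7 blob."""
    cert_len = WIN_CERT_HDR.size + 16 + len(pkcs7_der)
    return (struct.pack("<Q", monotonic_count)
            + WIN_CERT_HDR.pack(cert_len, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
            + EFI_CERT_TYPE_PKCS7_GUID.bytes_le
            + pkcs7_der)


def split_signed_payload(blob: bytes):
    """Parse the auth header off the front of `blob`; return
    (monotonic_count, pkcs7_der, image). Every length is cross-checked against
    the real size, so a bogus dwLength is rejected rather than trusted."""
    if len(blob) < AUTH_FIXED_LEN:
        raise ValueError("payload shorter than EFI_FIRMWARE_IMAGE_AUTHENTICATION")
    (mono,) = struct.unpack_from("<Q", blob, 0)
    dw_length, revision, cert_type = WIN_CERT_HDR.unpack_from(blob, 8)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("unsupported WIN_CERTIFICATE revision or type")
    if dw_length < WIN_CERT_HDR.size + 16 or 8 + dw_length > len(blob):
        raise ValueError("dwLength inconsistent with payload size")
    guid = uuid.UUID(bytes_le=blob[8 + WIN_CERT_HDR.size:AUTH_FIXED_LEN])
    if guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    return mono, blob[AUTH_FIXED_LEN:8 + dw_length], blob[8 + dw_length:]
```

To produce a real signature, feed `signed_region(image, mono)` to the openssl command quoted above and pass its DER output as `pkcs7_der`.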
It should be sufficient to describe the steps used by U-Boot's test script here.
Best regards
Heinrich
Thank you,
Furthermore, I believe it is fairly straightforward to add a native 'signing' feature to mkeficapsule if you use the openssl library.
-Takahiro Akashi
I am working on adding support for the latest version of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule script in edk2. Meanwhile, would it be possible to have support for version 2 of this header in the capsule driver? It is a minor change and I already have a patch for it. If you are fine with that, I can submit a patch for the same.
-sughosh
Best regards
Heinrich
As per the UEFI specification, the capsule file needs to be placed on the EFI System Partition, under the \EFI\UpdateCapsule directory. The
-- Masami Hiramatsu