
On 8/31/21 4:46 AM, AKASHI Takahiro wrote:
Now we can use the mkeficapsule command instead of EDK-II's script to create a signed capsule file. So update the instruction for capsule authentication.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
doc/develop/uefi/uefi.rst | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst index 64fe9346c7f2..5ccb455da984 100644 --- a/doc/develop/uefi/uefi.rst +++ b/doc/develop/uefi/uefi.rst @@ -347,23 +347,20 @@ and used by the steps highlighted below:: -keyout CRT.key -out CRT.crt -nodes -days 365 $ cert-to-efi-sig-list CRT.crt CRT.esl
$ openssl x509 -in CRT.crt -out CRT.cer -outform DER
$ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
$ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
$ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
-The capsule file can be generated by using the GenerateCapsule.py -script in EDKII::
- $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
<capsule_file_name> --monotonic-count <val> --fw-version \
<val> --lsv <val> --guid \
e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
--update-image-index <val> --signer-private-cert \
/path/to/CRT.pem --trusted-public-cert \
/path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
<u-boot.bin>
+The signed capsule file can be generated by using tools/mkeficapsule. +To build this tool, enable::
- CONFIG_TOOLS_MKEFICAPSULE=y
- CONFIG_TOOLS_LIBCRYPTO=y
+To generate and sign the capsule file::
- $ mkeficapsule --monotonic-count 1 \
--private-key CRT.key \
--certificate CRT.crt \
--index 1 --instance 0 \
[--fit <FIT image> | --raw <raw image>] \
<capsule_file_name>
Patch 1 allows signed and unsigned capsules. So both should be described here.
Best regards
Heinrich
Place the capsule generated in the above step on the EFI System Partition under the EFI/UpdateCapsule directory
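Review bot: The added mkeficapsule example hardcodes `--monotonic-count 1`, where the removed GenerateCapsule text had `--monotonic-count <val>`, and the new text does not say what the count is for or how to choose it for a later capsule. Suggest restoring a `<val>` placeholder and adding one sentence on how the value is picked. In the same command, `[--fit <FIT image> | --raw <raw image>]` is written in square brackets, which reads as optional, while the removed command took the image (`<u-boot.bin>`) as a required input; if one of the two is mandatory, mark it as such, for example with `{--fit <FIT image> | --raw <raw image>}`.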