This patchset aims to bring two capsule related tasks under the u-boot build flow.
One is the embedding of the public key into the platform's dtb. The public key is in the form of an EFI Signature List(ESL) file and is used for capsule authentication. This is being achieved by adding the signature node containing the capsule public key in the architecture's u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for the sandbox and arm architectures. The path to the ESL file is being provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).
Changes have also been made to the test flow so that the keys used for signing the capsule, and the ESL file, are generated prior to invoking the u-boot's build, which enables embedding the ESL file into the dtb as part of the u-boot build.
The other task is related to generation of capsules. The capsules can be generated as part of u-boot build, and this is being achieved through binman, by adding a capsule entry type. The capsules can be generated by specifying the capsule parameters as properties under the capsule entry node.
Changes have also been made to the efi capsule update feature testing setup on the sandbox variants. Currently, the capsule files and the public key ESL file are generated after u-boot has been built. This logic has been changed so that the capsule input files along with the keys needed for capsule signing and authentication are generated prior to initiation of the u-boot build. The placement of all the keys and public key certificates needed for signing and authenticating capsules is under the board/sandbox/ directory. The other input files needed for testing the EFI capsule update feature are being generated through binman for the sandbox platform.
The document has been updated to reflect the above changes.
Changes since V6:
After discussing with Simon and Tom over irc, this series puts only the keys and cert files under the board/sandbox/ directory. The other set of capsule input files needed for capsule update feature testing are being generated through binman.
The other patch specific changes are as under.
* New patch that puts the keys and cert files under board/sandbox/ directory as suggested Simon Glass. * Populate the CONFIG_EFI_CAPSULE_ESL_FILE symbol for sandbox and sandbox_flattree which enable capsule authentication. * New patch which has been split up from the binman capsule entry support patch from earlier version, as suggested by Simon Glass. * Enables mkeficapsule tool for all sandbox variants, instead of only for sandbox_spl variant. * Split the changes for mkeficapsule btool into a separate patch, as suggested by Simon Glass. * Use the word commandline consistently, as suggested by Simon Glass. * Add macros for the GUID strings in sandbox_efi_capsule.h * Highlight that the private and public keys are mandatory for capsule signing. * Add a URL link to the UEFI spec, as used in the rst files. * Use local vars for private and public keys in BuildSectionData() * Use local vars for input payload and capsule filenames in BuildSectionData(). * Drop the ProcessContents() and SetImagePos() as the superclass functions suffice. * Use GUID macro names in the capsule test dts files. * Rename efi_capsule_payload.bin to capsule_input.bin. * Use macros defined in sandbox_efi_capsule for GUIDs and capsule input filenames. * Generate the capsule input files through binman text entries. * New patch for fixing CI trace test failure.
Sughosh Ganu (11): binman: bintool: Build a tool from a list of commands nuvoton: npcm845-evb: Add a newline at the end of file sandbox: capsule: Add keys and certificates needed for capsule update testing capsule: authenticate: Add capsule public key in platform's dtb doc: capsule: Document the new mechanism to embed ESL file into dtb sandbox: Build the mkeficapsule tool for the sandbox variants btool: mkeficapsule: Add a bintool for EFI capsule generation binman: capsule: Add support for generating EFI capsules sandbox: capsule: Generate capsule related files through binman doc: Add documentation to highlight capsule generation related updates sandbox: trace: Increase trace buffer size
.azure-pipelines.yml | 2 +- .gitlab-ci.yml | 2 +- arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +- arch/arm/dts/u-boot.dtsi | 14 + arch/sandbox/dts/u-boot.dtsi | 380 ++++++++++++++++++ board/sandbox/SIGNER.crt | 19 + board/sandbox/SIGNER.esl | Bin 0 -> 831 bytes board/sandbox/SIGNER.key | 28 ++ board/sandbox/SIGNER2.crt | 19 + board/sandbox/SIGNER2.key | 28 ++ configs/sandbox_defconfig | 1 + configs/sandbox_flattree_defconfig | 1 + doc/develop/uefi/uefi.rst | 40 +- include/sandbox_efi_capsule.h | 25 ++ lib/efi_loader/Kconfig | 9 + test/py/tests/test_efi_capsule/conftest.py | 168 +------- test/py/tests/test_efi_capsule/signature.dts | 10 - .../tests/test_efi_capsule/uboot_bin_env.its | 36 -- test/py/tests/test_trace.py | 2 +- tools/Kconfig | 6 +- tools/binman/bintool.py | 19 +- tools/binman/btool/mkeficapsule.py | 101 +++++ tools/binman/entries.rst | 62 +++ tools/binman/etype/efi_capsule.py | 143 +++++++ tools/binman/ftest.py | 121 ++++++ tools/binman/test/307_capsule.dts | 23 ++ tools/binman/test/308_capsule_signed.dts | 25 ++ tools/binman/test/309_capsule_version.dts | 24 ++ tools/binman/test/310_capsule_signed_ver.dts | 26 ++ tools/binman/test/311_capsule_oemflags.dts | 24 ++ tools/binman/test/312_capsule_missing_key.dts | 24 ++ .../binman/test/313_capsule_missing_index.dts | 22 + .../binman/test/314_capsule_missing_guid.dts | 19 + .../test/315_capsule_missing_payload.dts | 19 + 34 files changed, 1213 insertions(+), 231 deletions(-) create mode 100644 arch/arm/dts/u-boot.dtsi create mode 100644 arch/sandbox/dts/u-boot.dtsi create mode 100644 board/sandbox/SIGNER.crt create mode 100644 board/sandbox/SIGNER.esl create mode 100644 board/sandbox/SIGNER.key create mode 100644 board/sandbox/SIGNER2.crt create mode 100644 board/sandbox/SIGNER2.key create mode 100644 include/sandbox_efi_capsule.h delete mode 100644 test/py/tests/test_efi_capsule/signature.dts delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its create mode 100644 tools/binman/btool/mkeficapsule.py create mode 100644 tools/binman/etype/efi_capsule.py create mode 100644 tools/binman/test/307_capsule.dts create mode 100644 tools/binman/test/308_capsule_signed.dts create mode 100644 tools/binman/test/309_capsule_version.dts create mode 100644 tools/binman/test/310_capsule_signed_ver.dts create mode 100644 tools/binman/test/311_capsule_oemflags.dts create mode 100644 tools/binman/test/312_capsule_missing_key.dts create mode 100644 tools/binman/test/313_capsule_missing_index.dts create mode 100644 tools/binman/test/314_capsule_missing_guid.dts create mode 100644 tools/binman/test/315_capsule_missing_payload.dts