
Hi,
On Mon, 19 Apr 2021 at 9:37, Takahiro Akashi takahiro.akashi@linaro.org wrote:
Sughosh,
On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
Since the EDK2 GenerateCapsule script is out of date and it doesn't generate the supported version capsule file, the document should refer to the mkeficapsule in tools.
Signed-off-by: Masami Hiramatsu masami.hiramatsu@linaro.org
doc/board/emulation/qemu_capsule_update.rst | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/doc/board/emulation/qemu_capsule_update.rst
b/doc/board/emulation/qemu_capsule_update.rst
index 9fec75f8f1..e2a9f0db71 100644 --- a/c +++ b/doc/board/emulation/qemu_capsule_update.rst @@ -39,16 +39,9 @@ In addition, the following config needs to be
disabled(QEMU ARM specific)::
CONFIG_TFABOOT
-The capsule file can be generated by using the GenerateCapsule.py -script in EDKII::
- $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
- <capsule_file_name> --fw-version <val> --lsv <val> --guid \
- e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index
\
- <val> --verbose <u-boot.bin>
+The capsule file can be generated by using the tools/mkeficapsule::
-The above is a wrapper script(GenerateCapsule) which eventually calls -the actual GenerateCapsule.py script.
- $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
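Review bot: the new text drops the GUID, --fw-version and --lsv arguments of the removed GenerateCapsule invocation without telling the reader whether the `mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>` form needs them at all; one sentence on that would stop people hunting for equivalent flags. Wording: "by using the tools/mkeficapsule::" reads better as "with tools/mkeficapsule::". Since mkeficapsule does not sign capsules yet, the "Enabling Capsule Authentication" chapter further down, which still describes GenerateCapsule, should say so explicitly rather than be left pointing at a tool this section has just dropped.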
Thanks for the change.
Could you, please, adjust the same in chapter "Enabling Capsule Authentication" below.
So as Sughosh said, since currently mkeficapsule doesn't support authentication, I only changed it for the normal capsule update. Without this change, the capsule update just failed.
Currently, we do not have support for adding authentication header to the capsule. This is because I have been using the GenerateCapsule script in edk2 for generation of a capsule with authentication header. I think adding the signature to the capsule is easier when done through a python script rather than C code.
Why do you think so? At a quick glance at the script, it internally uses an openssl command like:
    openssl smime -sign -binary -outform DER -md sha256 \
        -signer <...> -certfile <...>
(See PayloadDescriptor.Encode in the script.)
The output from the standard output is exactly what you want to use to build a capsule file, that is "AuthInfo". Then you can naturally extend mkeficapsule to insert this signature between the header and the image itself in a capsule file.
Hmm, if it can be done by just calling openssl, I think it is easier for me to run the tools/mkeficapsule, because I don't need to build EDK2 for U-Boot.
If GenerateCapsule becomes a standard implementation and independent from the EDK2 project, from the interoperability point of view, it is better to use that. But it is a part of EDK2 and the GenerateCapsule seems out-of-date and not maintained well (why doesn't it support the latest version yet??)
Thank you,
Furthermore, I believe, it is fairly straightforward to add a native 'signing' feature to mkeficapsule if you use openssl library.
-Takahiro Akashi
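Added example, not code from this thread, from U-Boot or from EDK2: the framing Takahiro describes above, in Python, building and parsing the EFI_FIRMWARE_IMAGE_AUTHENTICATION block that carries the openssl smime output as AuthInfo in front of the image. The image and the PKCS7 DER blob are constructed placeholders, and it assumes, as GenerateCapsule does, that the signature covers the MonotonicCount followed by the image.

```python
import struct
import uuid

# Layout constants from the UEFI specification (WIN_CERTIFICATE, WIN_CERTIFICATE_UEFI_GUID,
# EFI_FIRMWARE_IMAGE_AUTHENTICATION); the parser below rejects anything else.
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
_WIN_CERT_HDR = struct.Struct("<IHH")          # dwLength, wRevision, wCertificateType
_AUTH_HDR_LEN = 8 + _WIN_CERT_HDR.size + 16    # MonotonicCount + WIN_CERTIFICATE + CertType GUID

# Constructed placeholders standing in for a real u-boot.bin and for the DER output of
#   openssl smime -sign -binary -outform DER -md sha256 -signer <cert> -certfile <ca> < signed_data
SAMPLE_IMAGE = b"U-Boot image bytes (constructed)"
SAMPLE_PKCS7 = b"<PKCS7 DER blob, constructed placeholder>"


def signed_data(monotonic_count: int, image: bytes) -> bytes:
    """Bytes the PKCS7 signature must cover: UINT64 MonotonicCount (little-endian) then the image.
    Assumption: this matches what GenerateCapsule pipes into openssl smime."""
    return struct.pack("<Q", monotonic_count) + image


def wrap_authenticated_image(monotonic_count: int, pkcs7_der: bytes, image: bytes) -> bytes:
    """Emit EFI_FIRMWARE_IMAGE_AUTHENTICATION followed by the image: the 'AuthInfo' that a signing
    mkeficapsule would insert between the FMP image header and the payload."""
    dw_length = _WIN_CERT_HDR.size + 16 + len(pkcs7_der)   # dwLength spans Hdr, CertType, CertData
    hdr = _WIN_CERT_HDR.pack(dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return (struct.pack("<Q", monotonic_count) + hdr
            + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7_der + image)


def unwrap_authenticated_image(blob: bytes):
    """Split the block back into (monotonic_count, pkcs7_der, image), checking the framing the way
    a capsule driver should before handing CertData to the PKCS7 verifier."""
    if len(blob) < _AUTH_HDR_LEN:
        raise ValueError("too short for EFI_FIRMWARE_IMAGE_AUTHENTICATION")
    (count,) = struct.unpack_from("<Q", blob, 0)
    dw_length, revision, cert_type = _WIN_CERT_HDR.unpack_from(blob, 8)
    guid = uuid.UUID(bytes_le=blob[8 + _WIN_CERT_HDR.size:_AUTH_HDR_LEN])
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("unexpected WIN_CERTIFICATE revision or type")
    if guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    # dwLength comes from the untrusted capsule: bound it before slicing with it.
    if dw_length < _WIN_CERT_HDR.size + 16 or 8 + dw_length > len(blob):
        raise ValueError("dwLength out of range")
    sig_end = 8 + dw_length
    return count, blob[_AUTH_HDR_LEN:sig_end], blob[sig_end:]
```

The FMP image header itself (EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER) is not built here; its UpdateImageSize must count this block together with the image.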
I am working on adding support for the latest version of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule script in edk2. Meanwhile, would it be possible to have support for the version 2 of this header in the capsule driver -- it is a minor change and I already have a patch for it. If you are fine, I can submit a patch for the same.
-sughosh
Best regards
Heinrich
As per the UEFI specification, the capsule file needs to be placed on the EFI System Partition, under the \EFI\UpdateCapsule directory. The
-- Masami Hiramatsu