[PATCH v3 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm platform

Heinrich Schuchardt xypron.glpk at gmx.de
Mon Dec 28 15:39:39 CET 2020


On 12/23/20 8:03 AM, Sughosh Ganu wrote:
> The capsule update feature is supported on a platform configuration
> booting in a non-secure mode, i.e. with the -machine virt,secure=off option
> set. This results in the platform booting u-boot directly without
> the presence of trusted firmware (tf-a). Steps that need to be followed
> for using this feature have been provided as part of the documentation.
>
> Support has also been added for enabling the capsule authentication
> feature. Capsule authentication, as defined by the uefi
> specification, is very much on similar lines to the logic used for
> variable authentication. As a result, most of the signature
> verification code already in use for variable authentication has been
> used for capsule authentication.
>
> Storage of the public key certificate, needed for the signature
> verification process, is in the form of the efi signature list (esl)
> structure. This public key is stored on an overlay which is then
> merged with the platform's base fdt at runtime. The public key esl
> file can be embedded into the overlay dtb using the mkeficapsule
> utility that has been added as part of the capsule update support
> series by Takahiro Akashi. Steps needed for enabling capsule
> authentication have been provided as part of the documentation.
>
> This patch series needs to be applied on top of the capsule update
> support patch series from Takahiro Akashi on the next branch.
>
> Changes since V2:
> * Enable building of board_late_init for both of the Qemu arm and
>    arm64 variants
> * Move the selection of CONFIG_BOARD_LATE_INIT to the mach-qemu Kconfig
>    file
> * Move the functions to populate the mtdparts under
>    board/emulation/common for allowing subsequent re-use by other Qemu
>    arch based platforms
> * Move the functions to populate the dfu_alt_info variable under
>    board/emulation/common for allowing subsequent re-use by other Qemu
>    arch based platforms
> * Move the function for fetching the public key certificate from the
>    platform's dtb under board/emulation/common directory.
> * Move the function for checking the capsule_authentication_enabled
>    env variable under board/emulation/common directory.
> * Moved the capsule update related documentation for the Qemu
>    platform to a new file under doc/board/emulation/ directory.
> * Incorporated all typo review comments from Heinrich
> * Put in a skeletal overlay dts file for reference, as was suggested
>    by Heinrich

Hello Sughosh,

I have applied your changes to the next branch in tag

https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tags/capsule_update_2020-12-28

Unfortunately it does not build on the sandbox:

/usr/bin/ld: cmd/built-in.o: in function `mtdparts_init':
cmd/mtdparts.c:1739: undefined reference to `board_mtdparts_default'
/usr/bin/ld: drivers/built-in.o: in function `dfu_init_env_entities':
/drivers/dfu/dfu.c:143: undefined reference to `set_dfu_alt_info'
/usr/bin/ld: drivers/built-in.o: in function `mtd_search_alternate_name':
/drivers/mtd/mtd_uboot.c:30: undefined reference to `board_mtdparts_default'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1757: u-boot] Error 1

I assume this is due to selecting SYS_MTDPARTS_RUNTIME in
lib/efi_loader/Kconfig.

Best regards

Heinrich

>
>
> Changes since V1:
> * Added support for embedding the public key cert in an overlay using
>    the -O option
> * The earlier patch was adding a call to pci_init in board_init. Moved
>    the virtio_init call to board_late_init
> * Change MTDPARTS_NOR[01] as config options instead of defining them in
>    the qemu-arm.h config header.
> * Enable CONFIG_SYS_MTDPARTS_RUNTIME with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> * Build set_dfu_alt_info and board_get_alt_info functions only if
>    CONFIG_SET_DFU_ALT_INFO is defined
> * Enable CONFIG_SET_DFU_ALT_INFO with
>    CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> * Detect the presence of the FMP Payload header at runtime instead of
>    using a Kconfig option, as was suggested by Heinrich
> * Change the documentation to reflect the usage of overlays for
>    embedding the public key certs at runtime
> * Fix the build for 'make htmldocs'
>
>
> Sughosh Ganu (14):
>    mkeficapsule: Add support for embedding public key in a dtb
>    qemu: arm: Initialise virtio devices in board_late_init
>    crypto: Fix the logic to calculate hash with authattributes set
>    qemu: common: Add support for dynamic mtdparts for the platform
>    qemu: common: Set dfu_alt_info variable for the platform
>    fsp: Move and rename fsp_types.h file
>    efi_loader: Add logic to parse EDKII specific fmp payload header
>    dfu_mtd: Add provision to unlock mtd device
>    efi_loader: Make the pkcs7 header parsing function an extern
>    efi_loader: Re-factor code to build the signature store from efi
>      signature list
>    efi: capsule: Add support for uefi capsule authentication
>    efi_loader: Enable uefi capsule authentication
>    efidebug: capsule: Add a command to update capsule on disk
>    qemu: arm64: Add documentation for capsule update
>
>   arch/arm/mach-qemu/Kconfig                    |   2 +
>   arch/x86/include/asm/fsp/fsp_support.h        |   3 +-
>   board/emulation/common/Kconfig                |  15 ++
>   board/emulation/common/Makefile               |   5 +
>   board/emulation/common/qemu_capsule.c         |  48 ++++
>   board/emulation/common/qemu_dfu.c             |  68 +++++
>   board/emulation/common/qemu_mtdparts.c        |  82 ++++++
>   board/emulation/qemu-arm/Kconfig              |   4 +
>   board/emulation/qemu-arm/qemu-arm.c           |   5 +
>   cmd/efidebug.c                                |  14 ++
>   doc/board/emulation/qemu_capsule_update.rst   | 210 ++++++++++++++++
>   drivers/dfu/dfu_mtd.c                         |  20 +-
>   include/efi_api.h                             |  18 ++
>   include/efi_loader.h                          |  12 +
>   .../fsp/fsp_types.h => include/signatures.h   |   6 +-
>   lib/crypto/pkcs7_verify.c                     |  37 ++-
>   lib/efi_loader/Kconfig                        |  19 ++
>   lib/efi_loader/efi_capsule.c                  | 122 +++++++++
>   lib/efi_loader/efi_firmware.c                 |  77 +++++-
>   lib/efi_loader/efi_signature.c                | 192 +++++++++++----
>   lib/efi_loader/efi_variable.c                 |  93 +------
>   tools/Makefile                                |   1 +
>   tools/mkeficapsule.c                          | 233 +++++++++++++++++-
>   23 files changed, 1122 insertions(+), 164 deletions(-)
>   create mode 100644 board/emulation/common/Kconfig
>   create mode 100644 board/emulation/common/Makefile
>   create mode 100644 board/emulation/common/qemu_capsule.c
>   create mode 100644 board/emulation/common/qemu_dfu.c
>   create mode 100644 board/emulation/common/qemu_mtdparts.c
>   create mode 100644 doc/board/emulation/qemu_capsule_update.rst
>   rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)
>
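The cover letter above stores the capsule verification certificate as an EFI signature list (ESL) that mkeficapsule embeds into the overlay dtb. The following Python is an added example, not code from this thread, from U-Boot or from the mkeficapsule tool: it builds and parses EFI_SIGNATURE_LIST blobs using the layout and the EFI_CERT_X509_GUID value from the UEFI specification, so a practitioner can sanity-check a capsule-key blob (every size field against the bytes actually present) before embedding it. The certificate bytes in the demo are constructed placeholders, not real DER certificates; a real blob would carry the signer's X.509 certificate in DER form.

```python
"""Build and parse EFI_SIGNATURE_LIST (ESL) blobs carrying X.509 certificates.

Layout (UEFI spec, all integers little-endian):
  EFI_SIGNATURE_LIST:
    EFI_GUID SignatureType        16 bytes
    UINT32   SignatureListSize    total bytes of this list incl. header
    UINT32   SignatureHeaderSize  bytes of optional header (0 for X.509)
    UINT32   SignatureSize        bytes of each EFI_SIGNATURE_DATA entry
    UINT8    SignatureHeader[SignatureHeaderSize]
    EFI_SIGNATURE_DATA Signatures[]:
      EFI_GUID SignatureOwner     16 bytes
      UINT8    SignatureData[SignatureSize - 16]
Several lists may be concatenated in one blob; every entry in one list must
have the same SignatureSize, so certificates of different length need
separate lists.
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
_OWNER_LEN = 16


def build_esl(certs, owner=uuid.UUID(int=0), sig_type=EFI_CERT_X509_GUID):
    """Wrap DER certificates into an ESL blob, one list per distinct length."""
    groups = {}
    for cert in certs:
        groups.setdefault(len(cert), []).append(cert)
    out = bytearray()
    for clen, group in groups.items():
        sig_size = _OWNER_LEN + clen
        list_size = _HDR.size + sig_size * len(group)
        out += _HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
        for cert in group:
            out += owner.bytes_le + cert
    return bytes(out)


def parse_esl(blob):
    """Return [(sig_type, owner, data), ...] for every signature in the blob.

    Every size field is checked against the bytes present; a truncated or
    inconsistent blob raises ValueError instead of yielding partial entries.
    """
    results = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated ESL header at offset {off}")
        stype, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or sig_size < _OWNER_LEN:
            raise ValueError(f"implausible size fields at offset {off}")
        if off + list_size > len(blob):
            raise ValueError(f"list at offset {off} claims {list_size} bytes, "
                             f"only {len(blob) - off} present")
        body = list_size - _HDR.size - hdr_size
        if body % sig_size:
            raise ValueError(f"list at offset {off}: body is not a multiple "
                             f"of SignatureSize")
        pos = off + _HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            data = blob[pos + _OWNER_LEN:pos + sig_size]
            results.append((uuid.UUID(bytes_le=stype), owner, data))
            pos += sig_size
        off += list_size
    return results


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real X.509 data).
    cert_a = b"\x30\x82\x01\x00" + b"A" * 60
    cert_b = b"\x30\x82\x02\x00" + b"B" * 80
    blob = build_esl([cert_a, cert_b])
    for sig_type, owner, data in parse_esl(blob):
        print(f"type={sig_type} owner={owner} len={len(data)}")
```

Running parse_esl over the blob mkeficapsule is about to embed (or over the capsule-key property read back out of the merged fdt) confirms the SignatureType is the X.509 GUID and that the list sizes add up; a blob that has been cut short during an incbin or a dtb merge fails the length check rather than being accepted with a partial certificate.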


