[PATCH v3 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm platform
Sughosh Ganu
sughosh.ganu at linaro.org
Tue Dec 29 05:42:54 CET 2020
Hello Heinrich,
On Mon, 28 Dec 2020 at 20:09, Heinrich Schuchardt <xypron.glpk at gmx.de>
wrote:
> On 12/23/20 8:03 AM, Sughosh Ganu wrote:
> > The capsule update feature is supported on a platform configuration
> > booting in a non-secure mode, i.e. with -machine virt,secure=off option
> > set. This results in the platform booting u-boot directly without
> > the presence of trusted firmware (tf-a). Steps that need to be followed
> > for using this feature have been provided as part of the documentation.
> >
> > Support has also been added for enabling the capsule authentication
> > feature. Capsule authentication, as defined by the uefi
> > specification is very much on similar lines to the logic used for
> > variable authentication. As a result, most of the signature
> > verification code already in use for variable authentication has been
> > used for capsule authentication.
> >
> > Storage of the public key certificate, needed for the signature
> > verification process, is in the form of the efi signature list (esl)
> > structure. This public key is stored on an overlay which is then
> > merged with the platform's base fdt at runtime. The public key esl
> > file can be embedded into the overlay dtb using the mkeficapsule
> > utility that has been added as part of the capsule update support
> > series by Takahiro Akashi. Steps needed for enabling capsule
> > authentication have been provided as part of the documentation.
> >
> > This patch series needs to be applied on top of the capsule update
> > support patch series from Takahiro Akashi on the next branch.
> >
> > Changes since V2:
> > * Enable building of board_late_init for both of the Qemu arm and
> > arm64 variants
> > * Move the selection of the CONFIG_BOARD_LATE_INIT to mach-qemu Kconfig
> > file
> > * Move the functions to populate the mtdparts under
> > board/emulation/common for allowing subsequent re-use by other Qemu
> > arch based platforms
> > * Move the functions to populate the dfu_alt_info variable under
> > board/emulation/common for allowing subsequent re-use by other Qemu
> > arch based platforms
> > * Move the function for fetching the public key certificate from the
> > platform's dtb under board/emulation/common directory.
> > * Move the function for checking the capsule_authentication_enabled
> > env variable under board/emulation/common directory.
> > * Moved the capsule update related documentation for the Qemu
> > platform to a new file under doc/board/emulation/ directory.
> > * Incorporated all typo review comments from Heinrich
> > * Put in a skeletal overlay dts file for reference, as was suggested
> > by Heinrich
>
> Hello Sughosh,
>
> I have applied your changes to the next branch in tag
>
>
> https://gitlab.denx.de/u-boot/custodians/u-boot-efi/-/tags/capsule_update_2020-12-28
>
> Unfortunately it does not build on the sandbox:
>
> /usr/bin/ld: cmd/built-in.o: in function `mtdparts_init':
> /cmd/mtdparts.c:1739: undefined reference to `board_mtdparts_default'
> /usr/bin/ld: drivers/built-in.o: in function `dfu_init_env_entities':
> /drivers/dfu/dfu.c:143: undefined reference to `set_dfu_alt_info'
> /usr/bin/ld: drivers/built-in.o: in function `mtd_search_alternate_name':
> /drivers/mtd/mtd_uboot.c:30: undefined reference to `board_mtdparts_default'
> collect2: error: ld returned 1 exit status
> make: *** [Makefile:1757: u-boot] Error 1
>
> I assume this is due to selecting SYS_MTDPARTS_RUNTIME in
> lib/efi_loader/Kconfig.
>
Will fix it. Thanks.
-sughosh
>
> Best regards
>
> Heinrich
>
> >
> >
> > Changes since V1:
> > * Added support for embedding the public key cert in an overlay using
> > the -O option
> > * The earlier patch was adding a call to pci_init in board_init. Moved
> > the virtio_init call to board_late_init
> > * Change MTDPARTS_NOR[01] as config options instead of defining them in
> > the qemu-arm.h config header.
> > * Enable CONFIG_SYS_MTDPARTS_RUNTIME with
> > CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> > * Build set_dfu_alt_info and board_get_alt_info functions only if
> > CONFIG_SET_DFU_ALT_INFO is defined
> > * Enable CONFIG_SET_DFU_ALT_INFO with
> > CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
> > * Detect the presence of the FMP Payload header at runtime instead of
> > using a Kconfig option, as was suggested by Heinrich
> > * Change the documentation to reflect the usage of overlays for
> > embedding the public key certs at runtime
> > * Fix the build for 'make htmldocs'
> >
> >
> > Sughosh Ganu (14):
> > mkeficapsule: Add support for embedding public key in a dtb
> > qemu: arm: Initialise virtio devices in board_late_init
> > crypto: Fix the logic to calculate hash with authattributes set
> > qemu: common: Add support for dynamic mtdparts for the platform
> > qemu: common: Set dfu_alt_info variable for the platform
> > fsp: Move and rename fsp_types.h file
> > efi_loader: Add logic to parse EDKII specific fmp payload header
> > dfu_mtd: Add provision to unlock mtd device
> > efi_loader: Make the pkcs7 header parsing function an extern
> > efi_loader: Re-factor code to build the signature store from efi
> > signature list
> > efi: capsule: Add support for uefi capsule authentication
> > efi_loader: Enable uefi capsule authentication
> > efidebug: capsule: Add a command to update capsule on disk
> > qemu: arm64: Add documentation for capsule update
> >
> > arch/arm/mach-qemu/Kconfig | 2 +
> > arch/x86/include/asm/fsp/fsp_support.h | 3 +-
> > board/emulation/common/Kconfig | 15 ++
> > board/emulation/common/Makefile | 5 +
> > board/emulation/common/qemu_capsule.c | 48 ++++
> > board/emulation/common/qemu_dfu.c | 68 +++++
> > board/emulation/common/qemu_mtdparts.c | 82 ++++++
> > board/emulation/qemu-arm/Kconfig | 4 +
> > board/emulation/qemu-arm/qemu-arm.c | 5 +
> > cmd/efidebug.c | 14 ++
> > doc/board/emulation/qemu_capsule_update.rst | 210 ++++++++++++++++
> > drivers/dfu/dfu_mtd.c | 20 +-
> > include/efi_api.h | 18 ++
> > include/efi_loader.h | 12 +
> > .../fsp/fsp_types.h => include/signatures.h | 6 +-
> > lib/crypto/pkcs7_verify.c | 37 ++-
> > lib/efi_loader/Kconfig | 19 ++
> > lib/efi_loader/efi_capsule.c | 122 +++++++++
> > lib/efi_loader/efi_firmware.c | 77 +++++-
> > lib/efi_loader/efi_signature.c | 192 +++++++++++----
> > lib/efi_loader/efi_variable.c | 93 +------
> > tools/Makefile | 1 +
> > tools/mkeficapsule.c | 233 +++++++++++++++++-
> > 23 files changed, 1122 insertions(+), 164 deletions(-)
> > create mode 100644 board/emulation/common/Kconfig
> > create mode 100644 board/emulation/common/Makefile
> > create mode 100644 board/emulation/common/qemu_capsule.c
> > create mode 100644 board/emulation/common/qemu_dfu.c
> > create mode 100644 board/emulation/common/qemu_mtdparts.c
> > create mode 100644 doc/board/emulation/qemu_capsule_update.rst
> > rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)
> >
>
>
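The cover letter says the public key used for capsule authentication is stored as an EFI signature list (esl). As an added example (not code from this patch series or from U-Boot), the following bounds-checks an ESL blob per the UEFI EFI_SIGNATURE_LIST layout and counts its X.509 entries before any signature verification would rely on it; `esl_count_x509` and `sample_esl` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESL_HDR 28u /* 16-byte SignatureType GUID + three little-endian u32 sizes */
#define OWNER   16u /* SignatureOwner GUID at the start of every entry */

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, on-disk byte order */
#define X509_GUID_BYTES 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, \
                        0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72
static const uint8_t x509_guid[16] = { X509_GUID_BYTES };

/* Constructed sample: one X.509 list, one entry, 4 zero bytes standing in for a cert */
static uint8_t sample_esl[48] = { X509_GUID_BYTES, 48, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0 };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk each EFI_SIGNATURE_LIST in buf; return the X.509 entry count, -1 if malformed */
int esl_count_x509(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int certs = 0;

    while (off < len) {
        if (len - off < ESL_HDR)
            return -1; /* truncated list header */
        const uint8_t *l = buf + off;
        uint32_t list_sz = le32(l + 16), hdr_sz = le32(l + 20), sig_sz = le32(l + 24);

        if (list_sz < ESL_HDR || list_sz > len - off)
            return -1; /* list claims more bytes than the blob holds */
        if (hdr_sz > list_sz - ESL_HDR || sig_sz <= OWNER)
            return -1; /* no room for an owner GUID plus data */
        if ((list_sz - ESL_HDR - hdr_sz) % sig_sz != 0)
            return -1; /* entries must tile the list exactly */
        if (memcmp(l, x509_guid, 16) == 0)
            certs += (int)((list_sz - ESL_HDR - hdr_sz) / sig_sz);
        off += list_sz;
    }
    return certs;
}

int main(void)
{
    printf("x509 entries: %d\n", esl_count_x509(sample_esl, sizeof(sample_esl)));
    return 0;
}
```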