[PATCH 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm64 platform
Sughosh Ganu
sughosh.ganu at linaro.org
Thu Nov 26 19:40:56 CET 2020

The following series adds support for the uefi capsule update feature
on the qemu arm64 platform, along with adding support for the capsule
authentication feature.

The capsule update feature is supported on a platform configuration
booting in a non-secure mode, i.e. with -machine virt,secure=off option
set. This results in the platform booting u-boot directly without
the presence of trusted firmware (tf-a). Steps that need to be followed
for using this feature have been provided as part of the documentation.

Support has also been added for enabling the capsule authentication
feature. Capsule authentication, as defined by the uefi
specification, is very much on similar lines to the logic used for
variable authentication. As a result, most of the signature
verification code already in use for variable authentication has been
used for capsule authentication.

Storage of the public key certificate, needed for the signature
verification process, is in the form of the efi signature list (esl)
structure. This public key is stored on the platform's device tree
blob. The public key esl file can be embedded into the dtb using the
mkeficapsule utility that has been added as part of the capsule update
support series[1]. Steps needed for enabling capsule authentication
have been provided as part of the documentation.

This patch series needs to be applied on top of the capsule update
support patch series from Takahiro Akashi[1].

[1] - https://patchwork.ozlabs.org/project/uboot/cover/20201117002805.13902-1-takahiro.akashi@linaro.org/

Sughosh Ganu (14):
  qemu: arm: Use the generated DTB only when CONGIG_OF_BOARD is defined
  mkeficapsule: Add support for embedding public key in a dtb
  qemu: arm: Scan the pci bus in board_init
  crypto: Fix the logic to calculate hash with authattributes set
  qemu: arm64: Add support for dynamic mtdparts for the platform
  qemu: arm64: Set dfu_alt_info variable for the platform
  efi_loader: Add config option to indicate fmp header presence
  dfu_mtd: Add provision to unlock mtd device
  efi_loader: Make the pkcs7 header parsing function an extern
  efi_loader: Re-factor code to build the signature store from efi
    signature list
  efi: capsule: Add support for uefi capsule authentication
  efi_loader: Enable uefi capsule authentication
  efidebug: capsule: Add a command to update capsule on disk
  qemu: arm64: Add documentation for capsule update

board/emulation/qemu-arm/qemu-arm.c | 170 ++++++++++++++++++++++++
cmd/efidebug.c | 14 ++
doc/board/emulation/qemu-arm.rst | 157 ++++++++++++++++++++++
drivers/dfu/dfu_mtd.c | 20 ++-
include/configs/qemu-arm.h | 8 ++
include/efi_api.h | 18 +++
include/efi_loader.h | 12 ++
lib/crypto/pkcs7_verify.c | 37 ++++--
lib/efi_loader/Kconfig | 24 ++++
lib/efi_loader/efi_capsule.c | 122 +++++++++++++++++
lib/efi_loader/efi_firmware.c | 49 ++++++-
lib/efi_loader/efi_signature.c | 192 ++++++++++++++++++++-------
lib/efi_loader/efi_variable.c | 93 +------------
tools/Makefile | 1 +
tools/mkeficapsule.c | 198 ++++++++++++++++++++++++++--
15 files changed, 954 insertions(+), 161 deletions(-)
--
2.17.1
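
An added example, not part of the original message or of the U-Boot series: a bounds-checked walk over the EFI signature list (esl) layout that the cover letter says holds the public key certificate. The function name, the rejection policy for empty lists and the sample bytes are assumptions constructed here; the field layout and the X.509 type GUID follow the UEFI specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 in in-memory byte order */
static const uint8_t X509_GUID[16] = {
    0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };

/* Constructed sample: one X.509-typed list, one entry, 4 placeholder bytes (not a real cert) */
static const uint8_t SAMPLE_ESL[48] = {
    0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72,
    0x30,0,0,0, 0,0,0,0, 0x14,0,0,0,   /* ListSize=48, HeaderSize=0, SignatureSize=20 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,   /* SignatureOwner GUID (all zero) */
    0xde,0xad,0xbe,0xef };             /* SignatureData placeholder */

#define ESL_HDR 28u /* SignatureType GUID + ListSize + HeaderSize + SignatureSize */

static uint32_t rd32(const uint8_t *p) /* little-endian, alignment-safe read */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk concatenated EFI_SIGNATURE_LISTs; return the number of X.509 entries,
 * or -1 if any size field is inconsistent with the buffer (hypothetical helper). */
int esl_count_x509(const uint8_t *buf, size_t len)
{
    int certs = 0;
    while (len > 0) {
        if (len < ESL_HDR) return -1;              /* truncated header */
        uint32_t list_size = rd32(buf + 16);
        uint32_t hdr_size  = rd32(buf + 20);
        uint32_t sig_size  = rd32(buf + 24);
        if (list_size < ESL_HDR || list_size > len) return -1;
        uint32_t body = list_size - ESL_HDR;
        if (hdr_size > body) return -1;            /* header overruns the list */
        body -= hdr_size;
        /* each entry is a 16-byte owner GUID plus data; empty lists are rejected here */
        if (sig_size <= 16 || body == 0 || body % sig_size != 0) return -1;
        if (memcmp(buf, X509_GUID, 16) == 0)
            certs += (int)(body / sig_size);
        buf += list_size;
        len -= list_size;
    }
    return certs;
}

int main(void)
{
    printf("x509 entries: %d\n", esl_count_x509(SAMPLE_ESL, sizeof SAMPLE_ESL));
    return 0;
}
```

Checking every size field against the remaining buffer before it is used keeps a malformed or truncated list from driving reads past the end of the blob.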