[PATCH 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm64 platform

Sughosh Ganu sughosh.ganu at linaro.org
Thu Nov 26 19:40:56 CET 2020


The following series adds support for the uefi capsule update feature
on the qemu arm64 platform, along with adding support for the capsule
authentication feature.

The capsule update feature is supported on a platform configuration
booting in a non-secure mode, i.e with -machine virt,secure=off option
set. This results in the platform booting u-boot directly without
the presence of trusted firmware(tf-a). Steps that need to be followed
for using this feature have been provided as part of the documentation.

Support has also been added for enabling the capsule authentication
feature. Capsule authentication, as defined by the uefi
specification is very much on similar lines to the logic used for
variable authentication. As a result, most of the signature
verification code already in use for variable authentication has been
used for capsule authentication.

Storage of the public key certificate, needed for the signature
verification process is in form of the efi signature list(esl)
structure.  This public key is stored on the platform's device tree
blob. The public key esl file can be embedded into the dtb using the
mkeficapsule utility that has been added as part of the capsule update
support series[1]. Steps needed for enabling capsule authentication
have been provided as part of the documentation.

This patch series needs to be applied on top of the capsule update
support patch series from Takahiro Akashi[1]


[1] -
https://patchwork.ozlabs.org/project/uboot/cover/20201117002805.13902-1-takahiro.akashi@linaro.org/


Sughosh Ganu (14):
  qemu: arm: Use the generated DTB only when CONGIG_OF_BOARD is defined
  mkeficapsule: Add support for embedding public key in a dtb
  qemu: arm: Scan the pci bus in board_init
  crypto: Fix the logic to calculate hash with authattributes set
  qemu: arm64: Add support for dynamic mtdparts for the platform
  qemu: arm64: Set dfu_alt_info variable for the platform
  efi_loader: Add config option to indicate fmp header presence
  dfu_mtd: Add provision to unlock mtd device
  efi_loader: Make the pkcs7 header parsing function an extern
  efi_loader: Re-factor code to build the signature store from efi
    signature list
  efi: capsule: Add support for uefi capsule authentication
  efi_loader: Enable uefi capsule authentication
  efidebug: capsule: Add a command to update capsule on disk
  qemu: arm64: Add documentation for capsule update

 board/emulation/qemu-arm/qemu-arm.c | 170 ++++++++++++++++++++++++
 cmd/efidebug.c                      |  14 ++
 doc/board/emulation/qemu-arm.rst    | 157 ++++++++++++++++++++++
 drivers/dfu/dfu_mtd.c               |  20 ++-
 include/configs/qemu-arm.h          |   8 ++
 include/efi_api.h                   |  18 +++
 include/efi_loader.h                |  12 ++
 lib/crypto/pkcs7_verify.c           |  37 ++++--
 lib/efi_loader/Kconfig              |  24 ++++
 lib/efi_loader/efi_capsule.c        | 122 +++++++++++++++++
 lib/efi_loader/efi_firmware.c       |  49 ++++++-
 lib/efi_loader/efi_signature.c      | 192 ++++++++++++++++++++-------
 lib/efi_loader/efi_variable.c       |  93 +------------
 tools/Makefile                      |   1 +
 tools/mkeficapsule.c                | 198 ++++++++++++++++++++++++++--
 15 files changed, 954 insertions(+), 161 deletions(-)

-- 
2.17.1




More information about the U-Boot mailing list