[PATCH 14/14] qemu: arm64: Add documentation for capsule update
Sughosh Ganu
sughosh.ganu at linaro.org
Thu Nov 26 19:41:10 CET 2020
Add documentation highlighting the steps for using the uefi capsule
update feature for updating the u-boot firmware image.
Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
---
doc/board/emulation/qemu-arm.rst | 157 +++++++++++++++++++++++++++++++
1 file changed, 157 insertions(+)
diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst
index 8d7fda10f1..3978c13269 100644
--- a/doc/board/emulation/qemu-arm.rst
+++ b/doc/board/emulation/qemu-arm.rst
@@ -90,3 +90,160 @@ The debug UART on the ARM virt board uses these settings::
CONFIG_DEBUG_UART_PL010=y
CONFIG_DEBUG_UART_BASE=0x9000000
CONFIG_DEBUG_UART_CLOCK=0
+
+Enabling Uefi Capsule Update feature
+------------------------------------
+
+Support has been added for the uefi capsule update feature which
+enables updating the u-boot image using the uefi firmware management
+protocol (fmp). The capsules are not passed to the firmware through
+the UpdateCapsule runtime service. Instead, capsule-on-disk
+functionality is used for fetching the capsule from the EFI System
+Partition (ESP).
+
+Currently, support has been added for updating the u-boot binary as a
+raw image when the platform is booted in non-secure mode, i.e with
+CONFIG_TFABOOT disabled. For this configuration, the qemu platform
+needs to be booted with 'secure=off'. The u-boot binary placed on the
+first bank of the Nor Flash at offset 0x0. The u-boot environment is
+placed on the second Nor Flash bank at offset 0x4000000.
+
+The capsule update feature is enabled with the following configs::
+
+ CONFIG_MTD=y
+ CONFIG_FLASH_CFI_MTD=y
+ CONFIG_CMD_MTDPARTS=y
+ CONFIG_CMD_DFU=y
+ CONFIG_DFU_MTD=y
+ CONFIG_EFI_CAPSULE_ON_DISK=y
+ CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
+ CONFIG_EFI_CAPSULE_FIRMWARE=y
+ CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
+ CONFIG_EFI_CAPSULE_FMP_HEADER=y
+
+In addition, the following config needs to be disabled::
+ CONFIG_TFABOOT
+
+The capsule file can be generated by using the GenerateCapsule.py
+script in edk2::
+
+ $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
+ <capsule_file_name> --fw-version <val> --lsv <val> --guid \
+ e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \
+ <val> --verbose <u-boot.bin>
+
+If the above edk2 script is being used for generating the capsule, the
+following additional config needs to be enabled::
+ CONFIG_EFI_CAPSULE_FMP_HEADER=y
+
+As per the uefi specification, the capsule file needs to be placed on
+the EFI System Partition, under the EFI/UpdateCapsule/ directory. The
+EFI System Partition can be a virtio-blk-device.
+
+Before initiating the firmware update, the efi variables BootNext,
+BootXXXX and OsIndications need to be set. The BootXXXX variable needs
+to be pointing to the EFI System Partition which contains the capsule
+file. The BootNext, BootXXXX and OsIndications variables can be set
+using the following commands::
+
+ => efidebug boot add 0 Boot0000 virtio 0:1 <capsule_file_name>
+ => efidebug boot next 0
+ => setenv -e -nv -bs -rt -v OsIndications =0x04
+ => saveenv
+
+Finally, the capsule update can be initiated with the following
+command::
+
+ => efidebug capsule disk-update
+
+The updated u-boot image will be booted on subsequent boot.
+
+Enabling Capsule Authentication
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The uefi specification defines a way of authenticating the capsule to
+be updated by verifying the capsule signature. The capsule signature
+is computed and prepended to the capsule payload at the time of
+capsule generation. This signature is then verified by using the
+public key stored as part of the X509 certificate. This certificate is
+in the form of an efi signature list (esl) file, which is embedded as
+part of the platform's device tree blob using the mkeficapsule
+utility.
+
+The capsule authentication feature can be enabled through the
+following config, in addition to the configs listed above for capsule
+update::
+
+ CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+
+The public key esl file can be embedded in the dtb with the following
+command::
+ ./tools/mkeficapsule -K <pub_key.esl> -D <dtb>
+
+Running the above command results in the creation of a 'signature'
+node in the dtb, under which the public key is stored as a
+'capsule-key' property.
+
+Once the esl file has been embedded as part of the dtb, the platform
+needs to be be booted with this dtb. This can be done by disabling the
+CONFIG_OF_BOARD option, and then, passing the above dtb file to the
+u-boot build.
+
+The capsule update with authentication can be enabled on the platform
+with the following steps
+
+1. Install utility commands on your host
+ * openssl
+ * efitools
+
+2. Create signing keys and certificate files on your host::
+
+ $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
+ -keyout CRT.key -out CRT.crt -nodes -days 365
+ $ cert-to-efi-sig-list CRT.crt CRT.esl
+
+ $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
+ $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
+
+ $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
+ $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
+
+3. Store the esl file generated above as part of the dtb::
+
+ $ ./tools/mkeficapsule -K <pub_key.esl> -D <dtb>
+
+4. The capsule file can be generated by using the GenerateCapsule.py
+ script in edk2::
+
+ $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
+ <capsule_file_name> --monotonic-count <val> --fw-version \
+ <val> --lsv <val> --guid \
+ e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
+ --update-image-index <val> --signer-private-cert \
+ /path/to/CRT.pem --trusted-public-cert \
+ /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
+ <u-boot.bin>
+
+Once the capsule has been generated, use the same instructions as
+mentioned above for placing the capsule on the EFI System Partition
+
+5. Building u-boot with the following steps::
+
+ $ make qemu_arm64_defconfig
+ $ make menuconfig
+ Disable CONFIG_OF_BOARD and CONFIG_TFABOOT
+ $ make EXT_DTB=<dtb> all
+
+6. Enable capsule authentication by setting the following env
+ variable::
+
+ => setenv capsule_authentication_enabled 1
+ => saveenv
+
+Setting the environment variable capsule_authentication_enabled
+enables the capsule authentication.
+
+Once the capsule has been placed on the EFI System Partition and the
+above env variable has been set, along with the BootXXXX and the
+BootNext variables, the capsule update can be initiated
+using the same command as that shown above.
--
2.17.1
More information about the U-Boot
mailing list