[PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update

Masami Hiramatsu masami.hiramatsu at linaro.org
Mon Apr 19 04:24:37 CEST 2021


Hi,

On Mon, Apr 19, 2021 at 9:37, Takahiro Akashi <takahiro.akashi at linaro.org> wrote:
>
> Sughosh,
>
> On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
> > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt <xypron.glpk at gmx.de>
> > wrote:
> >
> > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
> > > > Since the EDK2 GenerateCapsule script is out of date and it
> > > > doesn't generate the supported version capsule file, the document
> > > > should refer the mkeficapsule in tools.
> > > >
> > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu at linaro.org>
> > > > ---
> > > >   doc/board/emulation/qemu_capsule_update.rst |   11 ++---------
> > > >   1 file changed, 2 insertions(+), 9 deletions(-)
> > > >
> > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst
> > > b/doc/board/emulation/qemu_capsule_update.rst
> > > > index 9fec75f8f1..e2a9f0db71 100644
> > > > --- a/c
> > > > +++ b/doc/board/emulation/qemu_capsule_update.rst
> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to be
> > > disabled(QEMU ARM specific)::
> > > >
> > > >       CONFIG_TFABOOT
> > > >
> > > > -The capsule file can be generated by using the GenerateCapsule.py
> > > > -script in EDKII::
> > > > -
> > > > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> > > > -    <capsule_file_name> --fw-version <val> --lsv <val> --guid \
> > > > -    e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index
> > > \
> > > > -    <val> --verbose <u-boot.bin>
> > > > +The capsule file can be generated by using the tools/mkeficapsule::
> > > >
> > > > -The above is a wrapper script(GenerateCapsule) which eventually calls
> > > > -the actual GenerateCapsule.py script.
> > > > +    $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
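Review bot: the added `$ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>` line hard-codes `--index 1` where the removed command took `--update-image-index <val>`; say what image index 1 refers to on this board, or keep a placeholder, so a reader adapting the command to another image does not copy the value blindly. The removed command also passed `--guid`, `--fw-version` and `--lsv`, and the new text does not say whether those values are no longer needed. The sentence "by using the tools/mkeficapsule::" would read better as "using the mkeficapsule tool (tools/mkeficapsule)::".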
> > >
> > > Thanks for the change.
> > >
> > > Could you, please, adjust the same in chapter "Enabling Capsule
> > > Authentication" below.

So as Sughosh said, since currently mkeficapsule doesn't support authentication,
I only changed it for the normal capsule update. Without this change, the
capsule update just failed.


> > Currently, we do not have support for adding authentication header to the
> > capsule. This is because I have been using the GenerateCapsule script in
> > edk2 for generation of a capsule with authentication header. I think adding
> > the signature to the capsule is easier when done through a python script
> > rather than C code.
>
> Why do you think so?
> At a quick glance at the script, it internally uses openssl command like:
>     openssl smime -sign -binary -outform DER -md sha256 \
>         -signer <...> -certfile <...>
> (See PayloadDescriptor.Encode in the script.)
>
> The output from the standard output is exactly what you want
> to use to build a capsule file, that is "AuthInfo".
> Then you can naturally extend mkeficapsule to insert this signature
> between the header and the image itself in a capsule file.

Hmm, if it can be done by just calling openssl, I think it is easier for me
to run the tools/mkeficapsule, because I don't need to build EDK2
for U-Boot.

If GenerateCapsule becomes a standard implementation and
independent from the EDK2 project, from the interoperability point
of view, it is better to use that. But it is a part of EDK2 and the
GenerateCapsule seems out-of-date and not maintained well
(why doesn't it support the latest version yet??)

Thank you,

> Furthermore, I believe, it is fairly straightforward to add a native
> 'signing' feature to mkeficapsule if you use openssl library.
>
> -Takahiro Akashi
>
>
> > I am working on adding support for the latest version
> > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule
> > script in edk2. Meanwhile, would it be possible to have support for the
> > version 2 of this header in the capsule driver -- it is a minor change and
> > I already have a patch for it. If you are fine, I can submit a patch for
> > the same.
> >
> > -sughosh
> >
> >
> > >
> > > Best regards
> > >
> > > Heinrich
> > >
> > > >
> > > >   As per the UEFI specification, the capsule file needs to be placed on
> > > >   the EFI System Partition, under the \EFI\UpdateCapsule directory. The
> > > >
> > >
> > >



--
Masami Hiramatsu
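
The reply quoted above describes taking the DER output of `openssl smime -sign` and placing it between the capsule header and the image. As an added example (not from this thread, U-Boot or EDK2), the Python below wraps such a blob in the EFI_FIRMWARE_IMAGE_AUTHENTICATION layout and parses it back with length and type checks. The layout and constants are taken from the UEFI specification rather than from this page; the function names and sample bytes are constructed.

```python
import struct
import uuid

# Constants from the UEFI specification (not from this thread).
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

# UINT64 MonotonicCount | UINT32 dwLength | UINT16 wRevision |
# UINT16 wCertificateType | EFI_GUID CertType, followed by CertData.
_FIXED = struct.Struct("<QIHH16s")
_WIN_CERT_FIXED = _FIXED.size - 8  # dwLength does not cover MonotonicCount


def data_to_sign(image: bytes, monotonic_count: int) -> bytes:
    """Bytes to feed to `openssl smime -sign -binary`: image, then the count."""
    return image + struct.pack("<Q", monotonic_count)


def wrap_image(image: bytes, pkcs7_der: bytes, monotonic_count: int) -> bytes:
    """Prefix the image with EFI_FIRMWARE_IMAGE_AUTHENTICATION."""
    fixed = _FIXED.pack(monotonic_count, _WIN_CERT_FIXED + len(pkcs7_der),
                        WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID,
                        EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return fixed + pkcs7_der + image


def unwrap_image(blob: bytes):
    """Return (monotonic_count, pkcs7_der, image); reject malformed headers."""
    if len(blob) < _FIXED.size:
        raise ValueError("truncated authentication header")
    count, dw_length, rev, ctype, guid = _FIXED.unpack_from(blob)
    if rev != WIN_CERT_REVISION or ctype != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("unexpected WIN_CERTIFICATE revision or type")
    if guid != EFI_CERT_TYPE_PKCS7_GUID.bytes_le:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    end = 8 + dw_length  # MonotonicCount precedes the WIN_CERTIFICATE
    if dw_length < _WIN_CERT_FIXED or end > len(blob):
        raise ValueError("dwLength outside the buffer")
    return count, blob[_FIXED.size:end], blob[end:]


# Constructed sample values; the signature is a placeholder, not real PKCS#7.
SAMPLE_IMAGE = b"U-BOOT-IMAGE-BYTES"
SAMPLE_SIG = b"\x30\x82\x00\x04DEMO"
```

The parser only checks framing; verifying the PKCS#7 signature against a trusted certificate is a separate step.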

