[PATCH v2 0/9] efi_loader: capsule: improve capsule authentication support

AKASHI Takahiro takahiro.akashi at linaro.org
Mon Aug 2 07:00:05 CEST 2021


Heinrich,

On Sun, Aug 01, 2021 at 11:40:14AM +0200, Heinrich Schuchardt wrote:
> On 7/27/21 11:10 AM, AKASHI Takahiro wrote:
> > As I proposed and discussed in [1] and [2], I have made a couple of
> > improvements on the current implementation of capsule update in this
> > patch set.
> > 
> > * add signing feature to mkeficapsule
> > * add "--guid" option to mkeficapsule
> > * add man page of mkeficapsule
> > * add pytest for capsule authentication (on sandbox)
> > 
> > NOTE:
> > Due to Ilias's commit[3], we need to have a customized configuration
> > for sandbox to properly set up and run capsule authentication test.
> > See patch#5,#6 and #7.
> > 
> > [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> > [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> > [3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to
> >      .rodata")
> 
> 
> Dear Takahiro,
> 
> thanks for driving this topic. I have finished with my review and will
> be waiting for v2.

Thanks for your review comments.

I'd like to know what's your thought on Patch#8 (and #9)
as I have not seen your comment at [2] above.
It is more or less an RFC since it breaks the compatibility
of command syntax although I believe that the change is
quite useful.

-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> > 
> > Prerequisite patches
> > ====================
> > None
> > 
> > Test
> > ====
> > * locally passed the pytest which is included in this patch series
> >    on sandbox built.
> > 
> > Todo
> > ====
> > * Confirm that the change in .gitlab-ci.yml works.
> > * Azure support(?)
> > 
> > Changes
> > =======
> > v2 (July 28, 2021)
> > * rebased on v2021.10-rc*
> > * removed dependency on target's configuration
> > * removed fdtsig.sh and others
> > * add man page
> > * update the UEFI document
> > * add dedicate defconfig for testing on sandbox
> > * add gitlab CI support
> > * add "--guid" option to mkeficapsule
> >    (yet rather RFC)
> > 
> > Initial release (May 12, 2021)
> > * based on v2021.07-rc2
> > 
> > AKASHI Takahiro (9):
> >    tools: mkeficapsule: add firmwware image signing
> >    tools: mkeficapsule: add man page
> >    doc: update UEFI document for usage of mkeficapsule
> >    efi_loader: ease the file path check for public key
> >    test/py: efi_capsule: add image authentication test
> >    sandbox: add config for efi capsule authentication test
> >    GitLab: add a test rule for efi capsule authentication test
> >    tools: mkeficapsule: allow for specifying GUID explicitly
> >    test/py: efi_capsule: align with the syntax change of mkeficapsule
> > 
> >   .gitlab-ci.yml                                |   6 +
> >   MAINTAINERS                                   |   1 +
> >   configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
> >   doc/develop/uefi/uefi.rst                     |  31 +-
> >   doc/mkeficapsule.1                            |  98 +++++
> >   lib/efi_loader/Makefile                       |   5 +-
> >   test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
> >   test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
> >   test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
> >   test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
> >   test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
> >   .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> >   test/py/tests/test_efi_capsule/conftest.py    |  39 +-
> >   .../test_capsule_firmware_signed.py           | 228 +++++++++++
> >   tools/Kconfig                                 |   7 +
> >   tools/Makefile                                |   8 +-
> >   tools/mkeficapsule.c                          | 368 ++++++++++++++++--
> >   17 files changed, 1129 insertions(+), 68 deletions(-)
> >   create mode 100644 configs/sandbox_capsule_auth_defconfig
> >   create mode 100644 doc/mkeficapsule.1
> >   create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
> >   create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
> >   create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
> >   create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
> >   create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
> >   create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > 
> 


More information about the U-Boot mailing list