[PATCH v7 00/12] efi_loader: capsule: improve capsule authentication support
AKASHI Takahiro
takahiro.akashi at linaro.org
Fri Dec 3 08:09:58 CET 2021
Heinrich,
On Thu, Nov 25, 2021 at 03:02:35PM +0900, AKASHI Takahiro wrote:
> Hi Heinrich
>
> On Tue, Nov 16, 2021 at 01:32:26PM +0900, AKASHI Takahiro wrote:
> > As I proposed and discussed in [1] and [2], I have made a couple of
> > improvements on the current implementation of capsule update in this
> > patch set.
>
> For this version(v7), I have seen your review comments only
> on patch#1 and #2.
> Please take your time to review the rest (the main part of
> commits) as well.
> I don't want to respin the patch series and post its new version
> which is almost the same as the old one(v7).
Ping.
-Takahiro Akashi
> -Takahiro Akashi
>
>
> > * add signing feature to mkeficapsule
> > * add "--guid" option to mkeficapsule
> > * add man page of mkeficapsule
> > * update uefi document regarding capsule update
> > * revise pytests
> > * (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH
> >
> > # We have had some discussion about fdtsig.sh.
> > # So RFCs (patch#11,#12) are still included for further discussion
> > # if they are useful or not.
> > # For smooth merge, the rest (patch#1-10) should work without them.
> >
> > [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> > [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> >
> > Prerequisite patches
> > ====================
> > None
> >
> > Test
> > ====
> > * locally passed the pytest which is included in this patch series
> > on sandbox built.
> > (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
> > in order to exercise the authentication code.)
> >
> > Changes
> > =======
> > v7 (Nov 16, 2021)
> > * rebased on pre-v2022.01-rc2
> > * drop already-merged patch
> > * check for a size of firmware binary file (patch#1)
> > * enable mkeficapsule in tools-only_defconfig (patch#2)
> > * define eficapsule.h and include it from mkeficapsule (patch#3)
> > Hopefully, the tool can now compile on non-linux host.
> >
> > v6 (Nov 02, 2021)
> > * rebased on pre-v2022.01-rc1
> > * add patch#2 to rework/refactor the code for better readability (patch#2)
> > * use exit(EXIT_SUCCESS/FAILURE) (patch#3)
> > * truncate >80chars lines in pytest scripts (patch#6)
> >
> > v5 (Oct 27, 2021)
> > * rebased on pre-v2022.01-rc1 (WIP/26Oct2021)
> > * drop already-merged patches
> > * drop __weak from efi_get_public_key_data() (patch#1)
> > * describe the format of public key node in device tree (patch#4)
> > * re-order patches by grouping closely-related patches (patch#6-8)
> > * modify pytest to make the test results correctly verified
> > either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9)
> > * add RFCs for embedding public keys during the build process (patch#10,11)
> >
> > v4 (Oct 7, 2021)
> > * rebased on v2021.10
> > * align with "Revert "efi_capsule: Move signature from DTB to .rodata""
> > * add more missing *revert* commits (patch#1,#2,#3)
> > * add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
> > * update/revise the man/uefi doc (patch#6,#7)
> > * fix a bug in parsing guid string (patch#8)
> > * add a test for "--guid" option (patch#10)
> > * use dtb-based authentication test as done in v1 (patch#11)
> >
> > v3 (Aug 31, 2021)
> > * rebased on v2021.10-rc3
> > * remove pytest-related patches
> > * add function descriptions in mkeficapsule.c
> > * correct format specifiers in printf()
> > * let main() return 0 or -1 only
> > * update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule
> >
> > v2 (July 28, 2021)
> > * rebased on v2021.10-rc*
> > * removed dependency on target's configuration
> > * removed fdtsig.sh and others
> > * add man page
> > * update the UEFI document
> > * add dedicate defconfig for testing on sandbox
> > * add gitlab CI support
> > * add "--guid" option to mkeficapsule
> > (yet rather RFC)
> >
> > Initial release (May 12, 2021)
> > * based on v2021.07-rc2
> >
> > AKASHI Takahiro (12):
> > tools: mkeficapsule: rework the code a little bit
> > tools: build mkeficapsule with tools-only_defconfig
> > tools: mkeficapsule: add firmwware image signing
> > tools: mkeficapsule: add man page
> > doc: update UEFI document for usage of mkeficapsule
> > test/py: efi_capsule: add image authentication test
> > tools: mkeficapsule: allow for specifying GUID explicitly
> > test/py: efi_capsule: align with the syntax change of mkeficapsule
> > test/py: efi_capsule: add a test for "--guid" option
> > test/py: efi_capsule: check the results in case of
> > CAPSULE_AUTHENTICATE
> > (RFC) tools: add fdtsig.sh
> > (RFC) efi_loader, dts: add public keys for capsules to device tree
> >
> > MAINTAINERS | 2 +
> > configs/tools-only_defconfig | 1 +
> > doc/develop/uefi/uefi.rst | 143 ++--
> > doc/mkeficapsule.1 | 107 +++
> > dts/Makefile | 23 +-
> > lib/efi_loader/Kconfig | 7 +
> > .../py/tests/test_efi_capsule/capsule_defs.py | 5 +
> > test/py/tests/test_efi_capsule/conftest.py | 59 +-
> > test/py/tests/test_efi_capsule/signature.dts | 10 +
> > .../test_efi_capsule/test_capsule_firmware.py | 91 ++-
> > .../test_capsule_firmware_signed.py | 254 +++++++
> > tools/Kconfig | 8 +
> > tools/Makefile | 8 +-
> > tools/eficapsule.h | 115 +++
> > tools/fdtsig.sh | 40 ++
> > tools/mkeficapsule.c | 680 +++++++++++++++---
> > 16 files changed, 1360 insertions(+), 193 deletions(-)
> > create mode 100644 doc/mkeficapsule.1
> > create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> > create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > create mode 100644 tools/eficapsule.h
> > create mode 100755 tools/fdtsig.sh
> >
> > --
> > 2.33.0
> >
More information about the U-Boot
mailing list