[PATCH v2 0/9] efi_loader: capsule: improve capsule authentication support

AKASHI Takahiro takahiro.akashi at linaro.org
Tue Jul 27 11:10:45 CEST 2021 

As I proposed and discussed in [1] and [2], I have made a couple of
improvements on the current implementation of capsule update in this
patch set.

* add signing feature to mkeficapsule
* add "--guid" option to mkeficapsule
* add man page of mkeficapsule
* add pytest for capsule authentication (on sandbox)

NOTE:
Due to Ilias's commit[3], we need to have a customized configuration
for sandbox to properly set up and run capsule authentication test.
See patch#5,#6 and #7.

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
[3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to
    .rodata")

Prerequisite patches
====================
None

Test
====
* locally passed the pytest which is included in this patch series
  on sandbox built.

Todo
====
* Confirm that the change in .gitlab-ci.yml works.
* Azure support(?)

Changes
=======
v2 (July 28, 2021)
* rebased on v2021.10-rc*
* removed dependency on target's configuration
* removed fdtsig.sh and others
* add man page
* update the UEFI document
* add dedicate defconfig for testing on sandbox
* add gitlab CI support
* add "--guid" option to mkeficapsule
  (yet rather RFC)

Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (9):
  tools: mkeficapsule: add firmwware image signing
  tools: mkeficapsule: add man page
  doc: update UEFI document for usage of mkeficapsule
  efi_loader: ease the file path check for public key
  test/py: efi_capsule: add image authentication test
  sandbox: add config for efi capsule authentication test
  GitLab: add a test rule for efi capsule authentication test
  tools: mkeficapsule: allow for specifying GUID explicitly
  test/py: efi_capsule: align with the syntax change of mkeficapsule

 .gitlab-ci.yml                                |   6 +
 MAINTAINERS                                   |   1 +
 configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
 doc/develop/uefi/uefi.rst                     |  31 +-
 doc/mkeficapsule.1                            |  98 +++++
 lib/efi_loader/Makefile                       |   5 +-
 test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
 test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
 test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
 test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
 test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  39 +-
 .../test_capsule_firmware_signed.py           | 228 +++++++++++
 tools/Kconfig                                 |   7 +
 tools/Makefile                                |   8 +-
 tools/mkeficapsule.c                          | 368 ++++++++++++++++--
 17 files changed, 1129 insertions(+), 68 deletions(-)
 create mode 100644 configs/sandbox_capsule_auth_defconfig
 create mode 100644 doc/mkeficapsule.1
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
 create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

-- 
2.31.0

More information about the U-Boot mailing list