[PATCH v7 05/12] doc: update UEFI document for usage of mkeficapsule

Ilias Apalodimas ilias.apalodimas at linaro.org
Thu Nov 25 12:15:23 CET 2021


Akashi-san,

[...]
>
> -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig
> -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable
> -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule.
> -
> -If that option is disabled, you'll need to set the OsIndications variable with::
> +Put capsule files under the directory mentioned above.
> +Then, following the UEFI specification, you'll need to set
> +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
> +bit in OsIndications variable with::
>
>      => setenv -e -nv -bs -rt -v OsIndications =0x04
>
> -Finally, the capsule update can be initiated either by rebooting the board,
> -which is the preferred method, or by issuing the following command::
> +Since U-boot doesn't currently support SetVariable at runtime, its value
> +won't be taken over across the reboot. If this is the case, you can skip
> +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS)
> +set.
>
> -    => efidebug capsule disk-update
> -
> -**The efidebug command is should only be used during debugging/development.**
> +Finally, the capsule update can be initiated by rebooting the board.
>
>  Enabling Capsule Authentication
>  *******************************
> @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature
>  is computed and prepended to the capsule payload at the time of
>  capsule generation. This signature is then verified by using the
>  public key stored as part of the X509 certificate. This certificate is
> -in the form of an efi signature list (esl) file, which is embedded as
> -part of U-Boot.
> +in the form of an efi signature list (esl) file, which is embedded in
> +a device tree.
>
>  The capsule authentication feature can be enabled through the
>  following config, in addition to the configs listed above for capsule
>  update::
>
>      CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> -    CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
>
>  The public and private keys used for the signing process are generated
> -and used by the steps highlighted below::
> +and used by the steps highlighted below.
>
> -    1. Install utility commands on your host
> -       * OPENSSL
> +1. Install utility commands on your host
> +       * openssl
>         * efitools
>
> -    2. Create signing keys and certificate files on your host
> +2. Create signing keys and certificate files on your host::
>
>          $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
>              -keyout CRT.key -out CRT.crt -nodes -days 365
>          $ cert-to-efi-sig-list CRT.crt CRT.esl
>
> -        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
> -        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
> -
> -        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
> -        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
> -
> -The capsule file can be generated by using the GenerateCapsule.py
> -script in EDKII::
> -
> -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> -      <capsule_file_name> --monotonic-count <val> --fw-version \
> -      <val> --lsv <val> --guid \
> -      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
> -      --update-image-index <val> --signer-private-cert \
> -      /path/to/CRT.pem --trusted-public-cert \
> -      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
> -      <u-boot.bin>
> -
> -Place the capsule generated in the above step on the EFI System
> -Partition under the EFI/UpdateCapsule directory
> -
> -Testing on QEMU
> -***************
> +3. Run the following command to create and sign the capsule file::
>
> -Currently, support has been added on the QEMU ARM64 virt platform for
> -updating the U-Boot binary as a raw image when the platform is booted
> -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this
> -configuration, the QEMU platform needs to be booted with
> -'secure=off'. The U-Boot binary placed on the first bank of the NOR
> -flash at offset 0x0. The U-Boot environment is placed on the second
> -NOR flash bank at offset 0x4000000.
> +    $ mkeficapsule --monotonic-count 1 \
> +      --private-key CRT.key \
> +      --certificate CRT.crt \
> +      --index 1 --instance 0 \
> +      [--fit <FIT image> | --raw <raw image>] \
> +      <capsule_file_name>
>
> -The capsule update feature is enabled with the following configuration
> -settings::
> +4. Insert the signature list into a device tree in the following format::
>
> -    CONFIG_MTD=y
> -    CONFIG_FLASH_CFI_MTD=y
> -    CONFIG_CMD_MTDPARTS=y
> -    CONFIG_CMD_DFU=y
> -    CONFIG_DFU_MTD=y
> -    CONFIG_PCI_INIT_R=y
> -    CONFIG_EFI_CAPSULE_ON_DISK=y
> -    CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
> -    CONFIG_EFI_CAPSULE_FIRMWARE=y
> -    CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> +        {
> +                signature {
> +                        capsule-key = [ <binary of signature list> ];
> +                }
> +                ...
> +        }
>
> -In addition, the following config needs to be disabled(QEMU ARM specific)::
> +   You can do this manually with::
>
> -    CONFIG_TFABOOT
> +    $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
> +    $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
>
> -The capsule file can be generated by using the tools/mkeficapsule::
> +   where signature.dts looks like::
>
> -    $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
> +        &{/} {
> +                signature {
> +                        capsule-key = /incbin/("CRT.esl");
> +                };
> +        };
>
>  Executing the boot manager
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~
> --
> 2.33.0
>

Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>


More information about the U-Boot mailing list