[PATCH v5 00/11] efi_loader: capsule: improve capsule authentication support
AKASHI Takahiro
takahiro.akashi at linaro.org
Thu Oct 28 08:23:45 CEST 2021
As I proposed and discussed in [1] and [2], I have made a couple of
improvements on the current implementation of capsule update in this
patch set.
* add signing feature to mkeficapsule
* add "--guid" option to mkeficapsule
* add man page of mkeficapsule
* update uefi document regarding capsule update
* revise pytests
* (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH
# We have had some discussion about fdtsig.sh.
# So RFCs (patch#10,#11) are still included for further discussion
# if they are useful or not.
# For smooth merge, the rest (patch#1-9) should work without them.
[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
Prerequisite patches
====================
None
Test
====
* locally passed the pytest which is included in this patch series
on a sandbox build.
(CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
in order to exercise the authentication code.)
Changes
=======
v5 (Oct 27, 2021)
* rebased on pre-v2022.01-rc1 (WIP/26Oct2021)
* drop already-merged patches
* drop __weak from efi_get_public_key_data() (patch#1)
* describe the format of public key node in device tree (patch#4)
* re-order patches by grouping closely-related patches (patch#6-8)
* modify pytest to make the test results correctly verified
either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9)
* add RFCs for embedding public keys during the build process (patch#10,11)
v4 (Oct 7, 2021)
* rebased on v2021.10
* align with "Revert "efi_capsule: Move signature from DTB to .rodata""
* add more missing *revert* commits (patch#1,#2,#3)
* add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
* update/revise the man/uefi doc (patch#6,#7)
* fix a bug in parsing guid string (patch#8)
* add a test for "--guid" option (patch#10)
* use dtb-based authentication test as done in v1 (patch#11)
v3 (Aug 31, 2021)
* rebased on v2021.10-rc3
* remove pytest-related patches
* add function descriptions in mkeficapsule.c
* correct format specifiers in printf()
* let main() return 0 or -1 only
* update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule
v2 (July 28, 2021)
* rebased on v2021.10-rc*
* removed dependency on target's configuration
* removed fdtsig.sh and others
* add man page
* update the UEFI document
* add dedicated defconfig for testing on sandbox
* add gitlab CI support
* add "--guid" option to mkeficapsule
(yet rather RFC)
Initial release (May 12, 2021)
* based on v2021.07-rc2
AKASHI Takahiro (11):
efi_loader: capsule: drop __weak from efi_get_public_key_data()
tools: mkeficapsule: add firmware image signing
tools: mkeficapsule: add man page
doc: update UEFI document for usage of mkeficapsule
test/py: efi_capsule: add image authentication test
tools: mkeficapsule: allow for specifying GUID explicitly
test/py: efi_capsule: align with the syntax change of mkeficapsule
test/py: efi_capsule: add a test for "--guid" option
test/py: efi_capsule: check the results in case of
CAPSULE_AUTHENTICATE
(RFC) tools: add fdtsig.sh
(RFC) efi_loader, dts: add public keys for capsules to device tree
MAINTAINERS | 2 +
doc/develop/uefi/uefi.rst | 143 +++--
doc/mkeficapsule.1 | 107 ++++
dts/Makefile | 23 +-
lib/efi_loader/Kconfig | 7 +
lib/efi_loader/efi_capsule.c | 2 +-
.../py/tests/test_efi_capsule/capsule_defs.py | 5 +
test/py/tests/test_efi_capsule/conftest.py | 42 +-
test/py/tests/test_efi_capsule/signature.dts | 10 +
.../test_efi_capsule/test_capsule_firmware.py | 91 +++-
.../test_capsule_firmware_signed.py | 233 ++++++++
tools/Kconfig | 8 +
tools/Makefile | 8 +-
tools/fdtsig.sh | 40 ++
tools/mkeficapsule.c | 503 ++++++++++++++++--
15 files changed, 1092 insertions(+), 132 deletions(-)
create mode 100644 doc/mkeficapsule.1
create mode 100644 test/py/tests/test_efi_capsule/signature.dts
create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
create mode 100755 tools/fdtsig.sh
--
2.33.0