[PATCH v3 3/5] doc: update UEFI document for usage of mkeficapsule
AKASHI Takahiro
takahiro.akashi at linaro.org
Thu Sep 2 11:22:07 CEST 2021
On Tue, Aug 31, 2021 at 08:07:18AM +0200, Heinrich Schuchardt wrote:
> On 8/31/21 4:46 AM, AKASHI Takahiro wrote:
> > Now we can use the mkeficapsule command instead of EDK-II's script
> > to create a signed capsule file. So update the instructions for
> > capsule authentication.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> > ---
> > doc/develop/uefi/uefi.rst | 31 ++++++++++++++-----------------
> > 1 file changed, 14 insertions(+), 17 deletions(-)
> >
> > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> > index 64fe9346c7f2..5ccb455da984 100644
> > --- a/doc/develop/uefi/uefi.rst
> > +++ b/doc/develop/uefi/uefi.rst
> > @@ -347,23 +347,20 @@ and used by the steps highlighted below::
> > -keyout CRT.key -out CRT.crt -nodes -days 365
> > $ cert-to-efi-sig-list CRT.crt CRT.esl
> >
> > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
> > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
> > -
> > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
> > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
> > -
> > -The capsule file can be generated by using the GenerateCapsule.py
> > -script in EDKII::
> > -
> > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
> > - <capsule_file_name> --monotonic-count <val> --fw-version \
> > - <val> --lsv <val> --guid \
> > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
> > - --update-image-index <val> --signer-private-cert \
> > - /path/to/CRT.pem --trusted-public-cert \
> > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
> > - <u-boot.bin>
> > +The signed capsule file can be generated by using tools/mkeficapsule.
> > +To build this tool, enable::
> > +
> > + CONFIG_TOOLS_MKEFICAPSULE=y
> > + CONFIG_TOOLS_LIBCRYPTO=y
> > +
> > +To generate and sign the capsule file::
> > +
> > + $ mkeficapsule --monotonic-count 1 \
> > + --private-key CRT.key \
> > + --certificate CRT.crt \
> > + --index 1 --instance 0 \
> > + [--fit <FIT image> | --raw <raw image>] \
> > + <capsule_file_name>
>
> Patch 1 allows signed and unsigned capsules. So both should be described
> here.
Sughosh's original doc doesn't have a description for the *unsigned* case,
but adding some is not a big deal.
-Takahiro Akashi
> Best regards
>
> Heinrich
>
> >
> > Place the capsule generated in the above step on the EFI System
> > Partition under the EFI/UpdateCapsule directory
> >
>
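Review bot: The added mkeficapsule example hard-codes `--monotonic-count 1` and `--index 1 --instance 0`, where the removed GenerateCapsule text used `<val>` placeholders, and the new text does not say what these values select or when a user has to change them. Suggest keeping placeholders (`--monotonic-count <val>`, `--index <val>`) or adding one sentence per option. The square brackets in `[--fit <FIT image> | --raw <raw image>]` read as optional; if one of the two must be given, the text should say so. Also, the context line above creates `CRT.key` with `-nodes`, so the example signs with an unencrypted private key file; a sentence on how that file should be protected would fit here.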