[PATCH v8 05/12] doc: update UEFI document for usage of mkeficapsule
Heinrich Schuchardt
xypron.glpk at gmx.de
Sun Jan 9 23:36:03 CET 2022
On 1/7/22 03:20, AKASHI Takahiro wrote:
> Heinrich,
>
> Your comments seem inconsistent,
>
> On Sat, Jan 01, 2022 at 11:09:41PM +0100, Heinrich Schuchardt wrote:
>> On 12/20/21 06:02, AKASHI Takahiro wrote:
>>> Now we can use mkeficapsule command instead of EDK-II's script
>>> to create a signed capsule file. So update the instruction for
>>> capsule authentication.
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>>> Reviewed-by: Simon Glass <sjg at chromium.org>
>>> Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
>>> ---
>>> doc/develop/uefi/uefi.rst | 143 ++++++++++++++++++--------------------
>>> 1 file changed, 67 insertions(+), 76 deletions(-)
>>>
>>> diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
>>> index f17138f5c765..864d61734bee 100644
>>> --- a/doc/develop/uefi/uefi.rst
>>> +++ b/doc/develop/uefi/uefi.rst
>>> @@ -284,37 +284,52 @@ Support has been added for the UEFI capsule update feature which
>>> enables updating the U-Boot image using the UEFI firmware management
>>> protocol (FMP). The capsules are not passed to the firmware through
>>> the UpdateCapsule runtime service. Instead, capsule-on-disk
>>> -functionality is used for fetching the capsule from the EFI System
>>> -Partition (ESP) by placing the capsule file under the
>>> -\EFI\UpdateCapsule directory.
>>> -
>>> -The directory \EFI\UpdateCapsule is checked for capsules only within the
>>> -EFI system partition on the device specified in the active boot option
>>> -determined by reference to BootNext variable or BootOrder variable processing.
>>> -The active Boot Variable is the variable with highest priority BootNext or
>>> -within BootOrder that refers to a device found to be present. Boot variables
>>> -in BootOrder but referring to devices not present are ignored when determining
>>> -active boot variable.
>>> -Before starting a capsule update make sure your capsules are installed in the
>>> -correct ESP partition or set BootNext.
>>> +functionality is used for fetching capsules from the EFI System
>>> +Partition (ESP) by placing capsule files under the directory::
>>> +
>>> + \EFI\UpdateCapsule
>>> +
>>> +The directory is checked for capsules only within the
>>> +EFI system partition on the device specified in the active boot option,
>>> +which is determined by BootXXXX variable in BootNext, or if not, the highest
>>> +priority one within BootOrder. Any BootXXXX variables referring to devices
>>> +not present are ignored when determining the active boot option.
>>> +
>>> +Please note that capsules will be applied in the alphabetic order of
>>> +capsule file names.
>>> +
>>> +Creating a capsule file
>>> +***********************
>>> +
>>> +A capsule file can be created by using tools/mkeficapsule.
>>> +To build this tool, enable::
>>> +
>>> + CONFIG_TOOLS_MKEFICAPSULE=y
>>> + CONFIG_TOOLS_LIBCRYPTO=y
>>> +
>>> +Run the following command::
>>
>> .. code-block:: bash
>
> OK, but there still exist a number of simple "::" in
> doc/develop/uefi/uefi.rst.
>
>>> +
>>> + $ mkeficapsule \
>>
>> %s/$ //
>
> I would like to say nak here.
> "$" obviously shows that it is an example of command usage.
> This usage can commonly be seen across many docs under doc/ and
> even doc/develop/uefi/uefi.rst has some uses.
>
>>> + --index 1 --instance 0 \
>>> + [--fit <FIT image> | --raw <raw image>] \
>>> + <capsule_file_name>
>>>
>>> Performing the update
>>> *********************
>>>
>>> -Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig
>>> -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable
>>> -check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule.
>>> -
>>> -If that option is disabled, you'll need to set the OsIndications variable with::
>>> +Put capsule files under the directory mentioned above.
>>> +Then, following the UEFI specification, you'll need to set
>>> +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
>>> +bit in OsIndications variable with::
>>
>> ..code-block::
>>
>>>
>>> => setenv -e -nv -bs -rt -v OsIndications =0x04
>>
>> %s/=> //
>
> Nak.
> "=>" indicates that it is an example of U-Boot command line.
> Again, we can see a number of uses across doc/ and even
> doc/develop/uefi/uefi.rst has some.
>
> We should not drop the prompt in this kind of citation.
>
>>>
>>> -Finally, the capsule update can be initiated either by rebooting the board,
>>> -which is the preferred method, or by issuing the following command::
>>> +Since U-boot doesn't currently support SetVariable at runtime, its value
>>> +won't be taken over across the reboot. If this is the case, you can skip
>>> +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS)
>>> +set.
>>>
>>> - => efidebug capsule disk-update
>>> -
>>> -**The efidebug command is should only be used during debugging/development.**
>>> +Finally, the capsule update can be initiated by rebooting the board.
>>>
>>> Enabling Capsule Authentication
>>> *******************************
>>> @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The capsule signature
>>> is computed and prepended to the capsule payload at the time of
>>> capsule generation. This signature is then verified by using the
>>> public key stored as part of the X509 certificate. This certificate is
>>> -in the form of an efi signature list (esl) file, which is embedded as
>>> -part of U-Boot.
>>> +in the form of an efi signature list (esl) file, which is embedded in
>>> +a device tree.
>>>
>>> The capsule authentication feature can be enabled through the
>>> following config, in addition to the configs listed above for capsule
>>> update::
>>>
>>> CONFIG_EFI_CAPSULE_AUTHENTICATE=y
>>> - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
>>>
>>> The public and private keys used for the signing process are generated
>>> -and used by the steps highlighted below::
>>> +and used by the steps highlighted below.
>>>
>>> - 1. Install utility commands on your host
>>> - * OPENSSL
>>> +1. Install utility commands on your host
>>> + * openssl
>>> * efitools
>>>
>>> - 2. Create signing keys and certificate files on your host
>>> +2. Create signing keys and certificate files on your host::
>>
>> ..code-block:: bash
>>
>>>
>>> $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
>>
>> %s/$ //
>
> ditto
Without those $ signs I could simply copy and paste the whole paragraph
to the console and I would be done. The prompt is messing it up. This is
why I don't want any prompts for code examples.
Best regards
Heinrich
>
>>> -keyout CRT.key -out CRT.crt -nodes -days 365
>>> $ cert-to-efi-sig-list CRT.crt CRT.esl
>>>
>>> - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
>>> - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
>>> -
>>> - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
>>> - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
>>> -
>>> -The capsule file can be generated by using the GenerateCapsule.py
>>> -script in EDKII::
>>> -
>>> - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
>>> - <capsule_file_name> --monotonic-count <val> --fw-version \
>>> - <val> --lsv <val> --guid \
>>> - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
>>> - --update-image-index <val> --signer-private-cert \
>>> - /path/to/CRT.pem --trusted-public-cert \
>>> - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
>>> - <u-boot.bin>
>>> -
>>> -Place the capsule generated in the above step on the EFI System
>>> -Partition under the EFI/UpdateCapsule directory
>>> -
>>> -Testing on QEMU
>>> -***************
>>> +3. Run the following command to create and sign the capsule file::
>>>
>>> -Currently, support has been added on the QEMU ARM64 virt platform for
>>> -updating the U-Boot binary as a raw image when the platform is booted
>>> -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this
>>> -configuration, the QEMU platform needs to be booted with
>>> -'secure=off'. The U-Boot binary placed on the first bank of the NOR
>>> -flash at offset 0x0. The U-Boot environment is placed on the second
>>> -NOR flash bank at offset 0x4000000.
>>
>> ..code-block:: bash
>>
>>> + $ mkeficapsule --monotonic-count 1 \
>>
>> %s/$ //
>
> ditto
>
> -Takahiro Akashi
>
>> Best regards
>>
>> Heinrich
>>
>>> + --private-key CRT.key \
>>> + --certificate CRT.crt \
>>> + --index 1 --instance 0 \
>>> + [--fit <FIT image> | --raw <raw image>] \
>>> + <capsule_file_name>
>>>
>>> -The capsule update feature is enabled with the following configuration
>>> -settings::
>>> +4. Insert the signature list into a device tree in the following format::
>>>
>>> - CONFIG_MTD=y
>>> - CONFIG_FLASH_CFI_MTD=y
>>> - CONFIG_CMD_MTDPARTS=y
>>> - CONFIG_CMD_DFU=y
>>> - CONFIG_DFU_MTD=y
>>> - CONFIG_PCI_INIT_R=y
>>> - CONFIG_EFI_CAPSULE_ON_DISK=y
>>> - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
>>> - CONFIG_EFI_CAPSULE_FIRMWARE=y
>>> - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
>>> + {
>>> + signature {
>>> + capsule-key = [ <binary of signature list> ];
>>> + }
>>> + ...
>>> + }
>>>
>>> -In addition, the following config needs to be disabled(QEMU ARM specific)::
>>> + You can do this manually with::
>>>
>>> - CONFIG_TFABOOT
>>> + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
>>> + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
>>>
>>> -The capsule file can be generated by using the tools/mkeficapsule::
>>> + where signature.dts looks like::
>>>
>>> - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
>>> + &{/} {
>>> + signature {
>>> + capsule-key = /incbin/("CRT.esl");
>>> + };
>>> + };
>>>
>>> Executing the boot manager
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
More information about the U-Boot
mailing list