[PATCH v11 2/9] tools: mkeficapsule: add firmware image signing
Simon Glass
sjg at chromium.org
Sun Mar 13 07:05:36 CET 2022

Hi Heinrich,

On Mon, 21 Feb 2022 at 11:59, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> On 2/21/22 01:43, AKASHI Takahiro wrote:
> > Hi Simon,
> >
> > On Sat, Feb 19, 2022 at 04:11:08PM -0700, Simon Glass wrote:
> >> Hi,
> >>
> >> On Sun, 13 Feb 2022 at 17:54, AKASHI Takahiro
> >> <takahiro.akashi at linaro.org> wrote:
> >>>
> >>> Heinrich,
> >>>
> >>> On Fri, Feb 11, 2022 at 08:16:34PM +0100, Heinrich Schuchardt wrote:
> >>>> On 2/9/22 11:10, AKASHI Takahiro wrote:
> >>>>> With this enhancement, mkeficapsule will be able to sign a capsule
> >>>>> file when it is created. A signature added will be used later
> >>>>> in the verification at FMP's SetImage() call.
> >>>>>
> >>>>> To do that, we need to specify additional command parameters:
> >>>>> -monotonic-cout <count> : monotonic count
> >>>>> -private-key <private key file> : private key file
> >>>>> -certificate <certificate file> : certificate file
> >>>>> Only when all of those parameters are given, a signature will be added
> >>>>> to a capsule file.
> >>>>>
> >>>>> Users are expected to maintain and increment the monotonic count at
> >>>>> every time of the update for each firmware image.
> >>>>>
> >>>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> >>>>> Reviewed-by: Simon Glass <sjg at chromium.org>
> >>>>> Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> >>>>> ---
> >>>>> .azure-pipelines.yml | 2 +-
> >>>>> tools/Makefile | 1 +
> >>>>> tools/eficapsule.h | 115 +++++++++++++
> >>>>> tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
> >>>>> 4 files changed, 463 insertions(+), 35 deletions(-)
> >>>>> create mode 100644 tools/eficapsule.h
> >>
> >> I'm not sure if it is this patch or something else, but building is
> >> broken as it needs
> >>
> >> gnutls/gnutls.h
> >>
> >> Please update the docs in doc/build/gcc.rst to fix this.
> >
> > I have not noticed that there is *another* list of package dependencies.
> > It is easy to fix against gnutls.h, but gnutls.h (or libgnutls-dev)
> > is NOT the only component missing in the list.
> >
> > Comparing gcc.rst with gitlab-ci.yml, there already exist a lot of
> > such packages:
> >
> > gcc.rst                       | gitlab-ci.yml
> > ======                          ======
> >                               > automake
> >                               > autopoint
> > bc                              bc
> >                               > binutils-dev
> > bison                           bison
> > build-essential                 build-essential
> > coccinelle                    | clang-10
> >                               > coreutils
> >                               > cpio
> >                               > cppcheck
> >                               > curl
> > device-tree-compiler            device-tree-compiler
> > dfu-util                      | dosfstools
> >                               > e2fsprogs
> > efitools                        efitools
> >                               > fakeroot
> > flex                            flex
> > gdisk                           gdisk
> >                               > git
> >                               > gnu-efi
> > graphviz                        graphviz
> >                               > grub-efi-amd64-bin
> >                               > grub-efi-ia32-bin
>
> There are some packages that are not needed for building at all like
> these GRUB packages which just serve as test binaries.
>
> >                               > help2man
> >                               > iasl
> > imagemagick                     imagemagick
> > liblz4-tool                   | iputils-ping
> > libguestfs-tools                libguestfs-tools
> > libncurses-dev                | libgnutls28-dev
> > libpython3-dev                | libgnutls30
> >                               > libisl15
> >                               > liblz4-tool
> >                               > libpixman-1-dev
> >                               > libpython-dev

We could split the list, but on the other hand, who develops code in
U-Boot without running the tests? Perhaps we could split into things
needed to build sandbox and things needed to run tests?
>
> libpython-dev does not even exist in Ubuntu 22.04. Who cares about
> Python2 package anymore?

Everything in U-Boot is migrated.

Regards,
Simon
>
> Best regards
>
> Heinrich
>
> >                               > libsdl1.2-dev
> > libsdl2-dev                     libsdl2-dev
> > libssl-dev                      libssl-dev
> > lz4                           | libudev-dev
> > lzma                          | libusb-1.0-0-dev
> > lzma-alone                      lzma-alone
> >                               > lzop
> >                               > mount
> >                               > mtd-utils
> >                               > mtools
> > openssl                         openssl
> >                               > picocom
> >                               > parted
> > pkg-config                      pkg-config
> > python3                       | python
> > python3-coverage              | python-dev
> > python3-pkg-resources         | python-pip
> > python3-pycryptodome          | python-virtualenv
> > python3-pyelftools            | python3-pip
> > python3-pytest                | python3-sphinx
> > python3-sphinxcontrib.apidoc  | rpm2cpio
> > python3-sphinx-rtd-theme      | sbsigntool
> > python3-virtualenv            | sloccount
> >                               > sparse
> >                               > srecord
> >                               > sudo
> > swig                            swig
> >                               > util-linux
> >                               > uuid-dev
> >                               > virtualenv
> >                               > zip
> >
> > -Takahiro Akashi
>