[PATCH v4 00/12] Integrate EFI capsule tasks into u-boot's build flow
Sughosh Ganu
sughosh.ganu at linaro.org
Sat Jul 15 15:45:21 CEST 2023
This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List (ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol (CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. Support is being
added to generate capsules by specifying the capsule parameters in a
config file. Calling the mkeficapsule tool then results in generation
of the corresponding capsule files. The capsules can be generated as
part of u-boot build, and this is being achieved through binman, by
adding a capsule entry type. The capsules can be generated either by
specifying the capsule parameters in a config file, or through
specifying them as properties under the capsule entry node. If using
the config file, the path to the config file is to be specified
through a Kconfig symbol (CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build. The placement of all the files
needed for generation of capsules, along with the generated capsule
files is under the /tmp/capsules/ directory.

Currently, the capsule update feature is tested on the sandbox
and sandbox_flattree variants in CI. The capsule generation through
config file is enabled for the sandbox variant, with the
sandbox_flattree variant generating capsules through the command-line
parameters.

The document has been updated to reflect the above changes.

Changes since V3:
* New patch to support passing multiple commands to the build_from_git
function to build the tool.
* Put the two ifdef statements together in arm architecture's
u-boot.dtsi file.
* Remove the extra blank line in the Kconfig.
* Add support for firmware versioning, needed after rebasing on
current master.
* Add test cases for covering the various capsule generation
scenarios.
* Add function comments in the mkeficapsule bintool.
* Fix the fetch method of the mkeficapsule bintool to enable building
the tool.
* Add more details about the capsule parameters in the documentation
as well as the code.
* Fix order of module imports, and addition of blank lines in the
capsule.py file.
* Use SetContents in the ObtainContents method.
* Move the paragraph on version support under a separate subsection.
* Move the description on generating capsules through config file
under the section to describe capsule generation.
* Add a subsection highlighting generation of capsules through
binman.
* Remove whitespace in the command to generate capsule keys.
* Use fstrings for format specifiers.
* Rebase on top of current master to work with test configuration for
version support in capsule updates.
* Use fstrings for format specifiers.
* Add entries for generating capsules with version parameter.
* Use blob nodes instead of incbin for including the binaries in FIT
image.
* Enable generation of capsules with versioning support.
Sughosh Ganu (12):
binman: bintool: Build a tool from a list of commands
nuvoton: npcm845-evb: Add a newline at the end of file
capsule: authenticate: Add capsule public key in platform's dtb
doc: capsule: Document the new mechanism to embed ESL file into dtb
tools: mkeficapsule: Add support for parsing capsule params from
config file
binman: capsule: Add support for generating capsules
doc: Add documentation to highlight capsule generation related updates
CI: capsule: Setup the files needed for capsule update testing
test: py: Setup capsule files for testing
test: capsule: Remove public key embed logic from capsule update test
sandbox: capsule: Add a config file for generating capsules
sandbox: capsule: Generate capsule related files through binman
.azure-pipelines.yml | 26 ++
.gitlab-ci.yml | 24 ++
arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
arch/arm/dts/u-boot.dtsi | 17 +
arch/sandbox/dts/u-boot.dtsi | 282 ++++++++++++++
configs/sandbox_defconfig | 3 +
configs/sandbox_flattree_defconfig | 1 +
configs/sandbox_spl_defconfig | 1 +
doc/develop/uefi/uefi.rst | 106 +++++-
lib/efi_loader/Kconfig | 10 +
lib/efi_loader/Makefile | 7 +
test/py/conftest.py | 89 +++++
test/py/tests/test_efi_capsule/conftest.py | 164 +-------
.../test_efi_capsule/sandbox_capsule_cfg.txt | 162 ++++++++
test/py/tests/test_efi_capsule/signature.dts | 10 -
.../tests/test_efi_capsule/uboot_bin_env.its | 36 --
tools/Kconfig | 16 +
tools/Makefile | 1 +
tools/binman/bintool.py | 19 +-
tools/binman/btool/_testing.py | 3 +-
tools/binman/btool/fiptool.py | 4 +-
tools/binman/btool/futility.py | 4 +-
tools/binman/btool/mkeficapsule.py | 158 ++++++++
tools/binman/entries.rst | 37 ++
tools/binman/etype/capsule.py | 132 +++++++
tools/binman/ftest.py | 127 +++++++
tools/binman/test/282_capsule.dts | 18 +
tools/binman/test/283_capsule_signed.dts | 20 +
tools/binman/test/284_capsule_conf.dts | 14 +
tools/binman/test/285_capsule_missing_key.dts | 19 +
.../binman/test/286_capsule_missing_index.dts | 17 +
.../binman/test/287_capsule_missing_guid.dts | 17 +
.../test/288_capsule_missing_payload.dts | 17 +
tools/binman/test/289_capsule_missing.dts | 17 +
tools/binman/test/290_capsule_version.dts | 19 +
tools/binman/test/capsule_cfg.txt | 6 +
tools/eficapsule.h | 115 ++++++
tools/mkeficapsule.c | 87 +++--
tools/mkeficapsule_parse.c | 352 ++++++++++++++++++
39 files changed, 1900 insertions(+), 259 deletions(-)
create mode 100644 arch/arm/dts/u-boot.dtsi
create mode 100644 arch/sandbox/dts/u-boot.dtsi
create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
create mode 100644 tools/binman/btool/mkeficapsule.py
create mode 100644 tools/binman/etype/capsule.py
create mode 100644 tools/binman/test/282_capsule.dts
create mode 100644 tools/binman/test/283_capsule_signed.dts
create mode 100644 tools/binman/test/284_capsule_conf.dts
create mode 100644 tools/binman/test/285_capsule_missing_key.dts
create mode 100644 tools/binman/test/286_capsule_missing_index.dts
create mode 100644 tools/binman/test/287_capsule_missing_guid.dts
create mode 100644 tools/binman/test/288_capsule_missing_payload.dts
create mode 100644 tools/binman/test/289_capsule_missing.dts
create mode 100644 tools/binman/test/290_capsule_version.dts
create mode 100644 tools/binman/test/capsule_cfg.txt
create mode 100644 tools/mkeficapsule_parse.c
--
2.34.1
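
The ESL file named by CONFIG_EFI_CAPSULE_ESL_FILE becomes the capsule authentication key in the dtb, so it is worth checking what it contains before the build. The following is an added example, not part of this patch series or of U-Boot's code: a Python parser for the UEFI EFI_SIGNATURE_LIST layout that returns the SHA-256 of each embedded certificate. The function names, the constructed sample bytes and the X.509-only policy are assumptions of the example.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
LIST_HDR = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return [(type_guid, owner_guid, data)] for every entry in an ESL blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        body = list_size - LIST_HDR.size - hdr_size
        # Reject lists that overrun the file or whose entries do not fit exactly.
        if list_size > len(blob) - off or sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=raw_type), owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def x509_fingerprints(blob):
    """SHA-256 of each certificate; assumed policy: only X.509 entries allowed."""
    out = []
    for sig_type, _owner, data in parse_esl(blob):
        if sig_type != EFI_CERT_X509_GUID:
            raise ValueError(f"unexpected signature type {sig_type}")
        out.append(hashlib.sha256(data).hexdigest())
    return out


def build_esl(cert_der, owner):
    """Constructed helper: wrap DER bytes in a single-entry X.509 ESL."""
    sig_size = 16 + len(cert_der)
    hdr = LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, LIST_HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + cert_der


# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_CERT = b"\x30\x82" + b"constructed-not-a-real-certificate"
SAMPLE_ESL = build_esl(SAMPLE_CERT, uuid.UUID("11111111-2222-3333-4444-123456789abc"))
```

Comparing the returned fingerprints against the SHA-256 of the signing certificate's DER encoding catches a stale or substituted ESL before it is baked into the dtb.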