[PATCH] efi_loader: capsule: enforce guid check in api and capsule_on_disk

Michal Simek michal.simek at amd.com
Mon Jul 31 14:10:19 CEST 2023



On 7/28/23 03:55, AKASHI Takahiro wrote:
> Hi Michal,
> 
> On Thu, Jul 27, 2023 at 10:53:44AM +0200, Michal Simek wrote:
>>
>>
>> On 7/27/23 02:38, AKASHI Takahiro wrote:
>>> While UPDATE_CAPSULE api is not fully implemented, this interface and
>>> capsule-on-disk feature should behave in the same way, especially in
>>> handling an empty capsule for fwu multibank, for future enhancement.
>>>
>>> So move the guid check into efi_capsule_update_firmware().
>>>
>>> Fixed: commit a6aafce494ab ("efi_loader: use efi_update_capsule_firmware()
>>> 	for capsule on disk")
>>
>> just fyi: b4 messes this up.
>> You should likely put it on the same line and ignore line limit.
>>
>> This is how this ends up.
>>
>> handling an empty capsule for fwu multibank, for future enhancement.
>>
>> So move the guid check into efi_capsule_update_firmware().
>>
>>          for capsule on disk")
>>
>> Fixed: commit a6aafce494ab ("efi_loader: use efi_update_capsule_firmware()
>> Reported-by: Michal Simek <michal.simek at amd.com>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>> Link: https://lore.kernel.org/r/20230727003800.25105-1-takahiro.akashi@linaro.org
>>
>>
>>
>>
>>> Reported-by: Michal Simek <michal.simek at amd.com>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>>> ---
>>>    lib/efi_loader/efi_capsule.c | 17 ++++++++---------
>>>    1 file changed, 8 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
>>> index 7a6f195cbc02..ddf8153e0982 100644
>>> --- a/lib/efi_loader/efi_capsule.c
>>> +++ b/lib/efi_loader/efi_capsule.c
>>> @@ -581,6 +581,13 @@ static efi_status_t efi_capsule_update_firmware(
>>>    		fw_accept_os = capsule_data->flags & FW_ACCEPT_OS ? 0x1 : 0x0;
>>>    	}
>>> +	if (guidcmp(&capsule_data->capsule_guid,
>>> +		    &efi_guid_firmware_management_capsule_id)) {
>>> +		log_err("Unsupported capsule type: %pUs\n",
>>> +			&capsule_data->capsule_guid);
>>> +		return EFI_UNSUPPORTED;
>>> +	}
>>> +
>>>    	/* sanity check */
>>>    	if (capsule_data->header_size < sizeof(*capsule) ||
>>>    	    capsule_data->header_size >= capsule_data->capsule_image_size)
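Review bot: the new guidcmp() check in efi_capsule_update_firmware() follows the closing brace of the preceding block with no blank line and no comment on why it sits there, after the fw_accept_os assignment and before the /* sanity check */. The commit message ties the move to empty-capsule handling for FWU multibank, so the ordering looks deliberate. A short comment above the check saying that capsules with any other GUID are rejected only at this point, plus a blank line after the `}`, would stop a later cleanup from hoisting the check to the top of the function and changing that behaviour.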
>>> @@ -751,15 +758,7 @@ efi_status_t EFIAPI efi_update_capsule(
>>>    		log_debug("Capsule[%d] (guid:%pUs)\n",
>>>    			  i, &capsule->capsule_guid);
>>> -		if (!guidcmp(&capsule->capsule_guid,
>>> -			     &efi_guid_firmware_management_capsule_id)) {
>>> -			ret  = efi_capsule_update_firmware(capsule);
>>> -		} else {
>>> -			log_err("Unsupported capsule type: %pUs\n",
>>> -				&capsule->capsule_guid);
>>> -			ret = EFI_UNSUPPORTED;
>>> -		}
>>> -
>>> +		ret  = efi_capsule_update_firmware(capsule);
>>>    		if (ret != EFI_SUCCESS)
>>>    			goto out;
>>>    	}
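Review bot: the added line `ret  = efi_capsule_update_firmware(capsule);` in efi_update_capsule() keeps the double space before `=` from the removed line; since the line is rewritten here anyway, use a single space. With the else branch gone, this loop no longer logs the unsupported GUID itself and relies on the log_err() moved into efi_capsule_update_firmware(), so it would help to say in the commit message that the EFI_UNSUPPORTED result and the error message are unchanged for callers of this API.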
>>
>> I have no problem with this patch because it works as the previous one. When
>> commit message is fixed feel free to add
>> Tested-by: Michal Simek <michal.simek at amd.com>
> 
> I hope that the maintainer would take care of it when he tries to merge
> the patch.
> 
>> And regarding empty capsule functionality with A/B.
>> I boot from A. Download capsules and run disk-update to get to Image B and
>> trial state and I can download and apply acceptance capsule by hand via
>> efidebug capsule update <addr>. That works fine for acceptance capsule is
>> reflected via fwu in mdata.
>> When I apply revert capsule there is nothing visible in mdata and I think it
>> should. The only visibility is that it resets to A system. Is this the only
>> intention of revert capsules?
>> (keep in mind that I use two images per bank).
>>
>> Empty capsules are just accepted only in trial state which is understandable.
>>
>> And I also see that with latest master branch capsule on disk feature is not
>> working properly. Capsules are not processed at all. Can you please double
>> check it?
> 
> I locally ran the pytest with v2023.10-rc1, and
> - test_capsule_firmware_raw passed
> - test_capsule_firmware_signed_raw failed
> 
> but it seems to me that 'signed_raw' failure is not directly
> related to efi implementation (I didn't dig into details, though).
> 
> Can you describe more about your environment?

Let me c&p the log so you can see what I do. 2023.07-rc6: saving capsules on SD card and
initiating capsule update on disk. Reset is called automatically. Checking
status and downloading empty acceptance capsules and applying them by hand.
Calling reset to get out of TrialState. Downloading the same capsules as before
and placing them on the SD card. Calling disk update by hand - nothing happens,
checking location. Capsules are present. Resetting to B image to check if u-boot
picks them up after reset and nothing happened.

Thanks,
Michal

<debug_uart>

U-Boot SPL 2023.07-rc6-00347-g4b54c7a398e5 (Jul 14 2023 - 10:28:29 +0200)
Loading new PMUFW cfg obj (2032 bytes)
PMUFW:	v1.1
Silicon version:	3
EL Level:	EL3
Secure Boot:	not authenticated, not encrypted
Multiboot:	64
Trying to boot from SPI
spl_spi_get_uboot_offs: Offset of u-boot.itb should be at 0x280000
NOTICE:  BL31: Non secure code at 0x8000000
NOTICE:  BL31: v2.9(debug):v2.9.0-337-g37561ae1e640
NOTICE:  BL31: Built : 13:08:28, Jul 13 2023
INFO:    ARM GICv2 driver initialized
INFO:    BL31: Initializing runtime services
INFO:    BL31: PM Service Init Complete: API v1.1
INFO:    BL31: cortex_a53: CPU workaround for 855873 was applied
INFO:    BL31: cortex_a53: CPU workaround for 1530924 was applied
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x8000000

U-Boot 2023.07-rc6-00347-g4b54c7a398e5 (Jul 14 2023 - 10:28:29 +0200)

CPU:   ZynqMP
Silicon: v3
Chip:  xck26
Detected name: zynqmp-sm-k26-xcl2gc-ed-revB-sck-kv-g-revB
Model: ZynqMP KV260 revB
Board: Xilinx ZynqMP
DRAM:  2 GiB (effective 4 GiB)
PMUFW:	v1.1
Xilinx I2C FRU format at nvmem0:
  Manufacturer Name: XILINX
  Product Name: SM-K26-XCL2GC-ED
  Serial No: 50572B111F2H
  Part Number: 5057-02ED
  File ID: 0x0
  Revision Number: B
Xilinx I2C FRU format at nvmem1:
  Manufacturer Name: XILINX
  Product Name: SCK-KV-G
  Serial No: 50582B112M07
  Part Number: 5058-02
  File ID: 0x0
  Revision Number: B
EL Level:	EL2
Secure Boot:	not authenticated, not encrypted
zynq_serial_setbrg: CLK 99999999
zynq_serial_setbrg: CLK 99999999
Core:  90 devices, 33 uclasses, devicetree: fit
NAND:  0 MiB
MMC:   mmc at ff160000: 0, mmc at ff170000: 1
Loading Environment from SPIFlash... SF: Detected mt25qu512a with page size 256 
Bytes, erase size 64 KiB, total 64 MiB
OK
In:    serial
Out:   serial
Err:   serial
Net:   PHY reset timed out

ZYNQ GEM: ff0e0000, mdio bus ff0e0000, phyaddr 1, interface rgmii-id
eth0: ethernet at ff0e0000
fwu_plat_get_bootidx: boot_idx: 0, active_idx: 1
Boot idx 0 is not matching active idx 1, changing active_idx
tpm_tis_spi_probe: missing reset GPIO
gpio: pin gpio at ff0a000038 (gpio 38) value is 0
gpio: pin gpio at ff0a000038 (gpio 38) value is 1
starting USB...
No working controllers found

Reset SCSI
scanning bus for devices...
Hit any key to stop autoboot:  0
ZynqMP>
ZynqMP> dhcp
ethernet at ff0e0000 Waiting for PHY auto negotiation to complete.... done
BOOTP broadcast 1
DHCP client bound to address 192.168.0.155 (6 ms)
ZynqMP>   tftpboot 0x100000 192.168.0.105:capsule1.bin && save mmc 1 0x100000 
/EFI/UpdateCapsule/capsule1.bin ${filesize}
Using ethernet at ff0e0000 device
TFTP from server 192.168.0.105; our IP address is 192.168.0.155
Filename 'capsule1.bin'.
Load address: 0x100000
Loading: ########################################################
	 2.9 MiB/s
done
Bytes transferred = 283160 (45218 hex)
283160 bytes written in 793 ms (348.6 KiB/s)
ZynqMP>   tftpboot 0x100000 192.168.0.105:capsule2.bin && save mmc 1 0x100000 
/EFI/UpdateCapsule/capsule2.bin ${filesize}
Using ethernet at ff0e0000 device
TFTP from server 192.168.0.105; our IP address is 192.168.0.155
Filename 'capsule2.bin'.
Load address: 0x100000
Loading: #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #########################################################
	 3.3 MiB/s
done
Bytes transferred = 1952940 (1dccac hex)
1952940 bytes written in 996 ms (1.9 MiB/s)
ZynqMP>     efidebug capsule disk-update
#####
Applying capsule capsule1.bin succeeded.
##############################
Applying capsule capsule2.bin succeeded.
Reboot after firmware update.
Rebooting to index 1
<debug_uart>

U-Boot SPL 2023.10-rc1-00119-g0ede489f8903 (Jul 31 2023 - 13:53:44 +0200)
Loading new PMUFW cfg obj (2032 bytes)
PMUFW:	v1.1
Silicon version:	3
EL Level:	EL3
Secure Boot:	not authenticated, not encrypted
Multiboot:	496
Trying to boot from SPI
spl_spi_get_uboot_offs: Offset of u-boot.itb should be at 0x1000000
NOTICE:  BL31: Non secure code at 0x8000000
NOTICE:  BL31: v2.9(debug):v2.9.0-368-ge7045288cfdc
NOTICE:  BL31: Built : 12:37:06, Jul 27 2023
INFO:    ARM GICv2 driver initialized
INFO:    BL31: Initializing runtime services
INFO:    BL31: PM Service Init Complete: API v1.1
INFO:    BL31: cortex_a53: CPU workaround for 855873 was applied
INFO:    BL31: cortex_a53: CPU workaround for 1530924 was applied
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x8000000
j��"��՝}Յ���jR� 0x3c9

U-Boot 2023.10-rc1-00119-g0ede489f8903 (Jul 31 2023 - 13:53:44 +0200)

CPU:   ZynqMP
Silicon: v3
Chip:  xck26
Detected name: zynqmp-sm-k26-xcl2gc-ed-revB-sck-kv-g-revB
Model: ZynqMP KV260 revB
Board: Xilinx ZynqMP
DRAM:  2 GiB (effective 4 GiB)
PMUFW:	v1.1
Xilinx I2C FRU format at nvmem0:
  Manufacturer Name: XILINX
  Product Name: SM-K26-XCL2GC-ED
  Serial No: 50572B111F2H
  Part Number: 5057-02ED
  File ID: 0x0
  Revision Number: B
Xilinx I2C FRU format at nvmem1:
  Manufacturer Name: XILINX
  Product Name: SCK-KV-G
  Serial No: 50582B112M07
  Part Number: 5058-02
  File ID: 0x0
  Revision Number: B
EL Level:	EL2
Secure Boot:	not authenticated, not encrypted
Core:  90 devices, 33 uclasses, devicetree: fit
NAND:  0 MiB
MMC:   mmc at ff160000: 0, mmc at ff170000: 1
Loading Environment from SPIFlash... SF: Detected mt25qu512a with page size 256 
Bytes, erase size 64 KiB, total 64 MiB
OK
In:    serial
Out:   serial
Err:   serial
Net:   PHY reset timed out

ZYNQ GEM: ff0e0000, mdio bus ff0e0000, phyaddr 1, interface rgmii-id
eth0: ethernet at ff0e0000
fwu_plat_get_bootidx: boot_idx: 1, active_idx: 1
tpm_tis_spi_probe: missing reset GPIO
System booting in Trial State
Trial State count: attempt 1 out of 3
gpio: pin gpio at ff0a000038 (gpio 38) value is 0
gpio: pin gpio at ff0a000038 (gpio 38) value is 1
starting USB...
No working controllers found

Reset SCSI
scanning bus for devices...
Hit any key to stop autoboot:  0
ZynqMP> fwu
	FWU Metadata
crc32: 0xe1ea1858
version: 0x1
active_index: 0x1
previous_active_index: 0x0
	Image Info

Image Type Guid: DE6066E8-0256-4FAD-8238-E406E274C4CF
Location Guid: D7CE8A58-CE2C-11ED-81CD-D324E93AC223
Image Guid:  F64A0548-2CCE-ED11-8F66-7BC4531CFE6B
Image Acceptance: yes
Image Guid:  3E9C814B-2CCE-ED11-BEC8-23DE4C6D2CF2
Image Acceptance: no

Image Type Guid: CF9ECFD4-938B-41C5-8551-1F883AB7DC18
Location Guid: D7CE8A58-CE2C-11ED-81CD-D324E93AC223
Image Guid:  52DA04FB-9D0E-EE11-A57F-637805837C3F
Image Acceptance: yes
Image Guid:  46926007-9E0E-EE11-A23A-A38980B779A1
Image Acceptance: no
ZynqMP> dhcp
BOOTP broadcast 1
DHCP client bound to address 192.168.0.155 (6 ms)
ZynqMP>   tftpboot 0x100000 192.168.0.105:capsule1-accept.bin && efidebug 
capsule update -v 0x100000
Using ethernet at ff0e0000 device
TFTP from server 192.168.0.105; our IP address is 192.168.0.155
Filename 'capsule1-accept.bin'.
Load address: 0x100000
Loading: #
	 7.8 KiB/s
done
Bytes transferred = 44 (2c hex)
Capsule guid: 0c996046-bcc0-4d04-85ec-e1fcedf1c6f8
Capsule flags: 0x0
Capsule header size: 0x1c
Capsule image size: 0x2c
ZynqMP>   tftpboot 0x100000 192.168.0.105:capsule2-accept.bin && efidebug 
capsule update -v 0x100000
Using ethernet at ff0e0000 device
TFTP from server 192.168.0.105; our IP address is 192.168.0.155
Filename 'capsule2-accept.bin'.
Load address: 0x100000
Loading: #
	 10.7 KiB/s
done
Bytes transferred = 44 (2c hex)
Capsule guid: 0c996046-bcc0-4d04-85ec-e1fcedf1c6f8
Capsule flags: 0x0
Capsule header size: 0x1c
Capsule image size: 0x2c
ZynqMP> reset
resetting ...
Rebooting to index 1
<debug_uart>

U-Boot SPL 2023.10-rc1-00119-g0ede489f8903 (Jul 31 2023 - 13:53:44 +0200)
Loading new PMUFW cfg obj (2032 bytes)
PMUFW:	v1.1
Silicon version:	3
EL Level:	EL3
Secure Boot:	not authenticated, not encrypted
Multiboot:	496
Trying to boot from SPI
spl_spi_get_uboot_offs: Offset of u-boot.itb should be at 0x1000000
NOTICE:  BL31: Non secure code at 0x8000000
NOTICE:  BL31: v2.9(debug):v2.9.0-368-ge7045288cfdc
NOTICE:  BL31: Built : 12:37:06, Jul 27 2023
INFO:    ARM GICv2 driver initialized
INFO:    BL31: Initializing runtime services
INFO:    BL31: PM Service Init Complete: API v1.1
INFO:    BL31: cortex_a53: CPU workaround for 855873 was applied
INFO:    BL31: cortex_a53: CPU workaround for 1530924 was applied
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x8000000
j��"��՝}Յ���jR� 0x3c9

U-Boot 2023.10-rc1-00119-g0ede489f8903 (Jul 31 2023 - 13:53:44 +0200)

CPU:   ZynqMP
Silicon: v3
Chip:  xck26
Detected name: zynqmp-sm-k26-xcl2gc-ed-revB-sck-kv-g-revB
Model: ZynqMP KV260 revB
Board: Xilinx ZynqMP
DRAM:  2 GiB (effective 4 GiB)
PMUFW:	v1.1
Xilinx I2C FRU format at nvmem0:
  Manufacturer Name: XILINX
  Product Name: SM-K26-XCL2GC-ED
  Serial No: 50572B111F2H
  Part Number: 5057-02ED
  File ID: 0x0
  Revision Number: B
Xilinx I2C FRU format at nvmem1:
  Manufacturer Name: XILINX
  Product Name: SCK-KV-G
  Serial No: 50582B112M07
  Part Number: 5058-02
  File ID: 0x0
  Revision Number: B
EL Level:	EL2
Secure Boot:	not authenticated, not encrypted
Core:  90 devices, 33 uclasses, devicetree: fit
NAND:  0 MiB
MMC:   mmc at ff160000: 0, mmc at ff170000: 1
Loading Environment from SPIFlash... SF: Detected mt25qu512a with page size 256 
Bytes, erase size 64 KiB, total 64 MiB
OK
In:    serial
Out:   serial
Err:   serial
Net:   PHY reset timed out

ZYNQ GEM: ff0e0000, mdio bus ff0e0000, phyaddr 1, interface rgmii-id
eth0: ethernet at ff0e0000
fwu_plat_get_bootidx: boot_idx: 1, active_idx: 1
tpm_tis_spi_probe: missing reset GPIO
gpio: pin gpio at ff0a000038 (gpio 38) value is 0
gpio: pin gpio at ff0a000038 (gpio 38) value is 1
starting USB...
No working controllers found

Reset SCSI
scanning bus for devices...
Hit any key to stop autoboot:  0
ZynqMP> dhcp
ethernet at ff0e0000 Waiting for PHY auto negotiation to complete... done
BOOTP broadcast 1
DHCP client bound to address 192.168.0.155 (7 ms)
ZynqMP>   tftpboot 0x100000 192.168.0.105:capsule1.bin && save mmc 1 0x100000 
/EFI/UpdateCapsule/capsule1.bin ${filesize}
Using ethernet at ff0e0000 device
TFTP from server 192.168.0.105; our IP address is 192.168.0.155
Filename 'capsule1.bin'.
Load address: 0x100000
Loading: ########################################################
	 2.8 MiB/s
done
Bytes transferred = 283160 (45218 hex)
283160 bytes written in 787 ms (350.6 KiB/s)
ZynqMP>   tftpboot 0x100000 192.168.0.105:capsule2.bin && save mmc 1 0x100000 
/EFI/UpdateCapsule/capsule2.bin ${filesize}
Using ethernet at ff0e0000 device
TFTP from server 192.168.0.105; our IP address is 192.168.0.155
Filename 'capsule2.bin'.
Load address: 0x100000
Loading: #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #########################################################
	 3.5 MiB/s
done
Bytes transferred = 1952940 (1dccac hex)
1952940 bytes written in 997 ms (1.9 MiB/s)
ZynqMP>     efidebug capsule disk-update
ZynqMP> ls mmc 1:1 EFI/UpdateCapsule
             ./
             ../
    283160   capsule1.bin
   1952940   capsule2.bin

2 file(s), 2 dir(s)

ZynqMP> reset
resetting ...
Rebooting to index 1
<debug_uart>

U-Boot SPL 2023.10-rc1-00119-g0ede489f8903 (Jul 31 2023 - 13:53:44 +0200)
Loading new PMUFW cfg obj (2032 bytes)
PMUFW:	v1.1
Silicon version:	3
EL Level:	EL3
Secure Boot:	not authenticated, not encrypted
Multiboot:	496
Trying to boot from SPI
spl_spi_get_uboot_offs: Offset of u-boot.itb should be at 0x1000000
NOTICE:  BL31: Non secure code at 0x8000000
NOTICE:  BL31: v2.9(debug):v2.9.0-368-ge7045288cfdc
NOTICE:  BL31: Built : 12:37:06, Jul 27 2023
INFO:    ARM GICv2 driver initialized
INFO:    BL31: Initializing runtime services
INFO:    BL31: PM Service Init Complete: API v1.1
INFO:    BL31: cortex_a53: CPU workaround for 855873 was applied
INFO:    BL31: cortex_a53: CPU workaround for 1530924 was applied
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x8000000
�H�"��՝}Յ���jR� 0x3c9

U-Boot 2023.10-rc1-00119-g0ede489f8903 (Jul 31 2023 - 13:53:44 +0200)

CPU:   ZynqMP
Silicon: v3
Chip:  xck26
Detected name: zynqmp-sm-k26-xcl2gc-ed-revB-sck-kv-g-revB
Model: ZynqMP KV260 revB
Board: Xilinx ZynqMP
DRAM:  2 GiB (effective 4 GiB)
PMUFW:	v1.1
Xilinx I2C FRU format at nvmem0:
  Manufacturer Name: XILINX
  Product Name: SM-K26-XCL2GC-ED
  Serial No: 50572B111F2H
  Part Number: 5057-02ED
  File ID: 0x0
  Revision Number: B
Xilinx I2C FRU format at nvmem1:
  Manufacturer Name: XILINX
  Product Name: SCK-KV-G
  Serial No: 50582B112M07
  Part Number: 5058-02
  File ID: 0x0
  Revision Number: B
EL Level:	EL2
Secure Boot:	not authenticated, not encrypted
Core:  90 devices, 33 uclasses, devicetree: fit
NAND:  0 MiB
MMC:   mmc at ff160000: 0, mmc at ff170000: 1
Loading Environment from SPIFlash... SF: Detected mt25qu512a with page size 256 
Bytes, erase size 64 KiB, total 64 MiB
OK
In:    serial
Out:   serial
Err:   serial
Net:   PHY reset timed out

ZYNQ GEM: ff0e0000, mdio bus ff0e0000, phyaddr 1, interface rgmii-id
eth0: ethernet at ff0e0000
fwu_plat_get_bootidx: boot_idx: 1, active_idx: 1
tpm_tis_spi_probe: missing reset GPIO
gpio: pin gpio at ff0a000038 (gpio 38) value is 0
gpio: pin gpio at ff0a000038 (gpio 38) value is 1
starting USB...
No working controllers found

Reset SCSI
scanning bus for devices...
Hit any key to stop autoboot:  0
ZynqMP>
ZynqMP>



