[PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update

From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: u-boot@lists.denx.de
Subject: [PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update
Date: Mon, 19 Apr 2021 04:35:15 +0200	[thread overview]
Message-ID: <CAC82C0B-07E2-4C4F-B6D9-4C754C4BB102@gmx.de> (raw)
In-Reply-To: <CAA93ih0KTTq_sVR8QkOF+_B3yZ_N0KZbvSE48-N2vpcpeRN4sA@mail.gmail.com>

Am 19. April 2021 04:24:37 MESZ schrieb Masami Hiramatsu <masami.hiramatsu@linaro.org>:
>Hi,
>
>2021?4?19?(?) 9:37 Takahiro Akashi <takahiro.akashi@linaro.org>:
>>
>> Sughosh,
>>
>> On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
>> > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt
><xypron.glpk@gmx.de>
>> > wrote:
>> >
>> > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
>> > > > Since the EDK2 GenerateCapsule script is out of date and it
>> > > > doesn't generate the supported version capsule file, the
>document
>> > > > should refer the mkeficapsule in tools.
>> > > >
>> > > > Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
>> > > > ---
>> > > >   doc/board/emulation/qemu_capsule_update.rst |   11
>++---------
>> > > >   1 file changed, 2 insertions(+), 9 deletions(-)
>> > > >
>> > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst
>> > > b/doc/board/emulation/qemu_capsule_update.rst
>> > > > index 9fec75f8f1..e2a9f0db71 100644
>> > > > --- a/c
>> > > > +++ b/doc/board/emulation/qemu_capsule_update.rst
>> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to
>be
>> > > disabled(QEMU ARM specific)::
>> > > >
>> > > >       CONFIG_TFABOOT
>> > > >
>> > > > -The capsule file can be generated by using the
>GenerateCapsule.py
>> > > > -script in EDKII::
>> > > > -
>> > > > -    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o
>\
>> > > > -    <capsule_file_name> --fw-version <val> --lsv <val> --guid
>\
>> > > > -    e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose
>--update-image-index
>> > > \
>> > > > -    <val> --verbose <u-boot.bin>
>> > > > +The capsule file can be generated by using the
>tools/mkeficapsule::
>> > > >
>> > > > -The above is a wrapper script(GenerateCapsule) which
>eventually calls
>> > > > -the actual GenerateCapsule.py script.
>> > > > +    $ mkeficapsule --raw <u-boot.bin> --index 1
><capsule_file_name>
>> > >
>> > > Thanks for the change.
>> > >
>> > > Could you, please, adjust the same in chapter "Enabling Capsule
>> > > Authentication" below.
>
>So as Sughosh said, since currently mkeficapsule doesn't support
>authentication,
>I only changed it for the normal capsule update. Without this change,
>the capsule
>update just failed.
>
>
>> > Currently, we do not have support for adding authentication header
>to the
>> > capsule. This is because I have been using the GenerateCapsule
>script in
>> > edk2 for generation of a capsule with authentication header. I
>think adding
>> > the signature to the capsule is easier when done through a python
>script
>> > rather than C code.
>>
>> Why do you think so?
>> At a quick glance at the script, it internally uses openssl command
>like:
>>     openssl smime -sign -binary -outform DER -md sha256 \
>>         -signer <...> -certfile <...>
>> (See PayloadDescriptor.Encode in the script.)
>>
>> The output from the standard output is exactly what you want
>> to use to build a capsule file, that is "AuthInfo".
>> Then you can naturally extend mkeficapsule to insert this signature
>> between the header and the image itself in a capsule file.
>
>Hmm, if it can be done by just calling openssl, I think it is easier
>for me
>to run the tools/mkeficapsule, because I don't need to build EDK2
>for U-Boot.
>
>If GenerateCapsule becomes a standard implementation and
>independent from the EDK2 project, from the interoperability point
>of view, it is better to use that. But it is a part of EDK2 and the
>GenerateCapsule seems out-of-date and not maintained well
>(why doesn't it support the latest version yet??)

Sughosh told me that EDK II cannot create a signed capsule that is usable with U-Boot due to an outdated header version used by EDK II.

It should be sufficient to describe the steps used by U-Boot's test script here.

Best regards

Heinrich

>
>Thank you,
>
>> Furthermore, I believe, it is fairly straightforward to add a native
>> 'signing' feature to mkeficapsule if you use openssl library.
>>
>> -Takahiro Akashi
>>
>>
>> > I am working on adding support for the latest version
>> > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the
>GenerateCapsule
>> > script in edk2. Meanwhile, would it be possible to have support for
>the
>> > version 2 of this header in the capsule driver -- it is a minor
>change and
>> > I already have a patch for it. If you are fine, I can submit a
>patch for
>> > the same.
>> >
>> > -sughosh
>> >
>> >
>> > >
>> > > Best regards
>> > >
>> > > Heinrich
>> > >
>> > > >
>> > > >   As per the UEFI specification, the capsule file needs to be
>placed on
>> > > >   the EFI System Partition, under the \EFI\UpdateCapsule
>directory. The
>> > > >
>> > >
>> > >
>
>
>
>--
>Masami Hiramatsu