From: Sughosh Ganu <sughosh.ganu@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v2 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm platform
Date: Mon, 21 Dec 2020 17:13:00 +0530 [thread overview]
Message-ID: <20201221114314.25588-1-sughosh.ganu@linaro.org> (raw)
The capsule update feature is supported on a platform configuration
booting in a non-secure mode, i.e with -machine virt,secure=off option
set. This results in the platform booting u-boot directly without
the presence of trusted firmware(tf-a). Steps that need to be followed
for using this feature have been provided as part of the documentation.
Support has also been added for enabling the capsule authentication
feature. Capsule authentication, as defined by the uefi
specification is very much on similar lines to the logic used for
variable authentication. As a result, most of the signature
verification code already in use for variable authentication has been
used for capsule authentication.
Storage of the public key certificate, needed for the signature
verification process is in form of the efi signature list(esl)
structure. This public key is stored on an overlay which is then
merged with the platform's base fdt at runtime. The public key esl
file can be embedded into the overlay dtb using the mkeficapsule
utility that has been added as part of the capsule update support
series by Takahiro Akashi. Steps needed for enabling capsule
authentication have been provided as part of the documentation.
This patch series needs to be applied on top of the capsule update
support patch series from Takahiro Akashi on the next branch.
Changes since V1:
* Added support for embedding the public key cert in an overlay using
the -O option
* The earlier patch was adding a call to pci_init in board_init. Moved
the virtio_init call to board_late_init
* Change MTDPARTS_NOR[01] as config options instead of defining them in
the qemu-arm.h config header.
* Enable CONFIG_SYS_MTDPARTS_RUNTIME with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
* Build set_dfu_alt_info and board_get_alt_info functions only if
CONFIG_SET_DFU_ALT_INFO is defined
* Enable CONFIG_SET_DFU_ALT_INFO with
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
* Detect the presence of the FMP Payload header at runtime instead of
using a Kconfig option, as was suggested by Heinrich
* Change the documentation to reflect the usage of overlays for
embedding the public key certs at runtime
* Fix the build for 'make htmldocs'
Sughosh Ganu (14):
mkeficapsule: Add support for embedding public key in a dtb
qemu: arm: Initialise virtio in board_late_init
crypto: Fix the logic to calculate hash with authattributes set
qemu: arm64: Add support for dynamic mtdparts for the platform
qemu: arm64: Set dfu_alt_info variable for the platform
fsp: Move and rename fsp_types.h file
efi_loader: Add logic to parse EDKII specific fmp payload header
dfu_mtd: Add provision to unlock mtd device
efi_loader: Make the pkcs7 header parsing function an extern
efi_loader: Re-factor code to build the signature store from efi
signature list
efi: capsule: Add support for uefi capsule authentication
efi_loader: Enable uefi capsule authentication
efidebug: capsule: Add a command to update capsule on disk
qemu: arm64: Add documentation for capsule update
arch/x86/include/asm/fsp/fsp_support.h | 3 +-
board/emulation/qemu-arm/Kconfig | 20 ++
board/emulation/qemu-arm/qemu-arm.c | 168 +++++++++++++
cmd/efidebug.c | 14 ++
configs/qemu_arm64_defconfig | 1 +
doc/board/emulation/qemu-arm.rst | 188 ++++++++++++++
drivers/dfu/dfu_mtd.c | 20 +-
include/efi_api.h | 18 ++
include/efi_loader.h | 12 +
.../fsp/fsp_types.h => include/signatures.h | 6 +-
lib/crypto/pkcs7_verify.c | 37 ++-
lib/efi_loader/Kconfig | 19 ++
lib/efi_loader/efi_capsule.c | 122 +++++++++
lib/efi_loader/efi_firmware.c | 77 +++++-
lib/efi_loader/efi_signature.c | 192 +++++++++++----
lib/efi_loader/efi_variable.c | 93 +------
tools/Makefile | 1 +
tools/mkeficapsule.c | 233 +++++++++++++++++-
18 files changed, 1060 insertions(+), 164 deletions(-)
rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)
--
2.17.1
next reply other threads:[~2020-12-21 11:43 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-21 11:43 Sughosh Ganu [this message]
2020-12-21 11:43 ` [PATCH v2 01/14] mkeficapsule: Add support for embedding public key in a dtb Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 02/14] qemu: arm: Initialise virtio in board_late_init Sughosh Ganu
2020-12-21 12:19 ` Heinrich Schuchardt
2020-12-21 12:51 ` Heinrich Schuchardt
2020-12-21 17:18 ` Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 03/14] crypto: Fix the logic to calculate hash with authattributes set Sughosh Ganu
2020-12-21 12:54 ` Heinrich Schuchardt
2020-12-21 11:43 ` [PATCH v2 04/14] qemu: arm64: Add support for dynamic mtdparts for the platform Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 05/14] qemu: arm64: Set dfu_alt_info variable " Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 06/14] fsp: Move and rename fsp_types.h file Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 07/14] efi_loader: Add logic to parse EDKII specific fmp payload header Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 08/14] dfu_mtd: Add provision to unlock mtd device Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 09/14] efi_loader: Make the pkcs7 header parsing function an extern Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 10/14] efi_loader: Re-factor code to build the signature store from efi signature list Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 11/14] efi: capsule: Add support for uefi capsule authentication Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 12/14] efi_loader: Enable " Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 13/14] efidebug: capsule: Add a command to update capsule on disk Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 14/14] qemu: arm64: Add documentation for capsule update Sughosh Ganu
2020-12-21 12:58 ` Heinrich Schuchardt
2020-12-21 17:12 ` Sughosh Ganu
2020-12-21 17:51 ` Heinrich Schuchardt
2020-12-22 6:10 ` Sughosh Ganu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201221114314.25588-1-sughosh.ganu@linaro.org \
--to=sughosh.ganu@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.