From: Sughosh Ganu <sughosh.ganu@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v2 00/14] qemu: arm64: Add support for uefi capsule update on qemu arm platform
Date: Mon, 21 Dec 2020 17:13:00 +0530
Message-ID: <20201221114314.25588-1-sughosh.ganu@linaro.org>

The capsule update feature is supported on a platform configuration
booting in a non-secure mode, i.e. with -machine virt,secure=off option
set. This results in the platform booting u-boot directly without
the presence of trusted firmware (tf-a). Steps that need to be followed
for using this feature have been provided as part of the documentation.

Support has also been added for enabling the capsule authentication
feature. Capsule authentication, as defined by the UEFI
specification, is very much on similar lines to the logic used for
variable authentication. As a result, most of the signature
verification code already in use for variable authentication has been
used for capsule authentication.

Storage of the public key certificate, needed for the signature
verification process, is in the form of the EFI signature list (ESL)
structure. This public key is stored on an overlay which is then
merged with the platform's base fdt at runtime. The public key ESL
file can be embedded into the overlay dtb using the mkeficapsule
utility that has been added as part of the capsule update support
series by Takahiro Akashi. Steps needed for enabling capsule
authentication have been provided as part of the documentation.

This patch series needs to be applied on top of the capsule update
support patch series from Takahiro Akashi on the next branch.

Changes since V1:
* Added support for embedding the public key cert in an overlay using
  the -O option
* The earlier patch was adding a call to pci_init in board_init. Moved
  the virtio_init call to board_late_init
* Change MTDPARTS_NOR[01] as config options instead of defining them in
  the qemu-arm.h config header.
* Enable CONFIG_SYS_MTDPARTS_RUNTIME with CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
* Build set_dfu_alt_info and board_get_alt_info functions only if
  CONFIG_SET_DFU_ALT_INFO is defined
* Enable CONFIG_SET_DFU_ALT_INFO with
  CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT
* Detect the presence of the FMP Payload header at runtime instead of
  using a Kconfig option, as was suggested by Heinrich
* Change the documentation to reflect the usage of overlays for
  embedding the public key certs at runtime
* Fix the build for 'make htmldocs'


Sughosh Ganu (14):
  mkeficapsule: Add support for embedding public key in a dtb
  qemu: arm: Initialise virtio in board_late_init
  crypto: Fix the logic to calculate hash with authattributes set
  qemu: arm64: Add support for dynamic mtdparts for the platform
  qemu: arm64: Set dfu_alt_info variable for the platform
  fsp: Move and rename fsp_types.h file
  efi_loader: Add logic to parse EDKII specific fmp payload header
  dfu_mtd: Add provision to unlock mtd device
  efi_loader: Make the pkcs7 header parsing function an extern
  efi_loader: Re-factor code to build the signature store from efi
    signature list
  efi: capsule: Add support for uefi capsule authentication
  efi_loader: Enable uefi capsule authentication
  efidebug: capsule: Add a command to update capsule on disk
  qemu: arm64: Add documentation for capsule update

 arch/x86/include/asm/fsp/fsp_support.h        |   3 +-
 board/emulation/qemu-arm/Kconfig              |  20 ++
 board/emulation/qemu-arm/qemu-arm.c           | 168 +++++++++++++
 cmd/efidebug.c                                |  14 ++
 configs/qemu_arm64_defconfig                  |   1 +
 doc/board/emulation/qemu-arm.rst              | 188 ++++++++++++++
 drivers/dfu/dfu_mtd.c                         |  20 +-
 include/efi_api.h                             |  18 ++
 include/efi_loader.h                          |  12 +
 .../fsp/fsp_types.h => include/signatures.h   |   6 +-
 lib/crypto/pkcs7_verify.c                     |  37 ++-
 lib/efi_loader/Kconfig                        |  19 ++
 lib/efi_loader/efi_capsule.c                  | 122 +++++++++
 lib/efi_loader/efi_firmware.c                 |  77 +++++-
 lib/efi_loader/efi_signature.c                | 192 +++++++++++----
 lib/efi_loader/efi_variable.c                 |  93 +------
 tools/Makefile                                |   1 +
 tools/mkeficapsule.c                          | 233 +++++++++++++++++-
 18 files changed, 1060 insertions(+), 164 deletions(-)
 rename arch/x86/include/asm/fsp/fsp_types.h => include/signatures.h (95%)

-- 
2.17.1
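
The ESL container named in the cover letter, shown as an added example that is not part of this patch series or of U-Boot's code: a bounds-checked walk over an EFI_SIGNATURE_LIST buffer, laid out as in the UEFI specification, that counts the X.509 entries it holds. The function name `esl_count_x509`, the buffer `SAMPLE_ESL` and its 4-byte placeholder "certificate" are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUID_SIZE    16u
#define ESL_HDR_SIZE 28u  /* SignatureType GUID + three 32-bit LE size fields */

/* EFI_CERT_X509_GUID (a5c059a1-94e4-4aa7-87b5-ab155c2bf072), in-memory byte order */
static const uint8_t X509_GUID[GUID_SIZE] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };

/* Constructed sample: one list, one entry, zero owner GUID, placeholder data */
static const uint8_t SAMPLE_ESL[48] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72,
    48, 0, 0, 0,   /* SignatureListSize   */
    0, 0, 0, 0,    /* SignatureHeaderSize */
    20, 0, 0, 0,   /* SignatureSize = owner GUID (16) + data (4) */
    [44] = 'D', 'E', 'M', 'O' };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of X.509 entries, or -1 if any list is malformed. */
int esl_count_x509(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < ESL_HDR_SIZE) return -1;       /* truncated header */
        uint32_t list_size = rd32le(buf + off + 16);
        uint32_t hdr_size  = rd32le(buf + off + 20);
        uint32_t sig_size  = rd32le(buf + off + 24);
        if (list_size < ESL_HDR_SIZE || list_size > len - off) return -1;
        uint32_t body = list_size - ESL_HDR_SIZE;
        if (hdr_size > body) return -1;                /* header overruns list */
        body -= hdr_size;
        if (sig_size <= GUID_SIZE || body % sig_size) return -1;
        if (!memcmp(buf + off, X509_GUID, GUID_SIZE))
            count += (int)(body / sig_size);
        off += list_size;                              /* next list, if any */
    }
    return count;
}

int main(void) { printf("%d\n", esl_count_x509(SAMPLE_ESL, sizeof(SAMPLE_ESL))); return 0; }
```
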

Thread overview: 23+ messages
2020-12-21 11:43 Sughosh Ganu [this message]
2020-12-21 11:43 ` [PATCH v2 01/14] mkeficapsule: Add support for embedding public key in a dtb Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 02/14] qemu: arm: Initialise virtio in board_late_init Sughosh Ganu
2020-12-21 12:19   ` Heinrich Schuchardt
2020-12-21 12:51     ` Heinrich Schuchardt
2020-12-21 17:18       ` Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 03/14] crypto: Fix the logic to calculate hash with authattributes set Sughosh Ganu
2020-12-21 12:54   ` Heinrich Schuchardt
2020-12-21 11:43 ` [PATCH v2 04/14] qemu: arm64: Add support for dynamic mtdparts for the platform Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 05/14] qemu: arm64: Set dfu_alt_info variable " Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 06/14] fsp: Move and rename fsp_types.h file Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 07/14] efi_loader: Add logic to parse EDKII specific fmp payload header Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 08/14] dfu_mtd: Add provision to unlock mtd device Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 09/14] efi_loader: Make the pkcs7 header parsing function an extern Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 10/14] efi_loader: Re-factor code to build the signature store from efi signature list Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 11/14] efi: capsule: Add support for uefi capsule authentication Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 12/14] efi_loader: Enable " Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 13/14] efidebug: capsule: Add a command to update capsule on disk Sughosh Ganu
2020-12-21 11:43 ` [PATCH v2 14/14] qemu: arm64: Add documentation for capsule update Sughosh Ganu
2020-12-21 12:58   ` Heinrich Schuchardt
2020-12-21 17:12     ` Sughosh Ganu
2020-12-21 17:51       ` Heinrich Schuchardt
2020-12-22  6:10         ` Sughosh Ganu
