[PATCH v11 0/9] efi_loader: capsule: improve capsule authentication support

[PATCH v11 0/9] efi_loader: capsule: improve capsule authentication support

[AKASHI Takahiro]

# In this version, the crypto library was changed from openssl to
# gnutls to avoid the license issue. So the dockerfile for sandbox
# CI should be updated for necessary packages as well.
# See my patch, "Dockerfile: Add libgnutls package for building
# mkeficapsule command", I have not tested the docker image though.

As I proposed and discussed in [1] and [2], I have made a couple of
improvements on the current implementation of capsule update in this
patch set.

* add signing feature to mkeficapsule
* add "--guid" option to mkeficapsule
* add man page of mkeficapsule
* update uefi document regarding capsule update
* revise pytests

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html

Prerequisite patches
====================
For azure pipeline (CI),
* "CI: enforce packages upgrade for Msys2 on Windows" [3]

[3] https://lists.denx.de/pipermail/u-boot/2022-February/474701.html

Test
====
* locally passed the pytest which is included in this patch series
  on sandbox built.
  (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
  in order to exercise the authentication code.)
* passed Azure pipeline

Changes
=======
v11 (Feb 9, 2022)
* fix warnings in "make htmldocs" and revise the text formatting (patch#4)
* fix package dependency for CI on Windows (patch#2,#6)
* fix package dependency for CI on MacOS (patch#6)

v10 (Feb 1, 2022)
* rebased on v2022.04-rc1
* drop already-merge patches
* change crypto library from openssl to gnutls (patch#2)

v9 (Jan 18, 2022)
* rebased on v2022.01
* print the output messages to stderr (patch#1,#2, #4 and #6)
* use SIZE_MAX instead of (u32)!0U (patch#2)
* revise and re-format the man page of mkeficapsule (patch#5)
* add "code-block:: console" directives for command line examples
  in a ReST document (patch#6)
* describe the case when a trailing '/' in EFITOOLS_PATH is needed
  (patch#7)
* describe UUID data as a binary rather than a string (patch#8)
* drop fdtsig.sh-related patches (patch#12,#13 in v8)

v8 (Dec 20, 2021)
* rebase on v2022.01-rc3
* move the definition of CONFIG_TOOLS_MKEFICAPSULE to a proper patch
  (patch#2)

v7 (Nov 16, 2021)
* rebased on pre-v2022.01-rc2
* drop already-merged patch
* check for a size of firmware binary file (patch#1)
* enable mkeficapsule in tools-only_defconfig (patch#2)
* define eficapsule.h and include it from mkeficapsule (patch#3)
  Hopefully, the tool can now compile on non-linux host.

v6 (Nov 02, 2021)
* rebased on pre-v2022.01-rc1
* add patch#2 to rework/refactor the code for better readability (patch#2)
* use exit(EXIT_SUCCESS/FAILURE) (patch#3)
* truncate >80chars lines in pytest scripts (patch#6)

v5 (Oct 27, 2021)
* rebased on pre-v2022.01-rc1 (WIP/26Oct2021)
* drop already-merged patches
* drop __weak from efi_get_public_key_data() (patch#1)
* describe the format of public key node in device tree (patch#4)
* re-order patches by grouping closely-related patches (patch#6-8)
* modify pytest to make the test results correctly verified
  either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9)
* add RFCs for embedding public keys during the build process (patch#10,11)

v4 (Oct 7, 2021)
* rebased on v2021.10
* align with "Revert "efi_capsule: Move signature from DTB to .rodata""
* add more missing *revert* commits (patch#1,#2,#3)
* add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
* update/revise the man/uefi doc (patch#6,#7)
* fix a bug in parsing guid string (patch#8)
* add a test for "--guid" option (patch#10)
* use dtb-based authentication test as done in v1 (patch#11)

v3 (Aug 31, 2021)
* rebased on v2021.10-rc3
* remove pytest-related patches
* add function descriptions in mkeficapsule.c
* correct format specifiers in printf()
* let main() return 0 or -1 only
* update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule

v2 (July 28, 2021)
* rebased on v2021.10-rc*
* removed dependency on target's configuration
* removed fdtsig.sh and others
* add man page
* update the UEFI document
* add dedicate defconfig for testing on sandbox
* add gitlab CI support
* add "--guid" option to mkeficapsule
  (yet rather RFC)

Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (9):
  tools: build mkeficapsule with tools-only_defconfig
  tools: mkeficapsule: add firmware image signing
  tools: mkeficapsule: add man page
  doc: update UEFI document for usage of mkeficapsule
  test/py: efi_capsule: add image authentication test
  tools: mkeficapsule: allow for specifying GUID explicitly
  test/py: efi_capsule: align with the syntax change of mkeficapsule
  test/py: efi_capsule: add a test for "--guid" option
  test/py: efi_capsule: check the results in case of
    CAPSULE_AUTHENTICATE

 .azure-pipelines.yml                          |   4 +-
 MAINTAINERS                                   |   1 +
 configs/tools-only_defconfig                  |   1 +
 doc/develop/uefi/uefi.rst                     | 151 +++---
 doc/mkeficapsule.1                            | 111 +++++
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  59 ++-
 test/py/tests/test_efi_capsule/signature.dts  |  10 +
 .../test_efi_capsule/test_capsule_firmware.py |  91 +++-
 .../test_capsule_firmware_signed.py           | 254 ++++++++++
 tools/Kconfig                                 |   8 +
 tools/Makefile                                |   4 +-
 tools/eficapsule.h                            | 115 +++++
 tools/mkeficapsule.c                          | 459 +++++++++++++++---
 14 files changed, 1132 insertions(+), 141 deletions(-)
 create mode 100644 doc/mkeficapsule.1
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
 create mode 100644 tools/eficapsule.h

-- 
2.33.0

[PATCH v11 1/9] tools: build mkeficapsule with tools-only_defconfig

[AKASHI Takahiro]

Add CONFIG_TOOLS_MKEFICAPSULE. Then we want to always build mkeficapsule
if tools-only_defconfig is used.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 configs/tools-only_defconfig | 1 +
 tools/Kconfig                | 8 ++++++++
 tools/Makefile               | 3 +--
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/configs/tools-only_defconfig b/configs/tools-only_defconfig
index 1f8e90a69f53..2246b3c660a6 100644
--- a/configs/tools-only_defconfig
+++ b/configs/tools-only_defconfig
@@ -34,3 +34,4 @@ CONFIG_I2C_EDID=y
 # CONFIG_VIRTIO_SANDBOX is not set
 # CONFIG_GENERATE_ACPI_TABLE is not set
 # CONFIG_EFI_LOADER is not set
+CONFIG_TOOLS_MKEFICAPSULE=y
diff --git a/tools/Kconfig b/tools/Kconfig
index 91ce8ae3e516..117c921da3fe 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -90,4 +90,12 @@ config TOOLS_SHA512
 	help
 	  Enable SHA512 support in the tools builds
 
+config TOOLS_MKEFICAPSULE
+	bool "Build efimkcapsule command"
+	default y if EFI_CAPSULE_ON_DISK
+	help
+	  This command allows users to create a UEFI capsule file and,
+	  optionally sign that file. If you want to enable UEFI capsule
+	  update feature on your target, you certainly need this.
+
 endmenu
diff --git a/tools/Makefile b/tools/Makefile
index 1763f44cac43..766c0674f4a0 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -238,8 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs
 hostprogs-$(CONFIG_ASN1_COMPILER)	+= asn1_compiler
 HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
 
-mkeficapsule-objs	:= mkeficapsule.o $(LIBFDT_OBJS)
-hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule
+hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
 
 # We build some files with extra pedantic flags to try to minimize things
 # that won't build on some weird host compiler -- though there are lots of
-- 
2.33.0

[PATCH v11 2/9] tools: mkeficapsule: add firmware image signing

[AKASHI Takahiro]

With this enhancement, mkeficapsule will be able to sign a capsule
file when it is created. A signature added will be used later
in the verification at FMP's SetImage() call.

To do that, we need specify additional command parameters:
  -monotonic-cout <count> : monotonic count
  -private-key <private key file> : private key file
  -certificate <certificate file> : certificate file
Only when all of those parameters are given, a signature will be added
to a capsule file.

Users are expected to maintain and increment the monotonic count at
every time of the update for each firmware image.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 .azure-pipelines.yml |   2 +-
 tools/Makefile       |   1 +
 tools/eficapsule.h   | 115 +++++++++++++
 tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
 4 files changed, 463 insertions(+), 35 deletions(-)
 create mode 100644 tools/eficapsule.h

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index f2aa332be5cc..aecc9cb88441 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -25,7 +25,7 @@ stages:
           %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm -Syyuu"
         displayName: 'Update MSYS2'
       - script: |
-          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel"
+          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel libgnutls-devel"
         displayName: 'Install Toolchain'
       - script: |
           echo make tools-only_defconfig tools-only NO_SDL=1 > build-tools.sh
diff --git a/tools/Makefile b/tools/Makefile
index 766c0674f4a0..8da07d60a755 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -238,6 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs
 hostprogs-$(CONFIG_ASN1_COMPILER)	+= asn1_compiler
 HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
 
+HOSTLDLIBS_mkeficapsule += -lgnutls
 hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
 
 # We build some files with extra pedantic flags to try to minimize things
diff --git a/tools/eficapsule.h b/tools/eficapsule.h
new file mode 100644
index 000000000000..8c1560bb0671
--- /dev/null
+++ b/tools/eficapsule.h
@@ -0,0 +1,115 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2021 Linaro Limited
+ *		Author: AKASHI Takahiro
+ *
+ * derived from efi.h and efi_api.h to make the file POSIX-compliant
+ */
+
+#ifndef _EFI_CAPSULE_H
+#define _EFI_CAPSULE_H
+
+#include <stdint.h>
+#include <pe.h> /* WIN_CERTIFICATE */
+
+/*
+ * Gcc's predefined attributes are not recognized by clang.
+ */
+#ifndef __packed
+#define __packed	__attribute__((__packed__))
+#endif
+
+#ifndef __aligned
+#define __aligned(x)	__attribute__((__aligned__(x)))
+#endif
+
+typedef struct {
+	uint8_t b[16];
+} efi_guid_t __aligned(8);
+
+#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
+	{{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \
+		((a) >> 24) & 0xff, \
+		(b) & 0xff, ((b) >> 8) & 0xff, \
+		(c) & 0xff, ((c) >> 8) & 0xff, \
+		(d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } }
+
+#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \
+	EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \
+		 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a)
+
+#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \
+	EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \
+		 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47)
+
+#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \
+	EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \
+		 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f)
+
+#define EFI_CERT_TYPE_PKCS7_GUID \
+	EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
+		 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
+
+/* flags */
+#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET      0x00010000
+
+struct efi_capsule_header {
+	efi_guid_t capsule_guid;
+	uint32_t header_size;
+	uint32_t flags;
+	uint32_t capsule_image_size;
+} __packed;
+
+struct efi_firmware_management_capsule_header {
+	uint32_t version;
+	uint16_t embedded_driver_count;
+	uint16_t payload_item_count;
+	uint32_t item_offset_list[];
+} __packed;
+
+/* image_capsule_support */
+#define CAPSULE_SUPPORT_AUTHENTICATION          0x0000000000000001
+
+struct efi_firmware_management_capsule_image_header {
+	uint32_t version;
+	efi_guid_t update_image_type_id;
+	uint8_t update_image_index;
+	uint8_t reserved[3];
+	uint32_t update_image_size;
+	uint32_t update_vendor_code_size;
+	uint64_t update_hardware_instance;
+	uint64_t image_capsule_support;
+} __packed;
+
+/**
+ * win_certificate_uefi_guid - A certificate that encapsulates
+ * a GUID-specific signature
+ *
+ * @hdr:	Windows certificate header
+ * @cert_type:	Certificate type
+ * @cert_data:	Certificate data
+ */
+struct win_certificate_uefi_guid {
+	WIN_CERTIFICATE	hdr;
+	efi_guid_t cert_type;
+	uint8_t cert_data[];
+} __packed;
+
+/**
+ * efi_firmware_image_authentication - Capsule authentication method
+ * descriptor
+ *
+ * This structure describes an authentication information for
+ * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set
+ * and should be included as part of the capsule.
+ * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
+ *
+ * @monotonic_count: Count to prevent replay
+ * @auth_info: Authentication info
+ */
+struct efi_firmware_image_authentication {
+	uint64_t monotonic_count;
+	struct win_certificate_uefi_guid auth_info;
+} __packed;
+
+#endif /* _EFI_CAPSULE_H */
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index 243fd6e48370..b996c66ad26a 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -16,21 +16,13 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
-typedef __u8 u8;
-typedef __u16 u16;
-typedef __u32 u32;
-typedef __u64 u64;
-typedef __s16 s16;
-typedef __s32 s32;
+#include <linux/kconfig.h>
 
-#define aligned_u64 __aligned_u64
+#include <gnutls/gnutls.h>
+#include <gnutls/pkcs7.h>
+#include <gnutls/abstract.h>
 
-#ifndef __packed
-#define __packed __attribute__((packed))
-#endif
-
-#include <efi.h>
-#include <efi_api.h>
+#include "eficapsule.h"
 
 static const char *tool_name = "mkeficapsule";
 
@@ -39,12 +31,19 @@ efi_guid_t efi_guid_image_type_uboot_fit =
 		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID;
 efi_guid_t efi_guid_image_type_uboot_raw =
 		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID;
+efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
+
+static const char *opts_short = "f:r:i:I:v:p:c:m:dh";
 
 static struct option options[] = {
 	{"fit", required_argument, NULL, 'f'},
 	{"raw", required_argument, NULL, 'r'},
 	{"index", required_argument, NULL, 'i'},
 	{"instance", required_argument, NULL, 'I'},
+	{"private-key", required_argument, NULL, 'p'},
+	{"certificate", required_argument, NULL, 'c'},
+	{"monotonic-count", required_argument, NULL, 'm'},
+	{"dump-sig", no_argument, NULL, 'd'},
 	{"help", no_argument, NULL, 'h'},
 	{NULL, 0, NULL, 0},
 };
@@ -58,10 +57,40 @@ static void print_usage(void)
 		"\t-r, --raw <raw image>       new raw image file\n"
 		"\t-i, --index <index>         update image index\n"
 		"\t-I, --instance <instance>   update hardware instance\n"
+		"\t-p, --private-key <privkey file>  private key file\n"
+		"\t-c, --certificate <cert file>     signer's certificate file\n"
+		"\t-m, --monotonic-count <count>     monotonic count\n"
+		"\t-d, --dump_sig              dump signature (*.p7)\n"
 		"\t-h, --help                  print a help message\n",
 		tool_name);
 }
 
+/**
+ * auth_context - authentication context
+ * @key_file:	Path to a private key file
+ * @cert_file:	Path to a certificate file
+ * @image_data:	Pointer to firmware data
+ * @image_size:	Size of firmware data
+ * @auth:	Authentication header
+ * @sig_data:	Signature data
+ * @sig_size:	Size of signature data
+ *
+ * Data structure used in create_auth_data(). @key_file through
+ * @image_size are input parameters. @auth, @sig_data and @sig_size
+ * are filled in by create_auth_data().
+ */
+struct auth_context {
+	char *key_file;
+	char *cert_file;
+	uint8_t *image_data;
+	size_t image_size;
+	struct efi_firmware_image_authentication auth;
+	uint8_t *sig_data;
+	size_t sig_size;
+};
+
+static int dump_sig;
+
 /**
  * read_bin_file - read a firmware binary file
  * @bin:	Path to a firmware binary file
@@ -75,7 +104,7 @@ static void print_usage(void)
  * * 0  - on success
  * * -1 - on failure
  */
-static int read_bin_file(char *bin, void **data, off_t *bin_size)
+static int read_bin_file(char *bin, uint8_t **data, off_t *bin_size)
 {
 	FILE *g;
 	struct stat bin_stat;
@@ -147,6 +176,205 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
 	return 0;
 }
 
+/**
+ * create_auth_data - compose authentication data in capsule
+ * @auth_context:	Pointer to authentication context
+ *
+ * Fill up an authentication header (.auth) and signature data (.sig_data)
+ * in @auth_context, using library functions from openssl.
+ * All the parameters in @auth_context must be filled in by a caller.
+ *
+ * Return:
+ * * 0  - on success
+ * * -1 - on failure
+ */
+static int create_auth_data(struct auth_context *ctx)
+{
+	gnutls_datum_t cert;
+	gnutls_datum_t key;
+	off_t file_size;
+	gnutls_privkey_t pkey;
+	gnutls_x509_crt_t x509;
+	gnutls_pkcs7_t pkcs7;
+	gnutls_datum_t data;
+	gnutls_datum_t signature;
+	int ret;
+
+	ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
+	if (ret < 0)
+		return -1;
+	if (file_size > UINT_MAX)
+		return -1;
+	cert.size = file_size;
+
+	ret = read_bin_file(ctx->key_file, &key.data, &file_size);
+	if (ret < 0)
+		return -1;
+	if (ret < 0)
+		return -1;
+	if (file_size > UINT_MAX)
+		return -1;
+	key.size = file_size;
+
+	/*
+	 * For debugging,
+	 * gnutls_global_set_time_function(mytime);
+	 * gnutls_global_set_log_function(tls_log_func);
+	 * gnutls_global_set_log_level(6);
+	 */
+
+	ret = gnutls_privkey_init(&pkey);
+	if (ret < 0) {
+		fprintf(stderr, "error in gnutls_privkey_init(): %s\n",
+			gnutls_strerror(ret));
+		return -1;
+	}
+
+	ret = gnutls_x509_crt_init(&x509);
+	if (ret < 0) {
+		fprintf(stderr, "error in gnutls_x509_crt_init(): %s\n",
+			gnutls_strerror(ret));
+		return -1;
+	}
+
+	/* load a private key */
+	ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
+					     0, 0);
+	if (ret < 0) {
+		fprintf(stderr,
+			"error in gnutls_privkey_import_x509_raw(): %s\n",
+			gnutls_strerror(ret));
+		return -1;
+	}
+
+	/* load x509 certificate */
+	ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fprintf(stderr, "error in gnutls_x509_crt_import(): %s\n",
+			gnutls_strerror(ret));
+		return -1;
+	}
+
+	/* generate a PKCS #7 structure */
+	ret = gnutls_pkcs7_init(&pkcs7);
+	if (ret < 0) {
+		fprintf(stderr, "error in gnutls_pkcs7_init(): %s\n",
+			gnutls_strerror(ret));
+		return -1;
+	}
+
+	/* sign */
+	/*
+	 * Data should have
+	 *  * firmware image
+	 *  * monotonic count
+	 * in this order!
+	 * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256()
+	 */
+	data.size = ctx->image_size + sizeof(ctx->auth.monotonic_count);
+	data.data = malloc(data.size);
+	if (!data.data) {
+		fprintf(stderr, "allocating memory (0x%x) failed\n", data.size);
+		return -1;
+	}
+	memcpy(data.data, ctx->image_data, ctx->image_size);
+	memcpy(data.data + ctx->image_size, &ctx->auth.monotonic_count,
+	       sizeof(ctx->auth.monotonic_count));
+
+	ret = gnutls_pkcs7_sign(pkcs7, x509, pkey, &data, NULL, NULL,
+				GNUTLS_DIG_SHA256,
+				/* GNUTLS_PKCS7_EMBED_DATA? */
+				GNUTLS_PKCS7_INCLUDE_CERT |
+				GNUTLS_PKCS7_INCLUDE_TIME);
+	if (ret < 0) {
+		fprintf(stderr, "error in gnutls_pkcs7)sign(): %s\n",
+			gnutls_strerror(ret));
+		return -1;
+	}
+
+	/* export */
+	ret = gnutls_pkcs7_export2(pkcs7, GNUTLS_X509_FMT_DER, &signature);
+	if (ret < 0) {
+		fprintf(stderr, "error in gnutls_pkcs7_export2: %s\n",
+			gnutls_strerror(ret));
+		return -1;
+	}
+	ctx->sig_data = signature.data;
+	ctx->sig_size = signature.size;
+
+	/* fill auth_info */
+	ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info)
+						+ ctx->sig_size;
+	ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0;
+	ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+	memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7,
+	       sizeof(efi_guid_cert_type_pkcs7));
+
+	/*
+	 * For better clean-ups,
+	 * gnutls_pkcs7_deinit(pkcs7);
+	 * gnutls_privkey_deinit(pkey);
+	 * gnutls_x509_crt_deinit(x509);
+	 * free(cert.data);
+	 * free(key.data);
+	 * if error
+	 *   gnutls_free(signature.data);
+	 */
+
+	return 0;
+}
+
+/**
+ * dump_signature - dump out a signature
+ * @path:	Path to a capsule file
+ * @signature:	Signature data
+ * @sig_size:	Size of signature data
+ *
+ * Signature data pointed to by @signature will be saved into
+ * a file whose file name is @path with ".p7" suffix.
+ *
+ * Return:
+ * * 0  - on success
+ * * -1 - on failure
+ */
+static int dump_signature(const char *path, uint8_t *signature, size_t sig_size)
+{
+	char *sig_path;
+	FILE *f;
+	size_t size;
+	int ret = -1;
+
+	sig_path = malloc(strlen(path) + 3 + 1);
+	if (!sig_path)
+		return ret;
+
+	sprintf(sig_path, "%s.p7", path);
+	f = fopen(sig_path, "w");
+	if (!f)
+		goto err;
+
+	size = fwrite(signature, 1, sig_size, f);
+	if (size == sig_size)
+		ret = 0;
+
+	fclose(f);
+err:
+	free(sig_path);
+	return ret;
+}
+
+/**
+ * free_sig_data - free out signature data
+ * @ctx:	Pointer to authentication context
+ *
+ * Free signature data allocated in create_auth_data().
+ */
+static void free_sig_data(struct auth_context *ctx)
+{
+	if (ctx->sig_size)
+		gnutls_free(ctx->sig_data);
+}
+
 /**
  * create_fwbin - create an uefi capsule file
  * @path:	Path to a created capsule file
@@ -168,23 +396,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
  * * -1 - on failure
  */
 static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
-			unsigned long index, unsigned long instance)
+			unsigned long index, unsigned long instance,
+			uint64_t mcount, char *privkey_file, char *cert_file)
 {
 	struct efi_capsule_header header;
 	struct efi_firmware_management_capsule_header capsule;
 	struct efi_firmware_management_capsule_image_header image;
+	struct auth_context auth_context;
 	FILE *f;
-	void *data;
+	uint8_t *data;
 	off_t bin_size;
-	u64 offset;
+	uint64_t offset;
 	int ret;
 
 #ifdef DEBUG
-	printf("For output: %s\n", path);
-	printf("\tbin: %s\n\ttype: %pUl\n", bin, guid);
-	printf("\tindex: %ld\n\tinstance: %ld\n", index, instance);
+	fprintf(stderr, "For output: %s\n", path);
+	fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid);
+	fprintf(stderr, "\tindex: %lu\n\tinstance: %lu\n", index, instance);
 #endif
-
+	auth_context.sig_size = 0;
 	f = NULL;
 	data = NULL;
 	ret = -1;
@@ -195,6 +425,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 	if (read_bin_file(bin, &data, &bin_size))
 		goto err;
 
+	/* first, calculate signature to determine its size */
+	if (privkey_file && cert_file) {
+		auth_context.key_file = privkey_file;
+		auth_context.cert_file = cert_file;
+		auth_context.auth.monotonic_count = mcount;
+		auth_context.image_data = data;
+		auth_context.image_size = bin_size;
+
+		if (create_auth_data(&auth_context)) {
+			fprintf(stderr, "Signing firmware image failed\n");
+			goto err;
+		}
+
+		if (dump_sig &&
+		    dump_signature(path, auth_context.sig_data,
+				   auth_context.sig_size)) {
+			fprintf(stderr, "Creating signature file failed\n");
+			goto err;
+		}
+	}
+
 	/*
 	 * write a capsule file
 	 */
@@ -212,9 +463,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 	/* TODO: The current implementation ignores flags */
 	header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET;
 	header.capsule_image_size = sizeof(header)
-					+ sizeof(capsule) + sizeof(u64)
+					+ sizeof(capsule) + sizeof(uint64_t)
 					+ sizeof(image)
 					+ bin_size;
+	if (auth_context.sig_size)
+		header.capsule_image_size += sizeof(auth_context.auth)
+				+ auth_context.sig_size;
 	if (write_capsule_file(f, &header, sizeof(header),
 			       "Capsule header"))
 		goto err;
@@ -230,7 +484,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 			       "Firmware capsule header"))
 		goto err;
 
-	offset = sizeof(capsule) + sizeof(u64);
+	offset = sizeof(capsule) + sizeof(uint64_t);
 	if (write_capsule_file(f, &offset, sizeof(offset),
 			       "Offset to capsule image"))
 		goto err;
@@ -245,13 +499,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 	image.reserved[1] = 0;
 	image.reserved[2] = 0;
 	image.update_image_size = bin_size;
+	if (auth_context.sig_size)
+		image.update_image_size += sizeof(auth_context.auth)
+				+ auth_context.sig_size;
 	image.update_vendor_code_size = 0; /* none */
 	image.update_hardware_instance = instance;
 	image.image_capsule_support = 0;
+	if (auth_context.sig_size)
+		image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION;
 	if (write_capsule_file(f, &image, sizeof(image),
 			       "Firmware capsule image header"))
 		goto err;
 
+	/*
+	 * signature
+	 */
+	if (auth_context.sig_size) {
+		if (write_capsule_file(f, &auth_context.auth,
+				       sizeof(auth_context.auth),
+				       "Authentication header"))
+			goto err;
+
+		if (write_capsule_file(f, auth_context.sig_data,
+				       auth_context.sig_size, "Signature"))
+			goto err;
+	}
+
 	/*
 	 * firmware binary
 	 */
@@ -262,28 +535,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
 err:
 	if (f)
 		fclose(f);
+	free_sig_data(&auth_context);
 	free(data);
 
 	return ret;
 }
 
-/*
- * Usage:
- *   $ mkeficapsule -f <firmware binary> <output file>
+/**
+ * main - main entry function of mkeficapsule
+ * @argc:	Number of arguments
+ * @argv:	Array of pointers to arguments
+ *
+ * Create an uefi capsule file, optionally signing it.
+ * Parse all the arguments and pass them on to create_fwbin().
+ *
+ * Return:
+ * * 0  - on success
+ * * -1 - on failure
  */
 int main(int argc, char **argv)
 {
 	char *file;
 	efi_guid_t *guid;
 	unsigned long index, instance;
+	uint64_t mcount;
+	char *privkey_file, *cert_file;
 	int c, idx;
 
 	file = NULL;
 	guid = NULL;
 	index = 0;
 	instance = 0;
+	mcount = 0;
+	privkey_file = NULL;
+	cert_file = NULL;
+	dump_sig = 0;
 	for (;;) {
-		c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx);
+		c = getopt_long(argc, argv, opts_short, options, &idx);
 		if (c == -1)
 			break;
 
@@ -291,7 +579,7 @@ int main(int argc, char **argv)
 		case 'f':
 			if (file) {
 				fprintf(stderr, "Image already specified\n");
-				return -1;
+				exit(EXIT_FAILURE);
 			}
 			file = optarg;
 			guid = &efi_guid_image_type_uboot_fit;
@@ -299,7 +587,7 @@ int main(int argc, char **argv)
 		case 'r':
 			if (file) {
 				fprintf(stderr, "Image already specified\n");
-				return -1;
+				exit(EXIT_FAILURE);
 			}
 			file = optarg;
 			guid = &efi_guid_image_type_uboot_raw;
@@ -310,14 +598,38 @@ int main(int argc, char **argv)
 		case 'I':
 			instance = strtoul(optarg, NULL, 0);
 			break;
+		case 'p':
+			if (privkey_file) {
+				fprintf(stderr,
+					"Private Key already specified\n");
+				exit(EXIT_FAILURE);
+			}
+			privkey_file = optarg;
+			break;
+		case 'c':
+			if (cert_file) {
+				fprintf(stderr,
+					"Certificate file already specified\n");
+				exit(EXIT_FAILURE);
+			}
+			cert_file = optarg;
+			break;
+		case 'm':
+			mcount = strtoul(optarg, NULL, 0);
+			break;
+		case 'd':
+			dump_sig = 1;
+			break;
 		case 'h':
 			print_usage();
-			return 0;
+			exit(EXIT_SUCCESS);
 		}
 	}
 
-	/* need an output file */
-	if (argc != optind + 1) {
+	/* check necessary parameters */
+	if ((argc != optind + 1) || !file ||
+	    ((privkey_file && !cert_file) ||
+	     (!privkey_file && cert_file))) {
 		print_usage();
 		exit(EXIT_FAILURE);
 	}
@@ -328,8 +640,8 @@ int main(int argc, char **argv)
 		exit(EXIT_SUCCESS);
 	}
 
-	if (create_fwbin(argv[optind], file, guid, index, instance)
-			< 0) {
+	if (create_fwbin(argv[optind], file, guid, index, instance,
+			 mcount, privkey_file, cert_file) < 0) {
 		fprintf(stderr, "Creating firmware capsule failed\n");
 		exit(EXIT_FAILURE);
 	}
-- 
2.33.0

Re: [PATCH v11 2/9] tools: mkeficapsule: add firmware image signing

[Heinrich Schuchardt]

On 2/9/22 11:10, AKASHI Takahiro wrote:
> With this enhancement, mkeficapsule will be able to sign a capsule
> file when it is created. A signature added will be used later
> in the verification at FMP's SetImage() call.
>
> To do that, we need specify additional command parameters:
>    -monotonic-cout <count> : monotonic count
>    -private-key <private key file> : private key file
>    -certificate <certificate file> : certificate file
> Only when all of those parameters are given, a signature will be added
> to a capsule file.
>
> Users are expected to maintain and increment the monotonic count at
> every time of the update for each firmware image.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
>   .azure-pipelines.yml |   2 +-
>   tools/Makefile       |   1 +
>   tools/eficapsule.h   | 115 +++++++++++++
>   tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
>   4 files changed, 463 insertions(+), 35 deletions(-)
>   create mode 100644 tools/eficapsule.h
>
> diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> index f2aa332be5cc..aecc9cb88441 100644
> --- a/.azure-pipelines.yml
> +++ b/.azure-pipelines.yml
> @@ -25,7 +25,7 @@ stages:
>             %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm -Syyuu"
>           displayName: 'Update MSYS2'
>         - script: |
> -          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel"
> +          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel libgnutls-devel"
>           displayName: 'Install Toolchain'
>         - script: |
>             echo make tools-only_defconfig tools-only NO_SDL=1 > build-tools.sh
> diff --git a/tools/Makefile b/tools/Makefile
> index 766c0674f4a0..8da07d60a755 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -238,6 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs
>   hostprogs-$(CONFIG_ASN1_COMPILER)	+= asn1_compiler
>   HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
>
> +HOSTLDLIBS_mkeficapsule += -lgnutls
>   hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
>
>   # We build some files with extra pedantic flags to try to minimize things
> diff --git a/tools/eficapsule.h b/tools/eficapsule.h
> new file mode 100644
> index 000000000000..8c1560bb0671
> --- /dev/null
> +++ b/tools/eficapsule.h
> @@ -0,0 +1,115 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright 2021 Linaro Limited
> + *		Author: AKASHI Takahiro
> + *
> + * derived from efi.h and efi_api.h to make the file POSIX-compliant
> + */
> +
> +#ifndef _EFI_CAPSULE_H
> +#define _EFI_CAPSULE_H
> +
> +#include <stdint.h>
> +#include <pe.h> /* WIN_CERTIFICATE */
> +
> +/*
> + * Gcc's predefined attributes are not recognized by clang.
> + */
> +#ifndef __packed
> +#define __packed	__attribute__((__packed__))
> +#endif
> +
> +#ifndef __aligned
> +#define __aligned(x)	__attribute__((__aligned__(x)))
> +#endif
> +
> +typedef struct {
> +	uint8_t b[16];
> +} efi_guid_t __aligned(8);
> +
> +#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
> +	{{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \
> +		((a) >> 24) & 0xff, \
> +		(b) & 0xff, ((b) >> 8) & 0xff, \
> +		(c) & 0xff, ((c) >> 8) & 0xff, \
> +		(d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } }
> +
> +#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \
> +	EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \
> +		 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a)
> +
> +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \
> +	EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \
> +		 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47)
> +
> +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \
> +	EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \
> +		 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f)
> +
> +#define EFI_CERT_TYPE_PKCS7_GUID \
> +	EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
> +		 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
> +
> +/* flags */
> +#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET      0x00010000
> +
> +struct efi_capsule_header {
> +	efi_guid_t capsule_guid;
> +	uint32_t header_size;
> +	uint32_t flags;
> +	uint32_t capsule_image_size;
> +} __packed;
> +
> +struct efi_firmware_management_capsule_header {
> +	uint32_t version;
> +	uint16_t embedded_driver_count;
> +	uint16_t payload_item_count;
> +	uint32_t item_offset_list[];
> +} __packed;
> +
> +/* image_capsule_support */
> +#define CAPSULE_SUPPORT_AUTHENTICATION          0x0000000000000001
> +
> +struct efi_firmware_management_capsule_image_header {
> +	uint32_t version;
> +	efi_guid_t update_image_type_id;
> +	uint8_t update_image_index;
> +	uint8_t reserved[3];
> +	uint32_t update_image_size;
> +	uint32_t update_vendor_code_size;
> +	uint64_t update_hardware_instance;
> +	uint64_t image_capsule_support;
> +} __packed;
> +
> +/**
> + * win_certificate_uefi_guid - A certificate that encapsulates
> + * a GUID-specific signature
> + *
> + * @hdr:	Windows certificate header
> + * @cert_type:	Certificate type
> + * @cert_data:	Certificate data
> + */
> +struct win_certificate_uefi_guid {
> +	WIN_CERTIFICATE	hdr;
> +	efi_guid_t cert_type;
> +	uint8_t cert_data[];
> +} __packed;
> +
> +/**
> + * efi_firmware_image_authentication - Capsule authentication method
> + * descriptor
> + *
> + * This structure describes an authentication information for
> + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set
> + * and should be included as part of the capsule.
> + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
> + *
> + * @monotonic_count: Count to prevent replay
> + * @auth_info: Authentication info
> + */
> +struct efi_firmware_image_authentication {
> +	uint64_t monotonic_count;
> +	struct win_certificate_uefi_guid auth_info;
> +} __packed;
> +
> +#endif /* _EFI_CAPSULE_H */
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> index 243fd6e48370..b996c66ad26a 100644
> --- a/tools/mkeficapsule.c
> +++ b/tools/mkeficapsule.c
> @@ -16,21 +16,13 @@
>   #include <sys/stat.h>
>   #include <sys/types.h>
>
> -typedef __u8 u8;
> -typedef __u16 u16;
> -typedef __u32 u32;
> -typedef __u64 u64;
> -typedef __s16 s16;
> -typedef __s32 s32;
> +#include <linux/kconfig.h>
>
> -#define aligned_u64 __aligned_u64
> +#include <gnutls/gnutls.h>
> +#include <gnutls/pkcs7.h>
> +#include <gnutls/abstract.h>
>
> -#ifndef __packed
> -#define __packed __attribute__((packed))
> -#endif
> -
> -#include <efi.h>
> -#include <efi_api.h>
> +#include "eficapsule.h"
>
>   static const char *tool_name = "mkeficapsule";
>
> @@ -39,12 +31,19 @@ efi_guid_t efi_guid_image_type_uboot_fit =
>   		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID;
>   efi_guid_t efi_guid_image_type_uboot_raw =
>   		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID;
> +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
> +
> +static const char *opts_short = "f:r:i:I:v:p:c:m:dh";
>
>   static struct option options[] = {
>   	{"fit", required_argument, NULL, 'f'},
>   	{"raw", required_argument, NULL, 'r'},
>   	{"index", required_argument, NULL, 'i'},
>   	{"instance", required_argument, NULL, 'I'},
> +	{"private-key", required_argument, NULL, 'p'},
> +	{"certificate", required_argument, NULL, 'c'},
> +	{"monotonic-count", required_argument, NULL, 'm'},
> +	{"dump-sig", no_argument, NULL, 'd'},
>   	{"help", no_argument, NULL, 'h'},
>   	{NULL, 0, NULL, 0},
>   };
> @@ -58,10 +57,40 @@ static void print_usage(void)
>   		"\t-r, --raw <raw image>       new raw image file\n"
>   		"\t-i, --index <index>         update image index\n"
>   		"\t-I, --instance <instance>   update hardware instance\n"
> +		"\t-p, --private-key <privkey file>  private key file\n"
> +		"\t-c, --certificate <cert file>     signer's certificate file\n"
> +		"\t-m, --monotonic-count <count>     monotonic count\n"
> +		"\t-d, --dump_sig              dump signature (*.p7)\n"
>   		"\t-h, --help                  print a help message\n",
>   		tool_name);
>   }
>
> +/**
> + * auth_context - authentication context
> + * @key_file:	Path to a private key file
> + * @cert_file:	Path to a certificate file
> + * @image_data:	Pointer to firmware data
> + * @image_size:	Size of firmware data
> + * @auth:	Authentication header
> + * @sig_data:	Signature data
> + * @sig_size:	Size of signature data
> + *
> + * Data structure used in create_auth_data(). @key_file through
> + * @image_size are input parameters. @auth, @sig_data and @sig_size
> + * are filled in by create_auth_data().
> + */
> +struct auth_context {
> +	char *key_file;
> +	char *cert_file;
> +	uint8_t *image_data;
> +	size_t image_size;
> +	struct efi_firmware_image_authentication auth;
> +	uint8_t *sig_data;
> +	size_t sig_size;
> +};
> +
> +static int dump_sig;
> +
>   /**
>    * read_bin_file - read a firmware binary file
>    * @bin:	Path to a firmware binary file
> @@ -75,7 +104,7 @@ static void print_usage(void)
>    * * 0  - on success
>    * * -1 - on failure
>    */
> -static int read_bin_file(char *bin, void **data, off_t *bin_size)
> +static int read_bin_file(char *bin, uint8_t **data, off_t *bin_size)
>   {
>   	FILE *g;
>   	struct stat bin_stat;
> @@ -147,6 +176,205 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
>   	return 0;
>   }
>
> +/**
> + * create_auth_data - compose authentication data in capsule
> + * @auth_context:	Pointer to authentication context
> + *
> + * Fill up an authentication header (.auth) and signature data (.sig_data)
> + * in @auth_context, using library functions from openssl.
> + * All the parameters in @auth_context must be filled in by a caller.
> + *
> + * Return:
> + * * 0  - on success
> + * * -1 - on failure
> + */
> +static int create_auth_data(struct auth_context *ctx)
> +{
> +	gnutls_datum_t cert;
> +	gnutls_datum_t key;
> +	off_t file_size;
> +	gnutls_privkey_t pkey;
> +	gnutls_x509_crt_t x509;
> +	gnutls_pkcs7_t pkcs7;
> +	gnutls_datum_t data;
> +	gnutls_datum_t signature;
> +	int ret;
> +
> +	ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
> +	if (ret < 0)
> +		return -1;
> +	if (file_size > UINT_MAX)
> +		return -1;
> +	cert.size = file_size;
> +
> +	ret = read_bin_file(ctx->key_file, &key.data, &file_size);
> +	if (ret < 0)
> +		return -1;
> +	if (ret < 0)
> +		return -1;
> +	if (file_size > UINT_MAX)
> +		return -1;
> +	key.size = file_size;
> +
> +	/*
> +	 * For debugging,
> +	 * gnutls_global_set_time_function(mytime);
> +	 * gnutls_global_set_log_function(tls_log_func);
> +	 * gnutls_global_set_log_level(6);
> +	 */
> +
> +	ret = gnutls_privkey_init(&pkey);
> +	if (ret < 0) {
> +		fprintf(stderr, "error in gnutls_privkey_init(): %s\n",
> +			gnutls_strerror(ret));
> +		return -1;
> +	}
> +
> +	ret = gnutls_x509_crt_init(&x509);
> +	if (ret < 0) {
> +		fprintf(stderr, "error in gnutls_x509_crt_init(): %s\n",
> +			gnutls_strerror(ret));
> +		return -1;
> +	}
> +
> +	/* load a private key */
> +	ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
> +					     0, 0);
> +	if (ret < 0) {
> +		fprintf(stderr,
> +			"error in gnutls_privkey_import_x509_raw(): %s\n",
> +			gnutls_strerror(ret));
> +		return -1;
> +	}
> +
> +	/* load x509 certificate */
> +	ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
> +	if (ret < 0) {
> +		fprintf(stderr, "error in gnutls_x509_crt_import(): %s\n",
> +			gnutls_strerror(ret));
> +		return -1;
> +	}
> +
> +	/* generate a PKCS #7 structure */
> +	ret = gnutls_pkcs7_init(&pkcs7);
> +	if (ret < 0) {
> +		fprintf(stderr, "error in gnutls_pkcs7_init(): %s\n",
> +			gnutls_strerror(ret));
> +		return -1;
> +	}
> +
> +	/* sign */
> +	/*
> +	 * Data should have
> +	 *  * firmware image
> +	 *  * monotonic count
> +	 * in this order!
> +	 * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256()
> +	 */
> +	data.size = ctx->image_size + sizeof(ctx->auth.monotonic_count);
> +	data.data = malloc(data.size);
> +	if (!data.data) {
> +		fprintf(stderr, "allocating memory (0x%x) failed\n", data.size);
> +		return -1;
> +	}
> +	memcpy(data.data, ctx->image_data, ctx->image_size);
> +	memcpy(data.data + ctx->image_size, &ctx->auth.monotonic_count,
> +	       sizeof(ctx->auth.monotonic_count));
> +
> +	ret = gnutls_pkcs7_sign(pkcs7, x509, pkey, &data, NULL, NULL,
> +				GNUTLS_DIG_SHA256,
> +				/* GNUTLS_PKCS7_EMBED_DATA? */
> +				GNUTLS_PKCS7_INCLUDE_CERT |
> +				GNUTLS_PKCS7_INCLUDE_TIME);
> +	if (ret < 0) {
> +		fprintf(stderr, "error in gnutls_pkcs7)sign(): %s\n",
> +			gnutls_strerror(ret));
> +		return -1;
> +	}
> +
> +	/* export */
> +	ret = gnutls_pkcs7_export2(pkcs7, GNUTLS_X509_FMT_DER, &signature);
> +	if (ret < 0) {
> +		fprintf(stderr, "error in gnutls_pkcs7_export2: %s\n",
> +			gnutls_strerror(ret));
> +		return -1;
> +	}
> +	ctx->sig_data = signature.data;
> +	ctx->sig_size = signature.size;
> +
> +	/* fill auth_info */
> +	ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info)
> +						+ ctx->sig_size;
> +	ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0;
> +	ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> +	memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7,
> +	       sizeof(efi_guid_cert_type_pkcs7));
> +
> +	/*
> +	 * For better clean-ups,
> +	 * gnutls_pkcs7_deinit(pkcs7);
> +	 * gnutls_privkey_deinit(pkey);
> +	 * gnutls_x509_crt_deinit(x509);
> +	 * free(cert.data);
> +	 * free(key.data);
> +	 * if error
> +	 *   gnutls_free(signature.data);
> +	 */
> +
> +	return 0;
> +}
> +
> +/**
> + * dump_signature - dump out a signature
> + * @path:	Path to a capsule file
> + * @signature:	Signature data
> + * @sig_size:	Size of signature data
> + *
> + * Signature data pointed to by @signature will be saved into
> + * a file whose file name is @path with ".p7" suffix.
> + *
> + * Return:
> + * * 0  - on success
> + * * -1 - on failure
> + */
> +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size)
> +{
> +	char *sig_path;
> +	FILE *f;
> +	size_t size;
> +	int ret = -1;
> +
> +	sig_path = malloc(strlen(path) + 3 + 1);
> +	if (!sig_path)
> +		return ret;
> +
> +	sprintf(sig_path, "%s.p7", path);
> +	f = fopen(sig_path, "w");
> +	if (!f)
> +		goto err;
> +
> +	size = fwrite(signature, 1, sig_size, f);
> +	if (size == sig_size)
> +		ret = 0;
> +
> +	fclose(f);
> +err:
> +	free(sig_path);
> +	return ret;
> +}
> +
> +/**
> + * free_sig_data - free out signature data
> + * @ctx:	Pointer to authentication context
> + *
> + * Free signature data allocated in create_auth_data().
> + */
> +static void free_sig_data(struct auth_context *ctx)
> +{
> +	if (ctx->sig_size)
> +		gnutls_free(ctx->sig_data);
> +}
> +
>   /**
>    * create_fwbin - create an uefi capsule file
>    * @path:	Path to a created capsule file
> @@ -168,23 +396,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
>    * * -1 - on failure
>    */
>   static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> -			unsigned long index, unsigned long instance)
> +			unsigned long index, unsigned long instance,
> +			uint64_t mcount, char *privkey_file, char *cert_file)
>   {
>   	struct efi_capsule_header header;
>   	struct efi_firmware_management_capsule_header capsule;
>   	struct efi_firmware_management_capsule_image_header image;
> +	struct auth_context auth_context;
>   	FILE *f;
> -	void *data;
> +	uint8_t *data;
>   	off_t bin_size;
> -	u64 offset;
> +	uint64_t offset;
>   	int ret;
>
>   #ifdef DEBUG
> -	printf("For output: %s\n", path);
> -	printf("\tbin: %s\n\ttype: %pUl\n", bin, guid);
> -	printf("\tindex: %ld\n\tinstance: %ld\n", index, instance);
> +	fprintf(stderr, "For output: %s\n", path);
> +	fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid);
> +	fprintf(stderr, "\tindex: %lu\n\tinstance: %lu\n", index, instance);
>   #endif
> -
> +	auth_context.sig_size = 0;
>   	f = NULL;
>   	data = NULL;
>   	ret = -1;
> @@ -195,6 +425,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   	if (read_bin_file(bin, &data, &bin_size))
>   		goto err;
>
> +	/* first, calculate signature to determine its size */
> +	if (privkey_file && cert_file) {
> +		auth_context.key_file = privkey_file;
> +		auth_context.cert_file = cert_file;
> +		auth_context.auth.monotonic_count = mcount;
> +		auth_context.image_data = data;
> +		auth_context.image_size = bin_size;
> +
> +		if (create_auth_data(&auth_context)) {
> +			fprintf(stderr, "Signing firmware image failed\n");
> +			goto err;
> +		}
> +
> +		if (dump_sig &&
> +		    dump_signature(path, auth_context.sig_data,
> +				   auth_context.sig_size)) {
> +			fprintf(stderr, "Creating signature file failed\n");
> +			goto err;
> +		}
> +	}
> +
>   	/*
>   	 * write a capsule file
>   	 */
> @@ -212,9 +463,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   	/* TODO: The current implementation ignores flags */
>   	header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET;
>   	header.capsule_image_size = sizeof(header)
> -					+ sizeof(capsule) + sizeof(u64)
> +					+ sizeof(capsule) + sizeof(uint64_t)
>   					+ sizeof(image)
>   					+ bin_size;
> +	if (auth_context.sig_size)
> +		header.capsule_image_size += sizeof(auth_context.auth)
> +				+ auth_context.sig_size;
>   	if (write_capsule_file(f, &header, sizeof(header),
>   			       "Capsule header"))
>   		goto err;
> @@ -230,7 +484,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   			       "Firmware capsule header"))
>   		goto err;
>
> -	offset = sizeof(capsule) + sizeof(u64);
> +	offset = sizeof(capsule) + sizeof(uint64_t);
>   	if (write_capsule_file(f, &offset, sizeof(offset),
>   			       "Offset to capsule image"))
>   		goto err;
> @@ -245,13 +499,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   	image.reserved[1] = 0;
>   	image.reserved[2] = 0;
>   	image.update_image_size = bin_size;
> +	if (auth_context.sig_size)
> +		image.update_image_size += sizeof(auth_context.auth)
> +				+ auth_context.sig_size;
>   	image.update_vendor_code_size = 0; /* none */
>   	image.update_hardware_instance = instance;
>   	image.image_capsule_support = 0;
> +	if (auth_context.sig_size)
> +		image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION;
>   	if (write_capsule_file(f, &image, sizeof(image),
>   			       "Firmware capsule image header"))
>   		goto err;
>
> +	/*
> +	 * signature
> +	 */
> +	if (auth_context.sig_size) {
> +		if (write_capsule_file(f, &auth_context.auth,
> +				       sizeof(auth_context.auth),
> +				       "Authentication header"))
> +			goto err;
> +
> +		if (write_capsule_file(f, auth_context.sig_data,
> +				       auth_context.sig_size, "Signature"))
> +			goto err;
> +	}
> +
>   	/*
>   	 * firmware binary
>   	 */
> @@ -262,28 +535,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
>   err:
>   	if (f)
>   		fclose(f);
> +	free_sig_data(&auth_context);
>   	free(data);
>
>   	return ret;
>   }
>
> -/*
> - * Usage:
> - *   $ mkeficapsule -f <firmware binary> <output file>
> +/**
> + * main - main entry function of mkeficapsule
> + * @argc:	Number of arguments
> + * @argv:	Array of pointers to arguments
> + *
> + * Create an uefi capsule file, optionally signing it.
> + * Parse all the arguments and pass them on to create_fwbin().
> + *
> + * Return:
> + * * 0  - on success
> + * * -1 - on failure
>    */
>   int main(int argc, char **argv)
>   {
>   	char *file;
>   	efi_guid_t *guid;
>   	unsigned long index, instance;
> +	uint64_t mcount;
> +	char *privkey_file, *cert_file;
>   	int c, idx;
>
>   	file = NULL;
>   	guid = NULL;
>   	index = 0;
>   	instance = 0;
> +	mcount = 0;
> +	privkey_file = NULL;
> +	cert_file = NULL;
> +	dump_sig = 0;
>   	for (;;) {
> -		c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx);
> +		c = getopt_long(argc, argv, opts_short, options, &idx);
>   		if (c == -1)
>   			break;
>
> @@ -291,7 +579,7 @@ int main(int argc, char **argv)
>   		case 'f':
>   			if (file) {
>   				fprintf(stderr, "Image already specified\n");
> -				return -1;
> +				exit(EXIT_FAILURE);
>   			}
>   			file = optarg;
>   			guid = &efi_guid_image_type_uboot_fit;
> @@ -299,7 +587,7 @@ int main(int argc, char **argv)
>   		case 'r':
>   			if (file) {
>   				fprintf(stderr, "Image already specified\n");
> -				return -1;
> +				exit(EXIT_FAILURE);
>   			}
>   			file = optarg;
>   			guid = &efi_guid_image_type_uboot_raw;
> @@ -310,14 +598,38 @@ int main(int argc, char **argv)
>   		case 'I':
>   			instance = strtoul(optarg, NULL, 0);
>   			break;
> +		case 'p':
> +			if (privkey_file) {
> +				fprintf(stderr,
> +					"Private Key already specified\n");
> +				exit(EXIT_FAILURE);
> +			}
> +			privkey_file = optarg;
> +			break;
> +		case 'c':
> +			if (cert_file) {
> +				fprintf(stderr,
> +					"Certificate file already specified\n");
> +				exit(EXIT_FAILURE);
> +			}
> +			cert_file = optarg;
> +			break;
> +		case 'm':
> +			mcount = strtoul(optarg, NULL, 0);
> +			break;
> +		case 'd':
> +			dump_sig = 1;
> +			break;
>   		case 'h':
>   			print_usage();
> -			return 0;
> +			exit(EXIT_SUCCESS);
>   		}
>   	}
>
> -	/* need an output file */
> -	if (argc != optind + 1) {
> +	/* check necessary parameters */
> +	if ((argc != optind + 1) || !file ||
> +	    ((privkey_file && !cert_file) ||
> +	     (!privkey_file && cert_file))) {
>   		print_usage();
>   		exit(EXIT_FAILURE);
>   	}
> @@ -328,8 +640,8 @@ int main(int argc, char **argv)
>   		exit(EXIT_SUCCESS);
>   	}
>
> -	if (create_fwbin(argv[optind], file, guid, index, instance)
> -			< 0) {
> +	if (create_fwbin(argv[optind], file, guid, index, instance,
> +			 mcount, privkey_file, cert_file) < 0) {
>   		fprintf(stderr, "Creating firmware capsule failed\n");
>   		exit(EXIT_FAILURE);
>   	}

Tom just caught the following warnings when building sandobox_defconfig
with clang. Unfortunately -Werror is not enabled for tools yet.

In file included from tools/mkeficapsule.c:24:
./tools/eficapsule.h:93:18: warning: field 'hdr' with variable sized
type 'WIN_CERTIFICATE' (aka 'struct _WIN_CERTIFICATE') not at the end of
a struct or class is a GNU extension [-Wgnu-variable-sized-type-not-at-end]
         WIN_CERTIFICATE hdr;
                         ^
tools/mkeficapsule.c:88:43: warning: field 'auth' with variable sized
type 'struct efi_firmware_image_authentication' not at the end of a
struct or class is a GNU extension [-Wgnu-variable-sized-type-not-at-end]
         struct efi_firmware_image_authentication auth;
                                                  ^

As the zero sized members are not referenced we can remove them. The
following diff seems to fix the problem:

diff --git a/tools/eficapsule.h b/tools/eficapsule.h
index 8c1560bb06..69c9c58c2f 100644
--- a/tools/eficapsule.h
+++ b/tools/eficapsule.h
@@ -10,7 +10,6 @@
  #define _EFI_CAPSULE_H

  #include <stdint.h>
-#include <pe.h> /* WIN_CERTIFICATE */

  /*
   * Gcc's predefined attributes are not recognized by clang.
@@ -85,14 +84,16 @@ struct efi_firmware_management_capsule_image_header {
   * win_certificate_uefi_guid - A certificate that encapsulates
   * a GUID-specific signature
   *
- * @hdr:       Windows certificate header
+ * @hdr:       Windows certificate header, cf. WIN_CERTIFICATE
   * @cert_type: Certificate type
- * @cert_data: Certificate data
   */
  struct win_certificate_uefi_guid {
-       WIN_CERTIFICATE hdr;
+       struct {
+               uint32_t dwLength;
+               uint16_t wRevision;
+               uint16_t wCertificateType;
+       } hdr;
         efi_guid_t cert_type;
-       uint8_t cert_data[];
  } __packed;

  /**
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index 550f5f88e3..f7590e482f 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -5,6 +5,7 @@
   */

  #include <getopt.h>
+#include <pe.h>
  #include <stdbool.h>
  #include <stdint.h>
  #include <stdio.h>

Best regards

Heinrich

Re: [PATCH v11 2/9] tools: mkeficapsule: add firmware image signing

[AKASHI Takahiro]

Heinrich,

On Fri, Feb 11, 2022 at 08:16:34PM +0100, Heinrich Schuchardt wrote:
> On 2/9/22 11:10, AKASHI Takahiro wrote:
> > With this enhancement, mkeficapsule will be able to sign a capsule
> > file when it is created. A signature added will be used later
> > in the verification at FMP's SetImage() call.
> > 
> > To do that, we need specify additional command parameters:
> >    -monotonic-cout <count> : monotonic count
> >    -private-key <private key file> : private key file
> >    -certificate <certificate file> : certificate file
> > Only when all of those parameters are given, a signature will be added
> > to a capsule file.
> > 
> > Users are expected to maintain and increment the monotonic count at
> > every time of the update for each firmware image.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> > Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > ---
> >   .azure-pipelines.yml |   2 +-
> >   tools/Makefile       |   1 +
> >   tools/eficapsule.h   | 115 +++++++++++++
> >   tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
> >   4 files changed, 463 insertions(+), 35 deletions(-)
> >   create mode 100644 tools/eficapsule.h
> > 
> > diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> > index f2aa332be5cc..aecc9cb88441 100644
> > --- a/.azure-pipelines.yml
> > +++ b/.azure-pipelines.yml
> > @@ -25,7 +25,7 @@ stages:
> >             %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm -Syyuu"
> >           displayName: 'Update MSYS2'
> >         - script: |
> > -          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel"
> > +          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel libgnutls-devel"
> >           displayName: 'Install Toolchain'
> >         - script: |
> >             echo make tools-only_defconfig tools-only NO_SDL=1 > build-tools.sh
> > diff --git a/tools/Makefile b/tools/Makefile
> > index 766c0674f4a0..8da07d60a755 100644
> > --- a/tools/Makefile
> > +++ b/tools/Makefile
> > @@ -238,6 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs
> >   hostprogs-$(CONFIG_ASN1_COMPILER)	+= asn1_compiler
> >   HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
> > 
> > +HOSTLDLIBS_mkeficapsule += -lgnutls
> >   hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
> > 
> >   # We build some files with extra pedantic flags to try to minimize things
> > diff --git a/tools/eficapsule.h b/tools/eficapsule.h
> > new file mode 100644
> > index 000000000000..8c1560bb0671
> > --- /dev/null
> > +++ b/tools/eficapsule.h
> > @@ -0,0 +1,115 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +/*
> > + * Copyright 2021 Linaro Limited
> > + *		Author: AKASHI Takahiro
> > + *
> > + * derived from efi.h and efi_api.h to make the file POSIX-compliant
> > + */
> > +
> > +#ifndef _EFI_CAPSULE_H
> > +#define _EFI_CAPSULE_H
> > +
> > +#include <stdint.h>
> > +#include <pe.h> /* WIN_CERTIFICATE */
> > +
> > +/*
> > + * Gcc's predefined attributes are not recognized by clang.
> > + */
> > +#ifndef __packed
> > +#define __packed	__attribute__((__packed__))
> > +#endif
> > +
> > +#ifndef __aligned
> > +#define __aligned(x)	__attribute__((__aligned__(x)))
> > +#endif
> > +
> > +typedef struct {
> > +	uint8_t b[16];
> > +} efi_guid_t __aligned(8);
> > +
> > +#define EFI_GUID(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
> > +	{{ (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, \
> > +		((a) >> 24) & 0xff, \
> > +		(b) & 0xff, ((b) >> 8) & 0xff, \
> > +		(c) & 0xff, ((c) >> 8) & 0xff, \
> > +		(d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) } }
> > +
> > +#define EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID \
> > +	EFI_GUID(0x6dcbd5ed, 0xe82d, 0x4c44, 0xbd, 0xa1, \
> > +		 0x71, 0x94, 0x19, 0x9a, 0xd9, 0x2a)
> > +
> > +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID \
> > +	EFI_GUID(0xae13ff2d, 0x9ad4, 0x4e25, 0x9a, 0xc8, \
> > +		 0x6d, 0x80, 0xb3, 0xb2, 0x21, 0x47)
> > +
> > +#define EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID \
> > +	EFI_GUID(0xe2bb9c06, 0x70e9, 0x4b14, 0x97, 0xa3, \
> > +		 0x5a, 0x79, 0x13, 0x17, 0x6e, 0x3f)
> > +
> > +#define EFI_CERT_TYPE_PKCS7_GUID \
> > +	EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
> > +		 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
> > +
> > +/* flags */
> > +#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET      0x00010000
> > +
> > +struct efi_capsule_header {
> > +	efi_guid_t capsule_guid;
> > +	uint32_t header_size;
> > +	uint32_t flags;
> > +	uint32_t capsule_image_size;
> > +} __packed;
> > +
> > +struct efi_firmware_management_capsule_header {
> > +	uint32_t version;
> > +	uint16_t embedded_driver_count;
> > +	uint16_t payload_item_count;
> > +	uint32_t item_offset_list[];
> > +} __packed;
> > +
> > +/* image_capsule_support */
> > +#define CAPSULE_SUPPORT_AUTHENTICATION          0x0000000000000001
> > +
> > +struct efi_firmware_management_capsule_image_header {
> > +	uint32_t version;
> > +	efi_guid_t update_image_type_id;
> > +	uint8_t update_image_index;
> > +	uint8_t reserved[3];
> > +	uint32_t update_image_size;
> > +	uint32_t update_vendor_code_size;
> > +	uint64_t update_hardware_instance;
> > +	uint64_t image_capsule_support;
> > +} __packed;
> > +
> > +/**
> > + * win_certificate_uefi_guid - A certificate that encapsulates
> > + * a GUID-specific signature
> > + *
> > + * @hdr:	Windows certificate header
> > + * @cert_type:	Certificate type
> > + * @cert_data:	Certificate data
> > + */
> > +struct win_certificate_uefi_guid {
> > +	WIN_CERTIFICATE	hdr;
> > +	efi_guid_t cert_type;
> > +	uint8_t cert_data[];
> > +} __packed;
> > +
> > +/**
> > + * efi_firmware_image_authentication - Capsule authentication method
> > + * descriptor
> > + *
> > + * This structure describes an authentication information for
> > + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set
> > + * and should be included as part of the capsule.
> > + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
> > + *
> > + * @monotonic_count: Count to prevent replay
> > + * @auth_info: Authentication info
> > + */
> > +struct efi_firmware_image_authentication {
> > +	uint64_t monotonic_count;
> > +	struct win_certificate_uefi_guid auth_info;
> > +} __packed;
> > +
> > +#endif /* _EFI_CAPSULE_H */
> > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> > index 243fd6e48370..b996c66ad26a 100644
> > --- a/tools/mkeficapsule.c
> > +++ b/tools/mkeficapsule.c
> > @@ -16,21 +16,13 @@
> >   #include <sys/stat.h>
> >   #include <sys/types.h>
> > 
> > -typedef __u8 u8;
> > -typedef __u16 u16;
> > -typedef __u32 u32;
> > -typedef __u64 u64;
> > -typedef __s16 s16;
> > -typedef __s32 s32;
> > +#include <linux/kconfig.h>
> > 
> > -#define aligned_u64 __aligned_u64
> > +#include <gnutls/gnutls.h>
> > +#include <gnutls/pkcs7.h>
> > +#include <gnutls/abstract.h>
> > 
> > -#ifndef __packed
> > -#define __packed __attribute__((packed))
> > -#endif
> > -
> > -#include <efi.h>
> > -#include <efi_api.h>
> > +#include "eficapsule.h"
> > 
> >   static const char *tool_name = "mkeficapsule";
> > 
> > @@ -39,12 +31,19 @@ efi_guid_t efi_guid_image_type_uboot_fit =
> >   		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID;
> >   efi_guid_t efi_guid_image_type_uboot_raw =
> >   		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID;
> > +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
> > +
> > +static const char *opts_short = "f:r:i:I:v:p:c:m:dh";
> > 
> >   static struct option options[] = {
> >   	{"fit", required_argument, NULL, 'f'},
> >   	{"raw", required_argument, NULL, 'r'},
> >   	{"index", required_argument, NULL, 'i'},
> >   	{"instance", required_argument, NULL, 'I'},
> > +	{"private-key", required_argument, NULL, 'p'},
> > +	{"certificate", required_argument, NULL, 'c'},
> > +	{"monotonic-count", required_argument, NULL, 'm'},
> > +	{"dump-sig", no_argument, NULL, 'd'},
> >   	{"help", no_argument, NULL, 'h'},
> >   	{NULL, 0, NULL, 0},
> >   };
> > @@ -58,10 +57,40 @@ static void print_usage(void)
> >   		"\t-r, --raw <raw image>       new raw image file\n"
> >   		"\t-i, --index <index>         update image index\n"
> >   		"\t-I, --instance <instance>   update hardware instance\n"
> > +		"\t-p, --private-key <privkey file>  private key file\n"
> > +		"\t-c, --certificate <cert file>     signer's certificate file\n"
> > +		"\t-m, --monotonic-count <count>     monotonic count\n"
> > +		"\t-d, --dump_sig              dump signature (*.p7)\n"
> >   		"\t-h, --help                  print a help message\n",
> >   		tool_name);
> >   }
> > 
> > +/**
> > + * auth_context - authentication context
> > + * @key_file:	Path to a private key file
> > + * @cert_file:	Path to a certificate file
> > + * @image_data:	Pointer to firmware data
> > + * @image_size:	Size of firmware data
> > + * @auth:	Authentication header
> > + * @sig_data:	Signature data
> > + * @sig_size:	Size of signature data
> > + *
> > + * Data structure used in create_auth_data(). @key_file through
> > + * @image_size are input parameters. @auth, @sig_data and @sig_size
> > + * are filled in by create_auth_data().
> > + */
> > +struct auth_context {
> > +	char *key_file;
> > +	char *cert_file;
> > +	uint8_t *image_data;
> > +	size_t image_size;
> > +	struct efi_firmware_image_authentication auth;
> > +	uint8_t *sig_data;
> > +	size_t sig_size;
> > +};
> > +
> > +static int dump_sig;
> > +
> >   /**
> >    * read_bin_file - read a firmware binary file
> >    * @bin:	Path to a firmware binary file
> > @@ -75,7 +104,7 @@ static void print_usage(void)
> >    * * 0  - on success
> >    * * -1 - on failure
> >    */
> > -static int read_bin_file(char *bin, void **data, off_t *bin_size)
> > +static int read_bin_file(char *bin, uint8_t **data, off_t *bin_size)
> >   {
> >   	FILE *g;
> >   	struct stat bin_stat;
> > @@ -147,6 +176,205 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
> >   	return 0;
> >   }
> > 
> > +/**
> > + * create_auth_data - compose authentication data in capsule
> > + * @auth_context:	Pointer to authentication context
> > + *
> > + * Fill up an authentication header (.auth) and signature data (.sig_data)
> > + * in @auth_context, using library functions from openssl.
> > + * All the parameters in @auth_context must be filled in by a caller.
> > + *
> > + * Return:
> > + * * 0  - on success
> > + * * -1 - on failure
> > + */
> > +static int create_auth_data(struct auth_context *ctx)
> > +{
> > +	gnutls_datum_t cert;
> > +	gnutls_datum_t key;
> > +	off_t file_size;
> > +	gnutls_privkey_t pkey;
> > +	gnutls_x509_crt_t x509;
> > +	gnutls_pkcs7_t pkcs7;
> > +	gnutls_datum_t data;
> > +	gnutls_datum_t signature;
> > +	int ret;
> > +
> > +	ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
> > +	if (ret < 0)
> > +		return -1;
> > +	if (file_size > UINT_MAX)
> > +		return -1;
> > +	cert.size = file_size;
> > +
> > +	ret = read_bin_file(ctx->key_file, &key.data, &file_size);
> > +	if (ret < 0)
> > +		return -1;
> > +	if (ret < 0)
> > +		return -1;
> > +	if (file_size > UINT_MAX)
> > +		return -1;
> > +	key.size = file_size;
> > +
> > +	/*
> > +	 * For debugging,
> > +	 * gnutls_global_set_time_function(mytime);
> > +	 * gnutls_global_set_log_function(tls_log_func);
> > +	 * gnutls_global_set_log_level(6);
> > +	 */
> > +
> > +	ret = gnutls_privkey_init(&pkey);
> > +	if (ret < 0) {
> > +		fprintf(stderr, "error in gnutls_privkey_init(): %s\n",
> > +			gnutls_strerror(ret));
> > +		return -1;
> > +	}
> > +
> > +	ret = gnutls_x509_crt_init(&x509);
> > +	if (ret < 0) {
> > +		fprintf(stderr, "error in gnutls_x509_crt_init(): %s\n",
> > +			gnutls_strerror(ret));
> > +		return -1;
> > +	}
> > +
> > +	/* load a private key */
> > +	ret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,
> > +					     0, 0);
> > +	if (ret < 0) {
> > +		fprintf(stderr,
> > +			"error in gnutls_privkey_import_x509_raw(): %s\n",
> > +			gnutls_strerror(ret));
> > +		return -1;
> > +	}
> > +
> > +	/* load x509 certificate */
> > +	ret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);
> > +	if (ret < 0) {
> > +		fprintf(stderr, "error in gnutls_x509_crt_import(): %s\n",
> > +			gnutls_strerror(ret));
> > +		return -1;
> > +	}
> > +
> > +	/* generate a PKCS #7 structure */
> > +	ret = gnutls_pkcs7_init(&pkcs7);
> > +	if (ret < 0) {
> > +		fprintf(stderr, "error in gnutls_pkcs7_init(): %s\n",
> > +			gnutls_strerror(ret));
> > +		return -1;
> > +	}
> > +
> > +	/* sign */
> > +	/*
> > +	 * Data should have
> > +	 *  * firmware image
> > +	 *  * monotonic count
> > +	 * in this order!
> > +	 * See EDK2's FmpAuthenticatedHandlerRsa2048Sha256()
> > +	 */
> > +	data.size = ctx->image_size + sizeof(ctx->auth.monotonic_count);
> > +	data.data = malloc(data.size);
> > +	if (!data.data) {
> > +		fprintf(stderr, "allocating memory (0x%x) failed\n", data.size);
> > +		return -1;
> > +	}
> > +	memcpy(data.data, ctx->image_data, ctx->image_size);
> > +	memcpy(data.data + ctx->image_size, &ctx->auth.monotonic_count,
> > +	       sizeof(ctx->auth.monotonic_count));
> > +
> > +	ret = gnutls_pkcs7_sign(pkcs7, x509, pkey, &data, NULL, NULL,
> > +				GNUTLS_DIG_SHA256,
> > +				/* GNUTLS_PKCS7_EMBED_DATA? */
> > +				GNUTLS_PKCS7_INCLUDE_CERT |
> > +				GNUTLS_PKCS7_INCLUDE_TIME);
> > +	if (ret < 0) {
> > +		fprintf(stderr, "error in gnutls_pkcs7)sign(): %s\n",
> > +			gnutls_strerror(ret));
> > +		return -1;
> > +	}
> > +
> > +	/* export */
> > +	ret = gnutls_pkcs7_export2(pkcs7, GNUTLS_X509_FMT_DER, &signature);
> > +	if (ret < 0) {
> > +		fprintf(stderr, "error in gnutls_pkcs7_export2: %s\n",
> > +			gnutls_strerror(ret));
> > +		return -1;
> > +	}
> > +	ctx->sig_data = signature.data;
> > +	ctx->sig_size = signature.size;
> > +
> > +	/* fill auth_info */
> > +	ctx->auth.auth_info.hdr.dwLength = sizeof(ctx->auth.auth_info)
> > +						+ ctx->sig_size;
> > +	ctx->auth.auth_info.hdr.wRevision = WIN_CERT_REVISION_2_0;
> > +	ctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> > +	memcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7,
> > +	       sizeof(efi_guid_cert_type_pkcs7));
> > +
> > +	/*
> > +	 * For better clean-ups,
> > +	 * gnutls_pkcs7_deinit(pkcs7);
> > +	 * gnutls_privkey_deinit(pkey);
> > +	 * gnutls_x509_crt_deinit(x509);
> > +	 * free(cert.data);
> > +	 * free(key.data);
> > +	 * if error
> > +	 *   gnutls_free(signature.data);
> > +	 */
> > +
> > +	return 0;
> > +}
> > +
> > +/**
> > + * dump_signature - dump out a signature
> > + * @path:	Path to a capsule file
> > + * @signature:	Signature data
> > + * @sig_size:	Size of signature data
> > + *
> > + * Signature data pointed to by @signature will be saved into
> > + * a file whose file name is @path with ".p7" suffix.
> > + *
> > + * Return:
> > + * * 0  - on success
> > + * * -1 - on failure
> > + */
> > +static int dump_signature(const char *path, uint8_t *signature, size_t sig_size)
> > +{
> > +	char *sig_path;
> > +	FILE *f;
> > +	size_t size;
> > +	int ret = -1;
> > +
> > +	sig_path = malloc(strlen(path) + 3 + 1);
> > +	if (!sig_path)
> > +		return ret;
> > +
> > +	sprintf(sig_path, "%s.p7", path);
> > +	f = fopen(sig_path, "w");
> > +	if (!f)
> > +		goto err;
> > +
> > +	size = fwrite(signature, 1, sig_size, f);
> > +	if (size == sig_size)
> > +		ret = 0;
> > +
> > +	fclose(f);
> > +err:
> > +	free(sig_path);
> > +	return ret;
> > +}
> > +
> > +/**
> > + * free_sig_data - free out signature data
> > + * @ctx:	Pointer to authentication context
> > + *
> > + * Free signature data allocated in create_auth_data().
> > + */
> > +static void free_sig_data(struct auth_context *ctx)
> > +{
> > +	if (ctx->sig_size)
> > +		gnutls_free(ctx->sig_data);
> > +}
> > +
> >   /**
> >    * create_fwbin - create an uefi capsule file
> >    * @path:	Path to a created capsule file
> > @@ -168,23 +396,25 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)
> >    * * -1 - on failure
> >    */
> >   static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> > -			unsigned long index, unsigned long instance)
> > +			unsigned long index, unsigned long instance,
> > +			uint64_t mcount, char *privkey_file, char *cert_file)
> >   {
> >   	struct efi_capsule_header header;
> >   	struct efi_firmware_management_capsule_header capsule;
> >   	struct efi_firmware_management_capsule_image_header image;
> > +	struct auth_context auth_context;
> >   	FILE *f;
> > -	void *data;
> > +	uint8_t *data;
> >   	off_t bin_size;
> > -	u64 offset;
> > +	uint64_t offset;
> >   	int ret;
> > 
> >   #ifdef DEBUG
> > -	printf("For output: %s\n", path);
> > -	printf("\tbin: %s\n\ttype: %pUl\n", bin, guid);
> > -	printf("\tindex: %ld\n\tinstance: %ld\n", index, instance);
> > +	fprintf(stderr, "For output: %s\n", path);
> > +	fprintf(stderr, "\tbin: %s\n\ttype: %pUl\n", bin, guid);
> > +	fprintf(stderr, "\tindex: %lu\n\tinstance: %lu\n", index, instance);
> >   #endif
> > -
> > +	auth_context.sig_size = 0;
> >   	f = NULL;
> >   	data = NULL;
> >   	ret = -1;
> > @@ -195,6 +425,27 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> >   	if (read_bin_file(bin, &data, &bin_size))
> >   		goto err;
> > 
> > +	/* first, calculate signature to determine its size */
> > +	if (privkey_file && cert_file) {
> > +		auth_context.key_file = privkey_file;
> > +		auth_context.cert_file = cert_file;
> > +		auth_context.auth.monotonic_count = mcount;
> > +		auth_context.image_data = data;
> > +		auth_context.image_size = bin_size;
> > +
> > +		if (create_auth_data(&auth_context)) {
> > +			fprintf(stderr, "Signing firmware image failed\n");
> > +			goto err;
> > +		}
> > +
> > +		if (dump_sig &&
> > +		    dump_signature(path, auth_context.sig_data,
> > +				   auth_context.sig_size)) {
> > +			fprintf(stderr, "Creating signature file failed\n");
> > +			goto err;
> > +		}
> > +	}
> > +
> >   	/*
> >   	 * write a capsule file
> >   	 */
> > @@ -212,9 +463,12 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> >   	/* TODO: The current implementation ignores flags */
> >   	header.flags = CAPSULE_FLAGS_PERSIST_ACROSS_RESET;
> >   	header.capsule_image_size = sizeof(header)
> > -					+ sizeof(capsule) + sizeof(u64)
> > +					+ sizeof(capsule) + sizeof(uint64_t)
> >   					+ sizeof(image)
> >   					+ bin_size;
> > +	if (auth_context.sig_size)
> > +		header.capsule_image_size += sizeof(auth_context.auth)
> > +				+ auth_context.sig_size;
> >   	if (write_capsule_file(f, &header, sizeof(header),
> >   			       "Capsule header"))
> >   		goto err;
> > @@ -230,7 +484,7 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> >   			       "Firmware capsule header"))
> >   		goto err;
> > 
> > -	offset = sizeof(capsule) + sizeof(u64);
> > +	offset = sizeof(capsule) + sizeof(uint64_t);
> >   	if (write_capsule_file(f, &offset, sizeof(offset),
> >   			       "Offset to capsule image"))
> >   		goto err;
> > @@ -245,13 +499,32 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> >   	image.reserved[1] = 0;
> >   	image.reserved[2] = 0;
> >   	image.update_image_size = bin_size;
> > +	if (auth_context.sig_size)
> > +		image.update_image_size += sizeof(auth_context.auth)
> > +				+ auth_context.sig_size;
> >   	image.update_vendor_code_size = 0; /* none */
> >   	image.update_hardware_instance = instance;
> >   	image.image_capsule_support = 0;
> > +	if (auth_context.sig_size)
> > +		image.image_capsule_support |= CAPSULE_SUPPORT_AUTHENTICATION;
> >   	if (write_capsule_file(f, &image, sizeof(image),
> >   			       "Firmware capsule image header"))
> >   		goto err;
> > 
> > +	/*
> > +	 * signature
> > +	 */
> > +	if (auth_context.sig_size) {
> > +		if (write_capsule_file(f, &auth_context.auth,
> > +				       sizeof(auth_context.auth),
> > +				       "Authentication header"))
> > +			goto err;
> > +
> > +		if (write_capsule_file(f, auth_context.sig_data,
> > +				       auth_context.sig_size, "Signature"))
> > +			goto err;
> > +	}
> > +
> >   	/*
> >   	 * firmware binary
> >   	 */
> > @@ -262,28 +535,43 @@ static int create_fwbin(char *path, char *bin, efi_guid_t *guid,
> >   err:
> >   	if (f)
> >   		fclose(f);
> > +	free_sig_data(&auth_context);
> >   	free(data);
> > 
> >   	return ret;
> >   }
> > 
> > -/*
> > - * Usage:
> > - *   $ mkeficapsule -f <firmware binary> <output file>
> > +/**
> > + * main - main entry function of mkeficapsule
> > + * @argc:	Number of arguments
> > + * @argv:	Array of pointers to arguments
> > + *
> > + * Create an uefi capsule file, optionally signing it.
> > + * Parse all the arguments and pass them on to create_fwbin().
> > + *
> > + * Return:
> > + * * 0  - on success
> > + * * -1 - on failure
> >    */
> >   int main(int argc, char **argv)
> >   {
> >   	char *file;
> >   	efi_guid_t *guid;
> >   	unsigned long index, instance;
> > +	uint64_t mcount;
> > +	char *privkey_file, *cert_file;
> >   	int c, idx;
> > 
> >   	file = NULL;
> >   	guid = NULL;
> >   	index = 0;
> >   	instance = 0;
> > +	mcount = 0;
> > +	privkey_file = NULL;
> > +	cert_file = NULL;
> > +	dump_sig = 0;
> >   	for (;;) {
> > -		c = getopt_long(argc, argv, "f:r:i:I:v:h", options, &idx);
> > +		c = getopt_long(argc, argv, opts_short, options, &idx);
> >   		if (c == -1)
> >   			break;
> > 
> > @@ -291,7 +579,7 @@ int main(int argc, char **argv)
> >   		case 'f':
> >   			if (file) {
> >   				fprintf(stderr, "Image already specified\n");
> > -				return -1;
> > +				exit(EXIT_FAILURE);
> >   			}
> >   			file = optarg;
> >   			guid = &efi_guid_image_type_uboot_fit;
> > @@ -299,7 +587,7 @@ int main(int argc, char **argv)
> >   		case 'r':
> >   			if (file) {
> >   				fprintf(stderr, "Image already specified\n");
> > -				return -1;
> > +				exit(EXIT_FAILURE);
> >   			}
> >   			file = optarg;
> >   			guid = &efi_guid_image_type_uboot_raw;
> > @@ -310,14 +598,38 @@ int main(int argc, char **argv)
> >   		case 'I':
> >   			instance = strtoul(optarg, NULL, 0);
> >   			break;
> > +		case 'p':
> > +			if (privkey_file) {
> > +				fprintf(stderr,
> > +					"Private Key already specified\n");
> > +				exit(EXIT_FAILURE);
> > +			}
> > +			privkey_file = optarg;
> > +			break;
> > +		case 'c':
> > +			if (cert_file) {
> > +				fprintf(stderr,
> > +					"Certificate file already specified\n");
> > +				exit(EXIT_FAILURE);
> > +			}
> > +			cert_file = optarg;
> > +			break;
> > +		case 'm':
> > +			mcount = strtoul(optarg, NULL, 0);
> > +			break;
> > +		case 'd':
> > +			dump_sig = 1;
> > +			break;
> >   		case 'h':
> >   			print_usage();
> > -			return 0;
> > +			exit(EXIT_SUCCESS);
> >   		}
> >   	}
> > 
> > -	/* need an output file */
> > -	if (argc != optind + 1) {
> > +	/* check necessary parameters */
> > +	if ((argc != optind + 1) || !file ||
> > +	    ((privkey_file && !cert_file) ||
> > +	     (!privkey_file && cert_file))) {
> >   		print_usage();
> >   		exit(EXIT_FAILURE);
> >   	}
> > @@ -328,8 +640,8 @@ int main(int argc, char **argv)
> >   		exit(EXIT_SUCCESS);
> >   	}
> > 
> > -	if (create_fwbin(argv[optind], file, guid, index, instance)
> > -			< 0) {
> > +	if (create_fwbin(argv[optind], file, guid, index, instance,
> > +			 mcount, privkey_file, cert_file) < 0) {
> >   		fprintf(stderr, "Creating firmware capsule failed\n");
> >   		exit(EXIT_FAILURE);
> >   	}
> 
> Tom just caught the following warnings when building sandobox_defconfig
> with clang. Unfortunately -Werror is not enabled for tools yet.
> 
> In file included from tools/mkeficapsule.c:24:
> ./tools/eficapsule.h:93:18: warning: field 'hdr' with variable sized
> type 'WIN_CERTIFICATE' (aka 'struct _WIN_CERTIFICATE') not at the end of
> a struct or class is a GNU extension [-Wgnu-variable-sized-type-not-at-end]
>         WIN_CERTIFICATE hdr;
>                         ^
> tools/mkeficapsule.c:88:43: warning: field 'auth' with variable sized
> type 'struct efi_firmware_image_authentication' not at the end of a
> struct or class is a GNU extension [-Wgnu-variable-sized-type-not-at-end]
>         struct efi_firmware_image_authentication auth;
>                                                  ^
> 
> As the zero sized members are not referenced we can remove them. The
> following diff seems to fix the problem:

The fix itself is fine, but

"Zero-sized members" is a common practice in UEFI specification and
a number of instances can also be seen in include/efi_api.h.

If this kind of technique is an "error", we should fix the header files
in the first place.

-Takahiro Akashi


> 
> diff --git a/tools/eficapsule.h b/tools/eficapsule.h
> index 8c1560bb06..69c9c58c2f 100644
> --- a/tools/eficapsule.h
> +++ b/tools/eficapsule.h
> @@ -10,7 +10,6 @@
>  #define _EFI_CAPSULE_H
> 
>  #include <stdint.h>
> -#include <pe.h> /* WIN_CERTIFICATE */
> 
>  /*
>   * Gcc's predefined attributes are not recognized by clang.
> @@ -85,14 +84,16 @@ struct efi_firmware_management_capsule_image_header {
>   * win_certificate_uefi_guid - A certificate that encapsulates
>   * a GUID-specific signature
>   *
> - * @hdr:       Windows certificate header
> + * @hdr:       Windows certificate header, cf. WIN_CERTIFICATE
>   * @cert_type: Certificate type
> - * @cert_data: Certificate data
>   */
>  struct win_certificate_uefi_guid {
> -       WIN_CERTIFICATE hdr;
> +       struct {
> +               uint32_t dwLength;
> +               uint16_t wRevision;
> +               uint16_t wCertificateType;
> +       } hdr;
>         efi_guid_t cert_type;
> -       uint8_t cert_data[];
>  } __packed;
> 
>  /**
> diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
> index 550f5f88e3..f7590e482f 100644
> --- a/tools/mkeficapsule.c
> +++ b/tools/mkeficapsule.c
> @@ -5,6 +5,7 @@
>   */
> 
>  #include <getopt.h>
> +#include <pe.h>
>  #include <stdbool.h>
>  #include <stdint.h>
>  #include <stdio.h>
> 
> Best regards
> 
> Heinrich

Re: [PATCH v11 2/9] tools: mkeficapsule: add firmware image signing

[Simon Glass]

Hi,

On Sun, 13 Feb 2022 at 17:54, AKASHI Takahiro
<takahiro.akashi@linaro.org> wrote:
>
> Heinrich,
>
> On Fri, Feb 11, 2022 at 08:16:34PM +0100, Heinrich Schuchardt wrote:
> > On 2/9/22 11:10, AKASHI Takahiro wrote:
> > > With this enhancement, mkeficapsule will be able to sign a capsule
> > > file when it is created. A signature added will be used later
> > > in the verification at FMP's SetImage() call.
> > >
> > > To do that, we need specify additional command parameters:
> > >    -monotonic-cout <count> : monotonic count
> > >    -private-key <private key file> : private key file
> > >    -certificate <certificate file> : certificate file
> > > Only when all of those parameters are given, a signature will be added
> > > to a capsule file.
> > >
> > > Users are expected to maintain and increment the monotonic count at
> > > every time of the update for each firmware image.
> > >
> > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > Reviewed-by: Simon Glass <sjg@chromium.org>
> > > Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > > ---
> > >   .azure-pipelines.yml |   2 +-
> > >   tools/Makefile       |   1 +
> > >   tools/eficapsule.h   | 115 +++++++++++++
> > >   tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
> > >   4 files changed, 463 insertions(+), 35 deletions(-)
> > >   create mode 100644 tools/eficapsule.h

I'm not sure if it is this patch or something else, but building is
broken as it needs

gnutls/gnutls.h

Please update the docs in doc/build/gcc.rst to fix this.

Regards,
Simon

Re: [PATCH v11 2/9] tools: mkeficapsule: add firmware image signing

[AKASHI Takahiro]

Hi Simon,

On Sat, Feb 19, 2022 at 04:11:08PM -0700, Simon Glass wrote:
> Hi,
> 
> On Sun, 13 Feb 2022 at 17:54, AKASHI Takahiro
> <takahiro.akashi@linaro.org> wrote:
> >
> > Heinrich,
> >
> > On Fri, Feb 11, 2022 at 08:16:34PM +0100, Heinrich Schuchardt wrote:
> > > On 2/9/22 11:10, AKASHI Takahiro wrote:
> > > > With this enhancement, mkeficapsule will be able to sign a capsule
> > > > file when it is created. A signature added will be used later
> > > > in the verification at FMP's SetImage() call.
> > > >
> > > > To do that, we need specify additional command parameters:
> > > >    -monotonic-cout <count> : monotonic count
> > > >    -private-key <private key file> : private key file
> > > >    -certificate <certificate file> : certificate file
> > > > Only when all of those parameters are given, a signature will be added
> > > > to a capsule file.
> > > >
> > > > Users are expected to maintain and increment the monotonic count at
> > > > every time of the update for each firmware image.
> > > >
> > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > Reviewed-by: Simon Glass <sjg@chromium.org>
> > > > Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > > > ---
> > > >   .azure-pipelines.yml |   2 +-
> > > >   tools/Makefile       |   1 +
> > > >   tools/eficapsule.h   | 115 +++++++++++++
> > > >   tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
> > > >   4 files changed, 463 insertions(+), 35 deletions(-)
> > > >   create mode 100644 tools/eficapsule.h
> 
> I'm not sure if it is this patch or something else, but building is
> broken as it needs
> 
> gnutls/gnutls.h
> 
> Please update the docs in doc/build/gcc.rst to fix this.

I have not noticed that there is *another* list of package dependency.
It is easy to fix against gnutls.h, but gnutls.h (or libgnutls-dev)
is NOT the only component missing in the list.

Comparing gcc.rst with gitlab-ci.yml, there already exist a lot of
such packages:

gcc.rst                           |  gitlab-ci.yml
======                               ======
                                  >  automake
                                  >  autopoint
bc                                   bc
                                  >  binutils-dev
bison                                bison
build-essential                      build-essential
coccinelle                        |  clang-10
                                  >  coreutils
                                  >  cpio
                                  >  cppcheck
                                  >  curl
device-tree-compiler                 device-tree-compiler
dfu-util                          |  dosfstools
                                  >  e2fsprogs
efitools                             efitools
                                  >  fakeroot
flex                                 flex
gdisk                                gdisk
                                  >  git
                                  >  gnu-efi
graphviz                             graphviz
                                  >  grub-efi-amd64-bin
                                  >  grub-efi-ia32-bin
                                  >  help2man
                                  >  iasl
imagemagick                          imagemagick
liblz4-tool                       |  iputils-ping
libguestfs-tools                     libguestfs-tools
libncurses-dev                    |  libgnutls28-dev
libpython3-dev                    |  libgnutls30
                                  >  libisl15
                                  >  liblz4-tool
                                  >  libpixman-1-dev
                                  >  libpython-dev
                                  >  libsdl1.2-dev
libsdl2-dev                          libsdl2-dev
libssl-dev                           libssl-dev
lz4                               |  libudev-dev
lzma                              |  libusb-1.0-0-dev
lzma-alone                           lzma-alone
                                  >  lzop
                                  >  mount
                                  >  mtd-utils
                                  >  mtools
openssl                              openssl
                                  >  picocom
                                  >  parted
pkg-config                           pkg-config
python3                           |  python
python3-coverage                  |  python-dev
python3-pkg-resources             |  python-pip
python3-pycryptodome              |  python-virtualenv
python3-pyelftools                |  python3-pip
python3-pytest                    |  python3-sphinx
python3-sphinxcontrib.apidoc      |  rpm2cpio
python3-sphinx-rtd-theme          |  sbsigntool
python3-virtualenv                |  sloccount
                                  >  sparse
                                  >  srecord
                                  >  sudo
swig                                 swig
                                  >  util-linux
                                  >  uuid-dev
                                  >  virtualenv
                                  >  zip

-Takahiro Akashi

Re: [PATCH v11 2/9] tools: mkeficapsule: add firmware image signing

[Heinrich Schuchardt]

On 2/21/22 01:43, AKASHI Takahiro wrote:
> Hi Simon,
>
> On Sat, Feb 19, 2022 at 04:11:08PM -0700, Simon Glass wrote:
>> Hi,
>>
>> On Sun, 13 Feb 2022 at 17:54, AKASHI Takahiro
>> <takahiro.akashi@linaro.org> wrote:
>>>
>>> Heinrich,
>>>
>>> On Fri, Feb 11, 2022 at 08:16:34PM +0100, Heinrich Schuchardt wrote:
>>>> On 2/9/22 11:10, AKASHI Takahiro wrote:
>>>>> With this enhancement, mkeficapsule will be able to sign a capsule
>>>>> file when it is created. A signature added will be used later
>>>>> in the verification at FMP's SetImage() call.
>>>>>
>>>>> To do that, we need specify additional command parameters:
>>>>>     -monotonic-cout <count> : monotonic count
>>>>>     -private-key <private key file> : private key file
>>>>>     -certificate <certificate file> : certificate file
>>>>> Only when all of those parameters are given, a signature will be added
>>>>> to a capsule file.
>>>>>
>>>>> Users are expected to maintain and increment the monotonic count at
>>>>> every time of the update for each firmware image.
>>>>>
>>>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>>>> Reviewed-by: Simon Glass <sjg@chromium.org>
>>>>> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>>>>> ---
>>>>>    .azure-pipelines.yml |   2 +-
>>>>>    tools/Makefile       |   1 +
>>>>>    tools/eficapsule.h   | 115 +++++++++++++
>>>>>    tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
>>>>>    4 files changed, 463 insertions(+), 35 deletions(-)
>>>>>    create mode 100644 tools/eficapsule.h
>>
>> I'm not sure if it is this patch or something else, but building is
>> broken as it needs
>>
>> gnutls/gnutls.h
>>
>> Please update the docs in doc/build/gcc.rst to fix this.
>
> I have not noticed that there is *another* list of package dependency.
> It is easy to fix against gnutls.h, but gnutls.h (or libgnutls-dev)
> is NOT the only component missing in the list.
>
> Comparing gcc.rst with gitlab-ci.yml, there already exist a lot of
> such packages:
>
> gcc.rst                           |  gitlab-ci.yml
> ======                               ======
>                                    >  automake
>                                    >  autopoint
> bc                                   bc
>                                    >  binutils-dev
> bison                                bison
> build-essential                      build-essential
> coccinelle                        |  clang-10
>                                    >  coreutils
>                                    >  cpio
>                                    >  cppcheck
>                                    >  curl
> device-tree-compiler                 device-tree-compiler
> dfu-util                          |  dosfstools
>                                    >  e2fsprogs
> efitools                             efitools
>                                    >  fakeroot
> flex                                 flex
> gdisk                                gdisk
>                                    >  git
>                                    >  gnu-efi
> graphviz                             graphviz
>                                    >  grub-efi-amd64-bin
>                                    >  grub-efi-ia32-bin

There are some package that are not needed for building at all like
these GRUB packages which just serve as test binaries.

>                                    >  help2man
>                                    >  iasl
> imagemagick                          imagemagick
> liblz4-tool                       |  iputils-ping
> libguestfs-tools                     libguestfs-tools
> libncurses-dev                    |  libgnutls28-dev
> libpython3-dev                    |  libgnutls30
>                                    >  libisl15
>                                    >  liblz4-tool
>                                    >  libpixman-1-dev
>                                    >  libpython-dev

libpython-dev does not even exist in Ubuntu 22.04. Who cares about
Python2 package anymore?

Best regards

Heinrich

>                                    >  libsdl1.2-dev
> libsdl2-dev                          libsdl2-dev
> libssl-dev                           libssl-dev
> lz4                               |  libudev-dev
> lzma                              |  libusb-1.0-0-dev
> lzma-alone                           lzma-alone
>                                    >  lzop
>                                    >  mount
>                                    >  mtd-utils
>                                    >  mtools
> openssl                              openssl
>                                    >  picocom
>                                    >  parted
> pkg-config                           pkg-config
> python3                           |  python
> python3-coverage                  |  python-dev
> python3-pkg-resources             |  python-pip
> python3-pycryptodome              |  python-virtualenv
> python3-pyelftools                |  python3-pip
> python3-pytest                    |  python3-sphinx
> python3-sphinxcontrib.apidoc      |  rpm2cpio
> python3-sphinx-rtd-theme          |  sbsigntool
> python3-virtualenv                |  sloccount
>                                    >  sparse
>                                    >  srecord
>                                    >  sudo
> swig                                 swig
>                                    >  util-linux
>                                    >  uuid-dev
>                                    >  virtualenv
>                                    >  zip
>
> -Takahiro Akashi

Re: [PATCH v11 2/9] tools: mkeficapsule: add firmware image signing

[Simon Glass]

Hi Heinrich,

On Mon, 21 Feb 2022 at 11:59, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
> On 2/21/22 01:43, AKASHI Takahiro wrote:
> > Hi Simon,
> >
> > On Sat, Feb 19, 2022 at 04:11:08PM -0700, Simon Glass wrote:
> >> Hi,
> >>
> >> On Sun, 13 Feb 2022 at 17:54, AKASHI Takahiro
> >> <takahiro.akashi@linaro.org> wrote:
> >>>
> >>> Heinrich,
> >>>
> >>> On Fri, Feb 11, 2022 at 08:16:34PM +0100, Heinrich Schuchardt wrote:
> >>>> On 2/9/22 11:10, AKASHI Takahiro wrote:
> >>>>> With this enhancement, mkeficapsule will be able to sign a capsule
> >>>>> file when it is created. A signature added will be used later
> >>>>> in the verification at FMP's SetImage() call.
> >>>>>
> >>>>> To do that, we need specify additional command parameters:
> >>>>>     -monotonic-cout <count> : monotonic count
> >>>>>     -private-key <private key file> : private key file
> >>>>>     -certificate <certificate file> : certificate file
> >>>>> Only when all of those parameters are given, a signature will be added
> >>>>> to a capsule file.
> >>>>>
> >>>>> Users are expected to maintain and increment the monotonic count at
> >>>>> every time of the update for each firmware image.
> >>>>>
> >>>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>>>> Reviewed-by: Simon Glass <sjg@chromium.org>
> >>>>> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> >>>>> ---
> >>>>>    .azure-pipelines.yml |   2 +-
> >>>>>    tools/Makefile       |   1 +
> >>>>>    tools/eficapsule.h   | 115 +++++++++++++
> >>>>>    tools/mkeficapsule.c | 380 +++++++++++++++++++++++++++++++++++++++----
> >>>>>    4 files changed, 463 insertions(+), 35 deletions(-)
> >>>>>    create mode 100644 tools/eficapsule.h
> >>
> >> I'm not sure if it is this patch or something else, but building is
> >> broken as it needs
> >>
> >> gnutls/gnutls.h
> >>
> >> Please update the docs in doc/build/gcc.rst to fix this.
> >
> > I have not noticed that there is *another* list of package dependency.
> > It is easy to fix against gnutls.h, but gnutls.h (or libgnutls-dev)
> > is NOT the only component missing in the list.
> >
> > Comparing gcc.rst with gitlab-ci.yml, there already exist a lot of
> > such packages:
> >
> > gcc.rst                           |  gitlab-ci.yml
> > ======                               ======
> >                                    >  automake
> >                                    >  autopoint
> > bc                                   bc
> >                                    >  binutils-dev
> > bison                                bison
> > build-essential                      build-essential
> > coccinelle                        |  clang-10
> >                                    >  coreutils
> >                                    >  cpio
> >                                    >  cppcheck
> >                                    >  curl
> > device-tree-compiler                 device-tree-compiler
> > dfu-util                          |  dosfstools
> >                                    >  e2fsprogs
> > efitools                             efitools
> >                                    >  fakeroot
> > flex                                 flex
> > gdisk                                gdisk
> >                                    >  git
> >                                    >  gnu-efi
> > graphviz                             graphviz
> >                                    >  grub-efi-amd64-bin
> >                                    >  grub-efi-ia32-bin
>
> There are some package that are not needed for building at all like
> these GRUB packages which just serve as test binaries.
>
> >                                    >  help2man
> >                                    >  iasl
> > imagemagick                          imagemagick
> > liblz4-tool                       |  iputils-ping
> > libguestfs-tools                     libguestfs-tools
> > libncurses-dev                    |  libgnutls28-dev
> > libpython3-dev                    |  libgnutls30
> >                                    >  libisl15
> >                                    >  liblz4-tool
> >                                    >  libpixman-1-dev
> >                                    >  libpython-dev

We could split the list, but on the other hand, who develops code in
U-Boot without running the tests? Perhaps we could split into things
needed to build sandbox and things needed to run tests?

>
> libpython-dev does not even exist in Ubuntu 22.04. Who cares about
> Python2 package anymore?

Everything in U-Boot is migrated.

Regards,
Simon

>
> Best regards
>
> Heinrich
>
> >                                    >  libsdl1.2-dev
> > libsdl2-dev                          libsdl2-dev
> > libssl-dev                           libssl-dev
> > lz4                               |  libudev-dev
> > lzma                              |  libusb-1.0-0-dev
> > lzma-alone                           lzma-alone
> >                                    >  lzop
> >                                    >  mount
> >                                    >  mtd-utils
> >                                    >  mtools
> > openssl                              openssl
> >                                    >  picocom
> >                                    >  parted
> > pkg-config                           pkg-config
> > python3                           |  python
> > python3-coverage                  |  python-dev
> > python3-pkg-resources             |  python-pip
> > python3-pycryptodome              |  python-virtualenv
> > python3-pyelftools                |  python3-pip
> > python3-pytest                    |  python3-sphinx
> > python3-sphinxcontrib.apidoc      |  rpm2cpio
> > python3-sphinx-rtd-theme          |  sbsigntool
> > python3-virtualenv                |  sloccount
> >                                    >  sparse
> >                                    >  srecord
> >                                    >  sudo
> > swig                                 swig
> >                                    >  util-linux
> >                                    >  uuid-dev
> >                                    >  virtualenv
> >                                    >  zip
> >
> > -Takahiro Akashi
>

[PATCH v11 3/9] tools: mkeficapsule: add man page

[AKASHI Takahiro]

Add a man page for mkeficapsule command.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 MAINTAINERS        |  1 +
 doc/mkeficapsule.1 | 99 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
 create mode 100644 doc/mkeficapsule.1

diff --git a/MAINTAINERS b/MAINTAINERS
index dcdd99e368d1..2a8f70d70833 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -749,6 +749,7 @@ S:	Maintained
 T:	git https://source.denx.de/u-boot/custodians/u-boot-efi.git
 F:	doc/api/efi.rst
 F:	doc/develop/uefi/*
+F:	doc/mkeficapsule.1
 F:	doc/usage/bootefi.rst
 F:	drivers/rtc/emul_rtc.c
 F:	include/capitalization.h
diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1
new file mode 100644
index 000000000000..680362f5c4e9
--- /dev/null
+++ b/doc/mkeficapsule.1
@@ -0,0 +1,99 @@
+.\" SPDX-License-Identifier: GPL-2.0+
+.\" Copyright (c) 2021, Linaro Limited
+.\" 		written by AKASHI Takahiro <takahiro.akashi@linaro.org>
+.TH MAEFICAPSULE 1 "May 2021"
+
+.SH NAME
+mkeficapsule \- Generate EFI capsule file for U-Boot
+
+.SH SYNOPSIS
+.B mkeficapsule
+.RI [ options "] " capsule-file
+
+.SH "DESCRIPTION"
+.B mkeficapsule
+command is used to create an EFI capsule file for use with the U-Boot
+EFI capsule update.
+A capsule file may contain various type of firmware blobs which
+are to be applied to the system and must be placed in the specific
+directory on the UEFI system partition.
+An update will be automatically executed at next reboot.
+
+Optionally, a capsule file can be signed with a given private key.
+In this case, the update will be authenticated by verifying the signature
+before applying.
+
+.B mkeficapsule
+supports two different format of image files:
+.TP
+.I raw image
+format is a single binary blob of any type of firmware.
+
+.TP
+.I FIT (Flattened Image Tree) image
+format is the same as used in the new uImage format and allows for
+multiple binary blobs in a single capsule file.
+This type of image file can be generated by
+.BR mkimage .
+
+.SH "OPTIONS"
+One of
+.BR --fit " or " --raw
+option must be specified.
+
+.TP
+.BI "-f\fR,\fB --fit " fit-image-file
+Specify a FIT image file
+
+.TP
+.BI "-r\fR,\fB --raw " raw-image-file
+Specify a raw image file
+
+.TP
+.BI "-i\fR,\fB --index " index
+Specify an image index
+
+.TP
+.BI "-I\fR,\fB --instance " instance
+Specify a hardware instance
+
+.TP
+.BR -h ", " --help
+Print a help message
+
+.PP
+With signing,
+.BR --private-key ", " --certificate " and " --monotonic-count
+are all mandatory.
+
+.TP
+.BI "-p\fR,\fB --private-key " private-key-file
+Specify signer's private key file in PEM
+
+.TP
+.BI "-c\fR,\fB --certificate " certificate-file
+Specify signer's certificate file in EFI certificate list format
+
+.TP
+.BI "-m\fR,\fB --monotonic-count " count
+Specify a monotonic count which is set to be monotonically incremented
+at every firmware update.
+
+.TP
+.B "-d\fR,\fB --dump_sig"
+Dump signature data into *.p7 file
+
+.PP
+.SH FILES
+.TP
+.I /EFI/UpdateCapsule
+The directory in which all capsule files be placed
+
+.SH SEE ALSO
+.BR mkimage (1)
+
+.SH AUTHORS
+Written by AKASHI Takahiro <takahiro.akashi@linaro.org>
+
+.SH HOMEPAGE
+http://www.denx.de/wiki/U-Boot/WebHome
-- 
2.33.0

[PATCH v11 4/9] doc: update UEFI document for usage of mkeficapsule

[AKASHI Takahiro]

Now we can use mkeficapsule command instead of EDK-II's script
to create a signed capsule file. So update the instruction for
capsule authentication.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 doc/develop/uefi/uefi.rst | 151 +++++++++++++++++++-------------------
 1 file changed, 76 insertions(+), 75 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 43fb10f7978e..52a38c6b231c 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -284,37 +284,56 @@ Support has been added for the UEFI capsule update feature which
 enables updating the U-Boot image using the UEFI firmware management
 protocol (FMP). The capsules are not passed to the firmware through
 the UpdateCapsule runtime service. Instead, capsule-on-disk
-functionality is used for fetching the capsule from the EFI System
-Partition (ESP) by placing the capsule file under the
-\EFI\UpdateCapsule directory.
-
-The directory \EFI\UpdateCapsule is checked for capsules only within the
-EFI system partition on the device specified in the active boot option
-determined by reference to BootNext variable or BootOrder variable processing.
-The active Boot Variable is the variable with highest priority BootNext or
-within BootOrder that refers to a device found to be present. Boot variables
-in BootOrder but referring to devices not present are ignored when determining
-active boot variable.
-Before starting a capsule update make sure your capsules are installed in the
-correct ESP partition or set BootNext.
+functionality is used for fetching capsules from the EFI System
+Partition (ESP) by placing capsule files under the directory::
+
+    \EFI\UpdateCapsule
+
+The directory is checked for capsules only within the
+EFI system partition on the device specified in the active boot option,
+which is determined by BootXXXX variable in BootNext, or if not, the highest
+priority one within BootOrder. Any BootXXXX variables referring to devices
+not present are ignored when determining the active boot option.
+
+Please note that capsules will be applied in the alphabetic order of
+capsule file names.
+
+Creating a capsule file
+***********************
+
+A capsule file can be created by using tools/mkeficapsule.
+To build this tool, enable::
+
+    CONFIG_TOOLS_MKEFICAPSULE=y
+    CONFIG_TOOLS_LIBCRYPTO=y
+
+Run the following command
+
+.. code-block:: console
+
+    $ mkeficapsule \
+      --index 1 --instance 0 \
+      [--fit <FIT image> | --raw <raw image>] \
+      <capsule_file_name>
 
 Performing the update
 *********************
 
-Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig
-option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable
-check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule.
+Put capsule files under the directory mentioned above.
+Then, following the UEFI specification, you'll need to set
+the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
+bit in OsIndications variable with
 
-If that option is disabled, you'll need to set the OsIndications variable with::
+.. code-block:: console
 
     => setenv -e -nv -bs -rt -v OsIndications =0x04
 
-Finally, the capsule update can be initiated either by rebooting the board,
-which is the preferred method, or by issuing the following command::
-
-    => efidebug capsule disk-update
+Since U-boot doesn't currently support SetVariable at runtime, its value
+won't be taken over across the reboot. If this is the case, you can skip
+this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS)
+set.
 
-**The efidebug command is should only be used during debugging/development.**
+Finally, the capsule update can be initiated by rebooting the board.
 
 Enabling Capsule Authentication
 *******************************
@@ -324,82 +343,64 @@ be updated by verifying the capsule signature. The capsule signature
 is computed and prepended to the capsule payload at the time of
 capsule generation. This signature is then verified by using the
 public key stored as part of the X509 certificate. This certificate is
-in the form of an efi signature list (esl) file, which is embedded as
-part of U-Boot.
+in the form of an efi signature list (esl) file, which is embedded in
+a device tree.
 
 The capsule authentication feature can be enabled through the
 following config, in addition to the configs listed above for capsule
 update::
 
     CONFIG_EFI_CAPSULE_AUTHENTICATE=y
-    CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
 
 The public and private keys used for the signing process are generated
-and used by the steps highlighted below::
+and used by the steps highlighted below.
 
-    1. Install utility commands on your host
-       * OPENSSL
+1. Install utility commands on your host
+       * openssl
        * efitools
 
-    2. Create signing keys and certificate files on your host
+2. Create signing keys and certificate files on your host
 
-        $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
-            -keyout CRT.key -out CRT.crt -nodes -days 365
-        $ cert-to-efi-sig-list CRT.crt CRT.esl
+.. code-block:: console
 
-        $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
-        $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
+    $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
+        -keyout CRT.key -out CRT.crt -nodes -days 365
+    $ cert-to-efi-sig-list CRT.crt CRT.esl
 
-        $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
-        $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
+3. Run the following command to create and sign the capsule file
 
-The capsule file can be generated by using the GenerateCapsule.py
-script in EDKII::
+.. code-block:: console
 
-    $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
-      <capsule_file_name> --monotonic-count <val> --fw-version \
-      <val> --lsv <val> --guid \
-      e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
-      --update-image-index <val> --signer-private-cert \
-      /path/to/CRT.pem --trusted-public-cert \
-      /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
-      <u-boot.bin>
+    $ mkeficapsule --monotonic-count 1 \
+      --private-key CRT.key \
+      --certificate CRT.crt \
+      --index 1 --instance 0 \
+      [--fit <FIT image> | --raw <raw image>] \
+      <capsule_file_name>
 
-Place the capsule generated in the above step on the EFI System
-Partition under the EFI/UpdateCapsule directory
+4. Insert the signature list into a device tree in the following format::
 
-Testing on QEMU
-***************
+    {
+            signature {
+                    capsule-key = [ <binary of signature list> ];
+            }
+            ...
+    }
 
-Currently, support has been added on the QEMU ARM64 virt platform for
-updating the U-Boot binary as a raw image when the platform is booted
-in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this
-configuration, the QEMU platform needs to be booted with
-'secure=off'. The U-Boot binary placed on the first bank of the NOR
-flash at offset 0x0. The U-Boot environment is placed on the second
-NOR flash bank at offset 0x4000000.
+You can do step-4 manually with
 
-The capsule update feature is enabled with the following configuration
-settings::
+.. code-block:: console
 
-    CONFIG_MTD=y
-    CONFIG_FLASH_CFI_MTD=y
-    CONFIG_CMD_MTDPARTS=y
-    CONFIG_CMD_DFU=y
-    CONFIG_DFU_MTD=y
-    CONFIG_PCI_INIT_R=y
-    CONFIG_EFI_CAPSULE_ON_DISK=y
-    CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
-    CONFIG_EFI_CAPSULE_FIRMWARE=y
-    CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
+    $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
+    $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
 
-In addition, the following config needs to be disabled(QEMU ARM specific)::
+where signature.dts looks like::
 
-    CONFIG_TFABOOT
-
-The capsule file can be generated by using the tools/mkeficapsule::
-
-    $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
+    &{/} {
+            signature {
+                    capsule-key = /incbin/("CRT.esl");
+            };
+    };
 
 Executing the boot manager
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
-- 
2.33.0

[PATCH v11 5/9] test/py: efi_capsule: add image authentication test

[AKASHI Takahiro]

Add a couple of test cases against capsule image authentication
for capsule-on-disk, where only a signed capsule file with the verified
signature will be applied to the system.

Due to the difficulty of embedding a public key (esl file) in U-Boot
binary during pytest setup time, all the keys/certificates are pre-created.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  52 +++-
 test/py/tests/test_efi_capsule/signature.dts  |  10 +
 .../test_capsule_firmware_signed.py           | 254 ++++++++++++++++++
 4 files changed, 318 insertions(+), 3 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
index 4fd6353c2040..59b40f11bd1d 100644
--- a/test/py/tests/test_efi_capsule/capsule_defs.py
+++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@
 # Directories
 CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
 CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
+
+# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
+# you need build a newer version on your own.
+# The path must terminate with '/' if it is not null.
+EFITOOLS_PATH = ''
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 6ad5608cd71c..27c05971ca32 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -10,13 +10,13 @@ import pytest
 from capsule_defs import *
 
 #
-# Fixture for UEFI secure boot test
+# Fixture for UEFI capsule test
 #
 
-
 @pytest.fixture(scope='session')
 def efi_capsule_data(request, u_boot_config):
-    """Set up a file system to be used in UEFI capsule test.
+    """Set up a file system to be used in UEFI capsule and
+       authentication test.
 
     Args:
         request: Pytest request object.
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
         check_call('mkdir -p %s' % data_dir, shell=True)
         check_call('mkdir -p %s' % install_dir, shell=True)
 
+        capsule_auth_enabled = u_boot_config.buildconfig.get(
+                    'config_efi_capsule_authenticate')
+        if capsule_auth_enabled:
+            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
+            check_call('cd %s; '
+                       'openssl req -x509 -sha256 -newkey rsa:2048 '
+                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
+                            '-out SIGNER.crt -nodes -days 365'
+                       % data_dir, shell=True)
+            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
+                       % (data_dir, EFITOOLS_PATH), shell=True)
+
+            # Update dtb adding capsule certificate
+            check_call('cd %s; '
+                       'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
+                       % (data_dir, u_boot_config.source_dir), shell=True)
+            check_call('cd %s; '
+                       'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
+                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
+                            '-o test_sig.dtb signature.dtbo'
+                       % (data_dir, u_boot_config.build_dir), shell=True)
+
+            # Create *malicious* private key (SIGNER2.key) and certificate
+            # (SIGNER2.crt)
+            check_call('cd %s; '
+                       'openssl req -x509 -sha256 -newkey rsa:2048 '
+                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
+                            '-out SIGNER2.crt -nodes -days 365'
+                       % data_dir, shell=True)
+
         # Create capsule files
         # two regions: one for u-boot.bin and the other for u-boot.env
         check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config):
         check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
+        if capsule_auth_enabled:
+            # firmware signed with proper key
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--raw u-boot.bin.new Test11'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # firmware signed with *mal* key
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--private-key SIGNER2.key '
+                            '--certificate SIGNER2.crt '
+                            '--raw u-boot.bin.new Test12'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
 
         # Create a disk image with EFI system partition
         check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts
new file mode 100644
index 000000000000..078cfc76c93c
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/signature.dts
@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+/plugin/;
+
+&{/} {
+	signature {
+		capsule-key = /incbin/("SIGNER.esl");
+	};
+};
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
new file mode 100644
index 000000000000..593b032e9015
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
@@ -0,0 +1,254 @@
+# SPDX-License-Identifier:      GPL-2.0+
+# Copyright (c) 2021, Linaro Limited
+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+#
+# U-Boot UEFI: Firmware Update (Signed capsule) Test
+
+"""
+This test verifies capsule-on-disk firmware update
+with signed capsule files
+"""
+
+import pytest
+from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR
+
+@pytest.mark.boardspec('sandbox')
+@pytest.mark.buildconfigspec('efi_capsule_firmware_raw')
+@pytest.mark.buildconfigspec('efi_capsule_authenticate')
+@pytest.mark.buildconfigspec('dfu')
+@pytest.mark.buildconfigspec('dfu_sf')
+@pytest.mark.buildconfigspec('cmd_efidebug')
+@pytest.mark.buildconfigspec('cmd_fat')
+@pytest.mark.buildconfigspec('cmd_memory')
+@pytest.mark.buildconfigspec('cmd_nvedit_efi')
+@pytest.mark.buildconfigspec('cmd_sf')
+@pytest.mark.slow
+class TestEfiCapsuleFirmwareSigned(object):
+    def test_efi_capsule_auth1(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """
+        Test Case 1 - Update U-Boot on SPI Flash, raw image format
+                      0x100000-0x150000: U-Boot binary (but dummy)
+
+                      If the capsule is properly signed, the authentication
+                      should pass and the firmware be updated.
+        """
+        disk_img = efi_capsule_data
+        with u_boot_console.log.section('Test Case 1-a, before reboot'):
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
+                'efidebug boot order 1',
+                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
+                'env set dfu_alt_info '
+                        '"sf 0:0=u-boot-bin raw 0x100000 '
+                        '0x50000;u-boot-env raw 0x150000 0x200000"',
+                'env save'])
+
+            # initialize content
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'fatload host 0:1 4000000 %s/u-boot.bin.old'
+                        % CAPSULE_DATA_DIR,
+                'sf write 4000000 100000 10',
+                'sf read 5000000 100000 10',
+                'md.b 5000000 10'])
+            assert 'Old' in ''.join(output)
+
+            # place a capsule file
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR,
+                'fatwrite host 0:1 4000000 %s/Test11 $filesize'
+                        % CAPSULE_INSTALL_DIR,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test11' in ''.join(output)
+
+        # reboot
+        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
+        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
+                                    + '/test_sig.dtb'
+        u_boot_console.restart_uboot()
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 1-b, after reboot'):
+            if not capsule_early:
+                # make sure that dfu_alt_info exists even persistent variables
+                # are not available.
+                output = u_boot_console.run_command_list([
+                    'env set dfu_alt_info '
+                            '"sf 0:0=u-boot-bin raw 0x100000 '
+                            '0x50000;u-boot-env raw 0x150000 0x200000"',
+                    'host bind 0 %s' % disk_img,
+                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+                assert 'Test11' in ''.join(output)
+
+                # need to run uefi command to initiate capsule handling
+                output = u_boot_console.run_command(
+                    'env print -e Capsule0000')
+
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test11' not in ''.join(output)
+
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'sf read 4000000 100000 10',
+                'md.b 4000000 10'])
+            assert 'u-boot:New' in ''.join(output)
+
+    def test_efi_capsule_auth2(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """
+        Test Case 2 - Update U-Boot on SPI Flash, raw image format
+                      0x100000-0x150000: U-Boot binary (but dummy)
+
+                      If the capsule is signed but with an invalid key,
+                      the authentication should fail and the firmware
+                      not be updated.
+        """
+        disk_img = efi_capsule_data
+        with u_boot_console.log.section('Test Case 2-a, before reboot'):
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
+                'efidebug boot order 1',
+                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
+                'env set dfu_alt_info '
+                        '"sf 0:0=u-boot-bin raw 0x100000 '
+                        '0x50000;u-boot-env raw 0x150000 0x200000"',
+                'env save'])
+
+            # initialize content
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'fatload host 0:1 4000000 %s/u-boot.bin.old'
+                        % CAPSULE_DATA_DIR,
+                'sf write 4000000 100000 10',
+                'sf read 5000000 100000 10',
+                'md.b 5000000 10'])
+            assert 'Old' in ''.join(output)
+
+            # place a capsule file
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR,
+                'fatwrite host 0:1 4000000 %s/Test12 $filesize'
+                                % CAPSULE_INSTALL_DIR,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test12' in ''.join(output)
+
+        # reboot
+        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
+        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
+                                    + '/test_sig.dtb'
+        u_boot_console.restart_uboot()
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 2-b, after reboot'):
+            if not capsule_early:
+                # make sure that dfu_alt_info exists even persistent variables
+                # are not available.
+                output = u_boot_console.run_command_list([
+                    'env set dfu_alt_info '
+                        '"sf 0:0=u-boot-bin raw 0x100000 '
+                        '0x50000;u-boot-env raw 0x150000 0x200000"',
+                    'host bind 0 %s' % disk_img,
+                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+                assert 'Test12' in ''.join(output)
+
+                # need to run uefi command to initiate capsule handling
+                output = u_boot_console.run_command(
+                    'env print -e Capsule0000')
+
+            # deleted any way
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test12' not in ''.join(output)
+
+            # TODO: check CapsuleStatus in CapsuleXXXX
+
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'sf read 4000000 100000 10',
+                'md.b 4000000 10'])
+            assert 'u-boot:Old' in ''.join(output)
+
+    def test_efi_capsule_auth3(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """
+        Test Case 3 - Update U-Boot on SPI Flash, raw image format
+                      0x100000-0x150000: U-Boot binary (but dummy)
+
+                      If the capsule is not signed, the authentication
+                      should fail and the firmware not be updated.
+        """
+        disk_img = efi_capsule_data
+        with u_boot_console.log.section('Test Case 3-a, before reboot'):
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
+                'efidebug boot order 1',
+                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
+                'env set dfu_alt_info '
+                        '"sf 0:0=u-boot-bin raw 0x100000 '
+                        '0x50000;u-boot-env raw 0x150000 0x200000"',
+                'env save'])
+
+            # initialize content
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'fatload host 0:1 4000000 %s/u-boot.bin.old'
+                        % CAPSULE_DATA_DIR,
+                'sf write 4000000 100000 10',
+                'sf read 5000000 100000 10',
+                'md.b 5000000 10'])
+            assert 'Old' in ''.join(output)
+
+            # place a capsule file
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR,
+                'fatwrite host 0:1 4000000 %s/Test02 $filesize'
+                            % CAPSULE_INSTALL_DIR,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test02' in ''.join(output)
+
+        # reboot
+        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
+        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
+                                    + '/test_sig.dtb'
+        u_boot_console.restart_uboot()
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 3-b, after reboot'):
+            if not capsule_early:
+                # make sure that dfu_alt_info exists even persistent variables
+                # are not available.
+                output = u_boot_console.run_command_list([
+                    'env set dfu_alt_info '
+                            '"sf 0:0=u-boot-bin raw 0x100000 '
+                            '0x50000;u-boot-env raw 0x150000 0x200000"',
+                    'host bind 0 %s' % disk_img,
+                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+                assert 'Test02' in ''.join(output)
+
+                # need to run uefi command to initiate capsule handling
+                output = u_boot_console.run_command(
+                    'env print -e Capsule0000')
+
+            # deleted any way
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test02' not in ''.join(output)
+
+            # TODO: check CapsuleStatus in CapsuleXXXX
+
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'sf read 4000000 100000 10',
+                'md.b 4000000 10'])
+            assert 'u-boot:Old' in ''.join(output)
-- 
2.33.0

Re: [PATCH v11 5/9] test/py: efi_capsule: add image authentication test

[Heinrich Schuchardt]

On 2/9/22 11:10, AKASHI Takahiro wrote:
> Add a couple of test cases against capsule image authentication
> for capsule-on-disk, where only a signed capsule file with the verified
> signature will be applied to the system.
>
> Due to the difficulty of embedding a public key (esl file) in U-Boot
> binary during pytest setup time, all the keys/certificates are pre-created.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

The test is not executed on Gitlab:

test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py sss

SKIPPED [3] /builds/u-boot/custodians/u-boot-efi/test/py/conftest.py:490:
.config feature "efi_capsule_authenticate" not enabled

Please, provide a defconfig with CONFIG_EFI_CAPSULE_AUTHENTICATE=y in a
follow-up patch.

Best regards

Heinrich


> ---
>   .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
>   test/py/tests/test_efi_capsule/conftest.py    |  52 +++-
>   test/py/tests/test_efi_capsule/signature.dts  |  10 +
>   .../test_capsule_firmware_signed.py           | 254 ++++++++++++++++++
>   4 files changed, 318 insertions(+), 3 deletions(-)
>   create mode 100644 test/py/tests/test_efi_capsule/signature.dts
>   create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
>
> diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> index 4fd6353c2040..59b40f11bd1d 100644
> --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> @@ -3,3 +3,8 @@
>   # Directories
>   CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
>   CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> +
> +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> +# you need build a newer version on your own.
> +# The path must terminate with '/' if it is not null.
> +EFITOOLS_PATH = ''
> diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> index 6ad5608cd71c..27c05971ca32 100644
> --- a/test/py/tests/test_efi_capsule/conftest.py
> +++ b/test/py/tests/test_efi_capsule/conftest.py
> @@ -10,13 +10,13 @@ import pytest
>   from capsule_defs import *
>
>   #
> -# Fixture for UEFI secure boot test
> +# Fixture for UEFI capsule test
>   #
>
> -
>   @pytest.fixture(scope='session')
>   def efi_capsule_data(request, u_boot_config):
> -    """Set up a file system to be used in UEFI capsule test.
> +    """Set up a file system to be used in UEFI capsule and
> +       authentication test.
>
>       Args:
>           request: Pytest request object.
> @@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
>           check_call('mkdir -p %s' % data_dir, shell=True)
>           check_call('mkdir -p %s' % install_dir, shell=True)
>
> +        capsule_auth_enabled = u_boot_config.buildconfig.get(
> +                    'config_efi_capsule_authenticate')
> +        if capsule_auth_enabled:
> +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> +            check_call('cd %s; '
> +                       'openssl req -x509 -sha256 -newkey rsa:2048 '
> +                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
> +                            '-out SIGNER.crt -nodes -days 365'
> +                       % data_dir, shell=True)
> +            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
> +                       % (data_dir, EFITOOLS_PATH), shell=True)
> +
> +            # Update dtb adding capsule certificate
> +            check_call('cd %s; '
> +                       'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
> +                       % (data_dir, u_boot_config.source_dir), shell=True)
> +            check_call('cd %s; '
> +                       'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
> +                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
> +                            '-o test_sig.dtb signature.dtbo'
> +                       % (data_dir, u_boot_config.build_dir), shell=True)
> +
> +            # Create *malicious* private key (SIGNER2.key) and certificate
> +            # (SIGNER2.crt)
> +            check_call('cd %s; '
> +                       'openssl req -x509 -sha256 -newkey rsa:2048 '
> +                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
> +                            '-out SIGNER2.crt -nodes -days 365'
> +                       % data_dir, shell=True)
> +
>           # Create capsule files
>           # two regions: one for u-boot.bin and the other for u-boot.env
>           check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
> @@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config):
>           check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
>                      (data_dir, u_boot_config.build_dir),
>                      shell=True)
> +        if capsule_auth_enabled:
> +            # firmware signed with proper key
> +            check_call('cd %s; '
> +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> +                            '--raw u-boot.bin.new Test11'
> +                       % (data_dir, u_boot_config.build_dir),
> +                       shell=True)
> +            # firmware signed with *mal* key
> +            check_call('cd %s; '
> +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> +                            '--private-key SIGNER2.key '
> +                            '--certificate SIGNER2.crt '
> +                            '--raw u-boot.bin.new Test12'
> +                       % (data_dir, u_boot_config.build_dir),
> +                       shell=True)
>
>           # Create a disk image with EFI system partition
>           check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
> diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts
> new file mode 100644
> index 000000000000..078cfc76c93c
> --- /dev/null
> +++ b/test/py/tests/test_efi_capsule/signature.dts
> @@ -0,0 +1,10 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +/plugin/;
> +
> +&{/} {
> +	signature {
> +		capsule-key = /incbin/("SIGNER.esl");
> +	};
> +};
> diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> new file mode 100644
> index 000000000000..593b032e9015
> --- /dev/null
> +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> @@ -0,0 +1,254 @@
> +# SPDX-License-Identifier:      GPL-2.0+
> +# Copyright (c) 2021, Linaro Limited
> +# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
> +#
> +# U-Boot UEFI: Firmware Update (Signed capsule) Test
> +
> +"""
> +This test verifies capsule-on-disk firmware update
> +with signed capsule files
> +"""
> +
> +import pytest
> +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR
> +
> +@pytest.mark.boardspec('sandbox')
> +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw')
> +@pytest.mark.buildconfigspec('efi_capsule_authenticate')
> +@pytest.mark.buildconfigspec('dfu')
> +@pytest.mark.buildconfigspec('dfu_sf')
> +@pytest.mark.buildconfigspec('cmd_efidebug')
> +@pytest.mark.buildconfigspec('cmd_fat')
> +@pytest.mark.buildconfigspec('cmd_memory')
> +@pytest.mark.buildconfigspec('cmd_nvedit_efi')
> +@pytest.mark.buildconfigspec('cmd_sf')
> +@pytest.mark.slow
> +class TestEfiCapsuleFirmwareSigned(object):
> +    def test_efi_capsule_auth1(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """
> +        Test Case 1 - Update U-Boot on SPI Flash, raw image format
> +                      0x100000-0x150000: U-Boot binary (but dummy)
> +
> +                      If the capsule is properly signed, the authentication
> +                      should pass and the firmware be updated.
> +        """
> +        disk_img = efi_capsule_data
> +        with u_boot_console.log.section('Test Case 1-a, before reboot'):
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> +                'efidebug boot order 1',
> +                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> +                'env set dfu_alt_info '
> +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> +                'env save'])
> +
> +            # initialize content
> +            output = u_boot_console.run_command_list([
> +                'sf probe 0:0',
> +                'fatload host 0:1 4000000 %s/u-boot.bin.old'
> +                        % CAPSULE_DATA_DIR,
> +                'sf write 4000000 100000 10',
> +                'sf read 5000000 100000 10',
> +                'md.b 5000000 10'])
> +            assert 'Old' in ''.join(output)
> +
> +            # place a capsule file
> +            output = u_boot_console.run_command_list([
> +                'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR,
> +                'fatwrite host 0:1 4000000 %s/Test11 $filesize'
> +                        % CAPSULE_INSTALL_DIR,
> +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +            assert 'Test11' in ''.join(output)
> +
> +        # reboot
> +        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> +        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> +                                    + '/test_sig.dtb'
> +        u_boot_console.restart_uboot()
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        with u_boot_console.log.section('Test Case 1-b, after reboot'):
> +            if not capsule_early:
> +                # make sure that dfu_alt_info exists even persistent variables
> +                # are not available.
> +                output = u_boot_console.run_command_list([
> +                    'env set dfu_alt_info '
> +                            '"sf 0:0=u-boot-bin raw 0x100000 '
> +                            '0x50000;u-boot-env raw 0x150000 0x200000"',
> +                    'host bind 0 %s' % disk_img,
> +                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +                assert 'Test11' in ''.join(output)
> +
> +                # need to run uefi command to initiate capsule handling
> +                output = u_boot_console.run_command(
> +                    'env print -e Capsule0000')
> +
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +            assert 'Test11' not in ''.join(output)
> +
> +            output = u_boot_console.run_command_list([
> +                'sf probe 0:0',
> +                'sf read 4000000 100000 10',
> +                'md.b 4000000 10'])
> +            assert 'u-boot:New' in ''.join(output)
> +
> +    def test_efi_capsule_auth2(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """
> +        Test Case 2 - Update U-Boot on SPI Flash, raw image format
> +                      0x100000-0x150000: U-Boot binary (but dummy)
> +
> +                      If the capsule is signed but with an invalid key,
> +                      the authentication should fail and the firmware
> +                      not be updated.
> +        """
> +        disk_img = efi_capsule_data
> +        with u_boot_console.log.section('Test Case 2-a, before reboot'):
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> +                'efidebug boot order 1',
> +                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> +                'env set dfu_alt_info '
> +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> +                'env save'])
> +
> +            # initialize content
> +            output = u_boot_console.run_command_list([
> +                'sf probe 0:0',
> +                'fatload host 0:1 4000000 %s/u-boot.bin.old'
> +                        % CAPSULE_DATA_DIR,
> +                'sf write 4000000 100000 10',
> +                'sf read 5000000 100000 10',
> +                'md.b 5000000 10'])
> +            assert 'Old' in ''.join(output)
> +
> +            # place a capsule file
> +            output = u_boot_console.run_command_list([
> +                'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR,
> +                'fatwrite host 0:1 4000000 %s/Test12 $filesize'
> +                                % CAPSULE_INSTALL_DIR,
> +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +            assert 'Test12' in ''.join(output)
> +
> +        # reboot
> +        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> +        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> +                                    + '/test_sig.dtb'
> +        u_boot_console.restart_uboot()
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        with u_boot_console.log.section('Test Case 2-b, after reboot'):
> +            if not capsule_early:
> +                # make sure that dfu_alt_info exists even persistent variables
> +                # are not available.
> +                output = u_boot_console.run_command_list([
> +                    'env set dfu_alt_info '
> +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> +                    'host bind 0 %s' % disk_img,
> +                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +                assert 'Test12' in ''.join(output)
> +
> +                # need to run uefi command to initiate capsule handling
> +                output = u_boot_console.run_command(
> +                    'env print -e Capsule0000')
> +
> +            # deleted any way
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +            assert 'Test12' not in ''.join(output)
> +
> +            # TODO: check CapsuleStatus in CapsuleXXXX
> +
> +            output = u_boot_console.run_command_list([
> +                'sf probe 0:0',
> +                'sf read 4000000 100000 10',
> +                'md.b 4000000 10'])
> +            assert 'u-boot:Old' in ''.join(output)
> +
> +    def test_efi_capsule_auth3(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """
> +        Test Case 3 - Update U-Boot on SPI Flash, raw image format
> +                      0x100000-0x150000: U-Boot binary (but dummy)
> +
> +                      If the capsule is not signed, the authentication
> +                      should fail and the firmware not be updated.
> +        """
> +        disk_img = efi_capsule_data
> +        with u_boot_console.log.section('Test Case 3-a, before reboot'):
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> +                'efidebug boot order 1',
> +                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> +                'env set dfu_alt_info '
> +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> +                'env save'])
> +
> +            # initialize content
> +            output = u_boot_console.run_command_list([
> +                'sf probe 0:0',
> +                'fatload host 0:1 4000000 %s/u-boot.bin.old'
> +                        % CAPSULE_DATA_DIR,
> +                'sf write 4000000 100000 10',
> +                'sf read 5000000 100000 10',
> +                'md.b 5000000 10'])
> +            assert 'Old' in ''.join(output)
> +
> +            # place a capsule file
> +            output = u_boot_console.run_command_list([
> +                'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR,
> +                'fatwrite host 0:1 4000000 %s/Test02 $filesize'
> +                            % CAPSULE_INSTALL_DIR,
> +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +            assert 'Test02' in ''.join(output)
> +
> +        # reboot
> +        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> +        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> +                                    + '/test_sig.dtb'
> +        u_boot_console.restart_uboot()
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        with u_boot_console.log.section('Test Case 3-b, after reboot'):
> +            if not capsule_early:
> +                # make sure that dfu_alt_info exists even persistent variables
> +                # are not available.
> +                output = u_boot_console.run_command_list([
> +                    'env set dfu_alt_info '
> +                            '"sf 0:0=u-boot-bin raw 0x100000 '
> +                            '0x50000;u-boot-env raw 0x150000 0x200000"',
> +                    'host bind 0 %s' % disk_img,
> +                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +                assert 'Test02' in ''.join(output)
> +
> +                # need to run uefi command to initiate capsule handling
> +                output = u_boot_console.run_command(
> +                    'env print -e Capsule0000')
> +
> +            # deleted any way
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> +            assert 'Test02' not in ''.join(output)
> +
> +            # TODO: check CapsuleStatus in CapsuleXXXX
> +
> +            output = u_boot_console.run_command_list([
> +                'sf probe 0:0',
> +                'sf read 4000000 100000 10',
> +                'md.b 4000000 10'])
> +            assert 'u-boot:Old' in ''.join(output)

Re: [PATCH v11 5/9] test/py: efi_capsule: add image authentication test

[AKASHI Takahiro]

Heinrich,

On Fri, Feb 11, 2022 at 08:25:15PM +0100, Heinrich Schuchardt wrote:
> On 2/9/22 11:10, AKASHI Takahiro wrote:
> > Add a couple of test cases against capsule image authentication
> > for capsule-on-disk, where only a signed capsule file with the verified
> > signature will be applied to the system.
> > 
> > Due to the difficulty of embedding a public key (esl file) in U-Boot
> > binary during pytest setup time, all the keys/certificates are pre-created.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> > Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> 
> The test is not executed on Gitlab:
> 
> test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py sss
> 
> SKIPPED [3] /builds/u-boot/custodians/u-boot-efi/test/py/conftest.py:490:
> .config feature "efi_capsule_authenticate" not enabled
> 
> Please, provide a defconfig with CONFIG_EFI_CAPSULE_AUTHENTICATE=y in a
> follow-up patch.

This is somehow intentional.
I don't remember quite well, but when I tried to add another defconfig file
for sandbox to initiate some test in the past, you or Simon (sorry if I
remember incorrectly here) opposed it.

Please also note that adding CONFIG_EFI_CAPSULE_AUTHENTICATE to
sandbox_defconfig doesn't make sense as it makes non-signed capsule
tests (test_capsule_firmware.py) meaningless.

-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> 
> > ---
> >   .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> >   test/py/tests/test_efi_capsule/conftest.py    |  52 +++-
> >   test/py/tests/test_efi_capsule/signature.dts  |  10 +
> >   .../test_capsule_firmware_signed.py           | 254 ++++++++++++++++++
> >   4 files changed, 318 insertions(+), 3 deletions(-)
> >   create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> >   create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > 
> > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> > index 4fd6353c2040..59b40f11bd1d 100644
> > --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> > @@ -3,3 +3,8 @@
> >   # Directories
> >   CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
> >   CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> > +
> > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> > +# you need build a newer version on your own.
> > +# The path must terminate with '/' if it is not null.
> > +EFITOOLS_PATH = ''
> > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> > index 6ad5608cd71c..27c05971ca32 100644
> > --- a/test/py/tests/test_efi_capsule/conftest.py
> > +++ b/test/py/tests/test_efi_capsule/conftest.py
> > @@ -10,13 +10,13 @@ import pytest
> >   from capsule_defs import *
> > 
> >   #
> > -# Fixture for UEFI secure boot test
> > +# Fixture for UEFI capsule test
> >   #
> > 
> > -
> >   @pytest.fixture(scope='session')
> >   def efi_capsule_data(request, u_boot_config):
> > -    """Set up a file system to be used in UEFI capsule test.
> > +    """Set up a file system to be used in UEFI capsule and
> > +       authentication test.
> > 
> >       Args:
> >           request: Pytest request object.
> > @@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
> >           check_call('mkdir -p %s' % data_dir, shell=True)
> >           check_call('mkdir -p %s' % install_dir, shell=True)
> > 
> > +        capsule_auth_enabled = u_boot_config.buildconfig.get(
> > +                    'config_efi_capsule_authenticate')
> > +        if capsule_auth_enabled:
> > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> > +            check_call('cd %s; '
> > +                       'openssl req -x509 -sha256 -newkey rsa:2048 '
> > +                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
> > +                            '-out SIGNER.crt -nodes -days 365'
> > +                       % data_dir, shell=True)
> > +            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
> > +                       % (data_dir, EFITOOLS_PATH), shell=True)
> > +
> > +            # Update dtb adding capsule certificate
> > +            check_call('cd %s; '
> > +                       'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
> > +                       % (data_dir, u_boot_config.source_dir), shell=True)
> > +            check_call('cd %s; '
> > +                       'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
> > +                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
> > +                            '-o test_sig.dtb signature.dtbo'
> > +                       % (data_dir, u_boot_config.build_dir), shell=True)
> > +
> > +            # Create *malicious* private key (SIGNER2.key) and certificate
> > +            # (SIGNER2.crt)
> > +            check_call('cd %s; '
> > +                       'openssl req -x509 -sha256 -newkey rsa:2048 '
> > +                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
> > +                            '-out SIGNER2.crt -nodes -days 365'
> > +                       % data_dir, shell=True)
> > +
> >           # Create capsule files
> >           # two regions: one for u-boot.bin and the other for u-boot.env
> >           check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
> > @@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config):
> >           check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
> >                      (data_dir, u_boot_config.build_dir),
> >                      shell=True)
> > +        if capsule_auth_enabled:
> > +            # firmware signed with proper key
> > +            check_call('cd %s; '
> > +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> > +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> > +                            '--raw u-boot.bin.new Test11'
> > +                       % (data_dir, u_boot_config.build_dir),
> > +                       shell=True)
> > +            # firmware signed with *mal* key
> > +            check_call('cd %s; '
> > +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> > +                            '--private-key SIGNER2.key '
> > +                            '--certificate SIGNER2.crt '
> > +                            '--raw u-boot.bin.new Test12'
> > +                       % (data_dir, u_boot_config.build_dir),
> > +                       shell=True)
> > 
> >           # Create a disk image with EFI system partition
> >           check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
> > diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts
> > new file mode 100644
> > index 000000000000..078cfc76c93c
> > --- /dev/null
> > +++ b/test/py/tests/test_efi_capsule/signature.dts
> > @@ -0,0 +1,10 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +
> > +/dts-v1/;
> > +/plugin/;
> > +
> > +&{/} {
> > +	signature {
> > +		capsule-key = /incbin/("SIGNER.esl");
> > +	};
> > +};
> > diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > new file mode 100644
> > index 000000000000..593b032e9015
> > --- /dev/null
> > +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > @@ -0,0 +1,254 @@
> > +# SPDX-License-Identifier:      GPL-2.0+
> > +# Copyright (c) 2021, Linaro Limited
> > +# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > +#
> > +# U-Boot UEFI: Firmware Update (Signed capsule) Test
> > +
> > +"""
> > +This test verifies capsule-on-disk firmware update
> > +with signed capsule files
> > +"""
> > +
> > +import pytest
> > +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR
> > +
> > +@pytest.mark.boardspec('sandbox')
> > +@pytest.mark.buildconfigspec('efi_capsule_firmware_raw')
> > +@pytest.mark.buildconfigspec('efi_capsule_authenticate')
> > +@pytest.mark.buildconfigspec('dfu')
> > +@pytest.mark.buildconfigspec('dfu_sf')
> > +@pytest.mark.buildconfigspec('cmd_efidebug')
> > +@pytest.mark.buildconfigspec('cmd_fat')
> > +@pytest.mark.buildconfigspec('cmd_memory')
> > +@pytest.mark.buildconfigspec('cmd_nvedit_efi')
> > +@pytest.mark.buildconfigspec('cmd_sf')
> > +@pytest.mark.slow
> > +class TestEfiCapsuleFirmwareSigned(object):
> > +    def test_efi_capsule_auth1(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """
> > +        Test Case 1 - Update U-Boot on SPI Flash, raw image format
> > +                      0x100000-0x150000: U-Boot binary (but dummy)
> > +
> > +                      If the capsule is properly signed, the authentication
> > +                      should pass and the firmware be updated.
> > +        """
> > +        disk_img = efi_capsule_data
> > +        with u_boot_console.log.section('Test Case 1-a, before reboot'):
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> > +                'efidebug boot order 1',
> > +                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> > +                'env set dfu_alt_info '
> > +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> > +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                'env save'])
> > +
> > +            # initialize content
> > +            output = u_boot_console.run_command_list([
> > +                'sf probe 0:0',
> > +                'fatload host 0:1 4000000 %s/u-boot.bin.old'
> > +                        % CAPSULE_DATA_DIR,
> > +                'sf write 4000000 100000 10',
> > +                'sf read 5000000 100000 10',
> > +                'md.b 5000000 10'])
> > +            assert 'Old' in ''.join(output)
> > +
> > +            # place a capsule file
> > +            output = u_boot_console.run_command_list([
> > +                'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR,
> > +                'fatwrite host 0:1 4000000 %s/Test11 $filesize'
> > +                        % CAPSULE_INSTALL_DIR,
> > +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +            assert 'Test11' in ''.join(output)
> > +
> > +        # reboot
> > +        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> > +        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> > +                                    + '/test_sig.dtb'
> > +        u_boot_console.restart_uboot()
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        with u_boot_console.log.section('Test Case 1-b, after reboot'):
> > +            if not capsule_early:
> > +                # make sure that dfu_alt_info exists even persistent variables
> > +                # are not available.
> > +                output = u_boot_console.run_command_list([
> > +                    'env set dfu_alt_info '
> > +                            '"sf 0:0=u-boot-bin raw 0x100000 '
> > +                            '0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                    'host bind 0 %s' % disk_img,
> > +                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +                assert 'Test11' in ''.join(output)
> > +
> > +                # need to run uefi command to initiate capsule handling
> > +                output = u_boot_console.run_command(
> > +                    'env print -e Capsule0000')
> > +
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +            assert 'Test11' not in ''.join(output)
> > +
> > +            output = u_boot_console.run_command_list([
> > +                'sf probe 0:0',
> > +                'sf read 4000000 100000 10',
> > +                'md.b 4000000 10'])
> > +            assert 'u-boot:New' in ''.join(output)
> > +
> > +    def test_efi_capsule_auth2(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """
> > +        Test Case 2 - Update U-Boot on SPI Flash, raw image format
> > +                      0x100000-0x150000: U-Boot binary (but dummy)
> > +
> > +                      If the capsule is signed but with an invalid key,
> > +                      the authentication should fail and the firmware
> > +                      not be updated.
> > +        """
> > +        disk_img = efi_capsule_data
> > +        with u_boot_console.log.section('Test Case 2-a, before reboot'):
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> > +                'efidebug boot order 1',
> > +                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> > +                'env set dfu_alt_info '
> > +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> > +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                'env save'])
> > +
> > +            # initialize content
> > +            output = u_boot_console.run_command_list([
> > +                'sf probe 0:0',
> > +                'fatload host 0:1 4000000 %s/u-boot.bin.old'
> > +                        % CAPSULE_DATA_DIR,
> > +                'sf write 4000000 100000 10',
> > +                'sf read 5000000 100000 10',
> > +                'md.b 5000000 10'])
> > +            assert 'Old' in ''.join(output)
> > +
> > +            # place a capsule file
> > +            output = u_boot_console.run_command_list([
> > +                'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR,
> > +                'fatwrite host 0:1 4000000 %s/Test12 $filesize'
> > +                                % CAPSULE_INSTALL_DIR,
> > +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +            assert 'Test12' in ''.join(output)
> > +
> > +        # reboot
> > +        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> > +        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> > +                                    + '/test_sig.dtb'
> > +        u_boot_console.restart_uboot()
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        with u_boot_console.log.section('Test Case 2-b, after reboot'):
> > +            if not capsule_early:
> > +                # make sure that dfu_alt_info exists even persistent variables
> > +                # are not available.
> > +                output = u_boot_console.run_command_list([
> > +                    'env set dfu_alt_info '
> > +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> > +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                    'host bind 0 %s' % disk_img,
> > +                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +                assert 'Test12' in ''.join(output)
> > +
> > +                # need to run uefi command to initiate capsule handling
> > +                output = u_boot_console.run_command(
> > +                    'env print -e Capsule0000')
> > +
> > +            # deleted any way
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +            assert 'Test12' not in ''.join(output)
> > +
> > +            # TODO: check CapsuleStatus in CapsuleXXXX
> > +
> > +            output = u_boot_console.run_command_list([
> > +                'sf probe 0:0',
> > +                'sf read 4000000 100000 10',
> > +                'md.b 4000000 10'])
> > +            assert 'u-boot:Old' in ''.join(output)
> > +
> > +    def test_efi_capsule_auth3(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """
> > +        Test Case 3 - Update U-Boot on SPI Flash, raw image format
> > +                      0x100000-0x150000: U-Boot binary (but dummy)
> > +
> > +                      If the capsule is not signed, the authentication
> > +                      should fail and the firmware not be updated.
> > +        """
> > +        disk_img = efi_capsule_data
> > +        with u_boot_console.log.section('Test Case 3-a, before reboot'):
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> > +                'efidebug boot order 1',
> > +                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> > +                'env set dfu_alt_info '
> > +                        '"sf 0:0=u-boot-bin raw 0x100000 '
> > +                        '0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                'env save'])
> > +
> > +            # initialize content
> > +            output = u_boot_console.run_command_list([
> > +                'sf probe 0:0',
> > +                'fatload host 0:1 4000000 %s/u-boot.bin.old'
> > +                        % CAPSULE_DATA_DIR,
> > +                'sf write 4000000 100000 10',
> > +                'sf read 5000000 100000 10',
> > +                'md.b 5000000 10'])
> > +            assert 'Old' in ''.join(output)
> > +
> > +            # place a capsule file
> > +            output = u_boot_console.run_command_list([
> > +                'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR,
> > +                'fatwrite host 0:1 4000000 %s/Test02 $filesize'
> > +                            % CAPSULE_INSTALL_DIR,
> > +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +            assert 'Test02' in ''.join(output)
> > +
> > +        # reboot
> > +        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> > +        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> > +                                    + '/test_sig.dtb'
> > +        u_boot_console.restart_uboot()
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        with u_boot_console.log.section('Test Case 3-b, after reboot'):
> > +            if not capsule_early:
> > +                # make sure that dfu_alt_info exists even persistent variables
> > +                # are not available.
> > +                output = u_boot_console.run_command_list([
> > +                    'env set dfu_alt_info '
> > +                            '"sf 0:0=u-boot-bin raw 0x100000 '
> > +                            '0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                    'host bind 0 %s' % disk_img,
> > +                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +                assert 'Test02' in ''.join(output)
> > +
> > +                # need to run uefi command to initiate capsule handling
> > +                output = u_boot_console.run_command(
> > +                    'env print -e Capsule0000')
> > +
> > +            # deleted any way
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> > +            assert 'Test02' not in ''.join(output)
> > +
> > +            # TODO: check CapsuleStatus in CapsuleXXXX
> > +
> > +            output = u_boot_console.run_command_list([
> > +                'sf probe 0:0',
> > +                'sf read 4000000 100000 10',
> > +                'md.b 4000000 10'])
> > +            assert 'u-boot:Old' in ''.join(output)
> 

Re: [PATCH v11 5/9] test/py: efi_capsule: add image authentication test

[Heinrich Schuchardt]

On 2/14/22 01:43, AKASHI Takahiro wrote:
> Heinrich,
>
> On Fri, Feb 11, 2022 at 08:25:15PM +0100, Heinrich Schuchardt wrote:
>> On 2/9/22 11:10, AKASHI Takahiro wrote:
>>> Add a couple of test cases against capsule image authentication
>>> for capsule-on-disk, where only a signed capsule file with the verified
>>> signature will be applied to the system.
>>>
>>> Due to the difficulty of embedding a public key (esl file) in U-Boot
>>> binary during pytest setup time, all the keys/certificates are pre-created.
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>> Reviewed-by: Simon Glass <sjg@chromium.org>
>>> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>>
>> The test is not executed on Gitlab:
>>
>> test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py sss
>>
>> SKIPPED [3] /builds/u-boot/custodians/u-boot-efi/test/py/conftest.py:490:
>> .config feature "efi_capsule_authenticate" not enabled
>>
>> Please, provide a defconfig with CONFIG_EFI_CAPSULE_AUTHENTICATE=y in a
>> follow-up patch.
>
> This is somehow intentional.
> I don't remember quite well, but when I tried to add another defconfig file
> for sandbox to initiate some test in the past, you or Simon (sorry if I
> remember incorrectly here) opposed it.
>
> Please also note that adding CONFIG_EFI_CAPSULE_AUTHENTICATE to
> sandbox_defconfig doesn't make sense as it makes non-signed capsule
> tests (test_capsule_firmware.py) meaningless.

This function really should be tested in Gitlab. How about adding the
setting to sandbox_spl_defconfig?

You will have to change test/run line 31 for the test to be run on
sandbox_spl.

Best regards

Heinrich

>
> -Takahiro Akashi

[PATCH v11 6/9] tools: mkeficapsule: allow for specifying GUID explicitly

[AKASHI Takahiro]

The existing options, "--fit" and "--raw," are only used to put a proper
GUID in a capsule header, where GUID identifies a particular FMP (Firmware
Management Protocol) driver which then would handle the firmware binary in
a capsule. In fact, mkeficapsule does the exact same job in creating
a capsule file whatever the firmware binary type is.

To prepare for the future extension, the command syntax will be a bit
modified to allow users to specify arbitrary GUID for their own FMP driver.
OLD:
   [--fit <image> | --raw <image>] <capsule file>
NEW:
   [--fit | --raw | --guid <guid-string>] <image> <capsule file>

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 .azure-pipelines.yml      |  4 +-
 doc/develop/uefi/uefi.rst |  4 +-
 doc/mkeficapsule.1        | 26 ++++++++----
 tools/Makefile            |  2 +-
 tools/mkeficapsule.c      | 85 ++++++++++++++++++++++++++++-----------
 5 files changed, 86 insertions(+), 35 deletions(-)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index aecc9cb88441..eb8ec630a593 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -25,7 +25,7 @@ stages:
           %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm -Syyuu"
         displayName: 'Update MSYS2'
       - script: |
-          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel libgnutls-devel"
+          %CD:~0,2%\msys64\usr\bin\bash -lc "pacman --noconfirm --needed -Sy make gcc bison flex diffutils openssl-devel libgnutls-devel libutil-linux-devel"
         displayName: 'Install Toolchain'
       - script: |
           echo make tools-only_defconfig tools-only NO_SDL=1 > build-tools.sh
@@ -42,7 +42,7 @@ stages:
     pool:
       vmImage: $(macos_vm)
     steps:
-      - script: brew install make
+      - script: brew install make ossp-uuid
         displayName: Brew install dependencies
       - script: |
           gmake tools-only_config tools-only NO_SDL=1 \
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 52a38c6b231c..b7bf1356276d 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -375,8 +375,8 @@ and used by the steps highlighted below.
       --private-key CRT.key \
       --certificate CRT.crt \
       --index 1 --instance 0 \
-      [--fit <FIT image> | --raw <raw image>] \
-      <capsule_file_name>
+      [--fit | --raw | --guid <guid-string] \
+      <image_blob> <capsule_file_name>
 
 4. Insert the signature list into a device tree in the following format::
 
diff --git a/doc/mkeficapsule.1 b/doc/mkeficapsule.1
index 680362f5c4e9..8babb27ee8b2 100644
--- a/doc/mkeficapsule.1
+++ b/doc/mkeficapsule.1
@@ -8,7 +8,7 @@ mkeficapsule \- Generate EFI capsule file for U-Boot
 
 .SH SYNOPSIS
 .B mkeficapsule
-.RI [ options "] " capsule-file
+.RI [ options "] " image-blob " " capsule-file
 
 .SH "DESCRIPTION"
 .B mkeficapsule
@@ -24,7 +24,7 @@ In this case, the update will be authenticated by verifying the signature
 before applying.
 
 .B mkeficapsule
-supports two different format of image files:
+takes any type of image files, including:
 .TP
 .I raw image
 format is a single binary blob of any type of firmware.
@@ -36,18 +36,30 @@ multiple binary blobs in a single capsule file.
 This type of image file can be generated by
 .BR mkimage .
 
+.PP
+If you want to use other types than above two, you should explicitly
+specify a guid for the FMP driver.
+
 .SH "OPTIONS"
 One of
-.BR --fit " or " --raw
+.BR --fit ", " --raw " or " --guid
 option must be specified.
 
 .TP
-.BI "-f\fR,\fB --fit " fit-image-file
-Specify a FIT image file
+.BR -f ", " --fit
+Indicate that the blob is a FIT image file
 
 .TP
-.BI "-r\fR,\fB --raw " raw-image-file
-Specify a raw image file
+.BR -r ", " --raw
+Indicate that the blob is a raw image file
+
+.TP
+.BI "-g\fR,\fB --guid " guid-string
+Specify guid for image blob type. The format is:
+    xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+
+The first three elements are in little endian, while the rest
+is in big endian.
 
 .TP
 .BI "-i\fR,\fB --index " index
diff --git a/tools/Makefile b/tools/Makefile
index 8da07d60a755..5409ff2879c6 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -238,7 +238,7 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs
 hostprogs-$(CONFIG_ASN1_COMPILER)	+= asn1_compiler
 HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
 
-HOSTLDLIBS_mkeficapsule += -lgnutls
+HOSTLDLIBS_mkeficapsule += -lgnutls -luuid
 hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
 
 # We build some files with extra pedantic flags to try to minimize things
diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c
index b996c66ad26a..7ff1f999db85 100644
--- a/tools/mkeficapsule.c
+++ b/tools/mkeficapsule.c
@@ -15,7 +15,7 @@
 
 #include <sys/stat.h>
 #include <sys/types.h>
-
+#include <uuid/uuid.h>
 #include <linux/kconfig.h>
 
 #include <gnutls/gnutls.h>
@@ -33,11 +33,12 @@ efi_guid_t efi_guid_image_type_uboot_raw =
 		EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID;
 efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
 
-static const char *opts_short = "f:r:i:I:v:p:c:m:dh";
+static const char *opts_short = "frg:i:I:v:p:c:m:dh";
 
 static struct option options[] = {
-	{"fit", required_argument, NULL, 'f'},
-	{"raw", required_argument, NULL, 'r'},
+	{"fit", no_argument, NULL, 'f'},
+	{"raw", no_argument, NULL, 'r'},
+	{"guid", required_argument, NULL, 'g'},
 	{"index", required_argument, NULL, 'i'},
 	{"instance", required_argument, NULL, 'I'},
 	{"private-key", required_argument, NULL, 'p'},
@@ -50,11 +51,12 @@ static struct option options[] = {
 
 static void print_usage(void)
 {
-	printf("Usage: %s [options] <output file>\n"
+	fprintf(stderr, "Usage: %s [options] <image blob> <output file>\n"
 		"Options:\n"
 
-		"\t-f, --fit <fit image>       new FIT image file\n"
-		"\t-r, --raw <raw image>       new raw image file\n"
+		"\t-f, --fit                   FIT image type\n"
+		"\t-r, --raw                   raw image type\n"
+		"\t-g, --guid <guid string>    guid for image blob type\n"
 		"\t-i, --index <index>         update image index\n"
 		"\t-I, --instance <instance>   update hardware instance\n"
 		"\t-p, --private-key <privkey file>  private key file\n"
@@ -541,6 +543,37 @@ err:
 	return ret;
 }
 
+/**
+ * convert_uuid_to_guid() - convert UUID to GUID
+ * @buf:	UUID binary
+ *
+ * UUID and GUID have the same data structure, but their binary
+ * formats are different due to the endianness. See lib/uuid.c.
+ * Since uuid_parse() can handle only UUID, this function must
+ * be called to get correct data for GUID when parsing a string.
+ *
+ * The correct data will be returned in @buf.
+ */
+void convert_uuid_to_guid(unsigned char *buf)
+{
+	unsigned char c;
+
+	c = buf[0];
+	buf[0] = buf[3];
+	buf[3] = c;
+	c = buf[1];
+	buf[1] = buf[2];
+	buf[2] = c;
+
+	c = buf[4];
+	buf[4] = buf[5];
+	buf[5] = c;
+
+	c = buf[6];
+	buf[6] = buf[7];
+	buf[7] = c;
+}
+
 /**
  * main - main entry function of mkeficapsule
  * @argc:	Number of arguments
@@ -555,14 +588,13 @@ err:
  */
 int main(int argc, char **argv)
 {
-	char *file;
 	efi_guid_t *guid;
+	unsigned char uuid_buf[16];
 	unsigned long index, instance;
 	uint64_t mcount;
 	char *privkey_file, *cert_file;
 	int c, idx;
 
-	file = NULL;
 	guid = NULL;
 	index = 0;
 	instance = 0;
@@ -577,21 +609,34 @@ int main(int argc, char **argv)
 
 		switch (c) {
 		case 'f':
-			if (file) {
-				fprintf(stderr, "Image already specified\n");
+			if (guid) {
+				fprintf(stderr,
+					"Image type already specified\n");
 				exit(EXIT_FAILURE);
 			}
-			file = optarg;
 			guid = &efi_guid_image_type_uboot_fit;
 			break;
 		case 'r':
-			if (file) {
-				fprintf(stderr, "Image already specified\n");
+			if (guid) {
+				fprintf(stderr,
+					"Image type already specified\n");
 				exit(EXIT_FAILURE);
 			}
-			file = optarg;
 			guid = &efi_guid_image_type_uboot_raw;
 			break;
+		case 'g':
+			if (guid) {
+				fprintf(stderr,
+					"Image type already specified\n");
+				exit(EXIT_FAILURE);
+			}
+			if (uuid_parse(optarg, uuid_buf)) {
+				fprintf(stderr, "Wrong guid format\n");
+				exit(EXIT_FAILURE);
+			}
+			convert_uuid_to_guid(uuid_buf);
+			guid = (efi_guid_t *)uuid_buf;
+			break;
 		case 'i':
 			index = strtoul(optarg, NULL, 0);
 			break;
@@ -627,20 +672,14 @@ int main(int argc, char **argv)
 	}
 
 	/* check necessary parameters */
-	if ((argc != optind + 1) || !file ||
+	if ((argc != optind + 2) || !guid ||
 	    ((privkey_file && !cert_file) ||
 	     (!privkey_file && cert_file))) {
 		print_usage();
 		exit(EXIT_FAILURE);
 	}
 
-	/* need a fit image file or raw image file */
-	if (!file) {
-		print_usage();
-		exit(EXIT_SUCCESS);
-	}
-
-	if (create_fwbin(argv[optind], file, guid, index, instance,
+	if (create_fwbin(argv[argc - 1], argv[argc - 2], guid, index, instance,
 			 mcount, privkey_file, cert_file) < 0) {
 		fprintf(stderr, "Creating firmware capsule failed\n");
 		exit(EXIT_FAILURE);
-- 
2.33.0

[PATCH v11 7/9] test/py: efi_capsule: align with the syntax change of mkeficapsule

[AKASHI Takahiro]

Since the syntax of mkeficapsule was changed in the previous commit,
we need to modify command line arguments in a pytest script.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 test/py/tests/test_efi_capsule/conftest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 27c05971ca32..a5a25c53dcb4 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -80,10 +80,10 @@ def efi_capsule_data(request, u_boot_config):
         check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' %
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
         if capsule_auth_enabled:
-- 
2.33.0

[PATCH v11 8/9] test/py: efi_capsule: add a test for "--guid" option

[AKASHI Takahiro]

This test scenario tests a new feature of mkeficapsule, "--guid" option,
which allows us to specify FMP driver's guid explicitly at the command
line.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 test/py/tests/test_efi_capsule/conftest.py    |  3 +
 .../test_efi_capsule/test_capsule_firmware.py | 67 +++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index a5a25c53dcb4..9076087a12b7 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -86,6 +86,9 @@ def efi_capsule_data(request, u_boot_config):
         check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' %
+                   (data_dir, u_boot_config.build_dir),
+                   shell=True)
         if capsule_auth_enabled:
             # firmware signed with proper key
             check_call('cd %s; '
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
index 9eeaae27d626..9cc973560fa1 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
@@ -247,3 +247,70 @@ class TestEfiCapsuleFirmwareFit(object):
                 'sf read 4000000 100000 10',
                 'md.b 4000000 10'])
             assert 'u-boot:New' in ''.join(output)
+
+    def test_efi_capsule_fw4(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """
+        Test Case 4 - Test "--guid" option of mkeficapsule
+                      The test scenario is the same as Case 3.
+        """
+        disk_img = efi_capsule_data
+        with u_boot_console.log.section('Test Case 4-a, before reboot'):
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""',
+                'efidebug boot order 1',
+                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'env save'])
+
+            # initialize content
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR,
+                'sf write 4000000 100000 10',
+                'sf read 5000000 100000 10',
+                'md.b 5000000 10'])
+            assert 'Old' in ''.join(output)
+
+            # place a capsule file
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR,
+                'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test03' in ''.join(output)
+
+        # reboot
+        u_boot_console.restart_uboot()
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 4-b, after reboot'):
+            if not capsule_early:
+                # make sure that dfu_alt_info exists even persistent variables
+                # are not available.
+                output = u_boot_console.run_command_list([
+                    'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                    'host bind 0 %s' % disk_img,
+                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+                assert 'Test03' in ''.join(output)
+
+                # need to run uefi command to initiate capsule handling
+                output = u_boot_console.run_command(
+                    'env print -e Capsule0000')
+
+            output = u_boot_console.run_command_list(['efidebug capsule esrt'])
+
+            # ensure that  EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT.
+            assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output)
+
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test03' not in ''.join(output)
+
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'sf read 4000000 100000 10',
+                'md.b 4000000 10'])
+            assert 'u-boot:New' in ''.join(output)
-- 
2.33.0

[PATCH v11 9/9] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE

[AKASHI Takahiro]

Before the capsule authentication is supported, this test script works
correctly, but with the feature enabled, most tests will fail due to
unsigned capsules.
So check the results depending on CAPSULE_AUTHENTICATE or not.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 .../test_efi_capsule/test_capsule_firmware.py | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware.py b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
index 9cc973560fa1..6e803f699f2f 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware.py
@@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object):
 
         capsule_early = u_boot_config.buildconfig.get(
             'config_efi_capsule_on_disk_early')
+        capsule_auth = u_boot_config.buildconfig.get(
+            'config_efi_capsule_authenticate')
         with u_boot_console.log.section('Test Case 2-b, after reboot'):
             if not capsule_early:
                 # make sure that dfu_alt_info exists even persistent variables
@@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object):
                 'sf probe 0:0',
                 'sf read 4000000 100000 10',
                 'md.b 4000000 10'])
-            assert 'u-boot:New' in ''.join(output)
+            if capsule_auth:
+                assert 'u-boot:Old' in ''.join(output)
+            else:
+                assert 'u-boot:New' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'sf read 4000000 150000 10',
                 'md.b 4000000 10'])
-            assert 'u-boot-env:New' in ''.join(output)
+            if capsule_auth:
+                assert 'u-boot-env:Old' in ''.join(output)
+            else:
+                assert 'u-boot-env:New' in ''.join(output)
 
     def test_efi_capsule_fw3(
             self, u_boot_config, u_boot_console, efi_capsule_data):
@@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object):
 
         capsule_early = u_boot_config.buildconfig.get(
             'config_efi_capsule_on_disk_early')
+        capsule_auth = u_boot_config.buildconfig.get(
+            'config_efi_capsule_authenticate')
         with u_boot_console.log.section('Test Case 3-b, after reboot'):
             if not capsule_early:
                 # make sure that dfu_alt_info exists even persistent variables
@@ -246,7 +256,10 @@ class TestEfiCapsuleFirmwareFit(object):
                 'sf probe 0:0',
                 'sf read 4000000 100000 10',
                 'md.b 4000000 10'])
-            assert 'u-boot:New' in ''.join(output)
+            if capsule_auth:
+                assert 'u-boot:Old' in ''.join(output)
+            else:
+                assert 'u-boot:New' in ''.join(output)
 
     def test_efi_capsule_fw4(
             self, u_boot_config, u_boot_console, efi_capsule_data):
@@ -285,6 +298,8 @@ class TestEfiCapsuleFirmwareFit(object):
 
         capsule_early = u_boot_config.buildconfig.get(
             'config_efi_capsule_on_disk_early')
+        capsule_auth = u_boot_config.buildconfig.get(
+            'config_efi_capsule_authenticate')
         with u_boot_console.log.section('Test Case 4-b, after reboot'):
             if not capsule_early:
                 # make sure that dfu_alt_info exists even persistent variables
@@ -313,4 +328,7 @@ class TestEfiCapsuleFirmwareFit(object):
                 'sf probe 0:0',
                 'sf read 4000000 100000 10',
                 'md.b 4000000 10'])
-            assert 'u-boot:New' in ''.join(output)
+            if capsule_auth:
+                assert 'u-boot:Old' in ''.join(output)
+            else:
+                assert 'u-boot:New' in ''.join(output)
-- 
2.33.0