Subject: Re: [PATCH v3 3/5] doc: update UEFI document for usage of mkeficapsule
To: AKASHI Takahiro
Cc: ilias.apalodimas@linaro.org, sughosh.ganu@linaro.org, masami.hiramatsu@linaro.org, u-boot@lists.denx.de, agraf@csgraf.de
From: Heinrich Schuchardt
Date: Tue, 31 Aug 2021 08:07:18 +0200

On 8/31/21 4:46 AM, AKASHI Takahiro wrote: > Now we can use mkeficapsule command instead of EDK-II's script > to create a signed capsule file. So update the instruction for > capsule authentication. > > Signed-off-by: AKASHI Takahiro > --- > doc/develop/uefi/uefi.rst | 31 ++++++++++++++----------------- > 1 file changed, 14 insertions(+), 17 deletions(-) > > diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst > index 64fe9346c7f2..5ccb455da984 100644 > --- a/doc/develop/uefi/uefi.rst > +++ b/doc/develop/uefi/uefi.rst
> @@ -347,23 +347,20 @@ and used by the steps highlighted below:: > -keyout CRT.key -out CRT.crt -nodes -days 365 > $ cert-to-efi-sig-list CRT.crt CRT.esl > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pu= b.pem > - > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.cr= t > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > - > -The capsule file can be generated by using the GenerateCapsule.py > -script in EDKII:: > - > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > - --monotonic-count --fw-version \ > - --lsv --guid \ > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > - --update-image-index --signer-private-cert \ > - /path/to/CRT.pem --trusted-public-cert \ > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > - > +The signed capsule file can be generated by using tools/mkeficapsule. > +To build this tool, enable:: > + > + CONFIG_TOOLS_MKEFICAPSULE=3Dy > + CONFIG_TOOLS_LIBCRYPTO=3Dy > + > +To generate and sign the capsule file:: > + > + $ mkeficapsule --monotonic-count 1 \ > + --private-key CRT.key \ > + --certificate CRT.crt \ > + --index 1 --instance 0 \ > + [--fit | --raw ] \ > + Patch 1 allows signed and unsigned capsules. So both should be described here. Best regards Heinrich > > Place the capsule generated in the above step on the EFI System > Partition under the EFI/UpdateCapsule directory >
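
Review bot: The added "To generate and sign the capsule file" example is incomplete as it appears here: the command ends on a continuation backslash after "[--fit | --raw ] \" and no input image or output capsule file name is visible, so a reader cannot run it as written. Please spell out the image argument for --fit/--raw and the output file on the last line. The literals in "--monotonic-count 1" and "--index 1 --instance 0" are also given without explanation; a sentence on what each option means and how to choose its value would help, together with a statement of which options (and whether CONFIG_TOOLS_LIBCRYPTO=y) are needed only when signing. Since the context line still creates CRT.key with -nodes and the new command passes that key directly via --private-key, it is worth stating in the text that this unencrypted key is what authenticates capsules and should be kept off the target and out of shared build trees.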