From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752466AbdC0LCJ (ORCPT ); Mon, 27 Mar 2017 07:02:09 -0400
Received: from thoth.sbs.de ([192.35.17.2]:36421 "EHLO thoth.sbs.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752225AbdC0LCA (ORCPT ); Mon, 27 Mar 2017 07:02:00 -0400
Subject: Re: [PATCH v2 0/7] efi: Enhance capsule loader to support signed Quark images
To: "Bryan O'Donoghue", Matt Fleming, Ard Biesheuvel
References:
Cc: linux-efi@vger.kernel.org, Linux Kernel Mailing List, Andy Shevchenko, Hock Leong Kweh, Borislav Petkov, Sascha Weisenberger
From: Jan Kiszka
Message-ID: <7cff4583-d417-7107-80a3-34eb63d43be1@siemens.com>
Date: Mon, 27 Mar 2017 13:01:38 +0200
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 2017-03-27 12:29, Bryan O'Donoghue wrote:
>
>
> On 24/03/17 17:34, Jan Kiszka wrote:
>> This addresses the review feedback provided on round 1, specifically
>>  - refactored queue to keep the Quark mess in
>>  - only check for CSH on Quark CPUs
>>  - added some smaller cleanups of the capsule loader
>>  - documented capsule header / linked to original code
>>
>> See last patch for the background of the series.
>>
>> The series has been tested on the Galileo Gen2, to exclude regressions,
>> with a firmware.cap with AND without security header and the SIMATIC
>> IOT2040 which requires the header because of its mandatory secure boot.
>>
>> Jan
>>
>> Jan Kiszka (7):
>>   efi/capsule: Fix return code on failing kmap/vmap
>>   efi/capsule: Remove pr_debug on ENOMEM or EFAULT
>>   efi/capsule: Clean up pr_err/info messages
>>   efi/capsule: Adjust return type of efi_capsule_setup_info
>>   efi/capsule: Prepare for loading images with security header
>>   efi/capsule: Factor out overloadable efi_capsule_identify_image
>>   efi/capsule: Add support for Quark security header
>>
>>  arch/x86/platform/efi/quirks.c        |  95 ++++++++++++++++++++++++
>>  drivers/firmware/efi/capsule-loader.c | 136 +++++++++++++++++++---------------
>>  drivers/firmware/efi/capsule.c        |  21 +++++-
>>  include/linux/efi.h                   |  19 +++++
>>  4 files changed, 208 insertions(+), 63 deletions(-)
>>
>
> BTW,
>
> Thanks for taking the time to remove the __func__ stuff all over the place.
>
> I'll try to test this out for you. I found that the current BSP Intel is
> releasing has some sort of GUI that downloads an image to a board (which
> completely fails for me on the Galileo I have)... not sure if you have
> different results with the stuff from the Intel website but it's
> non-functional for me :(

I found the Galileo capsules *.cap in the jar archives of the Galileo
firmware update packages, and they work.

>
> I'd like to suggest to you adding something to Documentation describing
> how to load and trigger a capsule update. For example on Quark you need
> to use the EFI reset method to cause capsule update to work.

cat /path/to/capsule.cap > /dev/efi_capsule_loader

The reset method is auto-adjusted by the kernel when an update is
pending. So firmware update is now seriously simple. But I can write a 2
or 3-lines readme if it's preferred.

>
> Could you add a patch to your series for Documentation detailing:
>
> 1. Entry criteria (needing to boot in EFI reset mode)
> 1. Description of loading a capsule
> 3. Description of triggering the update (reboot)
> 4. Verifying the update succeeded (actually is this possible right now?)

dmidecode -> check BIOS version information (vendor-specific)

Jan