From mboxrd@z Thu Jan 1 00:00:00 1970
From: Masami Hiramatsu
Date: Mon, 19 Apr 2021 11:24:37 +0900
Subject: [PATCH v2 12/13] doc: qemu: arm64: Fix the documentation of capsule update
In-Reply-To: <20210419003721.GA8702@laputa>
References: <161861622792.298230.15803163505976731363.stgit@localhost>
 <161861636024.298230.15188986250483737028.stgit@localhost>
 <20210419003721.GA8702@laputa>
Message-ID:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi,

On Mon, Apr 19, 2021 at 9:37, Takahiro Akashi wrote:
>
> Sughosh,
>
> On Sun, Apr 18, 2021 at 01:37:58PM +0530, Sughosh Ganu wrote:
> > On Sat, 17 Apr 2021 at 23:51, Heinrich Schuchardt
> > wrote:
> >
> > > On 4/17/21 1:39 AM, Masami Hiramatsu wrote:
> > > > Since the EDK2 GenerateCapsule script is out of date and it
> > > > doesn't generate the supported version capsule file, the document
> > > > should refer the mkeficapsule in tools.
> > > >
> > > > Signed-off-by: Masami Hiramatsu
> > > > ---
> > > > doc/board/emulation/qemu_capsule_update.rst | 11 ++---------
> > > > 1 file changed, 2 insertions(+), 9 deletions(-)
> > > >
> > > > diff --git a/doc/board/emulation/qemu_capsule_update.rst > > > b/doc/board/emulation/qemu_capsule_update.rst > > > > index 9fec75f8f1..e2a9f0db71 100644 > > > > --- a/c > > > > +++ b/doc/board/emulation/qemu_capsule_update.rst
> > > > @@ -39,16 +39,9 @@ In addition, the following config needs to be > > > disabled(QEMU ARM specific):: > > > > > > > > CONFIG_TFABOOT > > > > > > > > -The capsule file can be generated by using the GenerateCapsule.py > > > > -script in EDKII:: > > > > - > > > > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > > > > - --fw-version --lsv --guid \ > > > > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index > > > \ > > > > - --verbose > > > > +The capsule file can be generated by using the tools/mkeficapsule:: > > > > > > > > -The above is a wrapper script(GenerateCapsule) which eventually calls > > > > -the actual GenerateCapsule.py script. > > > > + $ mkeficapsule --raw --index 1 > > > >
> > > Thanks for the change.
> > >
> > > Could you, please, adjust the same in chapter "Enabling Capsule
> > > Authentication" below.

So as Sughosh said, since currently mkeficapsule doesn't support
authentication, I only changed it for the normal capsule update.
Without this change, the capsule update just failed.

> > Currently, we do not have support for adding authentication header to the
> > capsule. This is because I have been using the GenerateCapsule script in
> > edk2 for generation of a capsule with authentication header. I think adding
> > the signature to the capsule is easier when done through a python script
> > rather than C code.
>
> Why do you think so?
> At a quick glance at the script, it internally uses openssl command like:
>     openssl smime -sign -binary -outform DER -md sha256 \
>         -signer <...> -certfile <...>
> (See PayloadDescriptor.Encode in the script.)
>
> The output from the standard output is exactly what you want
> to use to build a capsule file, that is "AuthInfo".
> Then you can naturally extend mkeficapsule to insert this signature
> between the header and the image itself in a capsule file.

Hmm, if it can be done by just calling openssl, I think it is easier
for me to run the tools/mkeficapsule, because I don't need to build
EDK2 for U-Boot.
If GenerateCapsule becomes a standard implementation and independent
from the EDK2 project, from the interoperability point of view, it is
better to use that. But it is a part of EDK2 and the GenerateCapsule
seems out-of-date and not maintained well (why doesn't it support the
latest version yet??)

Thank you,

> Furthermore, I believe, it is fairly straightforward to add a native
> 'signing' feature to mkeficapsule if you use openssl library.
>
> -Takahiro Akashi
>
>
> > I am working on adding support for the latest version
> > of the EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER in the GenerateCapsule
> > script in edk2. Meanwhile, would it be possible to have support for the
> > version 2 of this header in the capsule driver -- it is a minor change and
> > I already have a patch for it. If you are fine, I can submit a patch for
> > the same.
> >
> > -sughosh
> >
> >
> > >
> > > Best regards
> > >
> > > Heinrich
> > >
> > > > > > > > As per the UEFI specification, the capsule file needs to be placed on > > > > the EFI System Partition, under the \EFI\UpdateCapsule directory. The > > > >
> > >
> >
>

--
Masami Hiramatsu
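
Review bot: The added command line "$ mkeficapsule --raw --index 1", as it appears in the hunk, names neither the input firmware image nor the output capsule file, and the sentence above it refers to "tools/mkeficapsule" while the command invokes the tool bare. Suggest writing both operands out as placeholders, stating that the binary is built under tools/ in the U-Boot tree, and adding a short explanation of what "--raw" and "--index 1" select, since the removed GenerateCapsule text carried the image selection through "--guid" and "--update-image-index" and that information is otherwise lost. Because the thread states that mkeficapsule does not yet add the authentication header, a sentence limiting this command to unauthenticated capsules would keep it consistent with the "Enabling Capsule Authentication" chapter, which still relies on GenerateCapsule.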