As I proposed and discussed in [1] and [2], I have made a couple of improvements on the current implementation of capsule update in this patch set.
* add signing feature to mkeficapsule * add "--guid" option to mkeficapsule * add man page of mkeficapsule * update uefi document regarding capsule update * revise pytests * (as RFC) add CONFIG_EFI_CAPSULE_KEY_PATH # We have had some discussion about fdtsig.sh. # So RFCs (patch#10,#11) are still included for further discussion # if they are useful or not. # For smooth merge, the rest (patch#1-9) should work without them. [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html Prerequisite patches ==================== None Test ==== * locally passed the pytest which is included in this patch series on sandbox built. (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on in order to exercise the authentication code.) Changes ======= v5 (Oct 27, 2021) * rebased on pre-v2022.01-rc1 (WIP/26Oct2021) * drop already-merged patches * drop __weak from efi_get_public_key_data() (patch#1) * describe the format of public key node in device tree (patch#4) * re-order patches by grouping closely-related patches (patch#6-8) * modify pytest to make the test results correctly verified either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9) * add RFCs for embedding public keys during the build process (patch#10,11) v4 (Oct 7, 2021) * rebased on v2021.10 * align with "Revert "efi_capsule: Move signature from DTB to .rodata"" * add more missing *revert* commits (patch#1,#2,#3) * add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4) * update/revise the man/uefi doc (patch#6,#7) * fix a bug in parsing guid string (patch#8) * add a test for "--guid" option (patch#10) * use dtb-based authentication test as done in v1 (patch#11) v3 (Aug 31, 2021) * rebased on v2021.10-rc3 * remove pytest-related patches * add function descriptions in mkeficapsule.c * correct format specifiers in printf() * let main() return 0 or -1 only * update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule v2 (July 28, 2021) * rebased on v2021.10-rc* * removed dependency on target's configuration * removed fdtsig.sh and others * add man page * update the UEFI document * add dedicate defconfig for testing on sandbox * add gitlab CI support * add "--guid" option to mkeficapsule (yet rather RFC) Initial release (May 12, 2021) * based on v2021.07-rc2 AKASHI Takahiro (11): efi_loader: capsule: drop __weak from efi_get_public_key_data() tools: mkeficapsule: add firmwware image signing tools: mkeficapsule: add man page doc: update UEFI document for usage of mkeficapsule test/py: efi_capsule: add image authentication test tools: mkeficapsule: allow for specifying GUID explicitly test/py: efi_capsule: align with the syntax change of mkeficapsule test/py: efi_capsule: add a test for "--guid" option test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE (RFC) tools: add fdtsig.sh (RFC) efi_loader, dts: add public keys for capsules to device tree MAINTAINERS | 2 + doc/develop/uefi/uefi.rst | 143 +++-- doc/mkeficapsule.1 | 107 ++++ dts/Makefile | 23 +- lib/efi_loader/Kconfig | 7 + lib/efi_loader/efi_capsule.c | 2 +- .../py/tests/test_efi_capsule/capsule_defs.py | 5 + test/py/tests/test_efi_capsule/conftest.py | 42 +- test/py/tests/test_efi_capsule/signature.dts | 10 + .../test_efi_capsule/test_capsule_firmware.py | 91 +++- .../test_capsule_firmware_signed.py | 233 ++++++++ tools/Kconfig | 8 + tools/Makefile | 8 +- tools/fdtsig.sh | 40 ++ tools/mkeficapsule.c | 503 ++++++++++++++++-- 15 files changed, 1092 insertions(+), 132 deletions(-) create mode 100644 doc/mkeficapsule.1 create mode 100644 test/py/tests/test_efi_capsule/signature.dts create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py create mode 100755 tools/fdtsig.sh -- 2.33.0
