Akashi-san, [...] > > -Since U-boot doesn't currently support SetVariable at runtime there's a > Kconfig > -option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications > variable > -check. If that option is enabled just copy your capsule to > \EFI\UpdateCapsule. > - > -If that option is disabled, you'll need to set the OsIndications variable > with:: > +Put capsule files under the directory mentioned above. > +Then, following the UEFI specification, you'll need to set > +the EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED > +bit in OsIndications variable with:: > > => setenv -e -nv -bs -rt -v OsIndications =0x04 > > -Finally, the capsule update can be initiated either by rebooting the board, > -which is the preferred method, or by issuing the following command:: > +Since U-boot doesn't currently support SetVariable at runtime, its value > +won't be taken over across the reboot. If this is the case, you can skip > +this feature check with the Kconfig option (CONFIG_EFI_IGNORE_OSINDICATIONS) > +set. > > - => efidebug capsule disk-update > - > -**The efidebug command is should only be used during debugging/development.** > +Finally, the capsule update can be initiated by rebooting the board. > > Enabling Capsule Authentication > ******************************* > @@ -324,82 +339,58 @@ be updated by verifying the capsule signature. The > capsule signature > is computed and prepended to the capsule payload at the time of > capsule generation. This signature is then verified by using the > public key stored as part of the X509 certificate. This certificate is > -in the form of an efi signature list (esl) file, which is embedded as > -part of U-Boot. > +in the form of an efi signature list (esl) file, which is embedded in > +a device tree. > > The capsule authentication feature can be enabled through the > following config, in addition to the configs listed above for capsule > update:: > > CONFIG_EFI_CAPSULE_AUTHENTICATE=y > - CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert> > > The public and private keys used for the signing process are generated > -and used by the steps highlighted below:: > +and used by the steps highlighted below. > > - 1. Install utility commands on your host > - * OPENSSL > +1. Install utility commands on your host > + * openssl > * efitools > > - 2. Create signing keys and certificate files on your host > +2. Create signing keys and certificate files on your host:: > > $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \ > -keyout CRT.key -out CRT.crt -nodes -days 365 > $ cert-to-efi-sig-list CRT.crt CRT.esl > > - $ openssl x509 -in CRT.crt -out CRT.cer -outform DER > - $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem > - > - $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt > - $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem > - > -The capsule file can be generated by using the GenerateCapsule.py > -script in EDKII:: > - > - $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ > - <capsule_file_name> --monotonic-count <val> --fw-version \ > - <val> --lsv <val> --guid \ > - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \ > - --update-image-index <val> --signer-private-cert \ > - /path/to/CRT.pem --trusted-public-cert \ > - /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \ > - <u-boot.bin> > - > -Place the capsule generated in the above step on the EFI System > -Partition under the EFI/UpdateCapsule directory > - > -Testing on QEMU > -*************** > +3. Run the following command to create and sign the capsule file:: > > -Currently, support has been added on the QEMU ARM64 virt platform for > -updating the U-Boot binary as a raw image when the platform is booted > -in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this > -configuration, the QEMU platform needs to be booted with > -'secure=off'. The U-Boot binary placed on the first bank of the NOR > -flash at offset 0x0. The U-Boot environment is placed on the second > -NOR flash bank at offset 0x4000000. > + $ mkeficapsule --monotonic-count 1 \ > + --private-key CRT.key \ > + --certificate CRT.crt \ > + --index 1 --instance 0 \ > + [--fit <FIT image> | --raw <raw image>] \ > + <capsule_file_name> > > -The capsule update feature is enabled with the following configuration > -settings:: > +4. Insert the signature list into a device tree in the following format:: > > - CONFIG_MTD=y > - CONFIG_FLASH_CFI_MTD=y > - CONFIG_CMD_MTDPARTS=y > - CONFIG_CMD_DFU=y > - CONFIG_DFU_MTD=y > - CONFIG_PCI_INIT_R=y > - CONFIG_EFI_CAPSULE_ON_DISK=y > - CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y > - CONFIG_EFI_CAPSULE_FIRMWARE=y > - CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y > + { > + signature { > + capsule-key = [ <binary of signature list> ]; > + } > + ... > + } > > -In addition, the following config needs to be disabled(QEMU ARM specific):: > + You can do this manually with:: > > - CONFIG_TFABOOT > + $ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts > + $ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo > > -The capsule file can be generated by using the tools/mkeficapsule:: > + where signature.dts looks like:: > > - $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name> > + &{/} { > + signature { > + capsule-key = /incbin/("CRT.esl"); > + }; > + }; > > Executing the boot manager > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > -- > 2.33.0 >
Acked-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>