# In this version, the crypto library was changed from openssl to
# gnutls to avoid the license issue. So the dockerfile for sandbox
# CI should be updated for necessary packages as well.
# See my patch, "Dockerfile: Add libgnutls package for building
# mkeficapsule command", I have not tested the docker image though.

As I proposed and discussed in [1] and [2], I have made a couple of
improvements on the current implementation of capsule update in this
patch set.

* add signing feature to mkeficapsule
* add "--guid" option to mkeficapsule
* add man page of mkeficapsule
* update uefi document regarding capsule update
* revise pytests

[1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
[2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html

Prerequisite patches
====================
For azure pipeline (CI),
* "CI: enforce packages upgrade for Msys2 on Windows" [3]

[3] https://lists.denx.de/pipermail/u-boot/2022-February/474701.html

Test
====
* locally passed the pytest which is included in this patch series
  on a sandbox build.
  (CONFIG_EFI_CAPSULE_AUTHENTICATE should explicitly be turned on
  in order to exercise the authentication code.)
* passed Azure pipeline

Changes
=======
v11 (Feb 9, 2022)
* fix warnings in "make htmldocs" and revise the text formatting
  (patch#4)
* fix package dependency for CI on Windows (patch#2,#6)
* fix package dependency for CI on MacOS (patch#6)

v10 (Feb 1, 2022)
* rebased on v2022.04-rc1
* drop already-merged patches
* change crypto library from openssl to gnutls (patch#2)

v9 (Jan 18, 2022)
* rebased on v2022.01
* print the output messages to stderr (patch#1,#2, #4 and #6)
* use SIZE_MAX instead of (u32)!0U (patch#2)
* revise and re-format the man page of mkeficapsule (patch#5)
* add "code-block:: console" directives for command line examples
  in a ReST document (patch#6)
* describe the case when a trailing '/' in EFITOOLS_PATH is needed
  (patch#7)
* describe UUID data as a binary rather than a string (patch#8)
* drop fdtsig.sh-related patches (patch#12,#13 in v8)

v8 (Dec 20, 2021)
* rebase on v2022.01-rc3
* move the definition of CONFIG_TOOLS_MKEFICAPSULE to a proper patch
  (patch#2)

v7 (Nov 16, 2021)
* rebased on pre-v2022.01-rc2
* drop already-merged patch
* check for a size of firmware binary file (patch#1)
* enable mkeficapsule in tools-only_defconfig (patch#2)
* define eficapsule.h and include it from mkeficapsule (patch#3)
  Hopefully, the tool can now compile on a non-Linux host.

v6 (Nov 02, 2021)
* rebased on pre-v2022.01-rc1
* add patch#2 to rework/refactor the code for better readability
  (patch#2)
* use exit(EXIT_SUCCESS/FAILURE) (patch#3)
* truncate >80chars lines in pytest scripts (patch#6)

v5 (Oct 27, 2021)
* rebased on pre-v2022.01-rc1 (WIP/26Oct2021)
* drop already-merged patches
* drop __weak from efi_get_public_key_data() (patch#1)
* describe the format of public key node in device tree (patch#4)
* re-order patches by grouping closely-related patches (patch#6-8)
* modify pytest to make the test results correctly verified
  either with or without CONFIG_EFI_CAPSULE_AUTHENTICATE (patch#9)
* add RFCs for embedding public keys during the build process
  (patch#10,11)

v4 (Oct 7, 2021)
* rebased on v2021.10
* align with "Revert "efi_capsule: Move signature from DTB to .rodata""
* add more missing *revert* commits (patch#1,#2,#3)
* add fdtsig.sh, replacing dtb support in mkeficapsule (patch#4)
* update/revise the man/uefi doc (patch#6,#7)
* fix a bug in parsing guid string (patch#8)
* add a test for "--guid" option (patch#10)
* use dtb-based authentication test as done in v1 (patch#11)

v3 (Aug 31, 2021)
* rebased on v2021.10-rc3
* remove pytest-related patches
* add function descriptions in mkeficapsule.c
* correct format specifiers in printf()
* let main() return 0 or -1 only
* update doc/develop/uefi/uefi.rst for syntax change of mkeficapsule

v2 (July 28, 2021)
* rebased on v2021.10-rc*
* removed dependency on target's configuration
* removed fdtsig.sh and others
* add man page
* update the UEFI document
* add dedicated defconfig for testing on sandbox
* add gitlab CI support
* add "--guid" option to mkeficapsule
  (yet rather RFC)

Initial release (May 12, 2021)
* based on v2021.07-rc2

AKASHI Takahiro (9):
  tools: build mkeficapsule with tools-only_defconfig
  tools: mkeficapsule: add firmware image signing
  tools: mkeficapsule: add man page
  doc: update UEFI document for usage of mkeficapsule
  test/py: efi_capsule: add image authentication test
  tools: mkeficapsule: allow for specifying GUID explicitly
  test/py: efi_capsule: align with the syntax change of mkeficapsule
  test/py: efi_capsule: add a test for "--guid" option
  test/py: efi_capsule: check the results in case of
    CAPSULE_AUTHENTICATE

 .azure-pipelines.yml                               |   4 +-
 MAINTAINERS                                        |   1 +
 configs/tools-only_defconfig                       |   1 +
 doc/develop/uefi/uefi.rst                          | 151 +++---
 doc/mkeficapsule.1                                 | 111 +++++
 .../py/tests/test_efi_capsule/capsule_defs.py      |   5 +
 test/py/tests/test_efi_capsule/conftest.py         |  59 ++-
 test/py/tests/test_efi_capsule/signature.dts       |  10 +
 .../test_efi_capsule/test_capsule_firmware.py      |  91 +++-
 .../test_capsule_firmware_signed.py                | 254 ++++++++++
 tools/Kconfig                                      |   8 +
 tools/Makefile                                     |   4 +-
 tools/eficapsule.h                                 | 115 +++++
 tools/mkeficapsule.c                               | 459 +++++++++++++++---
 14 files changed, 1132 insertions(+), 141 deletions(-)
 create mode 100644 doc/mkeficapsule.1
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
 create mode 100644 tools/eficapsule.h

--
2.33.0