arm-bsp/u-boot: corstone1000: introduce authenticated capsule update

Adds signature to device-tree overlay and enables authenticated capsule update in u-boot for corstone1000. Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-05 02:20:30 +00:00 · 2023-10-02 11:43:22 +01:00
parent aafcf21459
commit fdbf5f55ad
4 changed files with 149 additions and 1 deletions
@@ -0,0 +1,31 @@
+From 88cb6f5a91178903d4e306d8653b941f9727987b Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 13 Sep 2023 13:20:15 +0100
+Subject: [PATCH] corstone1000: add signature device tree overlay
+
+Adds signature device tree overlay.
+
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ arch/arm/dts/corstone1000.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm/dts/corstone1000.dtsi b/arch/arm/dts/corstone1000.dtsi
+index 25a032b6b3..1c3ab2c315 100644
+--- a/arch/arm/dts/corstone1000.dtsi
+++ b/arch/arm/dts/corstone1000.dtsi
+@@ -111,6 +111,10 @@
+ 		fwu-mdata-store = <&nvmxip>;
+ 	};
+ 
+	signature {
+		capsule-key = /incbin/("../../../CRT.esl");
+	};
+
+ 	soc {
+ 		compatible = "simple-bus";
+ 		#address-cells = <1>;
+-- 
+2.17.1
+
@@ -0,0 +1,28 @@
+From 9b884d4f483474b99fcb4850197a1c8dde34147d Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 13 Sep 2023 13:52:02 +0100
+Subject: [PATCH] corstone1000: enable authenticated capsule config
+
+Enables authenticated capsule update config for corstone1000.
+
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ configs/corstone1000_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig
+index 5b0b2ac3bf..2de3f5d7b3 100644
+--- a/configs/corstone1000_defconfig
+++ b/configs/corstone1000_defconfig
+@@ -70,6 +70,7 @@ CONFIG_FWU_MDATA=y
+ CONFIG_FWU_MDATA_GPT_BLK=y
+ CONFIG_SYSRESET=y
+ CONFIG_EFI_CAPSULE_ON_DISK=y
+CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+ CONFIG_EFI_IGNORE_OSINDICATIONS=y
+ CONFIG_FWU_MULTI_BANK_UPDATE=y
+ # CONFIG_TOOLS_MKEFICAPSULE is not set
+-- 
+2.17.1
+
@@ -0,0 +1,76 @@
+From b99a39c662b9be5f940b895efa8016f5567e1c1f Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 13 Sep 2023 13:55:08 +0100
+Subject: [PATCH] corstone1000: introduce EFI authenticated capsule update
+
+Introduces EFI authenticated capsule update for corstone1000. Corstone1000
+implements platform-specific capsule update mechanism in u-bootdue to the SoC
+design. This patch add authenticated capsule update mechanism to the
+platform-specific firmware-update routine.
+
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Upstream-Status: Inappropriate [Redesign of Capsule update interface is required]
+---
+ lib/efi_loader/efi_capsule.c | 39 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
+index 6a06605ad9..30fb7d1dd5 100644
+--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
+@@ -820,6 +820,12 @@ efi_status_t __efi_runtime EFIAPI efi_update_capsule(
+ 		u64 scatter_gather_list)
+ {
+ 	struct efi_capsule_header *capsule;
+	struct efi_firmware_management_capsule_header *capsule_header;
+	struct efi_firmware_management_capsule_image_header *image;
+	size_t image_binary_size;
+	size_t tmp_capsule_payload_size=0;
+	void *tmp_capsule_payload=NULL;
+	void *image_binary;
+ 	unsigned int i;
+ 	efi_status_t ret;
+ 
+@@ -859,6 +865,39 @@ efi_status_t __efi_runtime EFIAPI efi_update_capsule(
+ 			goto out;
+ 		}
+ 
+		capsule_header = (void *)capsule + capsule->header_size;
+		image = (void *)capsule_header + capsule_header->item_offset_list[0];
+		if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
+			!(image->image_capsule_support &
+			CAPSULE_SUPPORT_AUTHENTICATION)) {
+			/* no signature */
+			log_err("Corstone1000: Capsule authentication flag check failed. Aborting update\n");
+			ret = EFI_SECURITY_VIOLATION;
+			goto out;
+		}
+
+		image_binary = (void *)image + sizeof(*image);
+		image_binary_size = image->update_image_size;
+		if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
+		    (image->image_capsule_support &
+			CAPSULE_SUPPORT_AUTHENTICATION)){
+			ret = efi_capsule_authenticate(image_binary, image_binary_size,
+						  &tmp_capsule_payload,
+						  &tmp_capsule_payload_size);
+
+			if (ret == EFI_SECURITY_VIOLATION) {
+				log_err("Corstone1000: Capsule authentication check failed. Aborting update\n");
+				goto out;
+			} else if (ret != EFI_SUCCESS) {
+				goto out;
+			}
+
+			log_debug("Corstone1000: Capsule authentication successful\n");
+		} else {
+			log_debug("Corstone1000: Capsule authentication disabled. ");
+			log_debug("Corstone1000: Updating capsule without authenticating.\n");
+		}
+
+ 		/* copy the data to the contiguous buffer */
+ 		efi_memcpy_runtime(corstone1000_capsule_buf, capsule, capsule->capsule_image_size);
+ 
+-- 
+2.17.1
+
@@ -3,7 +3,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 #
 # Corstone1000 64-bit machines
 #
-DEPENDS:append:corstone1000 = " gnutls-native"
+DEPENDS:append:corstone1000 = " gnutls-native openssl-native efitools-native"
 CORSTONE1000_DEVICE_TREE:corstone1000-mps3 = "corstone1000-mps3"
 CORSTONE1000_DEVICE_TREE:corstone1000-fvp = "corstone1000-fvp"
 EXTRA_OEMAKE:append:corstone1000 = ' DEVICE_TREE=${CORSTONE1000_DEVICE_TREE}'
@@ -48,8 +48,21 @@ SRC_URI:append:corstone1000 = " \
 	file://0035-dt-Provide-a-way-to-remove-non-compliant-nodes-and-p.patch \
 	file://0036-bootefi-Call-the-EVT_FT_FIXUP-event-handler.patch \
 	file://0037-corstone1000-purge-U-Boot-specific-DT-nodes.patch \
+	file://0038-corstone1000-add-signature-device-tree-overlay.patch	  \
+	file://0039-corstone1000-enable-authenticated-capsule-config.patch	  \
+	file://0040-corstone1000-introduce-EFI-authenticated-capsule-upd.patch	  \
        "

+do_configure:append:corstone1000(){
+    openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ -keyout ${B}/CRT.key -out ${B}/CRT.crt -nodes -days 365
+    cert-to-efi-sig-list ${B}/CRT.crt ${B}/corstone1000_defconfig/CRT.esl
+}
+
+do_install:append:corstone1000() {
+   install -D -p -m 0644 ${B}/CRT.crt ${DEPLOY_DIR_IMAGE}/corstone1000_capsule_cert.crt
+   install -D -p -m 0644 ${B}/CRT.key ${DEPLOY_DIR_IMAGE}/corstone1000_capsule_key.key
+}
+
 #
 # FVP BASE
 #