Commit a7e4f905 authored by Simon Glass's avatar Simon Glass
Browse files

Revert "doc: Update CapsuleUpdate READMEs"

This reverts commit 316ab801

.
Signed-off-by: Simon Glass's avatarSimon Glass <sjg@chromium.org>
parent d0b8c9a2
......@@ -277,130 +277,6 @@ Enable ``CONFIG_OPTEE``, ``CONFIG_CMD_OPTEE_RPMB`` and ``CONFIG_EFI_MM_COMM_TEE`
[1] https://optee.readthedocs.io/en/latest/building/efi_vars/stmm.html
Enabling UEFI Capsule Update feature
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Support has been added for the UEFI capsule update feature which
enables updating the U-Boot image using the UEFI firmware management
protocol (FMP). The capsules are not passed to the firmware through
the UpdateCapsule runtime service. Instead, capsule-on-disk
functionality is used for fetching the capsule from the EFI System
Partition (ESP) by placing the capsule file under the
\EFI\UpdateCapsule directory.
The directory \EFI\UpdateCapsule is checked for capsules only within the
EFI system partition on the device specified in the active boot option
determined by reference to BootNext variable or BootOrder variable processing.
The active Boot Variable is the variable with highest priority BootNext or
within BootOrder that refers to a device found to be present. Boot variables
in BootOrder but referring to devices not present are ignored when determining
active boot variable.
Before starting a capsule update make sure your capsules are installed in the
correct ESP partition or set BootNext.
Performing the update
*********************
Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig
option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable
check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule.
If that option is disabled, you'll need to set the OsIndications variable with::
=> setenv -e -nv -bs -rt -v OsIndications =0x04
Finally, the capsule update can be initiated either by rebooting the board,
which is the preferred method, or by issuing the following command::
=> efidebug capsule disk-update
**The efidebug command is should only be used during debugging/development.**
Enabling Capsule Authentication
*******************************
The UEFI specification defines a way of authenticating the capsule to
be updated by verifying the capsule signature. The capsule signature
is computed and prepended to the capsule payload at the time of
capsule generation. This signature is then verified by using the
public key stored as part of the X509 certificate. This certificate is
in the form of an efi signature list (esl) file, which is embedded as
part of U-Boot.
The capsule authentication feature can be enabled through the
following config, in addition to the configs listed above for capsule
update::
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
The public and private keys used for the signing process are generated
and used by the steps highlighted below::
1. Install utility commands on your host
* OPENSSL
* efitools
2. Create signing keys and certificate files on your host
$ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
-keyout CRT.key -out CRT.crt -nodes -days 365
$ cert-to-efi-sig-list CRT.crt CRT.esl
$ openssl x509 -in CRT.crt -out CRT.cer -outform DER
$ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
$ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
$ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
The capsule file can be generated by using the GenerateCapsule.py
script in EDKII::
$ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
<capsule_file_name> --monotonic-count <val> --fw-version \
<val> --lsv <val> --guid \
e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
--update-image-index <val> --signer-private-cert \
/path/to/CRT.pem --trusted-public-cert \
/path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
<u-boot.bin>
Place the capsule generated in the above step on the EFI System
Partition under the EFI/UpdateCapsule directory
Testing on QEMU
***************
Currently, support has been added on the QEMU ARM64 virt platform for
updating the U-Boot binary as a raw image when the platform is booted
in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this
configuration, the QEMU platform needs to be booted with
'secure=off'. The U-Boot binary placed on the first bank of the NOR
flash at offset 0x0. The U-Boot environment is placed on the second
NOR flash bank at offset 0x4000000.
The capsule update feature is enabled with the following configuration
settings::
CONFIG_MTD=y
CONFIG_FLASH_CFI_MTD=y
CONFIG_CMD_MTDPARTS=y
CONFIG_CMD_DFU=y
CONFIG_DFU_MTD=y
CONFIG_PCI_INIT_R=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
In addition, the following config needs to be disabled(QEMU ARM specific)::
CONFIG_TFABOOT
The capsule file can be generated by using the tools/mkeficapsule::
$ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
Executing the boot manager
~~~~~~~~~~~~~~~~~~~~~~~~~~
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment