Add support for the authentication of UEFI capsules containing FIT images.
The authentication code is moved out of the function handling raw images
into a new function efi_firmware_capsule_authenticate(). The special case
for the FMP header coming from edk2 tools is preserved. There is no
functional change for capsules containing raw images.
The python test for signed capsules with raw images is renamed with no
functional change and a new test is added for signed capsules containing
FIT images.
This can be tested with sandbox64_defconfig or sandbox_flattree_defconfig,
plus CONFIG_EFI_CAPSULE_AUTHENTICATE=y.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Repair the python tests for authenticated EFI capsules, which can be run
with sandbox_defconfig plus CONFIG_EFI_CAPSULE_AUTHENTICATE=y.
- Account for the reset changes done by commit 3e6f810006 ("efi_loader:
test/py: Reset system after capsule update on disk").
- Fix the capsule GUID typo introduced by commit 2e9c3c6965 ("test:
capsule: Modify the capsule tests to use GUID values for sandbox").
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
The current UEFI capsule updation code uses two GUID values, one for
FIT images, and one for raw images across platforms. This logic is
being changed to have GUID values per image, per platform. Change the
tests for the capsule update code to reflect this change. The GUID
values now used are the ones specific to the sandbox platform -- one
for the u-boot image, and another for the u-boot environment image.
Install the FMP instance for raw images on the sandbox variant for
testing the capsule update code. Install the FMP instance for the FIT
images on the sandbox64 and sandbox_flattree variant for testing
capsule update for FIT images. This is being done by splitting the
capsule update script for FIT and raw images.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
This test scenario tests a new feature of mkeficapsule, "--guid" option,
which allows us to specify FMP driver's guid explicitly at the command
line.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Since the syntax of mkeficapsule was changed in the previous commit,
we need to modify command line arguments in a pytest script.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a couple of test cases against capsule image authentication
for capsule-on-disk, where only a signed capsule file with the verified
signature will be applied to the system.
Due to the difficulty of embedding a public key (esl file) in U-Boot
binary during pytest setup time, all the keys/certificates are pre-created.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The test can run on sandbox build and it attempts to execute a firmware
update via a capsule-on-disk, using a raw image capsule,
CONFIG_EFI_CAPSULE_RAW.
To run this test successfully, you need configure U-Boot specifically;
See test_capsule_firmware.py for requirements, and hence it won't run
on Travis CI, at least, for now.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
The test can run on sandbox build and it attempts to execute a firmware
update via a capsule-on-disk, using a FIT image capsule,
CONFIG_EFI_CAPSULE_FIT.
To run this test successfully, you need configure U-Boot specifically;
See test_capsule_firmware.py for requirements, and hence it won't run
on Travis CI, at least, for now.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
