Re: [PATCH v6 03/12] tools: mkeficapsule: add firmwware image signing
On Sun, Nov 07, 2021 at 07:53:24AM +0100, Heinrich Schuchardt wrote: > On 11/2/21 01:55, AKASHI Takahiro wrote: > > With this enhancement, mkeficapsule will be able to sign a capsule > > file when it is created. A signature added will be used later > > in the verification at FMP's SetImage() call. > > > > To do that, We need specify additional command parameters: > >-monotonic-cout : monotonic count > >-private-key : private key file > >-certificate : certificate file > > Only when all of those parameters are given, a signature will be added > > to a capsule file. > > > > Users are expected to maintain and increment the monotonic count at > > every time of the update for each firmware image. > > > > Signed-off-by: AKASHI Takahiro > > Reviewed-by: Simon Glass > > You licensed tools/mkeficapsule.c under GPL-2.0 which is imcompatible > with OpenSSL (https://www.gnu.org/licenses/license-list.html#OpenSSL). In fact, this is not a this-tool-specific issue, but other tools, including mkimage, have it and that is why CONFIG_TOOLS_LIBCRYPTO was introduced. # I think that I have mentioned the issue in my past comment. -Takahiro Akashi > Either agree with all contributors of the tool to use a more liberal > license or use another library. > > > --- > > tools/Kconfig| 8 + > > tools/Makefile | 8 +- > > tools/mkeficapsule.c | 382 --- > > 3 files changed, 376 insertions(+), 22 deletions(-) > > > > diff --git a/tools/Kconfig b/tools/Kconfig > > index 91ce8ae3e516..117c921da3fe 100644 > > --- a/tools/Kconfig > > +++ b/tools/Kconfig > > @@ -90,4 +90,12 @@ config TOOLS_SHA512 > > help > > Enable SHA512 support in the tools builds > > > > +config TOOLS_MKEFICAPSULE > > + bool "Build efimkcapsule command" > > + default y if EFI_CAPSULE_ON_DISK > > + help > > + This command allows users to create a UEFI capsule file and, > > + optionally sign that file. If you want to enable UEFI capsule > > + update feature on your target, you certainly need this. > > + > > endmenu > > diff --git a/tools/Makefile b/tools/Makefile > > index b45219e2c30c..5a73cc4b363d 100644 > > --- a/tools/Makefile > > +++ b/tools/Makefile > > @@ -238,8 +238,12 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs > > hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler > > HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include > > > > -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) > > -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule > > +HOSTLDLIBS_mkeficapsule += -luuid > > +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) > > +HOSTLDLIBS_mkeficapsule += \ > > + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl > > -lcrypto") > > +endif > > +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule > > > > # We build some files with extra pedantic flags to try to minimize things > > # that won't build on some weird host compiler -- though there are lots of > > diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c > > index 8427fedd941c..086757ee8ad7 100644 > > --- a/tools/mkeficapsule.c > > +++ b/tools/mkeficapsule.c > > @@ -15,6 +15,16 @@ > > #include > > #include > > > > +#include > > +#ifdef CONFIG_TOOLS_LIBCRYPTO > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#endif > > + > > typedef __u8 u8; > > typedef __u16 u16; > > typedef __u32 u32; > > @@ -38,12 +48,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = > > EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; > > efi_guid_t efi_guid_image_type_uboot_raw = > > EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; > > +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; > > + > > +#ifdef CONFIG_TOOLS_LIBCRYPTO > > +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; > > +#else > > +static const char *opts_short = "f:r:i:I:v:h"; > > +#endif > > > > static struct option options[] = { > > {"fit", required_argument, NULL, 'f'}, > > {"raw", required_argument, NULL, 'r'}, > > {"index", required_argument, NULL, 'i'}, > > {"instance", required_argument, NULL, 'I'}, > > +#ifdef CONFIG_TOOLS_LIBCRYPTO > > + {"private-key", required_argument, NULL, 'p'}, > > + {"certificate", required_argument, NULL, 'c'}, > > + {"monotonic-count", required_argument, NULL, 'm'}, > > + {"dump-sig", no_argument, NULL, 'd'}, > > +#endif > > {"help", no_argument, NULL, 'h'}, > > {NULL, 0, NULL, 0}, > > }; > > @@ -57,10 +80,252 @@ static void print_usage(void) > >"\t-r, --rawnew raw image file\n" > >"\t-i, --index update image index\n" > >"\t-I, --instanceupdate hardware instance\n" > > +#ifdef CONFIG_TOOLS_LIBCRYPTO > > + "\t-p, --private-key private key file\n" > > + "\t-c, --certificate signer's certificate file\n" > > + "\t-m, --monotonic-count monotonic count\n" > > + "
Re: [PATCH v6 03/12] tools: mkeficapsule: add firmwware image signing
On 11/2/21 01:55, AKASHI Takahiro wrote: With this enhancement, mkeficapsule will be able to sign a capsule file when it is created. A signature added will be used later in the verification at FMP's SetImage() call. To do that, We need specify additional command parameters: -monotonic-cout : monotonic count -private-key : private key file -certificate : certificate file Only when all of those parameters are given, a signature will be added to a capsule file. Users are expected to maintain and increment the monotonic count at every time of the update for each firmware image. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass You licensed tools/mkeficapsule.c under GPL-2.0 which is imcompatible with OpenSSL (https://www.gnu.org/licenses/license-list.html#OpenSSL). Either agree with all contributors of the tool to use a more liberal license or use another library. --- tools/Kconfig| 8 + tools/Makefile | 8 +- tools/mkeficapsule.c | 382 --- 3 files changed, 376 insertions(+), 22 deletions(-) diff --git a/tools/Kconfig b/tools/Kconfig index 91ce8ae3e516..117c921da3fe 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu diff --git a/tools/Makefile b/tools/Makefile index b45219e2c30c..5a73cc4b363d 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,8 +238,12 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +HOSTLDLIBS_mkeficapsule += -luuid +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 8427fedd941c..086757ee8ad7 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,6 +15,16 @@ #include #include +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include +#endif + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; @@ -38,12 +48,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; @@ -57,10 +80,252 @@ static void print_usage(void) "\t-r, --rawnew raw image file\n" "\t-i, --index update image index\n" "\t-I, --instanceupdate hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data:Pointer to firmware data + * @image_size:Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are fi
[PATCH v6 03/12] tools: mkeficapsule: add firmwware image signing
With this enhancement, mkeficapsule will be able to sign a capsule file when it is created. A signature added will be used later in the verification at FMP's SetImage() call. To do that, We need specify additional command parameters: -monotonic-cout : monotonic count -private-key : private key file -certificate : certificate file Only when all of those parameters are given, a signature will be added to a capsule file. Users are expected to maintain and increment the monotonic count at every time of the update for each firmware image. Signed-off-by: AKASHI Takahiro Reviewed-by: Simon Glass --- tools/Kconfig| 8 + tools/Makefile | 8 +- tools/mkeficapsule.c | 382 --- 3 files changed, 376 insertions(+), 22 deletions(-) diff --git a/tools/Kconfig b/tools/Kconfig index 91ce8ae3e516..117c921da3fe 100644 --- a/tools/Kconfig +++ b/tools/Kconfig @@ -90,4 +90,12 @@ config TOOLS_SHA512 help Enable SHA512 support in the tools builds +config TOOLS_MKEFICAPSULE + bool "Build efimkcapsule command" + default y if EFI_CAPSULE_ON_DISK + help + This command allows users to create a UEFI capsule file and, + optionally sign that file. If you want to enable UEFI capsule + update feature on your target, you certainly need this. + endmenu diff --git a/tools/Makefile b/tools/Makefile index b45219e2c30c..5a73cc4b363d 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -238,8 +238,12 @@ hostprogs-$(CONFIG_MIPS) += mips-relocs hostprogs-$(CONFIG_ASN1_COMPILER) += asn1_compiler HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include -mkeficapsule-objs := mkeficapsule.o $(LIBFDT_OBJS) -hostprogs-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += mkeficapsule +HOSTLDLIBS_mkeficapsule += -luuid +ifeq ($(CONFIG_TOOLS_LIBCRYPTO),y) +HOSTLDLIBS_mkeficapsule += \ + $(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto") +endif +hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule # We build some files with extra pedantic flags to try to minimize things # that won't build on some weird host compiler -- though there are lots of diff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c index 8427fedd941c..086757ee8ad7 100644 --- a/tools/mkeficapsule.c +++ b/tools/mkeficapsule.c @@ -15,6 +15,16 @@ #include #include +#include +#ifdef CONFIG_TOOLS_LIBCRYPTO +#include +#include +#include +#include +#include +#include +#endif + typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; @@ -38,12 +48,25 @@ efi_guid_t efi_guid_image_type_uboot_fit = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_FIT_GUID; efi_guid_t efi_guid_image_type_uboot_raw = EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID; +efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; + +#ifdef CONFIG_TOOLS_LIBCRYPTO +static const char *opts_short = "f:r:i:I:v:p:c:m:dh"; +#else +static const char *opts_short = "f:r:i:I:v:h"; +#endif static struct option options[] = { {"fit", required_argument, NULL, 'f'}, {"raw", required_argument, NULL, 'r'}, {"index", required_argument, NULL, 'i'}, {"instance", required_argument, NULL, 'I'}, +#ifdef CONFIG_TOOLS_LIBCRYPTO + {"private-key", required_argument, NULL, 'p'}, + {"certificate", required_argument, NULL, 'c'}, + {"monotonic-count", required_argument, NULL, 'm'}, + {"dump-sig", no_argument, NULL, 'd'}, +#endif {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0}, }; @@ -57,10 +80,252 @@ static void print_usage(void) "\t-r, --rawnew raw image file\n" "\t-i, --index update image index\n" "\t-I, --instanceupdate hardware instance\n" +#ifdef CONFIG_TOOLS_LIBCRYPTO + "\t-p, --private-key private key file\n" + "\t-c, --certificate signer's certificate file\n" + "\t-m, --monotonic-count monotonic count\n" + "\t-d, --dump_sig dump signature (*.p7)\n" +#endif "\t-h, --help print a help message\n", tool_name); } +/** + * auth_context - authentication context + * @key_file: Path to a private key file + * @cert_file: Path to a certificate file + * @image_data:Pointer to firmware data + * @image_size:Size of firmware data + * @auth: Authentication header + * @sig_data: Signature data + * @sig_size: Size of signature data + * + * Data structure used in create_auth_data(). @key_file through + * @image_size are input parameters. @auth, @sig_data and @sig_size + * are filled in by create_auth_data(). + */ +struct auth_context { + char *key_file; + char *cert_file; + u8 *image_data; + size_t image_size; + struct efi_firmware_image_authentication auth; + u8 *sig_data; + size_t sig_size; +}; + +static int dump_sig; + +#ifdef CONFI