public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH V5 00/15] Add capsule update and recovery sample.
@ 2016-10-27 13:36 Jiewen Yao
  2016-10-27 13:36 ` [PATCH V5 01/15] MdeModulePkg/Include: Add FmpAuthenticationLib header Jiewen Yao
                   ` (14 more replies)
  0 siblings, 15 replies; 16+ messages in thread
From: Jiewen Yao @ 2016-10-27 13:36 UTC (permalink / raw)
  To: edk2-devel
  Cc: Feng Tian, Star Zeng, Michael D Kinney, Liming Gao, Chao Zhang,
	Jeff Fan

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 14179 bytes --]

This is series 1 of the whole capsule solution. Version 5.
According to feedback, we split the big patch series to smaller one.

Series 1: Generic Update (MdeModulePkg/SecurityPkg)
	DxeCapsuleLib
	FmAuthenticationLib (*)
	CapsuleApp (*)

The code is also in https://github.com/jyao1/edk2
V5 is at Capsule_V5 branch.
V4, V3, V2, V1 are also pushed to coresponding branch.

==Below is V5 description==
1) MdeModulePkg/CapsuleApp: Remove [NR]. Add more description.
2) MdeModulePkg/DEC: Update StatusCode to OEM region.
3) MdeModulePkg/DxeCapsuleLib: Use NULL ProcessCapsules()
for runtime lib, because it is not needed for runtime.
4) MdeModulePkg/FmpAuthenticationLib: Add more description.
5) SignedCapsulePkg/DEC: Add data structure description
for PcdEdkiiSystemFirmwareImageDescriptor.
6) SignedCapsulePkg/DEC: Add Pkcs7 and Rsa2048 Key file PCD.
These 2 PCD are moved from platform pkg to SignedCapsulePkg.
7) QuarkPlatformPkg/FDF: Refine order of capsule section.
8) Fix typo and coding style issue.

Below items are defered to other patch series, because
the tool and library are not ready yet.

A) MdeModulePkg/DxeCapsuleLib: separate BMP parsing logic
to another library.
That is very good suggestion, and we agree it is a right direction.
I discussed with the owner of image decoder.
We prefer adding a generic library class to convert
the image data to GOP BLT buffer. It supports *any* image format,
not only BMP. The owner of image decoder will drive the new design.
I filed https://bugzilla.tianocore.org/show_bug.cgi?id=175 to track that.
I suggest we just keep the current solution as a temp solution and
migrate to the new one once it is ready later.

B) PlatformPkg/Bds: Move test key check logic to generic part.
This is very good suggestion and we are discussing with Tool
team to add such detection at build time and set a PCD to indicate that.
The generic code can use this PCD to know if there is a test key.
I filed https://bugzilla.tianocore.org/show_bug.cgi?id=185 to track that.
Adding such check in the generic code is very complicated, so current
temporary solution is to let platform BDS do such check.
The platform BDS will be cleaned up, once the tool is ready.

==Below is V4 description==
1) SecurityPkg - Refine AuthenticateFmpImage() API to let caller
input PublicKeyData and PublicKeyDataLength, instead of PCD.
The benefit is that then this API can be used for a platform
which stores PublicKeyData in anywhere other than PCD.
2) SecurityPkg - Use OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)
for better understanding the code.
3) MdeModulePkg - Update CapsuleApp to let it consume
ShellParameters protocol to get Argc and Argv.
4) UefiCpuPkg - Update MicrocodeCapsuleApp to let it consume
ShellParameters protocol to get Argc and Argv.
5) QuarkPlatformPkg - Merge QuarkCapsule.fdf to Quark.fdf.

==Below is V3 description==
1) We move all EDKII related capsule definition to SignedCapsulePkg.
MdeModulePkg only contains FmAuthenticationLib and CapsuleApp,
because they are generic and follow UEFI specification on FMP/ESRT
and Microsoft platform firmware update document.
Any capsule implementation can use them.

Here is full library classes:
MdeModulePkg:
	FmpAuthenticationLib.h: new lib - follow UEFI spec. (*)
		Verify FMP signature of FMP Capsule
	CapsuleLib.h: new API ¨C ProcessCapsules()
		It processes all the capsules. Remove duplicated code in platform BDS.
UefiCpuPkg:
	MicrocodeFlashAccessLib.h: Update Microcode region.
SignedCapsulePkg:
	EdkiiSystemCapsuleLib.h ¨C Library for EDKII system FMP.
	IniParsingLib.h ¨C Library for INI file parsing.
	PlatformFlashAccessLib.h ¨C Library for write flash.

2) We will submit 5 series.
Series 1: Generic Update (MdeModulePkg/SecurityPkg)
	DxeCapsuleLib
	FmAuthenticationLib (*)
	CapsuleApp (*)
Series 2: EDKII Capsule (SignedCapsulePkg)
	IniParsingLib
	EdkiiSystemCapsuleLib
	PlatformFlashAccessLib
	SystemFirmwareUpdate driver
	RecoveryModuleLoadPei driver
Series 3: Microcode Update (UefiCpuPkg)
	MicrocodeFlashAccessLib
	MicrocodeUpdate driver.
Series 4: Quark update
Series 5: Vlv2 update

3) DxeCapsuleLib: Move code that performs authentication and parsing of
the capsule format into the implementation of the FMP Protocol.
We move the dispatch FV code from CapsuleLib to SystemFirmwareReport.efi.
SystemFirmwareReport.efi supports SetImage() to verify and dispatch the
SystemFirmwareUpdate.efi, then pass thru SetImage() request to
SystemFirmwareUpdate.efi.

Now the DxeCapsuleLib is very clean and it does not have any EDKII
capsule format knowledge.

4) DxeCapsuleLib: Fix issue where a reset may be too soon.
Defer reset to 2nd pass.

5) DxeCapsuleLib: Boot mode check is removed. 
Capsule should be populated to system table even boot mode is not BIOS_UPDATE.

5) FmAuthenticationLib: Add zero ImageSize check.

6) FmAuthenticationLib: Remove Authentication Library Registration.
Each FMP Producer needs to carry its own auth algoritms(s).
Now we have FmpAuthenticationLibPkcs7 and FmpAuthenticationLibRsa2048Sha256.
No registration is needed.

7) FmAuthenticationLib: Move MonotonicCount handling after Payload
We confirmed with USWG to process MonotonicCount after PayLoad.

==Below is V2 description==
The V2 series patch incorporated the feedback for V1.

There are 3 major updates.
1) BDS is update to display a warning message if TEST key
is used to sign recovery image or capsule image.
So a production BIOS should always use its own production singing
key for the capsule image generation. A production BIOS should
never use test key.
2) IniParsingLib is enhanced to do more sanity check for invalid
input. The detail data format is added in IniParsingLib.h header
file. If there is any vialation, the OpenInitFile() API will
return failure.
3) The *Bios* keyword is renamed to *SystemFirmware* in any
header file or c file data structure definition.

The rest is minor update, such as add help info, clean
up debug message, coding style.

==Below is V1 description==
This series patch provides sample on how to do signed capsule update
and recovery in EDKII.

This series patch is also checked into git@github.com:jyao1/edk2.git.

The feature includes:
1) Define EDKII signed system BIOS capsule format.
2) Provide EDKII signed system BIOS update sample.
3) Provide EDKII signed recovery sample.
4) Provide Microcode update sample for X86 system.
5) Update Quark to use new capsule/recovery solution.
6) Update Vlv2(MinnowMax) to use new capsule/recovery solution.

The signed capsule/recovery solution is in MdeModulePkg.
The capsule in IntelFrameworkModulePkg is deprecated.
The Microcode update solution is in UefiCpuPkg.

Cc: Feng Tian <feng.tian@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jeff Fan <jeff.fan@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>


Jiewen Yao (15):
  MdeModulePkg/Include: Add FmpAuthenticationLib header.
  MdeModulePkg/CapsuleLib: Add ProcessCapsules() API.
  MdeModulePkg/MdeModulePkg.dec: Add capsule related definition.
  MdeModulePkg/FmpAuthenticationLibNull: Add NULL instance FMP.
  MdeModulePkg/DxeCapsuleLibNull: Add ProcessCapsules() interface.
  MdeModulePkg/DxeCapsuleLibFmp: Add DxeCapsuleLibFmp instance.
  MdeModulePkg/Esrt: Add ESRT_FW_TYPE_SYSTEMFIRMWARE check.
  MdeModulePkg/CapsuleApp: Add CapsuleApp application.
  MdeModulePkg/UiApp: Show test key warning info in FrontPage.
  MdeModulePkg/MdeModulePkg.dsc: Add FMP related component.
  IntelFrameworkModulePkg/DxeCapsuleLib: Add ProcessCapsules()
    interface.
  SecurityPkg/SecurityPkg.dec: Add PcdPkcs7CertBuffer PCD.
  SecurityPkg/FmpAuthenticationLibPkcs7: Add PKCS7 instance for FMP.
  SecurityPkg/FmpAuthenticationLibRsa2048Sha256: Add RSA2048 instance.
  SecurityPkg/SecurityPkg.dsc: Add FmpAuthenticationLib*.

 IntelFrameworkModulePkg/Library/DxeCapsuleLib/DxeCapsuleLib.c                               |   40 +-
 MdeModulePkg/Application/CapsuleApp/AppSupport.c                                            |  445 +++++++
 MdeModulePkg/Application/CapsuleApp/CapsuleApp.c                                            |  847 ++++++++++++
 MdeModulePkg/Application/CapsuleApp/CapsuleApp.inf                                          |   71 +
 MdeModulePkg/Application/CapsuleApp/CapsuleApp.uni                                          |   22 +
 MdeModulePkg/Application/CapsuleApp/CapsuleAppExtra.uni                                     |   19 +
 MdeModulePkg/Application/CapsuleApp/CapsuleDump.c                                           |  740 +++++++++++
 MdeModulePkg/Application/UiApp/FrontPageCustomizedUi.c                                      |   13 +
 MdeModulePkg/Application/UiApp/FrontPageStrings.uni                                         |    4 +-
 MdeModulePkg/Application/UiApp/UiApp.inf                                                    |    3 +-
 MdeModulePkg/Include/Library/CapsuleLib.h                                                   |   46 +-
 MdeModulePkg/Include/Library/FmpAuthenticationLib.h                                         |   66 +
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c                                       | 1363 ++++++++++++++++++++
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf                                     |   80 ++
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.uni                                     |   22 +
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c                                |  475 +++++++
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLibNull.c                            |   57 +
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLib.c                                 |  489 +++++++
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLibNull.c                             |   91 ++
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c                                   |  112 ++
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf                              |   83 ++
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.uni                              |   22 +
 MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.c                                  |   48 +-
 MdeModulePkg/Library/FmpAuthenticationLibNull/FmpAuthenticationLibNull.c                    |   66 +
 MdeModulePkg/Library/FmpAuthenticationLibNull/FmpAuthenticationLibNull.inf                  |   40 +
 MdeModulePkg/Library/FmpAuthenticationLibNull/FmpAuthenticationLibNull.uni                  |   22 +
 MdeModulePkg/MdeModulePkg.dec                                                               |   59 +
 MdeModulePkg/MdeModulePkg.dsc                                                               |   10 +
 MdeModulePkg/Universal/EsrtDxe/EsrtDxe.inf                                                  |    3 +-
 MdeModulePkg/Universal/EsrtDxe/EsrtImpl.c                                                   |   37 +-
 SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.c                   |  222 ++++
 SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.inf                 |   49 +
 SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.uni                 |   26 +
 SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256/FmpAuthenticationLibRsa2048Sha256.c   |  355 +++++
 SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256/FmpAuthenticationLibRsa2048Sha256.inf |   53 +
 SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256/FmpAuthenticationLibRsa2048Sha256.uni |   26 +
 SecurityPkg/SecurityPkg.dec                                                                 |    8 +-
 SecurityPkg/SecurityPkg.dsc                                                                 |    3 +
 38 files changed, 6124 insertions(+), 13 deletions(-)
 create mode 100644 MdeModulePkg/Application/CapsuleApp/AppSupport.c
 create mode 100644 MdeModulePkg/Application/CapsuleApp/CapsuleApp.c
 create mode 100644 MdeModulePkg/Application/CapsuleApp/CapsuleApp.inf
 create mode 100644 MdeModulePkg/Application/CapsuleApp/CapsuleApp.uni
 create mode 100644 MdeModulePkg/Application/CapsuleApp/CapsuleAppExtra.uni
 create mode 100644 MdeModulePkg/Application/CapsuleApp/CapsuleDump.c
 create mode 100644 MdeModulePkg/Include/Library/FmpAuthenticationLib.h
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.uni
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLibNull.c
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLib.c
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLibNull.c
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
 create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.uni
 create mode 100644 MdeModulePkg/Library/FmpAuthenticationLibNull/FmpAuthenticationLibNull.c
 create mode 100644 MdeModulePkg/Library/FmpAuthenticationLibNull/FmpAuthenticationLibNull.inf
 create mode 100644 MdeModulePkg/Library/FmpAuthenticationLibNull/FmpAuthenticationLibNull.uni
 create mode 100644 SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.c
 create mode 100644 SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.inf
 create mode 100644 SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.uni
 create mode 100644 SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256/FmpAuthenticationLibRsa2048Sha256.c
 create mode 100644 SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256/FmpAuthenticationLibRsa2048Sha256.inf
 create mode 100644 SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256/FmpAuthenticationLibRsa2048Sha256.uni

-- 
2.7.4.windows.1



^ permalink raw reply	[flat|nested] 16+ messages in thread

end of thread, other threads:[~2016-10-27 13:37 UTC | newest]

Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-27 13:36 [PATCH V5 00/15] Add capsule update and recovery sample Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 01/15] MdeModulePkg/Include: Add FmpAuthenticationLib header Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 02/15] MdeModulePkg/CapsuleLib: Add ProcessCapsules() API Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 03/15] MdeModulePkg/MdeModulePkg.dec: Add capsule related definition Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 04/15] MdeModulePkg/FmpAuthenticationLibNull: Add NULL instance FMP Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 05/15] MdeModulePkg/DxeCapsuleLibNull: Add ProcessCapsules() interface Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 06/15] MdeModulePkg/DxeCapsuleLibFmp: Add DxeCapsuleLibFmp instance Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 07/15] MdeModulePkg/Esrt: Add ESRT_FW_TYPE_SYSTEMFIRMWARE check Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 08/15] MdeModulePkg/CapsuleApp: Add CapsuleApp application Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 09/15] MdeModulePkg/UiApp: Show test key warning info in FrontPage Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 10/15] MdeModulePkg/MdeModulePkg.dsc: Add FMP related component Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 11/15] IntelFrameworkModulePkg/DxeCapsuleLib: Add ProcessCapsules() interface Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 12/15] SecurityPkg/SecurityPkg.dec: Add PcdPkcs7CertBuffer PCD Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 13/15] SecurityPkg/FmpAuthenticationLibPkcs7: Add PKCS7 instance for FMP Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 14/15] SecurityPkg/FmpAuthenticationLibRsa2048Sha256: Add RSA2048 instance Jiewen Yao
2016-10-27 13:36 ` [PATCH V5 15/15] SecurityPkg/SecurityPkg.dsc: Add FmpAuthenticationLib* Jiewen Yao

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox