Skip to content

Commit

Permalink
Remove signing for Tianocore ATF image
Browse files Browse the repository at this point in the history 
The firmware secure update services in the ATF firmware version 1.06x
will abort the capsule update if the firmware image is signed but the
DBU key is not deployed in the system. However, in case the DBU is not
deployed and the image is not signed too, the update is allowed.

This patch removes signing the Tianocore ATF image with the DBU key as
the EDK2 firmware doesn't have an application for DBU deployment.

Signed-off-by: Nhi Pham <npham@amperecomputing.com>
  • Loading branch information
@nhivp
nhivp committed May 17, 2021
1 parent 829efb5 commit 125776a
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 17 deletions.
14 changes: 3 additions & 11 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -309,22 +309,14 @@ endif
.PHONY: tianocore_capsule
tianocore_capsule: tianocore_img
@echo "Build Tianocore $(BUILD_VARIANT_UFL) Capsule..."
$(eval TIANOCORE_ATF_SIGNED_IMAGE := $(WORKSPACE)/Build/$(BOARD_NAME_UFL)/$(BUILD_VARIANT)_$(EDK2_GCC_TAG)/$(BOARD_NAME)_tianocore_atf.img.signed)
$(eval TIANOCORE_ATF_IMAGE := $(WORKSPACE)/Build/$(BOARD_NAME_UFL)/$(BOARD_NAME)_tianocore_atf.img)
$(eval OUTPUT_CAPSULE := $(OUTPUT_BIN_DIR)/$(BOARD_NAME)_tianocore_atf$(LINUXBOOT_FMT)$(OUTPUT_VARIANT)_$(VER).$(BUILD).cap)
$(eval DBU_KEY := $(EDK2_PLATFORMS_SRC_DIR)/Platform/Ampere/$(BOARD_NAME_UFL)Pkg/TestKeys/Dbu_AmpereTest.priv.pem)
@echo "Sign Tianocore Image"
@openssl dgst -sha256 -sign $(DBU_KEY) -out $(OUTPUT_RAW_IMAGE).sig $(OUTPUT_RAW_IMAGE)
@cat $(OUTPUT_RAW_IMAGE).sig $(OUTPUT_RAW_IMAGE) > $(OUTPUT_RAW_IMAGE).signed
@cp -f $(OUTPUT_RAW_IMAGE).signed $(TIANOCORE_ATF_SIGNED_IMAGE)
# support 1.01 tag
$(eval EDK2_ATF_SIGNED_IMAGE := $(WORKSPACE)/Build/$(BOARD_NAME_UFL)/$(BOARD_NAME)_atfedk2.img.signed)
@ln -sf $(TIANOCORE_ATF_SIGNED_IMAGE) $(EDK2_ATF_SIGNED_IMAGE)
@ln -sf $(OUTPUT_IMAGE) $(TIANOCORE_ATF_IMAGE)

@echo "Build Capsule Image"
. $(EDK2_SRC_DIR)/edksetup.sh && build -a AARCH64 -t $(EDK2_GCC_TAG) -b $(BUILD_VARIANT) \
-D UEFI_ATF_IMAGE=$(TIANOCORE_ATF_SIGNED_IMAGE) \
-D UEFI_ATF_IMAGE=$(TIANOCORE_ATF_IMAGE) \
-p Platform/Ampere/$(BOARD_NAME_UFL)Pkg/$(BOARD_NAME_UFL)Capsule.dsc
@cp -f $(EDK2_FV_DIR)/JADEFIRMWAREUPDATECAPSULEFMPPKCS7.Cap $(OUTPUT_CAPSULE)
@rm -fr $(OUTPUT_RAW_IMAGE).sig $(OUTPUT_RAW_IMAGE).signed $(OUTPUT_RAW_IMAGE)

# end of makefile
9 changes: 3 additions & 6 deletions edk2-build.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,17 +133,14 @@ function build_tianocore_atf
dd bs=1 seek=2031616 conv=notrunc if=$DEST_DIR/${PLATFORM_LOWER}_board_setting.bin of=${TIANOCORE_ATF_SLIM}
dd bs=1024 seek=2048 if=$DEST_DIR/${PLATFORM_LOWER}_tianocore${LINUXBOOT_FMT}${BUILD_TYPE}_${VER}.${BUILD}.fip.signed of=${TIANOCORE_ATF_SLIM}
fi
openssl dgst -sha256 -sign $PLATFORM_PATH/TestKeys/Dbu_AmpereTest.priv.pem -out $DEST_DIR/${PLATFORM_LOWER}_tianocore_atf${BUILD_TYPE}_${VER}.${BUILD}.img.sig ${TIANOCORE_ATF_SLIM}
cat $DEST_DIR/${PLATFORM_LOWER}_tianocore_atf${BUILD_TYPE}_${VER}.${BUILD}.img.sig ${TIANOCORE_ATF_SLIM} > $WS_BOARD/${target}_${PLATFORM_TOOLCHAIN}/${PLATFORM_LOWER}_tianocore_atf.img.signed
# support 1.01 tag
ln -sf $WS_BOARD/${target}_${PLATFORM_TOOLCHAIN}/${PLATFORM_LOWER}_tianocore_atf.img.signed $WS_BOARD/${PLATFORM_LOWER}_atfedk2.img.signed
ln -sf ${TIANOCORE_ATF_SLIM} $WS_BOARD/${PLATFORM_LOWER}_tianocore_atf.img
CAPSULE_DSC="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $board get -o capsule_dsc`"
build -n $NUM_THREADS -a "$PLATFORM_ARCH" -t ${PLATFORM_TOOLCHAIN} -p "$CAPSULE_DSC" -b "$target" ${PLATFORM_BUILDFLAGS} -D FIRMWARE_VER="${VER}.${BUILD} Build ${BUILD_DATE}" \
-D UEFI_ATF_IMAGE=$WS_BOARD/${target}_${PLATFORM_TOOLCHAIN}/${PLATFORM_LOWER}_tianocore_atf.img.signed
-D UEFI_ATF_IMAGE=${TIANOCORE_ATF_SLIM}
cp $WS_BOARD/${target}_${PLATFORM_TOOLCHAIN}/FV/JADEFIRMWAREUPDATECAPSULEFMPPKCS7.Cap $DEST_DIR/${PLATFORM_LOWER}_tianocore_atf${BUILD_TYPE}_${VER}.${BUILD}.cap
rm -fr ${TIANOCORE_ATF_SLIM}
fi
rm -fr $DEST_DIR/*.img.signed $DEST_DIR/*.img.sig $DEST_DIR/*.bin.padded $DEST_DIR/*.fd.crt $DEST_DIR/*.fip.signed
rm -fr $DEST_DIR/*.bin.padded $DEST_DIR/*.fd.crt $DEST_DIR/*.fip.signed
fi
echo "Results: `readlink -f $DEST_DIR`"
if which tree >/dev/null 2>&1; then
Expand Down

0 comments on commit 125776a

Please sign in to comment.