[SRU] backport mkeficapsule to jammy

Bug #2036406 reported by Aristo Chen
Affects: OEM Priority Project (assigned to Aristo Chen), u-boot (Ubuntu)

Bug Description


* mkeficapsule is a standalone command used to generate a capsule file for updating specially configured U-Boot (not only on SD card but also on SPI flash and other media) and possibly other firmware like TF-A.
* mkeficapsule code exists in Jammy already, but is not shipped in the u-boot-tools Debian package, so users are not able to generate a capsule file in a Jammy environment. Since the mkeficapsule command is not available in Jammy, ideally no one should be impacted.

[Test case]

Test case 1:
Users can use mkeficapsule to generate a capsule file which contains firmware, or anything they want, such as dtb or fip.bin. In this test case we use mkeficapsule to create a capsule file that contains U-Boot.
1. Please prepare a device that is capable of using a capsule file to update firmware
2. Prepare your own key with this command
   $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365
3. Use the mkeficapsule command to generate test_new.cap and test_old.cap, both containing U-Boot built at different times
   $ mkeficapsule --private-key SIGNER.key --certificate SIGNER.crt --monotonic-count 1 --instance 0 --index 2 --guid "12345678-abcd-1234-5678-12345678abcd" test.bin test_new.cap
4. Put the capsule files in the required path (both test_new.cap and test_old.cap)
5. Reboot the device and stop at the U-Boot prompt, then type the command. Note the actual location of test_new.cap may be different in your case
   => efidebug boot add -b 0 0 mmc 0:8 test_new.cap
6. The device should reset; check whether the U-Boot build stamp is different from the previous one

Test case 2:
1. sudo apt install efitools libguestfs-tools
2. Add CONFIG_EFI_CAPSULE_AUTHENTICATE=y to configs/sandbox_defconfig
3. Follow the command here (https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-suite) to test with U-Boot sandbox. The command needs to be run as sudo, otherwise the test_efi_capsule related test cases will be skipped. The test result can be found in comment #9

[Where problems could occur]

* There is no mkeficapsule command in Jammy yet, and mkeficapsule is a standalone tool, so the regression risk should be low

[Other Info]
* These patches are already in Lunar, so we only need to backport to Jammy
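
An added example, not part of the original report or of U-Boot: a Python check that reads the headers of a capsule file such as test_new.cap and reports the --guid, --index, --instance and --monotonic-count values it carries, so they can be confirmed before the file is copied to the device. It assumes the UEFI-specification FMP capsule layout with the --guid value stored as UpdateImageTypeId; parse_fmp_capsule and build_sample_capsule are names introduced here, the sample capsule is constructed, and the signature itself is not verified.

```python
import struct
import uuid

# EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID from the UEFI specification.
FMP_CAPSULE_GUID = uuid.UUID("6dcbd5ed-e82d-4c44-bda1-7194199ad92a")
CAPSULE_SUPPORT_AUTHENTICATION = 0x1  # bit in ImageCapsuleSupport


def parse_fmp_capsule(blob):
    """Return the header fields of the first payload in an FMP capsule."""
    try:
        guid_le, hdr_size, _flags, total = struct.unpack_from("<16sIII", blob, 0)
        if uuid.UUID(bytes_le=guid_le) != FMP_CAPSULE_GUID:
            raise ValueError("not an FMP capsule")
        if total != len(blob):
            raise ValueError("CapsuleImageSize does not match the file size")
        # EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER follows the capsule header.
        _ver, drivers, payloads = struct.unpack_from("<IHH", blob, hdr_size)
        if payloads < 1:
            raise ValueError("capsule carries no payload")
        # ItemOffsetList is relative to the FMP header; driver entries come first.
        (offset,) = struct.unpack_from("<Q", blob, hdr_size + 8 + 8 * drivers)
        img = hdr_size + offset
        ver, type_le, index, size, _vendor = struct.unpack_from("<I16sB3xII", blob, img)
        # UpdateHardwareInstance exists from version 2, ImageCapsuleSupport from 3.
        instance = struct.unpack_from("<Q", blob, img + 32)[0] if ver >= 2 else 0
        support = struct.unpack_from("<Q", blob, img + 40)[0] if ver >= 3 else 0
        data = img + 32 + 8 * min(max(ver - 1, 0), 2)
        signed = bool(support & CAPSULE_SUPPORT_AUTHENTICATION)
        # A signed image starts with EFI_FIRMWARE_IMAGE_AUTHENTICATION.MonotonicCount.
        count = struct.unpack_from("<Q", blob, data)[0] if signed else None
    except struct.error as exc:
        raise ValueError("truncated capsule: %s" % exc)
    return {"guid": str(uuid.UUID(bytes_le=type_le)), "index": index,
            "instance": instance, "image_size": size,
            "signed": signed, "monotonic_count": count}


def build_sample_capsule(guid, index, instance, count):
    """Constructed sample: real header layout, placeholder signature and image bytes."""
    body = struct.pack("<Q", count) + b"constructed-placeholder"
    image = struct.pack("<I16sB3xIIQQ", 3, uuid.UUID(guid).bytes_le, index,
                        len(body), 0, instance, CAPSULE_SUPPORT_AUTHENTICATION) + body
    fmp = struct.pack("<IHHQ", 1, 0, 1, 16) + image
    return struct.pack("<16sIII", FMP_CAPSULE_GUID.bytes_le, 28, 0, 28 + len(fmp)) + fmp


if __name__ == "__main__":
    sample = build_sample_capsule("12345678-abcd-1234-5678-12345678abcd", 2, 0, 1)
    print(parse_fmp_capsule(sample))
```

To check a real file, pass its contents to parse_fmp_capsule, for example `parse_fmp_capsule(open("test_new.cap", "rb").read())`.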

Heinrich Schuchardt (xypron) wrote :

The U-Boot v2022.01 source code already contains mkeficapsule. Do you plan to backport any patches from higher U-Boot versions or do you simply want to change the list of installed files in u-boot-tools?

Aristo Chen (aristochen) wrote :

Hi Heinrich,

Thanks for replying so fast! Sorry that I haven't put all the required info in this bug yet. I am still building the Debian package in PPA, but I would need to put the bug number in the changelog, so I opened the bug first without having all the info ready.

I am planning to backport some patches from higher U-Boot versions for mkeficapsule, will update the bug once everything is ready, thanks!

Aristo Chen (aristochen)
description: updated
Aristo Chen (aristochen) wrote :

This is the test result for test case 2 mentioned in bug description

Aristo Chen (aristochen) wrote :

This (https://launchpad.net/~aristochen/+archive/ubuntu/dev-amd64/+packages) is the PPA that I used for building a test Debian package, and the Debian package was used for test case 1 mentioned in the bug description

Heinrich Schuchardt (xypron) wrote :

Hello Aristo,

in your mkeficapsule.log the following tests are skipped:


I guess test_capsule_firmware.py is skipped due to missing local tools.

By adding -ra as pytest argument you should see the reason for skipping:
./test/py/test.py -ra --bd sandbox --build

See this line in test/py/tests/test_efi_capsule/conftest.py:
pytest.skip('Setup failed: %s' % exception.cmd)

When I run on my system
'make tests' passes test/py/tests/test_efi_capsule/test_capsule_firmware.py

With CONFIG_EFI_CAPSULE_AUTHENTICATE=y added to sandbox_defconfig the package also passes

I would suggest to add the following information to debian/changelog:

"mkeficapsule with the patches applied matches U-Boot v2022.04."

Best regards


Aristo Chen (aristochen) wrote :

Hi Heinrich,

Thanks for the suggestions! I was not that familiar with testing U-Boot. It turns out that I need to install efitools and libguestfs-tools, and then run the test with sudo permission.

I will update the test result later and try to build a new debian package in PPA, will update here once it's done

Best regards,

Aristo Chen (aristochen)
tags: added: oem-priority originate-from-2031356
Changed in oem-priority:
assignee: nobody → Aristo Chen (aristochen)
importance: Undecided → High
status: New → Confirmed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "jammy.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Aristo Chen (aristochen) wrote :

This is the test result after installing the required Debian packages and running with sudo permission

Aristo Chen (aristochen) wrote :

This is the debdiff for Jammy, and I have deleted previous jammy.debdiff to prevent confusion

Dave Jones (waveform) wrote :

Trying to channel the SRU team, a couple of things I'd point out that may need some clarification in the bug description:

* Does this also need back-porting to lunar? We shouldn't have a situation where something is fixed in jammy but regresses for people upgrading to lunar (ignore this if these changes are already present in the lunar version)

* The Impact specifies what the bug is doing but not really what the "impact" actually is. What will it mean for users if this bug is *not* fixed? It may also be useful to describe precisely what firmware we're talking about (typically most firmware comes from the linux-firmware package but I'm guessing we're talking about early-boot related firmware here).

* In the Test Case is there enough information for people other than the reporter to test the fix?

* In the regression potential: as I understand it from the patches, there's *some* mkeficapsule code already in the jammy version but it's not built as part of u-boot-tools. Is that mkeficapsule code solely used by the mkeficapsule binary, or does patching it affect anything else in u-boot (i.e. does anything else pull in any parts of mkeficapsule)? If not, it's probably worth mentioning that mkeficapsule is "standalone" and these patches affect nothing other than a binary that isn't currently built in the jammy version.

Aristo Chen (aristochen) wrote :

Hi Dave,

Thanks for the reply, I have updated the bug description, hopefully it answers all your questions, thanks!

description: updated
description: updated
Brian Murray (brian-murray) wrote :

I've uploaded this to the SRU queue for Jammy. Thanks!

Changed in u-boot (Ubuntu):
importance: Undecided → High
status: New → Triaged