Upstream-Status: Inappropriate [Dasharo downstream] Change-Id: Iedbcfcbca5c048774ae66cd4cf4566500cd615e8 Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
If CapsuleRootKey.inc exists and CONFIG_EDK2_CAPSULES_V2 is set, copy the file to EDK. This needs to be done as part of coreboot's build process because EDK's worktree doesn't exist right after cloning coreboot and there is no way to initialize it without building coreboot. This makes it impossible to provision EDK's key before the build without coreboot knowing about it at some level. Also reset DasharoPayloadPkg/CapsuleRootKey.inf in EDK if CONFIG_EDK2_CAPSULES_V2 is enabled, like it's already done for logos. Not adding the file to .gitignore so it's more visible to the user when present. Change-Id: I8b557c4ab239d61a5cef01928fda13b8417d54cb Upstream-Status: Inappropriate [Dasharo downstream] Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Change-Id: Ia9462cc4997dd04a17bc43d41fd3f8a08d318341 Upstream-Status: Inappropriate [Dasharo downstream] Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
There was one outlier in this file. Upstream-Status: Inappropriate [Dasharo downstream] Change-Id: I3334d8eccaf64c57fc37580dce3d057938795427 Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
| # check that `CONFIG_EDK2_CAPSULES_V2=y` is not added to | ||
| # `CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y` without | ||
| # `CONFIG_EDK2_CAPSULES_V2_TRANSITION=y` | ||
| if uses_v1_capsules "$old_config" && |
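Review bot: the comment above `if uses_v1_capsules "$old_config" &&` names the forbidden change but not the precondition that limits it. Add a line saying the check only applies when the previous release's config is V1, so that a reader can see a config carrying `CONFIG_EDK2_CAPSULES_V2=y` in both releases is not rejected by it.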
Is CONFIG_DRIVERS_EFI_UPDATE_CAPSULES supposed to be disabled on full, non-transition V2 releases?
The checks don't allow CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y && CONFIG_EDK2_CAPSULES_V2=y after the transition is finished.
Not sure which combination of options you think is problematic. CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y will always be there when capsules are enabled. uses_v1_capsules() returns non-zero for a config with V2 capsules, so this condition will not be entered.
| new_config=$(git show "$new_tag:$config") | ||
| old_config=$(git show "$old_tag:$config") | ||
|
|
||
| # check that `CONFIG_EDK2_CAPSULES_V2=y` is not added to |
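Review bot: the two `git show` assignments at the top of this hunk don't check the exit status. If `$config` does not exist at `$old_tag` (for example, a board added after the previous release), `old_config` ends up empty and the checks that follow run against an empty string. Unless the script runs under `set -e`, which is not visible here, consider `if ! old_config=$(git show "$old_tag:$config" 2>/dev/null); then` and skipping that config with a warning.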
Could also check if the transition is not used without CONFIG_EDK2_CAPSULES_V2.
That can't happen because (coreboot/payloads/external/edk2/Kconfig.dasharo, lines 442 to 445 in a155c21) and this script probably shouldn't validate the state of Kconfig files.
|
|
||
| old_tag=$(get_previous_release "$new_tag") | ||
| if [ -z "$old_tag" ]; then | ||
| echo "warning: no previous release for '$tag', skipping checks." |
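Review bot: `$tag` in the warning on the last line is not set anywhere in this hunk, while the line two above passes `$new_tag` to `get_previous_release`, so the message will print an empty name; use `'$new_tag'`. The warning should also be redirected to stderr (`>&2`) so it does not mix with the script's regular output.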
I don't know if $tag is defined in this context? I think it's only defined within get_previous_release() here
should probably be new_tag
Yes, I renamed variables for consistency at some point and introduced this mistake.
…ates Check that `CONFIG_EDK2_CAPSULES_V2=y` is not added to `CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y` without `CONFIG_EDK2_CAPSULES_V2_TRANSITION=y`. Check that `CONFIG_EDK2_CAPSULES_V2_TRANSITION=y` doesn't live longer than one release cycle. Check that `CONFIG_EDK2_CAPSULES_V2_TRANSITION=y` is not added to `CONFIG_EDK2_CAPSULES_V2=y`. Check that `CONFIG_EDK2_CAPSULES_V2_TRANSITION=y` is not removed. Change-Id: I24a1fd41864983fff3f9dfa717a0e4a7505fecac Upstream-Status: Inappropriate [Dasharo downstream] Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
9e03837 to e72877e
SergiiDmytruk left a comment
- check that `CONFIG_EDK2_CAPSULES_V2_TRANSITION=y` is not added to a V2 config
- check that `CONFIG_EDK2_CAPSULES_V2=y` is not removed
- usage
- redirection of errors and warnings to stderr
They will be reused by upcoming changes. Change-Id: Ie81e82f402e4c171f957a9b53b1e40dc559d19a4 Upstream-Status: Inappropriate [Dasharo downstream] Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Takes a capsule and signing keys, unpacks the capsule, then packs it back under a (likely) different name. Two functions were borrowed from a script in OSFV. Change-Id: I23157aaeedb4e1fdcfb10c5a0235acd571aa72b4 Upstream-Status: Inappropriate [Dasharo downstream] Co-authored-by: Filip Gołaś <filip.golas@3mdeb.com> Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
These are RC1s for MSI boards, new CI checks of defconfigs and build system updates to support provisioning of capsule root keys.
ref: dsh-1176
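
The release-to-release rules listed in the commit message and review summary above, written out as a small state check (an added example, not the script from this pull request). `has_opt`, `uses_v2_capsules`, `in_transition` and `check_transition` are hypothetical names, `uses_v1_capsules` follows the behaviour described in the thread, and the fourth rule uses the review summary's wording (`CONFIG_EDK2_CAPSULES_V2=y` is not removed).

```shell
# Added example: capsule transition rules applied to two config texts.
# Function names other than uses_v1_capsules are hypothetical.

has_opt() { printf '%s\n' "$1" | grep -qxF "$2=y"; }   # has_opt TEXT OPTION
uses_v2_capsules() { has_opt "$1" CONFIG_EDK2_CAPSULES_V2; }
in_transition() { has_opt "$1" CONFIG_EDK2_CAPSULES_V2_TRANSITION; }
# V1: capsules enabled but V2 not selected (non-zero for a V2 config).
uses_v1_capsules() {
    has_opt "$1" CONFIG_DRIVERS_EFI_UPDATE_CAPSULES && ! uses_v2_capsules "$1"
}

# check_transition OLD_CONFIG NEW_CONFIG
# Prints one line per violated rule to stderr, returns the violation count.
check_transition() {
    old=$1 new=$2 errors=0
    fail() { echo "error: $1" >&2; errors=$((errors + 1)); }
    # Rule 1: V1 -> V2 must pass through a transition release.
    if uses_v1_capsules "$old" && uses_v2_capsules "$new" &&
       ! in_transition "$new"; then
        fail "V2 enabled on a V1 config without a transition release"
    fi
    # Rule 2: the transition lasts a single release cycle.
    if in_transition "$old" && in_transition "$new"; then
        fail "transition kept for more than one release"
    fi
    # Rule 3: a config that is already plain V2 never re-enters transition.
    if uses_v2_capsules "$old" && ! in_transition "$old" &&
       in_transition "$new"; then
        fail "transition added to a config that is already V2"
    fi
    # Rule 4: V2 is never dropped once released.
    if uses_v2_capsules "$old" && ! uses_v2_capsules "$new"; then
        fail "V2 capsules removed"
    fi
    return "$errors"
}

# Constructed sample configs (not taken from any real board).
V1='CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y'
V2T='CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y
CONFIG_EDK2_CAPSULES_V2=y
CONFIG_EDK2_CAPSULES_V2_TRANSITION=y'
V2='CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y
CONFIG_EDK2_CAPSULES_V2=y'

check_transition "$V1" "$V2" || echo "violations: $?"
```

A plain V2 config in both releases, with `CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y` still set, passes all four rules.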