Update Certificate for UEFI Capsule update

[Red-Dragon-99]

Hi,

I would like to enable OTA updates on a Secureboot-enabled (i.e. fused) Jetson Orin Nano.
I fused SBK/PKC/etc .. using the following XML:

<genericfuse MagicId="0x45535546" version="1.0.0">
    <fuse name="PublicKeyHash" size="64" value="0x..."/>
    <fuse name="PkcPubkeyHash1" size="64" value="0x..."/>
    <fuse name="PkcPubkeyHash2" size="64" value="0x..."/>
    <fuse name="SecureBootKey" size="32" value="0x..."/>
    <fuse name="Kdk0" size="32"  value="0x..."/>
    <fuse name="OemK1" size="32" value="0x..."/>
    <fuse name="OemK2" size="32" value="0x..."/>
    <fuse name="PscOdmStatic" size="4" value="0x60"/>
    <fuse name="BootSecurityInfo" size="4" value="0x2A09"/>
    <fuse name="SecurityMode" size="4" value="0x1"/>
</genericfuse>

When I boot the device, I see that secureboot is enabled (MB2 prints "RSA PSS signature check: OK") and Linux boots nicely ("EFI stub: UEFI Secure Boot is enabled").
However, when triggering capsule updates they fail with the next reboot and the device stays on the current boot slot.

Surfing through the code, I realized that in tegra-uefi-capsule-signing.class some certificates must be specified:

UEFI_CAPSULE_SIGNER_PRIVATE_CERT ?= "${PYTHON_BASETOOLS}/Pkcs7Sign/TestCert.pem"
UEFI_CAPSULE_OTHER_PUBLIC_CERT ?= "${PYTHON_BASETOOLS}/Pkcs7Sign/TestSub.pub.pem"
UEFI_CAPSULE_TRUSTED_PUBLIC_CERT ?= "${PYTHON_BASETOOLS}/Pkcs7Sign/TestRoot.pub.pem"

I just don't understand how they are derived. Is there any documentation on that? There are no helpful comments in the class file and the NVIDIA documentation just mentions these test files. There is no explanation on how to create your own files. I assume they are somehow related to the keys in the EKB?

Any help is appreciated!

Regards
Stefan

[ichergui]

Hi @Red-Dragon-99
Sorry, I missed your post. Any update about this ?
Were you able to progress/solve the issue ?

[Lexmark-chad]

I think what you are looking for can be found here:

https://github.com/tianocore/edk2/tree/master/BaseTools/Source/Python/Pkcs7Sign

[gabrielssanches]

I just ran into this while looking at capsule update.

from what I can understand, those files are from edk2-firmware-tegra recipe at edk2/BaseTools/Source/Python/Pkcs7Sign/

and they are provided for develoment use only, as stated here https://docs.nvidia.com/jetson/archives/r36.4.3/DeveloperGuide/SD/Bootloader/UpdateAndRedundancy.html#generating-a-multi-spec-capsule-payload

For production, you must create or specify your own certificates to replace the test certificates, which include signer private cert, other public cert, and trusted public cert. Without specifying your own certificates, UEFI Capsule update security is highly vulnerable.

and of course the UEFI needs to be built with them

When specifying your own certificates, you must also rebuild UEFI with these certificates. The certificates are located in the edk2/BaseTools/Source/Python/Pkcs7Sign/ directory of the UEFI source. Please refer to the edk2/BaseTools/Source/Python/Pkcs7Sign/Readme.md for generating and replacing the certificates.

I haven't seen that beeing mentioned in the wiki (meta-tegra) anywhere in the secure boot section.

I'm gonna try changing it myself and add the steps to the wiki

[madisongh]

We do mention UEFI signing on the wiki, but I'm sure it could use some further explanation.

[gabrielssanches]

UEFI signing yes, but this is capsule update signing

[Lexmark-chad]

I think these are the basic steps:

• provision your keys and certs per here
• generate the DSC PCD .inc file that includes your root cert per here
• patch this file to replace the default root test cert with your root cert.
• add the patch to your build by .bbappend'ing to edk2-firmware-tegra

[gabrielssanches]

I have done something similar, but instead of patching with the generated .inc I had all certs/keys removed and replaced the .inc file.

Additionally, the .inc file generation document instructs to generate TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
That file is not used in the build like TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc. Instead, it is embedded here edk2/SecurityPkg/SecurityPkg.dec in plain text.

I have done some tests with a capsule update and PcdPkcs7CertBuffer is not used to validate it, only PcdFmpDevicePkcs7CertBufferXdr is.

In that sense, instead of patching edk2/SecurityPkg/SecurityPkg.dec with the new cert, I patched to remove it (e.g.: {0}).
Correct if I am wrong, but is that cert used in any case?

here is the bbappend relevant parts

FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

SRC_URI:append = " \
        file://0002-SecurityPkg-SecurityPkg.dec-Disable-generic-PKCS7-ce.patch;patchdir=../edk2-nvidia \
        file://Root.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc \
"

do_unpack[postfuncs] += "remove_test_certificates"
remove_test_certificates() {
    # Remove all test certificates
    rm -f ${S}/BaseTools/Source/Python/Pkcs7Sign/*.inc
    rm -f ${S}/BaseTools/Source/Python/Pkcs7Sign/*.cer
    rm -f ${S}/BaseTools/Source/Python/Pkcs7Sign/*.pem

    # Move user root certificate in place of test certificate
    cp ${UNPACKDIR}/Root.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc ${S}/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc
}

and edk2/SecurityPkg/SecurityPkg.dec after patched:

gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer|{0}|VOID*|0x00010014

As I am not sure if that is the correct solution yet, I have not pushed any thing to the wiki.

[Lexmark-chad]

It's been quite awhile since I've been through this, but I've captured this in my notes:

https://github.com/NVIDIA/edk2-nvidia/blob/r36.4.3-updates/Platform/NVIDIA/NVIDIA.common.dsc.inc#L851

That tells you which of gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer (the multi-cert version) or gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer (the single cert version) is used. I did not need to remove any of the default keys and certs. All I had to do was patch the test root cert as described above. Although, I will say that I vaguely recall when deciding how to implement there were multiple ways to approach it. For example, you could have provided your own .inc and patched the file above to include that instead of the test root cert.