/iotg-fbu

Primary LanguagePythonBSD 2-Clause "Simplified" LicenseBSD-2-Clause

Firmware and BIOS Utilities (FBU)

The project contains command line Python scripts to stitch sub-region images to Intel FirmWare Image (IFWI) and create UEFI capsule images. Optionally, signing tool is included to generate signed sub-region image.

It supports Windows 10, Ubuntu Linux, or Yocto Linux.

Installation

  • Install Python v3.6 and additional modules
pip install -r requirements.txt
  • Install openssl

Manually install OpenSSL to the host and add it to the system environment variable PATH.

Pre-compiled OpenSSL for Windows can be downloaded from here. You may use apt-get to install openssl on Ubuntu Linux.

Usage

Sub-region capsule tool

JSON Input Format

Input file to run sub-region capsule requires a JSON format that describes the data structure and field values to be serialized into binary format.

Format of the JSON payload descriptor file:

  {
     "FmpGuid": <string (GUID)>,
     "Version": <integer>,
     "FV" :
     {
       "FvGuid": <string (GUID)>,
       "FfsFiles":
       [
         {
          "FileGuid": <string (GUID)>,
          "Compression": <boolean>,
          "Data" :
          [
             [<string (member_name)>, <string (data_type)>, <integer (byte_size)>, <integer|string (member_value)>],
            ...
          ]
        }
      ]
    }
  }

Supported data_type values are "DECIMAL", "HEXADECIMAL", "STRING" or "FILE".

Certificate files

If the signed capsule is required, you shall provide certificates from the command line. For testing purpose, they can be downloaded from here.

TestCert.pem
TestSub.pub.pem
TestRoot.pub.pem

NOTE: if certificate files does not match the ones built in BIOS, the capsule cannot be updated.

Create capsule image

NOTE: JSON_FILE should be obtained from the owners of sub-region data.

$ python3 subregion_capsule.py -o capsule.out.bin -s TestCert.pem -p TestSub.pub.pem -t TestRoot.pub.pem <JSON_FILE>

Output messages :
Read binary input file ./SubRegionFv.fv
FMP_PAYLOAD_HEADER.Signature              = 3153534D (MSS1)
FMP_PAYLOAD_HEADER.HeaderSize             = 00000010
FMP_PAYLOAD_HEADER.FwVersion              = 00000001
FMP_PAYLOAD_HEADER.LowestSupportedVersion = 00000000
...
...
EFI_CAPSULE_HEADER.CapsuleImageSize = 00001B5D
sizeof (Payload)                    = 00001B3D
Write binary output file capsule.out.bin
Success

The capsule file capsule.out.bin is generated and should be used as input file for fwupdate tool on the target device to trigger capsule update.

Stitching tool

The stitch tool can change or merge a supported sub-region file inside a full IFWI image based on UEFI Firmware Volume format.

To get a list of supported sub-regions, run:

$ python3 siip_stitch.py -h

usage: siip_stitch [-h] -ip ipname [-k PRIVATE_KEY] [-v] [-o FileName]
                   IFWI_IN IPNAME_IN

...
...
Supported Sub-Region Names: ['pse', 'fkm', 'tmac', 'tsnip', 'tsn', 'tcc',
'oob', 'oob_rootca', 'vbt', 'gop', 'gfxpeim']

To stitch a sub-region, provide the sub-region name (e.g. pse), IFWI image to be updated, and the sub-region file. For example:

$python3 siip_stitch.py -ip pse -o new.ifwi.bin ifwi.bin pse.bin

...
siip_stitch INFO *** Replacing pse ...
...
...
Decoding
Decoding
Decoding
Decoding
Decoding
Decoding
Decoding
Decoding
Create New FD file successfully.

Done!

Signing tool

The signing tool generates security signatures and auxiliary data for a payload file. When BIOS loads the payload (code or data) during boot, it verifies the payload authenticity and integrity first.

For example, to sign an image using RSA private key priv3k.pem, run:

python3 siip_sign.py sign -i pse.bin -k priv3k.pem -o pse.signed.bin

The signed image (e.g. pse.signed.bin), is the input file to be either stitched into IFWI image, or for creating a capsule image for firmware update.

License

See LICENSE for details.