[1] https://optee.readthedocs.io/en/latest/building/efi_vars/stmm.html
-Enabling UEFI Capsule Update feature
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Support has been added for the UEFI capsule update feature which
-enables updating the U-Boot image using the UEFI firmware management
-protocol (FMP). The capsules are not passed to the firmware through
-the UpdateCapsule runtime service. Instead, capsule-on-disk
-functionality is used for fetching the capsule from the EFI System
-Partition (ESP) by placing the capsule file under the
-\EFI\UpdateCapsule directory.
-
-The directory \EFI\UpdateCapsule is checked for capsules only within the
-EFI system partition on the device specified in the active boot option
-determined by reference to BootNext variable or BootOrder variable processing.
-The active Boot Variable is the variable with highest priority BootNext or
-within BootOrder that refers to a device found to be present. Boot variables
-in BootOrder but referring to devices not present are ignored when determining
-active boot variable.
-Before starting a capsule update make sure your capsules are installed in the
-correct ESP partition or set BootNext.
-
-Performing the update
-*********************
-
-Since U-boot doesn't currently support SetVariable at runtime there's a Kconfig
-option (CONFIG_EFI_IGNORE_OSINDICATIONS) to disable the OsIndications variable
-check. If that option is enabled just copy your capsule to \EFI\UpdateCapsule.
-
-If that option is disabled, you'll need to set the OsIndications variable with::
-
- => setenv -e -nv -bs -rt -v OsIndications =0x04
-
-Finally, the capsule update can be initiated either by rebooting the board,
-which is the preferred method, or by issuing the following command::
-
- => efidebug capsule disk-update
-
-**The efidebug command is should only be used during debugging/development.**
-
-Enabling Capsule Authentication
-*******************************
-
-The UEFI specification defines a way of authenticating the capsule to
-be updated by verifying the capsule signature. The capsule signature
-is computed and prepended to the capsule payload at the time of
-capsule generation. This signature is then verified by using the
-public key stored as part of the X509 certificate. This certificate is
-in the form of an efi signature list (esl) file, which is embedded as
-part of U-Boot.
-
-The capsule authentication feature can be enabled through the
-following config, in addition to the configs listed above for capsule
-update::
-
- CONFIG_EFI_CAPSULE_AUTHENTICATE=y
- CONFIG_EFI_CAPSULE_KEY_PATH=<path to .esl cert>
-
-The public and private keys used for the signing process are generated
-and used by the steps highlighted below::
-
- 1. Install utility commands on your host
- * OPENSSL
- * efitools
-
- 2. Create signing keys and certificate files on your host
-
- $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=CRT/ \
- -keyout CRT.key -out CRT.crt -nodes -days 365
- $ cert-to-efi-sig-list CRT.crt CRT.esl
-
- $ openssl x509 -in CRT.crt -out CRT.cer -outform DER
- $ openssl x509 -inform DER -in CRT.cer -outform PEM -out CRT.pub.pem
-
- $ openssl pkcs12 -export -out CRT.pfx -inkey CRT.key -in CRT.crt
- $ openssl pkcs12 -in CRT.pfx -nodes -out CRT.pem
-
-The capsule file can be generated by using the GenerateCapsule.py
-script in EDKII::
-
- $ ./BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \
- <capsule_file_name> --monotonic-count <val> --fw-version \
- <val> --lsv <val> --guid \
- e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose \
- --update-image-index <val> --signer-private-cert \
- /path/to/CRT.pem --trusted-public-cert \
- /path/to/CRT.pub.pem --other-public-cert /path/to/CRT.pub.pem \
- <u-boot.bin>
-
-Place the capsule generated in the above step on the EFI System
-Partition under the EFI/UpdateCapsule directory
-
-Testing on QEMU
-***************
-
-Currently, support has been added on the QEMU ARM64 virt platform for
-updating the U-Boot binary as a raw image when the platform is booted
-in non-secure mode, i.e. with CONFIG_TFABOOT disabled. For this
-configuration, the QEMU platform needs to be booted with
-'secure=off'. The U-Boot binary placed on the first bank of the NOR
-flash at offset 0x0. The U-Boot environment is placed on the second
-NOR flash bank at offset 0x4000000.
-
-The capsule update feature is enabled with the following configuration
-settings::
-
- CONFIG_MTD=y
- CONFIG_FLASH_CFI_MTD=y
- CONFIG_CMD_MTDPARTS=y
- CONFIG_CMD_DFU=y
- CONFIG_DFU_MTD=y
- CONFIG_PCI_INIT_R=y
- CONFIG_EFI_CAPSULE_ON_DISK=y
- CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
- CONFIG_EFI_CAPSULE_FIRMWARE=y
- CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
-
-In addition, the following config needs to be disabled(QEMU ARM specific)::
-
- CONFIG_TFABOOT
-
-The capsule file can be generated by using the tools/mkeficapsule::
-
- $ mkeficapsule --raw <u-boot.bin> --index 1 <capsule_file_name>
-
Executing the boot manager
~~~~~~~~~~~~~~~~~~~~~~~~~~