List: linaro-boot-architecture
Subject: Re: [EBBR PATCH 3/3] Require EFI_UPDATE_CAPSULE
From: Stuart Yoder <stuart.yoder () arm ! com>
Date: 2021-02-16 15:40:03
Message-ID: cea9fe6b-d171-a4cc-a522-93ae87c7dceb () arm ! com
On 2/15/21 6:17 PM, AKASHI Takahiro wrote:
> Hi Grant,
>
> # apart from capsule update/EBBR,
>
> On Mon, Feb 15, 2021 at 05:28:32PM +0000, Grant Likely wrote:
>>
>>
>> On 12/02/2021 21:50, Heinrich Schuchardt wrote:
>>> On 2/12/21 7:59 PM, Grant Likely wrote:
>>>> EFI_UPDATE_CAPSULE is the industry standard method for applying firmware
>>>> updates. Make it a requirement in EBBR so that fwupd, Windows Update,
>>>> and any other generic firmware update service can support EBBR platforms.
>>>>
>>>> This is made required because the ability to update firmware is a
>>>> critical part of building secure platforms.
>>>>
>>>> Fixes: #69
>>>> Signed-off-by: Grant Likely <grant.likely@arm.com>
>>>> ---
>>>> source/chapter2-uefi.rst | 29 ++++++++++++++++++++++++++++-
>>>> 1 file changed, 28 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
>>>> index 3d48c99..4e8a24d 100644
>>>> --- a/source/chapter2-uefi.rst
>>>> +++ b/source/chapter2-uefi.rst
>>>> @@ -352,7 +352,7 @@ are required to be implemented during boot
>>>> services and runtime services.
>>>> - Required
>>>> - Optional
>>>> * - `EFI_UPDATE_CAPSULE`
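Review bot: the `EFI_UPDATE_CAPSULE` row sits in a table whose lead-in covers both "boot services and runtime services", and the row as shown does not say whether the call has to succeed after ExitBootServices() or only before it. Suggest a short note beside the row stating which phase the requirement applies to, and what a platform is expected to return when it cannot apply a capsule in the other phase, so that generic update services named in the commit message know what to rely on.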
>>>
>>> As you have secure firmware in mind, shouldn't we explicitly require
>>> signature verification of capsules?
>>
>> Yes, but not yet. All the security requirements need to come in at the same
>> time so that it makes sense, and it may be that we adopt BBSR as the
>> security standard instead of adding it into EBBR.
>
> looking at BBSR (v1.0a, downloaded from Arm site),
> it mentions EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS as
> one of required attributes for authenticated variables.
> But it is already marked as deprecated in UEFI spec, and
> I didn't implement it on U-Boot UEFI.
>
> Has that statement in BBSR already been modified/fixed?

That is removed in BBSR v1.1, which will be published later
this Spring.

Stuart
_______________________________________________
boot-architecture mailing list
boot-architecture@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/boot-architecture