EBBR Notes 2023.02.27

Vincent Stehlé edited this page Feb 27, 2023 · 1 revision

Attendees

  • Etienne Carrière (STMicroelectronics)
  • Heinrich Schuchardt (Canonical)
  • Stuart Yoder (Arm)
  • Vincent Stehlé (Arm)

Agenda

  • Review pull requests:

Notes

  • Pull request #102: File Format For Storing EFI Variables (Heinrich)
    • In good shape, comments have been posted.
    • (As far as we know) Ilias sees no need for storing authenticated variables in a file.
    • How to identify the variable file unambiguously? UUID, ESP? If more than one ESP is possible, which takes precedence? Boot options? This needs variable access. The Linux EFI stub would have access anyway.
    • Authenticated variables: U-Boot can write to the file but will not load the security-related variables (PK, KEK, db, dbx, MOK*) from it; other authenticated variables, yes. U-Boot has an option to set those variables at build time, though.
    • The EDK II .fd format has state-related fields. For authenticated variables, it has the "old" monotonic count (for v1), a timestamp (for v2) and a header (for v3, but currently unused). The reason could be to help with atomic updates during runtime. We could support v3 with the data field.
    • Etienne: update from the OS; what happens in case of corruption? Fallback copy? A comment was posted on a similar topic (by Jan, here). Add a recommendation on how best to update?
    • Context: UEFI variables at runtime, sharing the device with the OS at runtime.
      • Implementation with dedicated SPI flash in secure world, StMM.
      • Implementation with OP-TEE secret + eMMC, needs a supplicant in Linux & U-Boot.
      • Implementation with a file on the ESP (the focus of specifying the file format).
      • Implementation with a temporary file on the ESP, processed at next boot time, or even a capsule.
    • U-Boot has a Python script, tools/efivar.py, to edit the file. One can use it from userspace already. In the future: add knowledge in the kernel to make it more transparent.
  • Pull request #103: Require capsule update "on disk" and corresponding variables
    • Looks good: approved.

Links