On 26/04/2019 10:29, Ilias Apalodimas wrote:
I’d rather see Secure Boot image authentication implemented generically for all 
u-boot platforms, even when secure world variable updates are not available.
Akashi and Sughosh already have code on that. It's not 100% complete or tested
yet, but the basic concept works.

Is that to say that u-boot will provide Runtime services for EFI capsule update?

Is that the current POR?

Maybe it's a stupid question, but on x86 the way this works is you submit a capsule to the EFI runtime service, reboot, and the EFI firmware does your update.

On Arm then the flow is

#1
Linux capsule update -> reboot -> BootROM -> [BL31],[BL32 TEE] -> u-boot

and u-boot performs the update? The bracketed items [] being optional?

A question, then: would it not also be possible to bypass capsule submission in Linux?

#2
Linux -> reboot -> BootROM -> [BL31],[BL32 TEE] -> u-boot

with u-boot looking for say /boot/FirmwareUpdate.cap

In the second case, there's no need for Runtime services, which is why I ask.

---
bod