On Fri, 26 Apr 2019 at 12:36, Bryan O'Donoghue <[email protected]> wrote:
>
> On 26/04/2019 10:29, Ilias Apalodimas wrote:
> >> I'd rather see Secure Boot image authentication implemented generically
> >> for all u-boot platforms, even when secure world variable updates are not
> >> available.
> > Akashi and Sughosh already have code on that. It's not 100% complete or tested
> > yet, but the basic concept works.
>
> Is that to say that u-boot will provide Runtime services for EFI
> capsule update ?
>

That shall be one of the few runtime services supported as well as get/set
variables.

>
> Is that the current POR ?
>

Yes

>
> Maybe it's a stupid question but, on x86 the way this works is you submit
> a capsule to the EFI runtime service, reboot and the EFI firmware does
> your update.
>
> On Arm then the flow is
>
> #1
> Linux capsule update -> reboot -> BootROM -> [BL31],[BL32 TEE] -> u-boot
>
> and u-boot performs the update ? The bracketed items [] being optional ?
>

Only for the untrusted parts. S-EL3 shall update or validate the updates.

> A question then would it not also be possible to bypass capsule
> submission in Linux ?
>

In a different thread (EFIBootguard: do you follow this one too?), someone
proposed that in the context of A/B partitions, Linux software agent updates
a partition and the reboot cycle validates if it accepts. This may be a flow
but I see issues in this approach that need a lot of discussion.

> #2
> Linux -> reboot -> BootROM -> [BL31],[BL32 TEE] -> u-boot
>
> with u-boot looking for say /boot/FirmwareUpdate.cap
>
> In the second case, there's no need from Runtime services is why I ask.
>
> ---
> bod
> _______________________________________________
> boot-architecture mailing list
> [email protected]
> https://lists.linaro.org/mailman/listinfo/boot-architecture
>

--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
[email protected] | Skype: ffozog
