From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2a00:1450:400c:c09::242; helo=mail-wm0-x242.google.com; envelope-from=ard.biesheuvel@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-wm0-x242.google.com (mail-wm0-x242.google.com [IPv6:2a00:1450:400c:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C027B210C6454 for ; Fri, 8 Jun 2018 05:37:46 -0700 (PDT) Received: by mail-wm0-x242.google.com with SMTP id r15-v6so3092510wmc.1 for ; Fri, 08 Jun 2018 05:37:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kryaWkJXzMgfuoiDOxyvY1G8+BjqOz/IBNYNTcZuVzA=; b=FcFg5F2POLxchckmrR04073yKHQSiJ6lbYmm4W74fVk5pZXWTde2EDzDaCskp8VDs3 Dvg2AHvUK+r4zq1JUhtpngDFuyYI3VTt0+sJYAXwr7zO0a4eOXBRHTg3bZo1On6mDDLC VaG9GvMjXqyI5I7lJgylQVytWnI9qU9K8CTO0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kryaWkJXzMgfuoiDOxyvY1G8+BjqOz/IBNYNTcZuVzA=; b=YEAV18j5khRk8nbmb1KkIc9nFZyBDk7Gqglbx1mbkRzUP8aJaw0SXdo4kF4LJLTkO8 R+sb5QTW/FvmrKLMjPKjM0QSrya9jTcw7tS1eOX2GO5ZPdCI2OFMt8IojawBIJQ8Z9Gn p2SZI1ewuBpkDGY437NPJJltk4gGTmQK3DVWa5beC9voyqKwgTtESjNH8gEZIreMe1gK 66zCGGDQogwdhVZDInIfGiwkg2Ek9SUqwisoSnj0J87tWWmjeLSUXaFFa6QfL0a/zSJl xVLl0r0lDbEsKzXF69uePTYsltjClFYJQLHUsQsOwDp8Ds0cF2TQl4A1M2NWQcQ1web7 niAA== X-Gm-Message-State: APt69E1SR7p8YVFhJgmA2fkYmjzQ3vZrUdbKrcVVZNykQ6gyFkyFsAVq OUFRfyjyNc0z1kRYeUCDteu79Q== X-Google-Smtp-Source: ADUXVKJoXLX/uwBp73XyNMfY9jKiCfeMj9u4mEm4b6llfPU3zy3vsWIl/f3hUHTHPLEUIdoUJHuZzQ== X-Received: by 2002:a1c:8ec1:: with SMTP id q184-v6mr1387153wmd.48.1528461464569; Fri, 08 Jun 2018 05:37:44 -0700 (PDT) Received: from [100.118.206.194] (44.15.136.77.rev.sfr.net. [77.136.15.44]) by smtp.gmail.com with ESMTPSA id b15-v6sm68489489wri.14.2018.06.08.05.37.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Jun 2018 05:37:43 -0700 (PDT) Mime-Version: 1.0 (1.0) From: Ard Biesheuvel X-Mailer: iPhone Mail (15E302) In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503AC3515B@shsmsx102.ccr.corp.intel.com> Date: Fri, 8 Jun 2018 14:37:42 +0200 Cc: "edk2-devel@lists.01.org" , "Kinney, Michael D" , "Zeng, Star" , "leif.lindholm@linaro.org" Message-Id: <6534F306-C3E7-40D2-84F4-D409BF1F7B68@linaro.org> References: <20180608065811.2065-1-ard.biesheuvel@linaro.org> <20180608065811.2065-3-ard.biesheuvel@linaro.org> <74D8A39837DF1E4DA445A8C0B3885C503AC3515B@shsmsx102.ccr.corp.intel.com> To: "Yao, Jiewen" Subject: Re: [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jun 2018 12:37:47 -0000 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable > On 8 Jun 2018, at 14:34, Yao, Jiewen wrote: >=20 > Hi Ard > We don't allow platform to update system firmware *after* EndOfDxe. >=20 > According to PI spec, after EndOfDxe, 3rd part code start running. It brin= gs security risk if we allow system firmware after EndOfDxe. >=20 > In our X86 system design, we lock flash part *before* EndOfDxe in any boot= mode. > Even in CapsuleUpdate boot mode, we also lock flash part at EndOfDxe, just= in case the capsule update does not indicate a reset. >=20 > Would you please share the info, why your platform need update system firm= ware after EndOfDxe? > Is that possible to make it earlier? >=20 >=20 Because we need some kind of console to report progress to the user. The secure platform execution context is completely separate from UEFI on Ar= m, so for us the distinction does not make sense. > Thank you > Yao Jiewen >=20 >> -----Original Message----- >> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ar= d >> Biesheuvel >> Sent: Friday, June 8, 2018 2:58 AM >> To: edk2-devel@lists.01.org >> Cc: Kinney, Michael D ; Yao, Jiewen >> ; Zeng, Star ; >> leif.lindholm@linaro.org; Ard Biesheuvel >> Subject: [edk2] [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit >> ProcessCapsules () to be called once >>=20 >> Permit ProcessCapsules () to be called only a single time, after >> EndOfDxe. This allows platforms that are able to update system >> firmware after EndOfDxe (e.g., because the flash ROM is not locked >> down) to do so at a time when a non-trusted console is up and running, >> and progress can be reported to the user. >>=20 >> Contributed-under: TianoCore Contribution Agreement 1.1 >> Signed-off-by: Ard Biesheuvel >> --- >> MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c | 18 >> ++++++++++++------ >> 1 file changed, 12 insertions(+), 6 deletions(-) >>=20 >> diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c= >> b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c >> index 26ca4e295f20..ad83660f1737 100644 >> --- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c >> +++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c >> @@ -100,6 +100,7 @@ IsValidCapsuleHeader ( >>=20 >> extern BOOLEAN mDxeCapsuleLibEndOfDxe; >> BOOLEAN mNeedReset; >> +BOOLEAN mFirstRound =3D TRUE; >>=20 >> VOID **mCapsulePtr; >> EFI_STATUS *mCapsuleStatusArray; >> @@ -364,8 +365,11 @@ PopulateCapsuleInConfigurationTable ( >>=20 >> Each individual capsule result is recorded in capsule record variable. >>=20 >> - @param[in] FirstRound TRUE: First round. Need skip the FMP >> capsules with non zero EmbeddedDriverCount. >> - FALSE: Process rest FMP capsules. >> + @param[in] FirstRound Whether this is the first invocation >> + @param[in] LastRound Whether this is the last invocation >> + FALSE: First of 2 rounds. Need skip th= e >> FMP >> + capsules with non zero >> EmbeddedDriverCount. >> + TRUE: Process rest FMP capsules. >>=20 >> @retval EFI_SUCCESS There is no error when processing >> capsules. >> @retval EFI_OUT_OF_RESOURCES No enough resource to process >> capsules. >> @@ -373,7 +377,8 @@ PopulateCapsuleInConfigurationTable ( >> **/ >> EFI_STATUS >> ProcessTheseCapsules ( >> - IN BOOLEAN FirstRound >> + IN BOOLEAN FirstRound, >> + IN BOOLEAN LastRound >> ) >> { >> EFI_STATUS Status; >> @@ -453,7 +458,7 @@ ProcessTheseCapsules ( >> continue; >> } >>=20 >> - if ((!FirstRound) || (EmbeddedDriverCount =3D=3D 0)) { >> + if (LastRound || (EmbeddedDriverCount =3D=3D 0)) { >> DEBUG((DEBUG_INFO, "ProcessCapsuleImage - 0x%x\n", >> CapsuleHeader)); >> Status =3D ProcessCapsuleImage (CapsuleHeader); >> mCapsuleStatusArray [Index] =3D Status; >> @@ -546,7 +551,7 @@ ProcessCapsules ( >> EFI_STATUS Status; >>=20 >> if (!mDxeCapsuleLibEndOfDxe) { >> - Status =3D ProcessTheseCapsules(TRUE); >> + Status =3D ProcessTheseCapsules(TRUE, FALSE); >>=20 >> // >> // Reboot System if and only if all capsule processed. >> @@ -555,8 +560,9 @@ ProcessCapsules ( >> if (mNeedReset && AreAllImagesProcessed()) { >> DoResetSystem(); >> } >> + mFirstRound =3D FALSE; >> } else { >> - Status =3D ProcessTheseCapsules(FALSE); >> + Status =3D ProcessTheseCapsules(mFirstRound, TRUE); >> // >> // Reboot System if required after all capsule processed >> // >> -- >> 2.17.0 >>=20 >> _______________________________________________ >> edk2-devel mailing list >> edk2-devel@lists.01.org >> https://lists.01.org/mailman/listinfo/edk2-devel