public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
	 "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
	 "leif.lindholm@linaro.org" <leif.lindholm@linaro.org>,
	"Zeng, Star" <star.zeng@intel.com>
Subject: Re: [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once
Date: Mon, 11 Jun 2018 09:27:16 +0200	[thread overview]
Message-ID: <CAKv+Gu_NHv_i-4minn=qqTmN3=g6On+QZXF992cExFmrqyZ1ew@mail.gmail.com> (raw)
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503AC3ADF5@shsmsx102.ccr.corp.intel.com>

On 10 June 2018 at 21:21, Yao, Jiewen <jiewen.yao@intel.com> wrote:
> Just got some idea since I am also reviewing FmpDevicePkg patch.
>
>
> The key problem we are trying to resolve that is: The core code uses EndOfDxe as the lock event for system firmware, but an ARM platform may want to lock system firmware later, maybe in other lock event.
>
> As such, how about we generalize the lock event as PcdSystemFmpLockEventGuid? We can use EndOfDxeGuid as default one to keep the compatibility. At same time this brings the flexibility for platform overriding.
>
>
> We only need update DxeCapsuleLibConstructor() to use the new PcdGuid, instead of hardcode EndOfDxe.
> We don't need update the logic in ProcessCapsules() and ProcessTheseCapsules().
> The policy in current platform is already enforced, if the platform has a trusted console.
> For ARM platform, which wants to lock system firmware later. It can configure another lock event GUID explicitly in platform DSC.
>

But that means we are still required to call ProcessCapsules () twice, no?

>> -----Original Message-----
>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Yao,
>> Jiewen
>> Sent: Sunday, June 10, 2018 12:02 PM
>> To: Kinney, Michael D <michael.d.kinney@intel.com>; Ard Biesheuvel
>> <ard.biesheuvel@linaro.org>
>> Cc: edk2-devel@lists.01.org; leif.lindholm@linaro.org; Zeng, Star
>> <star.zeng@intel.com>
>> Subject: Re: [edk2] [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit
>> ProcessCapsules () to be called once
>>
>> My concern is that *always allowing* processing SystemCapsule after EndOfDxe
>> has security risk.
>>
>> IMHO, the risk is not *process*, if it is a platform choice. Instead, the risk is
>> *allow*, in the core logic.
>>
>> If we really want to do that, I hope we need a way to distinguish the difference
>> between a platform dispatching SystemCapsule after EndOfDxe *purposely* and
>> a platform dispatching SystemCapsule after EndOfDxe *by mistake*.
>>
>> Maybe some policy enforcement in the core logic. Static policy, at build time.
>>
>> Thank you
>> Yao Jiewen
>>
>> > -----Original Message-----
>> > From: Kinney, Michael D
>> > Sent: Sunday, June 10, 2018 8:57 AM
>> > To: Ard Biesheuvel <ard.biesheuvel@linaro.org>; Yao, Jiewen
>> > <jiewen.yao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
>> > Cc: edk2-devel@lists.01.org; Zeng, Star <star.zeng@intel.com>;
>> > leif.lindholm@linaro.org
>> > Subject: RE: [edk2] [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit
>> > ProcessCapsules () to be called once
>> >
>> > Ard,
>> >
>> > I agree it should be a platform choice to process capsules
>> > before or after End of DXE.  It is even allowed in the
>> > UEFI Spec for capsules to be processed immediately
>> > which would include at OS runtime after ExitBootServices.
>> >
>> > There are 2 inputs to these choices:
>> > * The flags set in the Capsule itself.  See UEFI 2.7 Spec
>> >   Table 38 for the 5 allowed combinations.
>> > * Platform policy for each of these 5 capsule types and
>> >   when each of these 5 capsule types are allowed to be
>> >   processed.
>> >
>> > Jiewen's comments point to some assumptions that have been
>> > made in the logic.  These assumptions may be considered a
>> > safe default platform policy, but the code logic should
>> > allow the platform to easily select alternate policies.
>> >
>> > I think the patch you have provided attempts to add one
>> > additional policy.  Perhaps we should look at this from
>> > the UEFI Spec perspective and see how difficult it is to
>> > express policies for the supported capsule types.
>> >
>> > I will review your patch in more detail tomorrow.
>> >
>> > Thanks,
>> >
>> > Mike
>> >
>> > > -----Original Message-----
>> > > From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
>> > > Sent: Saturday, June 9, 2018 10:42 PM
>> > > To: Yao, Jiewen <jiewen.yao@intel.com>
>> > > Cc: edk2-devel@lists.01.org; Kinney, Michael D
>> > > <michael.d.kinney@intel.com>; Zeng, Star
>> > > <star.zeng@intel.com>; leif.lindholm@linaro.org
>> > > Subject: Re: [edk2] [PATCH v2 2/5]
>> > > MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules
>> > > () to be called once
>> > >
>> > > On 10 June 2018 at 07:38, Yao, Jiewen
>> > > <jiewen.yao@intel.com> wrote:
>> > > > Hi Ard
>> > > > According to PI spec, "Prior to invoking any UEFI
>> > > drivers, or applications that are not from the platform
>> > > manufacturer, or connecting consoles, the platform
>> > > should signals the event EFI_END_OF_DXE_EVENT_GUID"
>> > > >
>> > > > In brief, EndOfDxe is signaled before 3rd part code
>> > > running.
>> > > >
>> > > > As such, it is legal that a trusted console is
>> > > connected before EndOfDxe.
>> > > > You can report progress to user before EndOfDxe.
>> > > >
>> > >
>> > > So how do I connect a trusted console on a system with
>> > > a plugin graphics card?
>> > > How can I report capsule update progress on such a
>> > > system?
>> > > On a system such as ARM where the actual flash update
>> > > involves calls
>> > > into the standalone MM layer, which makes the
>> > > distinction unnecessary,
>> > > how do you recommend to handle this if it is mandatory
>> > > according to
>> > > you to process the capsule before EndOfDxe?
>> > >
>> > >
>> > > >> -----Original Message-----
>> > > >> From: Ard Biesheuvel
>> > > [mailto:ard.biesheuvel@linaro.org]
>> > > >> Sent: Friday, June 8, 2018 8:38 AM
>> > > >> To: Yao, Jiewen <jiewen.yao@intel.com>
>> > > >> Cc: edk2-devel@lists.01.org; Kinney, Michael D
>> > > <michael.d.kinney@intel.com>;
>> > > >> Zeng, Star <star.zeng@intel.com>;
>> > > leif.lindholm@linaro.org
>> > > >> Subject: Re: [edk2] [PATCH v2 2/5]
>> > > MdeModulePkg/DxeCapsuleLibFmp: permit
>> > > >> ProcessCapsules () to be called once
>> > > >>
>> > > >>
>> > > >>
>> > > >> > On 8 Jun 2018, at 14:34, Yao, Jiewen
>> > > <jiewen.yao@intel.com> wrote:
>> > > >> >
>> > > >> > Hi Ard
>> > > >> > We don't allow platform to update system firmware
>> > > *after* EndOfDxe.
>> > > >> >
>> > > >> > According to PI spec, after EndOfDxe, 3rd part
>> > > code start running. It brings
>> > > >> security risk if we allow system firmware after
>> > > EndOfDxe.
>> > > >> >
>> > > >> > In our X86 system design, we lock flash part
>> > > *before* EndOfDxe in any boot
>> > > >> mode.
>> > > >> > Even in CapsuleUpdate boot mode, we also lock
>> > > flash part at EndOfDxe, just in
>> > > >> case the capsule update does not indicate a reset.
>> > > >> >
>> > > >> > Would you please share the info, why your platform
>> > > need update system
>> > > >> firmware after EndOfDxe?
>> > > >> > Is that possible to make it earlier?
>> > > >> >
>> > > >> >
>> > > >>
>> > > >> Because we need some kind of console to report
>> > > progress to the user.
>> > > >>
>> > > >> The secure platform execution context is completely
>> > > separate from UEFI on Arm,
>> > > >> so for us the distinction does not make sense.
>> > > >>
>> > > >> > Thank you
>> > > >> > Yao Jiewen
>> > > >> >
>> > > >> >> -----Original Message-----
>> > > >> >> From: edk2-devel [mailto:edk2-devel-
>> > > bounces@lists.01.org] On Behalf Of
>> > > >> Ard
>> > > >> >> Biesheuvel
>> > > >> >> Sent: Friday, June 8, 2018 2:58 AM
>> > > >> >> To: edk2-devel@lists.01.org
>> > > >> >> Cc: Kinney, Michael D
>> > > <michael.d.kinney@intel.com>; Yao, Jiewen
>> > > >> >> <jiewen.yao@intel.com>; Zeng, Star
>> > > <star.zeng@intel.com>;
>> > > >> >> leif.lindholm@linaro.org; Ard Biesheuvel
>> > > <ard.biesheuvel@linaro.org>
>> > > >> >> Subject: [edk2] [PATCH v2 2/5]
>> > > MdeModulePkg/DxeCapsuleLibFmp: permit
>> > > >> >> ProcessCapsules () to be called once
>> > > >> >>
>> > > >> >> Permit ProcessCapsules () to be called only a
>> > > single time, after
>> > > >> >> EndOfDxe. This allows platforms that are able to
>> > > update system
>> > > >> >> firmware after EndOfDxe (e.g., because the flash
>> > > ROM is not locked
>> > > >> >> down) to do so at a time when a non-trusted
>> > > console is up and running,
>> > > >> >> and progress can be reported to the user.
>> > > >> >>
>> > > >> >> Contributed-under: TianoCore Contribution
>> > > Agreement 1.1
>> > > >> >> Signed-off-by: Ard Biesheuvel
>> > > <ard.biesheuvel@linaro.org>
>> > > >> >> ---
>> > > >> >>
>> > > MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcess
>> > > Lib.c | 18
>> > > >> >> ++++++++++++------
>> > > >> >> 1 file changed, 12 insertions(+), 6 deletions(-)
>> > > >> >>
>> > > >> >> diff --git
>> > > >>
>> > > a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProce
>> > > ssLib.c
>> > > >> >>
>> > > b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProce
>> > > ssLib.c
>> > > >> >> index 26ca4e295f20..ad83660f1737 100644
>> > > >> >> ---
>> > > a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProce
>> > > ssLib.c
>> > > >> >> +++
>> > > b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProce
>> > > ssLib.c
>> > > >> >> @@ -100,6 +100,7 @@ IsValidCapsuleHeader (
>> > > >> >>
>> > > >> >> extern BOOLEAN
>> > > mDxeCapsuleLibEndOfDxe;
>> > > >> >> BOOLEAN                          mNeedReset;
>> > > >> >> +BOOLEAN                          mFirstRound =
>> > > TRUE;
>> > > >> >>
>> > > >> >> VOID                        **mCapsulePtr;
>> > > >> >> EFI_STATUS                  *mCapsuleStatusArray;
>> > > >> >> @@ -364,8 +365,11 @@
>> > > PopulateCapsuleInConfigurationTable (
>> > > >> >>
>> > > >> >>   Each individual capsule result is recorded in
>> > > capsule record variable.
>> > > >> >>
>> > > >> >> -  @param[in]  FirstRound         TRUE:  First
>> > > round. Need skip the
>> > > >> FMP
>> > > >> >> capsules with non zero EmbeddedDriverCount.
>> > > >> >> -                                 FALSE: Process
>> > > rest FMP capsules.
>> > > >> >> +  @param[in]  FirstRound         Whether this is
>> > > the first invocation
>> > > >> >> +  @param[in]  LastRound          Whether this is
>> > > the last invocation
>> > > >> >> +                                 FALSE:  First
>> > > of 2 rounds. Need skip
>> > > >> the
>> > > >> >> FMP
>> > > >> >> +
>> > > capsules with non zero
>> > > >> >> EmbeddedDriverCount.
>> > > >> >> +                                 TRUE:   Process
>> > > rest FMP capsules.
>> > > >> >>
>> > > >> >>   @retval EFI_SUCCESS             There is no
>> > > error when processing
>> > > >> >> capsules.
>> > > >> >>   @retval EFI_OUT_OF_RESOURCES    No enough
>> > > resource to process
>> > > >> >> capsules.
>> > > >> >> @@ -373,7 +377,8 @@
>> > > PopulateCapsuleInConfigurationTable (
>> > > >> >> **/
>> > > >> >> EFI_STATUS
>> > > >> >> ProcessTheseCapsules (
>> > > >> >> -  IN BOOLEAN  FirstRound
>> > > >> >> +  IN BOOLEAN  FirstRound,
>> > > >> >> +  IN BOOLEAN  LastRound
>> > > >> >>   )
>> > > >> >> {
>> > > >> >>   EFI_STATUS                  Status;
>> > > >> >> @@ -453,7 +458,7 @@ ProcessTheseCapsules (
>> > > >> >>         continue;
>> > > >> >>       }
>> > > >> >>
>> > > >> >> -      if ((!FirstRound) || (EmbeddedDriverCount
>> > > == 0)) {
>> > > >> >> +      if (LastRound || (EmbeddedDriverCount ==
>> > > 0)) {
>> > > >> >>         DEBUG((DEBUG_INFO, "ProcessCapsuleImage -
>> > > 0x%x\n",
>> > > >> >> CapsuleHeader));
>> > > >> >>         Status = ProcessCapsuleImage
>> > > (CapsuleHeader);
>> > > >> >>         mCapsuleStatusArray [Index] = Status;
>> > > >> >> @@ -546,7 +551,7 @@ ProcessCapsules (
>> > > >> >>   EFI_STATUS                    Status;
>> > > >> >>
>> > > >> >>   if (!mDxeCapsuleLibEndOfDxe) {
>> > > >> >> -    Status = ProcessTheseCapsules(TRUE);
>> > > >> >> +    Status = ProcessTheseCapsules(TRUE, FALSE);
>> > > >> >>
>> > > >> >>     //
>> > > >> >>     // Reboot System if and only if all capsule
>> > > processed.
>> > > >> >> @@ -555,8 +560,9 @@ ProcessCapsules (
>> > > >> >>     if (mNeedReset && AreAllImagesProcessed()) {
>> > > >> >>       DoResetSystem();
>> > > >> >>     }
>> > > >> >> +    mFirstRound = FALSE;
>> > > >> >>   } else {
>> > > >> >> -    Status = ProcessTheseCapsules(FALSE);
>> > > >> >> +    Status = ProcessTheseCapsules(mFirstRound,
>> > > TRUE);
>> > > >> >>     //
>> > > >> >>     // Reboot System if required after all
>> > > capsule processed
>> > > >> >>     //
>> > > >> >> --
>> > > >> >> 2.17.0
>> > > >> >>
>> > > >> >> _______________________________________________
>> > > >> >> edk2-devel mailing list
>> > > >> >> edk2-devel@lists.01.org
>> > > >> >> https://lists.01.org/mailman/listinfo/edk2-devel
>> _______________________________________________
>> edk2-devel mailing list
>> edk2-devel@lists.01.org
>> https://lists.01.org/mailman/listinfo/edk2-devel


  reply	other threads:[~2018-06-11  7:27 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-08  6:58 [PATCH v2 0/5] MdeModulePkg ArmPkg: support for persistent capsules and progress reporting Ard Biesheuvel
2018-06-08  6:58 ` [PATCH v2 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data Ard Biesheuvel
2018-06-11 21:24   ` Ard Biesheuvel
2018-06-11 21:27     ` Yao, Jiewen
2018-06-11 21:28       ` Ard Biesheuvel
2018-06-11 21:40         ` Kinney, Michael D
2018-06-11 22:01           ` Ard Biesheuvel
2018-06-12  0:54             ` Kinney, Michael D
2018-06-12  9:01               ` Ard Biesheuvel
2018-06-12 10:31                 ` Ard Biesheuvel
2018-06-12 15:02                   ` Kinney, Michael D
2018-06-08  6:58 ` [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once Ard Biesheuvel
2018-06-08 12:34   ` Yao, Jiewen
2018-06-08 12:37     ` Ard Biesheuvel
2018-06-10  5:38       ` Yao, Jiewen
2018-06-10  5:41         ` Ard Biesheuvel
2018-06-10 15:57           ` Kinney, Michael D
2018-06-10 19:01             ` Yao, Jiewen
2018-06-10 19:21               ` Yao, Jiewen
2018-06-11  7:27                 ` Ard Biesheuvel [this message]
2018-06-11 12:37                   ` Yao, Jiewen
2018-06-11 12:40                     ` Ard Biesheuvel
2018-06-11 13:55                       ` Yao, Jiewen
2018-06-11 14:06                         ` Ard Biesheuvel
2018-06-11 15:12                           ` Yao, Jiewen
2018-06-12  9:41                             ` Zeng, Star
2018-06-11 15:12                         ` Kinney, Michael D
2018-06-18 10:35     ` Udit Kumar
2018-06-18 14:59       ` Yao, Jiewen
2018-06-08  6:58 ` [PATCH v2 3/5] MdeModulePkg/DxeCapsuleLibFmp: pass progress callback only if it works Ard Biesheuvel
2018-06-08  6:58 ` [PATCH v2 4/5] ArmPkg/PlatformBootManagerLib: call ProcessCapsules() only once Ard Biesheuvel
2018-06-08  6:58 ` [PATCH v2 5/5] ArmPkg/ArmSmcPsciResetSystemLib: implement fallback for warm reboot Ard Biesheuvel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAKv+Gu_NHv_i-4minn=qqTmN3=g6On+QZXF992cExFmrqyZ1ew@mail.gmail.com' \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox