From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2607:f8b0:4001:c0b::22e; helo=mail-it0-x22e.google.com; envelope-from=ard.biesheuvel@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id ECF0E2132EA1B for ; Sat, 9 Jun 2018 22:41:54 -0700 (PDT) Received: by mail-it0-x22e.google.com with SMTP id m194-v6so6854469itg.2 for ; Sat, 09 Jun 2018 22:41:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uuhUUianMDifubD7majp14dYgqpUYMx/CrZ6SBTQXzY=; b=BJtQtmTvKVD/1xgl1zHWBydhYxHTVr+RxHXbOScFijcM68imw9+KnxaEIpXxIXGYiy +nyvlsDGIv8Pis5T3ODBMDzVgHVUKx4PeGOxoqXMwEYAeoezyWOdn0Chc3h6a/3CviBo nbgjskFBy6GvJ42PAcDhwEfBIUpdNLKdqSmzc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uuhUUianMDifubD7majp14dYgqpUYMx/CrZ6SBTQXzY=; b=bawOKKRu8ujjtdGmTZnhfPh+j1yMS234PHvx9Mwl4O9d5F01dvvqzAfgCW3OEWX5vf c9tukZsPCD1M5dZC1GYIzC/rVr/1eHowuZZPui3dSedu9bS51VGAFi8ydKhaWbNjbSo1 MAl36WSJNuXqyOBDzPyeDFEseKl93yecwZNFq3g/EYHhuwrMkTSTEsxTvSeDylrgMaQZ 4ecASKo85UuH1Y2RyYbV8ArefEUJ7wvB7zV5jWYyKu/1tY/g8mhirOYuawOLURlpJZkg 6Ph3OAi70PQld+/WZJUpRzdow9qrK1VwtG7OxH5Foz++KgaF5kzAlfZ15XMQVowx13ka GJ/w== X-Gm-Message-State: APt69E30oTE/1l5YMP7QtF11s2wbZb4+arnIFiQekXE87y8vudNlF0kj xwb22VVQLcsd1o2q164lzjW59bVe5DQcwccWRYZsUQ== X-Google-Smtp-Source: ADUXVKJKBcv8cocFfup6ITu4sn+bnCwORUNgfBldb30XyiQEgM2D+JD65jhStBCLF9dbk3LOA3O3qA40C8T5310i0Fw= X-Received: by 2002:a24:1d0e:: with SMTP id 14-v6mr6707795itj.50.1528609313626; Sat, 09 Jun 2018 22:41:53 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a6b:bbc7:0:0:0:0:0 with HTTP; Sat, 9 Jun 2018 22:41:53 -0700 (PDT) In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503AC3A387@shsmsx102.ccr.corp.intel.com> References: <20180608065811.2065-1-ard.biesheuvel@linaro.org> <20180608065811.2065-3-ard.biesheuvel@linaro.org> <74D8A39837DF1E4DA445A8C0B3885C503AC3515B@shsmsx102.ccr.corp.intel.com> <6534F306-C3E7-40D2-84F4-D409BF1F7B68@linaro.org> <74D8A39837DF1E4DA445A8C0B3885C503AC3A387@shsmsx102.ccr.corp.intel.com> From: Ard Biesheuvel Date: Sun, 10 Jun 2018 07:41:53 +0200 Message-ID: To: "Yao, Jiewen" Cc: "edk2-devel@lists.01.org" , "Kinney, Michael D" , "Zeng, Star" , "leif.lindholm@linaro.org" Subject: Re: [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Jun 2018 05:41:55 -0000 Content-Type: text/plain; charset="UTF-8" On 10 June 2018 at 07:38, Yao, Jiewen wrote: > Hi Ard > According to PI spec, "Prior to invoking any UEFI drivers, or applications that are not from the platform manufacturer, or connecting consoles, the platform should signals the event EFI_END_OF_DXE_EVENT_GUID" > > In brief, EndOfDxe is signaled before 3rd part code running. > > As such, it is legal that a trusted console is connected before EndOfDxe. > You can report progress to user before EndOfDxe. > So how do I connect a trusted console on a system with a plugin graphics card? How can I report capsule update progress on such a system? On a system such as ARM where the actual flash update involves calls into the standalone MM layer, which makes the distinction unnecessary, how do you recommend to handle this if it is mandatory according to you to process the capsule before EndOfDxe? >> -----Original Message----- >> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] >> Sent: Friday, June 8, 2018 8:38 AM >> To: Yao, Jiewen >> Cc: edk2-devel@lists.01.org; Kinney, Michael D ; >> Zeng, Star ; leif.lindholm@linaro.org >> Subject: Re: [edk2] [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit >> ProcessCapsules () to be called once >> >> >> >> > On 8 Jun 2018, at 14:34, Yao, Jiewen wrote: >> > >> > Hi Ard >> > We don't allow platform to update system firmware *after* EndOfDxe. >> > >> > According to PI spec, after EndOfDxe, 3rd part code start running. It brings >> security risk if we allow system firmware after EndOfDxe. >> > >> > In our X86 system design, we lock flash part *before* EndOfDxe in any boot >> mode. >> > Even in CapsuleUpdate boot mode, we also lock flash part at EndOfDxe, just in >> case the capsule update does not indicate a reset. >> > >> > Would you please share the info, why your platform need update system >> firmware after EndOfDxe? >> > Is that possible to make it earlier? >> > >> > >> >> Because we need some kind of console to report progress to the user. >> >> The secure platform execution context is completely separate from UEFI on Arm, >> so for us the distinction does not make sense. >> >> > Thank you >> > Yao Jiewen >> > >> >> -----Original Message----- >> >> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of >> Ard >> >> Biesheuvel >> >> Sent: Friday, June 8, 2018 2:58 AM >> >> To: edk2-devel@lists.01.org >> >> Cc: Kinney, Michael D ; Yao, Jiewen >> >> ; Zeng, Star ; >> >> leif.lindholm@linaro.org; Ard Biesheuvel >> >> Subject: [edk2] [PATCH v2 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit >> >> ProcessCapsules () to be called once >> >> >> >> Permit ProcessCapsules () to be called only a single time, after >> >> EndOfDxe. This allows platforms that are able to update system >> >> firmware after EndOfDxe (e.g., because the flash ROM is not locked >> >> down) to do so at a time when a non-trusted console is up and running, >> >> and progress can be reported to the user. >> >> >> >> Contributed-under: TianoCore Contribution Agreement 1.1 >> >> Signed-off-by: Ard Biesheuvel >> >> --- >> >> MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c | 18 >> >> ++++++++++++------ >> >> 1 file changed, 12 insertions(+), 6 deletions(-) >> >> >> >> diff --git >> a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c >> >> b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c >> >> index 26ca4e295f20..ad83660f1737 100644 >> >> --- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c >> >> +++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c >> >> @@ -100,6 +100,7 @@ IsValidCapsuleHeader ( >> >> >> >> extern BOOLEAN mDxeCapsuleLibEndOfDxe; >> >> BOOLEAN mNeedReset; >> >> +BOOLEAN mFirstRound = TRUE; >> >> >> >> VOID **mCapsulePtr; >> >> EFI_STATUS *mCapsuleStatusArray; >> >> @@ -364,8 +365,11 @@ PopulateCapsuleInConfigurationTable ( >> >> >> >> Each individual capsule result is recorded in capsule record variable. >> >> >> >> - @param[in] FirstRound TRUE: First round. Need skip the >> FMP >> >> capsules with non zero EmbeddedDriverCount. >> >> - FALSE: Process rest FMP capsules. >> >> + @param[in] FirstRound Whether this is the first invocation >> >> + @param[in] LastRound Whether this is the last invocation >> >> + FALSE: First of 2 rounds. Need skip >> the >> >> FMP >> >> + capsules with non zero >> >> EmbeddedDriverCount. >> >> + TRUE: Process rest FMP capsules. >> >> >> >> @retval EFI_SUCCESS There is no error when processing >> >> capsules. >> >> @retval EFI_OUT_OF_RESOURCES No enough resource to process >> >> capsules. >> >> @@ -373,7 +377,8 @@ PopulateCapsuleInConfigurationTable ( >> >> **/ >> >> EFI_STATUS >> >> ProcessTheseCapsules ( >> >> - IN BOOLEAN FirstRound >> >> + IN BOOLEAN FirstRound, >> >> + IN BOOLEAN LastRound >> >> ) >> >> { >> >> EFI_STATUS Status; >> >> @@ -453,7 +458,7 @@ ProcessTheseCapsules ( >> >> continue; >> >> } >> >> >> >> - if ((!FirstRound) || (EmbeddedDriverCount == 0)) { >> >> + if (LastRound || (EmbeddedDriverCount == 0)) { >> >> DEBUG((DEBUG_INFO, "ProcessCapsuleImage - 0x%x\n", >> >> CapsuleHeader)); >> >> Status = ProcessCapsuleImage (CapsuleHeader); >> >> mCapsuleStatusArray [Index] = Status; >> >> @@ -546,7 +551,7 @@ ProcessCapsules ( >> >> EFI_STATUS Status; >> >> >> >> if (!mDxeCapsuleLibEndOfDxe) { >> >> - Status = ProcessTheseCapsules(TRUE); >> >> + Status = ProcessTheseCapsules(TRUE, FALSE); >> >> >> >> // >> >> // Reboot System if and only if all capsule processed. >> >> @@ -555,8 +560,9 @@ ProcessCapsules ( >> >> if (mNeedReset && AreAllImagesProcessed()) { >> >> DoResetSystem(); >> >> } >> >> + mFirstRound = FALSE; >> >> } else { >> >> - Status = ProcessTheseCapsules(FALSE); >> >> + Status = ProcessTheseCapsules(mFirstRound, TRUE); >> >> // >> >> // Reboot System if required after all capsule processed >> >> // >> >> -- >> >> 2.17.0 >> >> >> >> _______________________________________________ >> >> edk2-devel mailing list >> >> edk2-devel@lists.01.org >> >> https://lists.01.org/mailman/listinfo/edk2-devel