From: "Zhang, Chao B" <chao.b.zhang@intel.com>
To: "Kinney, Michael D" <michael.d.kinney@intel.com>, Felix Polyudov <Felixp@ami.com>, devel@edk2.groups.io, "Xu, Wei6" <wei6.xu@intel.com>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>, "Wu, Hao A" <hao.a.wu@intel.com>, "Gao, Liming" <liming.gao@intel.com>
Subject: Re: [edk2-devel][Patch v2 0/7] Implement Capsule On Disk.
Date: Thu, 6 Jun 2019 01:23:45 +0000
References: <20190605154203.11012-1-wei6.xu@intel.com> <9333E191E0D52B4999CE63A99BA663A00302C9234C@atlms1.us.megatrends.com>

Hi Felix:

We did this design for security considerations.

For Solution B:

1) We don't want to introduce PartitionDxe and FatDxe into our trust boundary. It brings in a new attack surface.

2) We reuse the PEI storage stack as it is simple. But PEI FAT reduced the attack surface by only accessing files in RootDir. That is why relocation happens.

For Solution A:

3) It is considered more secure, with a smaller attack surface, because in Solution B we may suffer from a DMA attack when accessing the PEI storage device.

Solution B is still a valuable option as some platforms may not have Capsule in RAM support. That is why we provide both solutions and leave the option to the user.

We have a WIKI page to describe all cases: https://github.com/tianocore/tianocore.github.io/wiki/UEFI-Capsule-on-Disk-Introducation

Just feel free to ask questions if anything is not clear.

From: Kinney, Michael D
Sent: Thursday, June 6, 2019 6:37 AM
To: Felix Polyudov <Felixp@ami.com>; devel@edk2.groups.io; Xu, Wei6 <wei6.xu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>; Gao, Liming <liming.gao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
Subject: RE: [edk2-devel][Patch v2 0/7] Implement Capsule On Disk.

Hi Felix,

For (1), this is a limitation of UEFI Capsule On Disk for capsules that must be processed before End of DXE. This solution only works for EFI System Partitions that can be accessed from PEI. Platforms that require the use of a UEFI Driver loaded from a PCI Option ROM to access the EFI System Partition cannot use the UEFI Capsule On Disk feature. They must use the UEFI Capsule In Memory feature.

For (2), in order to access the capsule file in the UEFI Spec defined location, the FAT PEIM would have to be extended to support reading files from subdirectories. The current FAT PEIM only supports reading files from the root directory. This is sufficient for reading recovery images. In order to minimize the size and complexity of PEI phase modules, this solution uses the FAT PEIM "as is" and uses the features of the UEFI FAT driver to move the Capsule On Disk content into a location that is compatible with the existing FAT PEIM.

Thanks,

Mike

> -----Original Message-----
> From: Felix Polyudov [mailto:Felixp@ami.com]
> Sent: Wednesday, June 5, 2019 2:53 PM
> To: devel@edk2.groups.io; Xu, Wei6 <wei6.xu@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <liming.gao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: RE: [edk2-devel][Patch v2 0/7] Implement Capsule On Disk.
>
> 1. It looks like the implementation processes capsule files in PEI.
> According to the UEFI specification, capsule files are stored on the active ESP.
> Not every UEFI boot device can be accessed in PEI.
> For example, a RAID connected to a PCI plug-in card cannot be accessed in PEI.
>
> 2. Solution B) below relocates the capsule to "a temp file which will be stored in root directory". I think it is cleaner to reuse the UEFI capsule-on-disk infrastructure and keep the capsule file in the dedicated \EFI\UpdateCapsule folder (refer to the "Delivery of Capsules via file on Mass Storage device" section of the UEFI specification).
>
> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Xu, Wei6
> Sent: Wednesday, June 05, 2019 11:42 AM
> To: devel@edk2.groups.io
> Cc: Jian J Wang; Hao A Wu; Michael D Kinney; Liming Gao; Chao B Zhang
> Subject: [edk2-devel][Patch v2 0/7] Implement Capsule On Disk.
>
> V2:
> Fix Ecc check failure.
>
> V1:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1852
>
> This patch set implements Capsule On Disk.
> Depending on whether the platform supports Capsule-In-Ram, the Capsule On Disk feature is composed of 2 solutions:
> Solution A): Load capsules out of the TCB, relying on the UpdateCapsule() runtime service to deliver Capsule-On-Disk.
> Solution B): Relocate capsules into a temp file which will be stored in the root directory on a platform-specific storage device. Leverage the existing storage stack in PEI to load all capsule on disk images and create capsule HOBs for the capsules. This solution has a bigger TCB, but can work without Capsule-In-RAM support.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Chao B Zhang <chao.b.zhang@intel.com>
>
> xuwei6 (7):
>   MdePkg: Add Pei Boot In CapsuleOnDisk Mode Ppi definition.
>   MdeModulePkg: Add Capsule On Disk related definition.
>   MdeModulePkg: Add CapsuleOnDiskLoadPei PEIM.
>   MdeModulePkg/BdsDxe: Support Capsule On Disk.
>   MdeModulePkg/CapsuleRuntimeDxe: Introduce PCD to control this feature.
>   MdeModulePkg/DxeIpl: Support Capsule On Disk.
>   MdeModulePkg: Add Capsule On Disk APIs into CapsuleLib.
>
>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.h              |    3 +-
>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf            |   20 +-
>  MdeModulePkg/Core/DxeIplPeim/DxeLoad.c             |   37 +-
>  MdeModulePkg/Include/Library/CapsuleLib.h          |   94 +-
>  MdeModulePkg/Include/Ppi/CapsuleOnDisk.h           |   48 +
>  .../Library/DxeCapsuleLibFmp/CapsuleOnDisk.c       | 1983 ++++++++++++++++++++
>  .../Library/DxeCapsuleLibFmp/CapsuleOnDisk.h       |   63 +
>  .../Library/DxeCapsuleLibFmp/DxeCapsuleLib.c       |   56 +-
>  .../Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf     |   21 +-
>  .../DxeCapsuleLibFmp/DxeCapsuleProcessLib.c        |  121 +-
>  .../Library/DxeCapsuleLibFmp/DxeCapsuleReportLib.c |   67 +-
>  .../DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf      |    3 +-
>  .../Library/DxeCapsuleLibNull/DxeCapsuleLibNull.c  |   85 +-
>  MdeModulePkg/MdeModulePkg.dec                      |   43 +
>  MdeModulePkg/MdeModulePkg.dsc                      |    4 +
>  MdeModulePkg/MdeModulePkg.uni                      |   32 +
>  MdeModulePkg/Universal/BdsDxe/BdsDxe.inf           |    3 +-
>  MdeModulePkg/Universal/BdsDxe/BdsEntry.c           |    6 +-
>  .../CapsuleOnDiskLoadPei/CapsuleOnDiskLoadPei.c    |  442 +++++
>  .../CapsuleOnDiskLoadPei/CapsuleOnDiskLoadPei.inf  |   64 +
>  .../CapsuleOnDiskLoadPei/CapsuleOnDiskLoadPei.uni  |   15 +
>  .../CapsuleOnDiskLoadPeiExtra.uni                  |   14 +
>  .../CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf        |    1 +
>  .../Universal/CapsuleRuntimeDxe/CapsuleService.c   |   10 +-
>  MdePkg/Include/Ppi/BootInRecoveryMode.h            |    9 +-
>  MdePkg/MdePkg.dec                                  |    3 +
>  26 files changed, 3205 insertions(+), 42 deletions(-)
>  create mode 100644 MdeModulePkg/Include/Ppi/CapsuleOnDisk.h
>  create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/CapsuleOnDisk.c
>  create mode 100644 MdeModulePkg/Library/DxeCapsuleLibFmp/CapsuleOnDisk.h
>  create mode 100644 MdeModulePkg/Universal/CapsuleOnDiskLoadPei/CapsuleOnDiskLoadPei.c
>  create mode 100644 MdeModulePkg/Universal/CapsuleOnDiskLoadPei/CapsuleOnDiskLoadPei.inf
>  create mode 100644 MdeModulePkg/Universal/CapsuleOnDiskLoadPei/CapsuleOnDiskLoadPei.uni
>  create mode 100644 MdeModulePkg/Universal/CapsuleOnDiskLoadPei/CapsuleOnDiskLoadPeiExtra.uni
>
> --
> 2.16.2.windows.1
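As an added illustration of the trust-boundary point Chao and Mike make above (the capsule file comes from an ESP the firmware does not control, and in Solution B it is parsed inside the PEI TCB), here is example code that is not part of this patch set or of edk2: a stand-alone C routine that validates an EFI_CAPSULE_HEADER read from such a file before anything is built from it. The 28-byte header layout and the flag values follow the UEFI specification, as does the rule that POPULATE_SYSTEM_TABLE is only valid together with PERSIST_ACROSS_RESET; the function names, the status enum, the placeholder GUID and the constructed sample capsule are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_CAPSULE_HEADER layout from the UEFI specification: a 16-byte GUID
   followed by three little-endian UINT32 fields, 28 bytes in total. */
#define CAPSULE_HEADER_SIZE 28u

/* Flag bits defined by the UEFI specification for EFI_CAPSULE_HEADER.Flags. */
#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET  0x00010000u
#define CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE 0x00020000u
#define CAPSULE_FLAGS_INITIATE_RESET        0x00040000u

typedef struct {
  uint8_t  CapsuleGuid[16];
  uint32_t HeaderSize;
  uint32_t Flags;
  uint32_t CapsuleImageSize;
} CapsuleHeader;

/* Status values are an assumption of this example, not edk2 return codes. */
typedef enum {
  CAPSULE_OK = 0,
  CAPSULE_ERR_TOO_SHORT,    /* fewer bytes read than the fixed header */
  CAPSULE_ERR_IMAGE_SIZE,   /* CapsuleImageSize below the header or beyond the bytes read */
  CAPSULE_ERR_HEADER_SIZE,  /* HeaderSize below 28 or beyond the image */
  CAPSULE_ERR_FLAGS         /* POPULATE_SYSTEM_TABLE set without PERSIST_ACROSS_RESET */
} CapsuleStatus;

static uint32_t ReadLe32(const uint8_t *P) {
  return (uint32_t)P[0] | ((uint32_t)P[1] << 8) | ((uint32_t)P[2] << 16) | ((uint32_t)P[3] << 24);
}

static void WriteLe32(uint8_t *P, uint32_t V) {
  P[0] = (uint8_t)V; P[1] = (uint8_t)(V >> 8); P[2] = (uint8_t)(V >> 16); P[3] = (uint8_t)(V >> 24);
}

/* Validate a capsule image read from an untrusted file. Len is the byte count
   actually read from disk; every size field is checked against it before the
   caller copies the image or builds a HOB from it. */
CapsuleStatus ValidateCapsuleImage(const uint8_t *Buf, size_t Len, CapsuleHeader *Out) {
  CapsuleHeader H;
  if (Buf == NULL || Len < CAPSULE_HEADER_SIZE) return CAPSULE_ERR_TOO_SHORT;
  memcpy(H.CapsuleGuid, Buf, sizeof H.CapsuleGuid);
  H.HeaderSize       = ReadLe32(Buf + 16);
  H.Flags            = ReadLe32(Buf + 20);
  H.CapsuleImageSize = ReadLe32(Buf + 24);
  /* CapsuleImageSize counts header plus payload and must fit in the bytes read. */
  if (H.CapsuleImageSize < CAPSULE_HEADER_SIZE || H.CapsuleImageSize > Len) return CAPSULE_ERR_IMAGE_SIZE;
  /* HeaderSize must cover the fixed header and stay inside the image. */
  if (H.HeaderSize < CAPSULE_HEADER_SIZE || H.HeaderSize > H.CapsuleImageSize) return CAPSULE_ERR_HEADER_SIZE;
  /* The specification allows POPULATE_SYSTEM_TABLE only together with PERSIST_ACROSS_RESET. */
  if ((H.Flags & CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE) != 0 &&
      (H.Flags & CAPSULE_FLAGS_PERSIST_ACROSS_RESET) == 0) return CAPSULE_ERR_FLAGS;
  if (Out != NULL) *Out = H;
  return CAPSULE_OK;
}

/* Build a constructed sample capsule (not a real update image): the header
   fields given, a placeholder GUID and a zero-filled payload. Returns the
   number of bytes written, or 0 if the buffer is too small. */
size_t BuildSampleCapsule(uint8_t *Buf, size_t Cap, uint32_t HeaderSize, uint32_t Flags, uint32_t ImageSize) {
  static const uint8_t PlaceholderGuid[16] = {   /* constructed, not a real capsule GUID */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00 };
  if (ImageSize < CAPSULE_HEADER_SIZE || ImageSize > Cap) return 0;
  memset(Buf, 0, ImageSize);
  memcpy(Buf, PlaceholderGuid, sizeof PlaceholderGuid);
  WriteLe32(Buf + 16, HeaderSize);
  WriteLe32(Buf + 20, Flags);
  WriteLe32(Buf + 24, ImageSize);
  return ImageSize;
}

/* Build a sample with the given header fields, then validate it as if only
   LenGiven bytes had been read (LenGiven < ImageSize models a truncated file). */
CapsuleStatus CheckCase(uint32_t HeaderSize, uint32_t Flags, uint32_t ImageSize, size_t LenGiven) {
  uint8_t Buf[256];
  size_t Written = BuildSampleCapsule(Buf, sizeof Buf, HeaderSize, Flags, ImageSize);
  if (Written == 0) return CAPSULE_ERR_TOO_SHORT;
  return ValidateCapsuleImage(Buf, LenGiven < Written ? LenGiven : Written, NULL);
}

int main(void) {
  printf("well-formed:        %d\n", CheckCase(28, CAPSULE_FLAGS_PERSIST_ACROSS_RESET, 64, 64));
  printf("truncated file:     %d\n", CheckCase(28, CAPSULE_FLAGS_PERSIST_ACROSS_RESET, 64, 40));
  printf("bad HeaderSize:     %d\n", CheckCase(8, CAPSULE_FLAGS_PERSIST_ACROSS_RESET, 64, 64));
  printf("inconsistent flags: %d\n", CheckCase(28, CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE, 64, 64));
  return 0;
}
```

The point of checking CapsuleImageSize against the byte count actually read, rather than against the value the file itself claims, is that in Solution B the file sits on media the PEI storage stack reads without any prior authentication; a size field larger than the data present is exactly the kind of input a DMA-exposed or attacker-written ESP can present.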
