EBBR only requires a subset of UEFI. Provide a replacement for the UEFI
section that lists base requirements.
Fixes: #60
Fixes: #61
Fixes: #64
---
This is my first complete draft itemizing the specific UEFI requirements
for EBBR. Please review and comment.
Cheers,
g.
source/chapter2-uefi.rst | 155 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 152 insertions(+), 3 deletions(-)
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index aab1c2c..5864a17 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -14,8 +14,157 @@ This document uses version 2.8 Errata A of the UEFI specification [UEFI]_.
UEFI Compliance
===============
-EBBR compliant platforms shall conform to the requirements in [UEFI]_ § 2.6,
-except where explicit exemptions are provided by this document.
+EBBR compliant platform shall conform to a subset of the [UEFI]_ spec as listed
+in this section.
+Normally, UEFI compliance would require full compliance with all items listed
+in section 2.6 of the UEFI spec.
+However, the EBBR target market has a reduced set of requirements,
+and so some UEFI features are omitted as unnecessary.
+
+Required Elements
+-----------------
+
+This section replaces the list of required elements in [UEFI]_ § 2.6.1.
+All of the following UEFI elements are required for EBBR compliance.
+
+.. list-table:: UEFI Required Elements
+ :widths: 50 50
+ :header-rows: 1
+
+ * - Element
+ - Requirement
+ * - `EFI_SYSTEM_TABLE`
+ - The system table is required to provide required to access UEFI Boot Services,
+ UEFI Runtime Services, consoles, and other firmware, vendor and platform
+ information.
+ * - `EFI_BOOT_SERVICES`
+ - All functions defined as boot services must exist.
+ Methods for unsupported or unimplemented behavour must return an appropriate error code.
+ * - `EFI_RUNTIME_SERVICES`
+ - All functions defined as runtime services must exist.
+ Methods for unsupported or unimplemented behavour must return an appropriate error code.
+ * - `EFI_LOADED_IMAGE_PROTOCOL`
+ - Must be installed for each loaded image
+ * - `EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL`
+ - Must be installed for each loaded image
+ * - `EFI_DEVICE_PATH_PROTOCOL`
+ - Interface to provide location of a device
+ * - `EFI_DEVICE_PATH_UTILITIES_PROTOCOL`
+ - Interface for creating and manipulating UEFI device paths
+
+.. list-table:: Notible Omissions from UEFI section 2.6.1
+ :header-rows: 1
+
+ * - Element
+ - Note
+ * - EFI_DECOMPRESS_PROTOCOL
+ - Native EFI Decompression is rarely used and therefore not required.
+
+Required Platform Specific Elements
+-----------------------------------
+
+This section replaces the list of required elements in [UEFI]_ § 2.6.2.
+All of the following UEFI elements are required for EBBR compliance.
+
+.. list-table:: UEFI Platform-Specific Required Elements
+ :widths: 50 50
+ :header-rows: 1
+
+ * - Element
+ - Description
+ * - Console devices
+ - The platform must have at least one console device
+ * - `EFI_SIMPLE_TEXT_INPUT_PROTOCOL`
+ - Needed for console input
+ * - `EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL`
+ - Needed for console input
+ * - `EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL`
+ - Needed for console output
+ * - `EFI_DEVICE_PATH_TO_TEXT_PROTOCOL`
+ - Needed for console output
+ * - `EFI_HII_STRING_PROTOCOL`
+ - Required by EFI shell and for compliance testing
+ * - `EFI_HII_DATABASE_PROTOCOL`
+ - Required by EFI shell and for compliance testing
+ * - `EFI_UNICODE_COLLATION2_PROTOCOL`
+ - Required by EFI shell and for compliance testing
+ * - `EFI_BLOCK_IO_PROTOCOL`
+ - Required for block device access
+ * - `EFI_SIMPLE_FILE_SYSTEM_PROTOCOL`
+ - Required if booting from block device is supported
+ * - `EFI_RNG_PROTOCOL`
+ - Required if platform has a hardware entropy source
+ * - Network booting
+ - If the platform supports network booting via TFTP,
+ then `EFI_SIMPLE_NETWORK_PROTOCOL` and
+ `EFI_PXE_BASE_CODE_PROTOCOL` must be implemented.
+
+The following table is a list of notable deviations from UEFI section 2.6.2.
+Many of these deviations are because the EBBR use cases do not require
+interface specific UEFI protocols, and so they have been made optional.
+
+.. list-table:: Notible Deviations from UEFI section 2.6.2
+ :widths: 50 50
+ :header-rows: 1
+
+ * - Element
+ - Description of deviation
+ * - `EFI_HII_CONFIG_ACCESS_PROTOCOL`
+ - UEFI requires this for console devices, but it is rarely necessary in practice.
+ Therefore this protocol is not requried.
+ * - `EFI_HII_CONFIG_ROUTING_PROTOCOL`
+ - UEFI requires this for console devices, but it is rarely necessary in practice.
+ Therefore this protocol is not requried.
+ * - Graphical console
+ - Platforms with a graphical device are not required to expose it as a graphical console.
+ * - EFI_DISK_IO_PROTOCOL
+ - Rarely used interface that isn't requried for EBBR use cases
+ * - Network protocols
+ - A full implementation of the UEFI general purpose networking ABIs is not required,
+ including `EFI_NETWORK_INTERFACE_IDENTIFIER_PROTOCOL`, `EFI_MANAGED_NETWORK_PROTOCOL`,
+ `EFI_*_SERVICE_BINDING_PROTOCOL`, or any of the IPv4 or IPv6 protocols.
+ * - Byte stream device support (UART)
+ - UEFI protocols not required
+ * - PCI bus support
+ - UEFI protocols not required
+ * - USB bus support
+ - UEFI protocols not required
+ * - NVMe pass through support
+ - UEFI protocols not required
+ * - SCSI pass through support
+ - UEFI protocols not required
+ * - SCSI pass through support
+ - UEFI protocols not required
+ * - `EFI_DRIVER_FAMILY_OVERRIDE_PROTOCOL`
+ - Not required
+ * - Option ROM support
+ - EBBR implementations are not required to support option ROM loading
+
+Required Global Variables
+-------------------------
+
+EBBR compliant platforms are required to implement the following Global
+Variables as found in [UEFI]_ § 3.3.
+
+.. list-table:: Required UEFI Variables
+ :widths: 25 75
+ :header-rows: 1
+
+ * - Variable Name
+ - Description
+ * - `Boot####`
+ - A boot load option. #### is a numerical hex value
+ * - `BootCurrent`
+ - The boot option that was selected for the current boot
+ * - `BootNext`
+ - The boot option that will be used for the next boot only
+ * - `BootOrder`
+ - An ordered list of boot options.
+ Firmware will attempt each Boot#### entry in this order
+ * - `OsIndications`
+ - Method for OS to request features from firmware
+ * - `OsIndicationsSupported`
+ - Variable for firmware to indicate which features can be enabled
Block device partitioning
-------------------------
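Review bot: The deviations table lists the `SCSI pass through support` row twice in a row, just before `EFI_DRIVER_FAMILY_OVERRIDE_PROTOCOL`; drop the duplicate or replace it with the element that was meant there. In the `EFI_SYSTEM_TABLE` row, "is required to provide required to access" has a doubled phrase. Spelling to fix before merging: "behavour" (both services rows), "Notible" (both table titles) and "requried" (three rows). `EFI_DECOMPRESS_PROTOCOL` and `EFI_DISK_IO_PROTOCOL` are the only protocol names without backticks, and the opening sentence should read "EBBR compliant platforms shall".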
@@ -148,7 +297,7 @@ are required to be implemented during boot services and runtime services.
.. table:: EFI_RUNTIME_SERVICES Implementation Requirements
============================== ============= ================
- EFI_RUNTIME_SERVICES function Boot Services Runtime Services
+ EFI_RUNTIME_SERVICES function Before EBS() After EBS()
============================== ============= ================
EFI_GET_TIME Optional Optional
EFI_SET_TIME Optional Optional
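Review bot: The new column headings `Before EBS()` and `After EBS()` use an abbreviation that nothing in this hunk defines, while the hunk header context still introduces the table as "during boot services and runtime services". Spell out ExitBootServices() in the headings or define EBS() in the sentence that introduces the table, and mention the heading change in the commit message, which only describes the new requirements list.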
--
2.20.1
Hi all,
Next EBBR biweekly is on Monday at 16:00 GMT. Dial-in details are below.
Below is the agenda I have so far. I've carried over the items that we
did not have time to discuss last week.
Agenda:
- Initrd passing
- Revised UEFI requirements (patch on mailing list)
- UpdateCapsule()
- other business
Please email if you want to add anything to the agenda
Cheers,
g.
----
Topic: EBBR Biweekly
Time: 1 Feb 2021, 16:00-17:00 GMT
Join Zoom Meeting
https://armltd.zoom.us/j/92081365511?pwd=SFZpRitXUEp3Zy9GM0h3UUZ1b1pnUT09
Meeting ID: 920 8136 5511
Passcode: 490324
One tap mobile
+14086380968,,92081365511#,,,,*490324# US (San Jose)
+16465189805,,92081365511#,,,,*490324# US (New York)
Dial by your location
+1 408 638 0968 US (San Jose)
+1 646 518 9805 US (New York)
+1 346 248 7799 US (Houston)
Find your local number: https://armltd.zoom.us/u/aelJgr9ZAW
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Bill,
Improve search algorithm performance:
We will need data to show the problem. I suppose this would best be done when unflattening the data at runtime? What is the expected gain in boot time? Are there any measurements of how much time is spent in the search routines today?
Actually, it is necessary to search and modify the device tree in the boot loader, and the device tree has not been unflattened.
We need to search for device tree nodes in the dtb with libfdt; however, the libfdt algorithm is pretty horrible, e.g. fdt_node_offset_by_compatible.
It takes about 10ms on average to search for a node.
I suppose the dtb structure and libfdt algorithm can be optimized to reduce boot time?
The time for searching for a node should be less than 1 ms.
Reduce DTB space:
What is the goal of the use case?
1) Fit in limited storage ( ex: 256MB )
2) Conserve more space of modest storage for container data ( 1GB eMMC)
3) Improve boot time
For 3, the load time will be reduced but the decompression time will be added. These need to be balanced based on the CPU.
One pet peeve I have in most of our boot loaders today is that they do loading and decompression serially. During loading the IO is 100% loaded and the CPU is very lightly loaded. During decompression the CPU is 100% loaded and the IO is 0%.
It makes sense to pipeline / overlap these things which means that it needs to go into the loader. To optimize boot time the decompression algorithm needs to be chosen correctly. On smaller CPUs the time taken to decompress newer algorithms can greatly outweigh the time taken to load the decompressed data. Ideally the time to decompress 1 block == time to load one block. The dynamics shift with CPU and IO performance.
Today, a lot of people focused on boot speed just use decompressed data but I think we could do better if we pipeline
Since one dtbo image consists of hundreds of dtbs, the image is too large.
The goal of reducing dtb space is to fit in limited storage without increasing boot time.
Pipeline / overlap loading and decompression is a good idea.
We can try to overlap them in boot loader, and discuss it further if there's a problem.
Define specific rule for properties:
This is harder. In 2019 I had proposed an ATOM based DTB enhancement [2]. I was told Frank Rowand had other proposals for format changes.
OK. I am very interested in the ATOM based DTB enhancement.
I will learn about it and other format changes, then make some detailed discussions with you.
Thanks very much, Bill.
Happy Chinese New Year
Regards,
Zhangpeng
From: Jammy Zhou [mailto:jammy.zhou@linaro.org]
Sent: 9 February 2021 16:45
To: Xiamingliang (XML, Hisilicon) <xiamingliang(a)huawei.com>
Cc: Bill Mills <bill.mills(a)linaro.org>; boot-architecture(a)lists.linaro.org; Frank Rowand <frowand.list(a)gmail.com>; Zhangpeng (Parker, Kirin) <zhangpeng55(a)huawei.com>; Wangjun (U) <wangjundrv.wang(a)huawei.com>
Subject: Re: Ideas for DT improvements
Hi Bill,
Thanks very much for your comments. Since we're close to the Chinese New Year holiday, I would assume there will be some delay for the response by Zhangpeng.
Regards,
Jammy
On Sun, 7 Feb 2021 at 09:35, Xiamingliang (XML, Hisilicon) <xiamingliang(a)huawei.com> wrote:
+ zhangpeng, owner of DT in Hisilicon
-----Original Message-----
From: Bill Mills [mailto:bill.mills@linaro.org]
Sent: 7 February 2021 1:39
To: Jammy Zhou <jammy.zhou(a)linaro.org>; boot-architecture(a)lists.linaro.org; Frank Rowand <frowand.list(a)gmail.com>
Cc: Xiamingliang (XML, Hisilicon) <xiamingliang(a)huawei.com>
Subject: Re: Ideas for DT improvements
Hi Jammy & Mingliang,
On 2/5/21 2:59 AM, Jammy Zhou wrote:
> Hi,
>
> There are several ideas for DT improvements. Please check if they are
> reasonable, and any comments are welcome. I would let Mingliang (CCed)
> share more details if needed.
>
> 1) Improve search algorithm performance: Is the binary search tree or
> other algorithm better than current algorithm?
>
We will need data to show the problem. I suppose this would best be done when unflattening the data at runtime? What is the expected gain in boot time? Are there any measurements of how much time is spent in the search routines today?
> 2) Reduce DTB space: when using one DTB to support multiple boards, the
> image is quite big (e.g, ~39MB space for 100 configurations), and some
> compression algorithm can reduce the space a lot (e.g, from 39MB to 7MB).
> Shall we have such compression support for DTB? And it can be helpful
> if we can have more efficient compression algorithm.
>
This could be done as an enhancement to the DTB loader instead of the DTB format itself.
Compressing each DTB (boardx.dtb.xz) will get you gains but compressing a set of boards (vmlinux-5.4.0-65-generic-dbt-set-20.tar.xz) might give you more.
To be significant, the number of boards would need to be large and the size of the rootfs would need to be modest. A 200 to 300 MB minimal image would make an interesting comparison point. (A rootfs of 10s of MB would probably only target a few boards.)
What is the goal of the use case?
1) Fit in limited storage ( ex: 256MB )
2) Conserve more space of modest storage for container data ( 1GB eMMC)
3) Improve boot time
For 3, the load time will be reduced but the decompression time will be added. These need to be balanced based on the CPU.
One pet peeve I have in most of our boot loaders today is that they do loading and decompression serially. During loading the IO is 100% loaded and the CPU is very lightly loaded. During decompression the CPU is 100% loaded and the IO is 0%. It makes sense to pipeline / overlap these things which means that it needs to go into the loader. To optimize boot time the decompression algorithm needs to be chosen correctly. On smaller CPUs the time taken to decompress newer algorithms can greatly outweigh the time taken to load the decompressed data. Ideally the time to decompress 1 block == time to load one block.
The dynamics shift with CPU and IO performance.
Today, a lot of people focused on boot speed just use decompressed data but I think we could do better if we pipeline
> 3) Define specific rule for properties: The property value
> (FDT_PROP_DATA) itself occupies only ~50% of the total DTB space. And
> the property of each node is different and the private property name
> length is too long, for
> example: “freq-autodown-baseaddress-num” in dt_strings. It seems more
> reasonable that the property value should occupy more than 70% of
> the total DTB space. It can probably be achieved to define some rules
> to restrict the length of property name, etc.
>
This is harder. In 2019 I had proposed an ATOM based DTB enhancement [2]. I was told Frank Rowand had other proposals for format changes.
Thanks,
Bill
[2]
https://docs.google.com/document/d/19XbxN-zX-GYwOXdF78lGnp0j7UNx1MT3wzyCjai…
> Thanks,
> Jammy
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
Hi,
There are several ideas for DT improvements. Please check if they are
reasonable, and any comments are welcome. I would let Mingliang (CCed)
share more details if needed.
1) Improve search algorithm performance: Is the binary search tree or other
algorithm better than current algorithm?
2) Reduce DTB space: when using one DTB to support multiple boards, the image
is quite big (e.g, ~39MB space for 100 configurations), and some
compression algorithm can reduce the space a lot (e.g, from 39MB to 7MB).
Shall we have such compression support for DTB? And it can be helpful if we
can have more efficient compression algorithm.
3) Define specific rule for properties: The property value (FDT_PROP_DATA)
itself occupies only ~50% of the total DTB space. And the property of each
node is different and the private property name length is too long, for
example: “freq-autodown-baseaddress-num” in dt_strings. It seems more
reasonable that the property value should occupy more than 70% of the
total DTB space. It can probably be achieved to define some rules to
restrict the length of property name, etc.
Thanks,
Jammy
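The space figures in point 3 of the message above can be measured per blob. The following is an added example, not code from this thread or from libfdt: a bounds-checked walk of the flattened devicetree structure block that counts property-value bytes against the strings block. The sample blob and the `acme,board` compatible string are constructed.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
HEADER = struct.Struct(">10I")  # ten big-endian u32 header fields


def align4(n):
    return (n + 3) & ~3


def dtb_space_breakdown(blob):
    """Walk one DTB with bounds checks and count bytes per category."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    (magic, total, off_struct, off_strings, _rsv, _ver, _lcv, _cpu,
     size_strings, size_struct) = HEADER.unpack_from(blob)
    if magic != FDT_MAGIC or total > len(blob) or off_struct % 4:
        raise ValueError("bad magic, totalsize or structure alignment")
    end, str_end = off_struct + size_struct, off_strings + size_strings
    if end > total or str_end > total:
        raise ValueError("block lies outside the blob")
    stats = {"total": total, "strings": size_strings, "prop_values": 0,
             "node_names": 0, "props": 0, "longest_name": ""}
    pos, depth = off_struct, 0
    while True:
        if pos + 4 > end:
            raise ValueError("structure block ends without FDT_END")
        (token,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if token == FDT_BEGIN_NODE:
            nul = blob.find(b"\0", pos, end)
            if nul < 0:
                raise ValueError("unterminated node name")
            stats["node_names"] += nul - pos
            pos, depth = align4(nul + 1), depth + 1
        elif token == FDT_END_NODE:
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced FDT_END_NODE")
        elif token == FDT_PROP:
            if pos + 8 > end:
                raise ValueError("truncated property header")
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            # The name is stored once in the strings block, found via nameoff.
            nul = blob.find(b"\0", off_strings + nameoff, str_end)
            if pos + length > end or nameoff >= size_strings or nul < 0:
                raise ValueError("property length or name offset out of range")
            name = blob[off_strings + nameoff:nul].decode("ascii", "replace")
            if len(name) > len(stats["longest_name"]):
                stats["longest_name"] = name
            stats["prop_values"] += length
            stats["props"] += 1
            pos = align4(pos + length)
        elif token == FDT_END:
            if depth != 0:
                raise ValueError("FDT_END inside an open node")
            return stats
        elif token != FDT_NOP:
            raise ValueError("unknown token %#x" % token)


def build_sample_dtb():
    """Constructed sample blob: root node with two properties, no real board."""
    strings = b"compatible\0freq-autodown-baseaddress-num\0"
    def prop(nameoff, value):
        pad = b"\0" * (-len(value) % 4)
        return struct.pack(">III", FDT_PROP, len(value), nameoff) + value + pad
    body = (struct.pack(">I", FDT_BEGIN_NODE) + b"\0" * 4   # root: empty name
            + prop(0, b"acme,board\0")                      # hypothetical value
            + prop(11, struct.pack(">I", 2))
            + struct.pack(">II", FDT_END_NODE, FDT_END))
    off_struct = HEADER.size + 16          # header + empty reservation map
    off_strings = off_struct + len(body)
    header = HEADER.pack(FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, HEADER.size, 17, 16, 0, len(strings), len(body))
    return header + b"\0" * 16 + body + strings
```

Run `dtb_space_breakdown()` over the bytes of each board's `.dtb` and compare `prop_values` and `strings` with `total` to see where the space goes before deciding on name-length rules.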
All,
I hope we have finally settled on a standing meeting time for the DT Evo
call. We will have the call every other Monday alternating with EBBR in
the same time slot. If I have done the TZ math correctly this is 16:00
UTC, and 11 AM US Eastern, 8AM US Pacific.
I have sent a google calendar invite to all those listed on the previous
call. If you would like to be added to that please email me directly at
bill.mills(a)linaro.org
Topic: Devicetree Evolution
Time: Jan 25, 2021 11:00 AM Eastern Time (US and Canada)
Every 2 weeks on Mon
(Alternates with EBBR meeting in same time slot)
Join Zoom Meeting
https://linaro-org.zoom.us/j/96170428801?pwd=elBJNFdVMFJub0UzanFUcVQxTHBqdz…
Meeting ID: 961 7042 8801
Passcode: 8250
One tap mobile
+13017158592,,96170428801# US (Washington D.C)
+16465588656,,96170428801# US (New York)
Dial by your location
+1 301 715 8592 US (Washington D.C)
888 788 0099 US Toll-free
877 853 5247 US Toll-free
+44 203 481 5237 United Kingdom
0 800 031 5717 United Kingdom Toll-free
Find your local number: https://linaro-org.zoom.us/u/acQEZ30MEP
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
If the platform has an RTC, then EFI_GET_TIME and EFI_SET_TIME are required
before ExitBootServices(). Clarify this in the spec.
Also specify that EFI_{GET,SET}_WAKEUP_TIME are required before
ExitBootServices() if the RTC can wake up the platform.
Signed-off-by: Grant Likely <grant.likely(a)arm.com>
---
Reading through the RTC text it didn't seem clear to me. How's this for
a clarification?
g.
source/chapter2-uefi.rst | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index 9906fd9..ab22932 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -159,16 +159,16 @@ are required to be implemented during boot services and runtime services.
- Before ExitBootServices()
- After ExitBootServices()
* - `EFI_GET_TIME`
- - Optional
+ - Required if RTC present
- Optional
* - `EFI_SET_TIME`
- - Optional
+ - Required if RTC present
- Optional
* - `EFI_GET_WAKEUP_TIME`
- - Optional
+ - Required if wakeup supported
- Optional
* - `EFI_SET_WAKEUP_TIME`
- - Optional
+ - Required if wakeup supported
- Optional
* - `EFI_SET_VIRTUAL_ADDRESS_MAP`
- N/A
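Review bot: "Required if wakeup supported" in the `EFI_GET_WAKEUP_TIME` and `EFI_SET_WAKEUP_TIME` rows does not say what has to support wakeup; the commit message gives the actual condition, that the RTC can wake up the platform. Suggest "Required if RTC wakeup supported" so the cell can be read without the commit message.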
@@ -227,8 +227,11 @@ it may not be possible to access the RTC from runtime services.
e.g., The RTC may be on a shared I2C bus which runtime services cannot access
because it will conflict with the OS.
-If firmware does not support access to the RTC, then GetTime() and
-SetTime() shall return EFI_UNSUPPORTED,
+If an RTC is present, then GetTime() and SetTime() must be supported
+before ExitBootServices() is called.
+
+However, if firmware does not support access to the RTC after
+ExitBootServices(), then GetTime() and SetTime() shall return EFI_UNSUPPORTED
and the OS must use a device driver to control the RTC.
UEFI Reset and Shutdown
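Review bot: The new paragraphs cover only GetTime() and SetTime(), so the prose says nothing about the wakeup functions that the table hunk above makes conditionally required; add a matching sentence for `EFI_GET_WAKEUP_TIME` and `EFI_SET_WAKEUP_TIME`, including what they return when the RTC is not reachable after ExitBootServices(). The first new sentence uses "must be supported" while the following one uses "shall return"; pick one normative keyword.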
--
2.20.1
Hi
I assume this needs to be analyzed from System Device Tree perspective:
https://trustedfirmware-a.readthedocs.io/en/latest/components/psa-ffa-manif…
And this is to be included in the DT Technical Report.
Cheers
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi everyone.
I have to do this, but I have another unexpected conflict for the EBBR biweekly on the 14th.
Rather than cancelling outright, does anyone else want to chair the meeting? The major planned orientation item on the agenda was to talk about EBBR testing, with Heinrich sharing what he is currently doing.
If I don't hear anything by about 1pm GMT tomorrow then I'll just cancel. Our next meeting will be in January as I believe most of us will already be on Christmas holiday on the 21st.
g.
EFI_UPDATE_CAPSULE is the industry standard method for applying firmware
updates. Make it a requirement in EBBR so that fwupd, Windows Update,
and any other generic firmware update service can support EBBR platforms.
This is made required because the ability to update firmware is a
critical part of building secure platforms.
Fixes: #69
Signed-off-by: Grant Likely <grant.likely(a)arm.com>
---
source/chapter2-uefi.rst | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index 7b5eb24..b1182a8 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -167,7 +167,10 @@ are required to be implemented during boot services and runtime services.
EFI_SET_VARIABLE Required Optional
EFI_GET_NEXT_HIGH_MONO_COUNT N/A Optional
EFI_RESET_SYSTEM Required Optional
- EFI_UPDATE_CAPSULE Optional Optional
+ EFI_UPDATE_CAPSULE Required Optional
+ for in-band
+ firmware
+ update
EFI_QUERY_CAPSULE_CAPABILITIES Optional Optional
EFI_QUERY_VARIABLE_INFO Optional Optional
============================== ============= ================
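Review bot: `EFI_QUERY_CAPSULE_CAPABILITIES` in the following row stays Optional while `EFI_UPDATE_CAPSULE` becomes Required for in-band update; say in the commit message or the section text whether that is intentional. The condition "for in-band firmware update" is also wrapped over three continuation lines inside one cell of a simple table, which is easy to break on the next edit; a footnote reference on "Required" would carry the condition more robustly.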
@@ -243,6 +246,25 @@ Even when SetVariable() is not supported during runtime services, firmware
should cache variable names and values in EfiRuntimeServicesData memory so
that GetVariable() and GetNextVeriableName() can behave as specified.
+Firmware Update
+---------------
+
+Being able to update firmware to address security issues is a key feature of secure platforms.
+EBBR platforms are required to implement either an in-band or an out-of-band firmware update mechanism.
+
+If firmware update is performed in-band (firmware on the application processor updates itself),
+then the firmware shall implement EFI_UPDATE_CAPSULE and accept updates in the
+"Firmware Management Protocol Data Capsule Structure" format as described in [UEFI]_ § 23.3,
+"Delivering Capsules Containing Updates to Firmware Management Protocol. [#FMPNote]_
+Firmware is also required to provide an EFI System Resource Table (ESRT). [UEFI]_ § 23.4
+Every firmware image that is updated in-band must be described in the ESRT.
+
+If firmware update is performed out-of-band (e.g., by an independent Board Management Controller,
+or firmware is provided by a hypervisor), then the platform is not required to implement EFI_UPDATE_CAPSULE.
+
+EFI_UPDATE_CAPSULE is only required before ExitBootServices() is called.
+
+
.. [#OPTEESupplicant] It is worth noting that OP-TEE has a similar problem
regarding secure storage.
OP-TEE's chosen solution is to rely on an OS supplicant agent to perform
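Review bot: The new Firmware Update section justifies the requirement by security but places no requirement on authenticating a capsule before it is applied; state whether capsule authentication is required, optional or out of scope for EBBR. The quoted title "Delivering Capsules Containing Updates to Firmware Management Protocol. is missing its closing quote, and "[UEFI]_ § 23.4" is left as a fragment after the full stop of the ESRT sentence; move it inside the sentence.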
@@ -253,3 +275,11 @@ that GetVariable() and GetNextVeriableName() can behave as specified.
during runtime services.
https://optee.readthedocs.io/en/latest/architecture/secure_storage.html
+
+.. [#FMPNote] The `EFI_UPDATE_CAPSULE` implementation is expected to be suitable
+ for use by generic firmware update services like fwupd and Windows Update.
+ Both fwupd and Windows Update read the ESRT table to determine what firmware
+ can be updated, and use an EFI helper application to call `EFI_UPDATE_CAPSULE`
+ before ExitBootServices() is called.
+
+ https://fwupd.org/
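Review bot: The footnote's "is expected to be suitable for use by generic firmware update services" is not something a platform can be tested against; either move the concrete expectations it implies (ESRT present, `EFI_UPDATE_CAPSULE` callable from an EFI application before ExitBootServices()) into the normative section text, or word the footnote as informative. Only fwupd gets a reference link although Windows Update is named alongside it.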
--
2.20.1
Hi,
I thought perhaps it might be worth starting a thread on this, as
despite Grant and Heinrich kindly spending a bit of time talking
about this, I am still very much in the dark about how 'embedded' and
distro/other boot flows are going to come together with EBBR. Of
course this would be easier f2f.
Case 1:
Firmware loads the kernel to a particular address, selects DT and
boots it. The kernel may require EFI boot services, or may not, but in
the general case the firmware provides them.
Case 2:
Firmware loads EFI app and provides EFI boot services to it. How the
system actually boots is under control of the app.
I feel that a lot of the confusion about verified boot, DT selections,
boot menus, etc. is coming from the introduction of an EFI app which
has no specification (it can be grub, shim or something else, as I
understand it). Certainly this is very flexible and future-proof, but
it is also arbitrarily complex, unpredictable and hard to secure.
I am wondering if we can come up with a way to deterministically
specify how a system will boot and how to make it boot a different way
(i.e. with a different kernel, initrd, DT).
Heinrich mentioned EFI variables as a way of selecting
kernel/initrd/DT. Then the problem becomes just a case of being able
to change those variables from Linux userspace. Is that right?
We are talking about having a 'secure' part of EBBR, which allows for
secure boot. Should we have a 'defined boot' part of EBBR, that
defines how the kernel/DT/initrd are selected, based on EFI variables?
Unfortunately I just don't know enough about all the different boot
flows used by the different distros. It seems like crazy town. Does
anyone have some pointers so I can do some study?
Regards,
Simon