All,
I hope we have finally settled on a standing meeting time for the DT Evo
call. We will have the call every other Monday alternating with EBBR in
the same time slot. If I have done the TZ math correctly this is 16:00
UTC, and 11 AM US Eastern, 8AM US Pacific.
I have sent a google calendar invite to all those listed on the previous
call. If you would like to be added to that please email me directly at
bill.mills(a)linaro.org
Topic: Devicetree Evolution
Time: Jan 25, 2021 11:00 AM Eastern Time (US and Canada)
Every 2 weeks on Mon
(Alternates with EBBR meeting in same time slot)
Join Zoom Meeting
https://linaro-org.zoom.us/j/96170428801?pwd=elBJNFdVMFJub0UzanFUcVQxTHBqdz…
Meeting ID: 961 7042 8801
Passcode: 8250
One tap mobile
+13017158592,,96170428801# US (Washington D.C)
+16465588656,,96170428801# US (New York)
Dial by your location
+1 301 715 8592 US (Washington D.C)
888 788 0099 US Toll-free
877 853 5247 US Toll-free
+44 203 481 5237 United Kingdom
0 800 031 5717 United Kingdom Toll-free
Meeting ID: 961 7042 8801
Find your local number: https://linaro-org.zoom.us/u/acQEZ30MEP
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
If the platform has an RTC, then EFI_GET_TIME and EFI_SET_TIME are required
before ExitBootServices(). Clarify this in the spec.
Also specify that EFI_{GET,SET}_WAKEUP_TIME are required before
ExitBootService() if the RTC can wakeup the platform.
Signed-off-by: Grant Likely <grant.likely(a)arm.com>
---
Reading through the RTC text it didn't seem clear to me. How's this for
a clarification?
g.
source/chapter2-uefi.rst | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index 9906fd9..ab22932 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -159,16 +159,16 @@ are required to be implemented during boot services and runtime services.
- Before ExitBootServices()
- After ExitBootServices()
* - `EFI_GET_TIME`
- - Optional
+ - Required if RTC present
- Optional
* - `EFI_SET_TIME`
- - Optional
+ - Required if RTC present
- Optional
* - `EFI_GET_WAKEUP_TIME`
- - Optional
+ - Required if wakeup supported
- Optional
* - `EFI_SET_WAKEUP_TIME`
- - Optional
+ - Required if wakeup supported
- Optional
* - `EFI_SET_VIRTUAL_ADDRESS_MAP`
- N/A
@@ -227,8 +227,11 @@ it may not be possible to access the RTC from runtime services.
e.g., The RTC may be on a shared I2C bus which runtime services cannot access
because it will conflict with the OS.
-If firmware does not support access to the RTC, then GetTime() and
-SetTime() shall return EFI_UNSUPPORTED,
+If an RTC is present, then GetTime() and SetTime() must be supported
+before ExitBootServices() is called.
+
+However, if firmware does not support access to the RTC after
+ExitBootServices(), then GetTime() and SetTime() shall return EFI_UNSUPPORTED
and the OS must use a device driver to control the RTC.
UEFI Reset and Shutdown
--
2.20.1
Hi
I assume this needs to be analyzed from System Device Tree perspective:
https://trustedfirmware-a.readthedocs.io/en/latest/components/psa-ffa-manif…
And this is to be included in the DT Technical Report.
Cheers
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi everyone.
I have to do this, but I have another unexpected conflict for the EBBR biweekly on the 14th.
Rather than cancelling outright, does anyone else want to chair the meeting? The major planned orientatio item on the agenda was to talk about EBBR testing, with Heinrich sharing what he is currently doing.
If I don't hear anything by about 1pm GMT tomorrow then I'll just cancel. Our next meeting will be in January as I believe most of us will already be on Christmas holiday on the 21st
g.
Get Outlook for Android<https://aka.ms/ghei36>
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
EFI_UPDATE_CAPSULE is the industry standard method for applying firmware
updates. Make it a requirement in EBBR so that fwupd, Windows Update,
and any other generic firmware update service can support EBBR platforms.
This is made required because the ability to update firmware is a
critical part of building secure platforms.
Fixes: #69
Signed-off-by: Grant Likely <grant.likely(a)arm.com>
---
source/chapter2-uefi.rst | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index 7b5eb24..b1182a8 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -167,7 +167,10 @@ are required to be implemented during boot services and runtime services.
EFI_SET_VARIABLE Required Optional
EFI_GET_NEXT_HIGH_MONO_COUNT N/A Optional
EFI_RESET_SYSTEM Required Optional
- EFI_UPDATE_CAPSULE Optional Optional
+ EFI_UPDATE_CAPSULE Required Optional
+ for in-band
+ firmware
+ update
EFI_QUERY_CAPSULE_CAPABILITIES Optional Optional
EFI_QUERY_VARIABLE_INFO Optional Optional
============================== ============= ================
@@ -243,6 +246,25 @@ Even when SetVariable() is not supported during runtime services, firmware
should cache variable names and values in EfiRuntimeServicesData memory so
that GetVariable() and GetNextVeriableName() can behave as specified.
+Firmware Update
+---------------
+
+Being able to update firmware to address security issues is a key feature of secure platforms.
+EBBR platforms are required to implement either an in-band or an out-of-band firmware update mechanism.
+
+If firmware update is performed in-band (firmware on the application processor updates itself),
+then the firmware shall implement EFI_UPDATE_CAPSULE and accept updates in the
+"Firmware Management Protocol Data Capsule Structure" format as described in [UEFI]_ § 23.3,
+"Delivering Capsules Containing Updates to Firmware Management Protocol. [#FMPNote]_
+Firmware is also required to provide an EFI System Resource Table (ESRT). [UEFI]_ § 23.4
+Every firmware image that is updated in-band must be described in the ESRT.
+
+If firmware update is performed out-of-band (e.g., by an independent Board Management Controller,
+or firmware is provided by a hypervisor), then the platform is not required to implement EFI_UPDATE_CAPSULE.
+
+EFI_UPDATE_CAPSULE is only required before ExitBootServices() is called.
+
+
.. [#OPTEESupplicant] It is worth noting that OP-TEE has a similar problem
regarding secure storage.
OP-TEE's chosen solution is to rely on an OS supplicant agent to perform
@@ -253,3 +275,11 @@ that GetVariable() and GetNextVeriableName() can behave as specified.
during runtime services.
https://optee.readthedocs.io/en/latest/architecture/secure_storage.html
+
+.. [#FMPNote] The `EFI_UPDATE_CAPSULE` implementation is expected to be suitable
+ for use by generic firmware update services like fwupd and Windows Update.
+ Both fwupd and Windows Update read the ESRT table to determine what firmware
+ can be updated, and use an EFI helper application to call `EFI_UPDATE_CAPSULE`
+ before ExitBootServices() is called.
+
+ https://fwupd.org/
--
2.20.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi,
I thought perhaps it might be worth starting a thread on this, as
despite Grant and Heinrich kinding spending a bit of time talking
about this, I am still very much in the dark about how 'embedded' and
distro/other boot flows are going to come together with EBBR. Of
course this would be easier f2f.
Case 1:
Firmware loads the kernel to a particular address, selects DT and
boots it. The kernel may require EFI boot services, or may not, but in
the general case the firmware provides them.
Case 2:
Firmware loads EFI app and provides EFI boot services to it. How the
system actually boots is under control of the app.
I feel that a lot of the confusion about verified boot, DT selections,
boot menus, etc. is coming from the introduction of an EFI app which
has no specification (it can be grub, shim or something else, as I
understand it). Certainly this is very flexible and future-proof, but
it is also arbitrarily complex, unpredictable and hard to secure.
I am wondering if we can come up with a way to deterministically
specify how a system will boot and how to make it boot a different way
(i.e. with a different kernel, initrd, DT).
Heinrich mentioned EFI variables as a way of selecting
kernel/initrd/DT. Then the problem becomes just a case of being able
to change those variables from Linux userspace. Is that right?
We are talking about having a 'secure' part of EBBR, which allows for
secure boot. Should we have a 'defined boot' part of EBBR, that
defines how the kernel/DT/initrd are selected, based on EFI variables?
Unfortunately I just don't know enough about all the different boot
flows used by the different distros. It seems like crazy town. Does
anyone have some pointers so I can do some study?
Regards,
SImon
All,
On the Devicetree evolution call Wednesday I promised to finish my
comparison of u-boot DT vs kernel DT.
The script is not perfect but the results are still interesting.
For each dts and dtsi file in the tip of the u-boot tree, it tries to
correlate it to the kernel tip.
It compares git SHA1 signatures or falls back to filenames.
The results were surprising to me but perhaps they should not have been.
I have checked in the script[1] and the full results here [2]
The full file lists (with some diff stats) are in the root dir.
Example [3]
I also looked at the line count of the u-boot override files.
Even though we don't expect these to correlate, we do expect reasonable
usage to result in small files. Big files are an indication of possible
abuse of the system. (I don't think the idea was to have wholesale new
versions of the DTS as an override.)
I plan to redo the script in python. It will be much easier to be more
precise and to look deeper. (For example figure out how old the u-boot
version is in number of change sets and number of days. Or if no
content sync now were they ever synced?)
Here is the scripts output: (from summary.txt)
Devicetree sync status for u-boot v2021.01-rc5-7-gb8c725e736
Compared to kernel v5.11-rc2-156-g71c061d24438
14% (255) are completely synced
253 arm
2 riscv
0 mips
0 powerpc
0 x86
0 68k
0 microblaze
0 sh
0 arc
23% (416) content has appeared in the kernel but is not up to date
411 arm
0 riscv
1 mips
0 powerpc
1 x86
0 68k
0 microblaze
0 sh
1 arc
33% (584) filename appears in kernel but content never has
467 arm
1 riscv
12 mips
91 powerpc
0 x86
0 68k
0 microblaze
0 sh
8 arc
28% (510) neither filename nor content appears in kernel
305 arm
4 riscv
48 mips
35 powerpc
44 x86
0 68k
1 microblaze
1 sh
6 arc
n/a (510) U-Boot specific, no correlation expected
7 sandbox
358 override
211 test
histogram of override size (in raw lines)
10 61
20 53
30 38
40 33
50 23
60 14
70 12
80 7
90 5
100 4
110 4
120 5
130 6
140 4
150 0
160 2
170 0
180 0
190 4
200 0
210 2
220 2
230 1
240 2
250 1
260 1
270 1
280 0
290 0
300 0
310 0
320 1
[1]
https://github.com/wmamills/devicetree-source/blob/master/scripts/correlate…
[2] https://github.com/wmamills/devicetree-source
[3]
https://github.com/wmamills/devicetree-source/blob/master/dts-somewhere.txt
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
Hello,
Thanks to all that have participated in the doodle poll. We don't yet
have all key stakeholders so please add your info if you have not.
As expected there is no perfect time but the current leader is
Wednesdays at 4PM UK, 11 AM US Eastern.
I have scheduled a meeting for tomorrow as this first one.
Possible topics for tomorrow include:
* More Conformance testing of DT source
* Keeping multiple DT projects in sync (w/o moving the DT source)
* DT overlay source in the kernel source tree (for bootloader applied
overlays)
If we stay with Wednesdays the meeting after this one would be Jan 27.
(Wednesdays require working around Linaro TSC calls)
Thanks,
Bill
***
Bill Mills is inviting you to a scheduled Zoom meeting.
Topic: DT Evolution
Time: Jan 6, 2021 04:00 PM London
Join Zoom Meeting
https://linaro-org.zoom.us/j/94413146152?pwd=NEs1Ym1xbnRBS0U4ZWNsaXFzbm1Ndz…
Meeting ID: 944 1314 6152
Passcode: 8250
One tap mobile
+13017158592,,94413146152# US (Washington D.C)
+13126266799,,94413146152# US (Chicago)
Dial by your location
+1 301 715 8592 US (Washington D.C)
+1 312 626 6799 US (Chicago)
+1 646 558 8656 US (New York)
+1 669 900 9128 US (San Jose)
+1 253 215 8782 US (Tacoma)
+1 346 248 7799 US (Houston)
877 853 5247 US Toll-free
888 788 0099 US Toll-free
Meeting ID: 944 1314 6152
Find your local number: https://linaro-org.zoom.us/u/aesZr3aPDG
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
Hi,
As I am thinking about conformance testing for SystemReady and Trusted
Substrate, I'd like to get your feedback on the following.
There are 7 values in the reg entry of interrupt-controller@210000 from the
below DT. This corresponds to 3 valid {address,size} plus a single
{address}.
The spec does not state anything on incomplete {address,size} pairs... I
understand that #size-cell can be zero, indicating that the reg will
contain only {address} "tuples" and not {address,size} tuples. But that
should be for all reg tuples, not just one.
In this case, I assume the driver will get what it wants, but from a
certification perspective:
- I would reject this DT.
- I would document proper tuple forming in the spec (no incomplete pairs)
Last, I would also add some "notes" in the spec about where to get the
"#*-cells" for the reg property of a device. If you think "hardware" it is
obvious that the information must be retrieved from the immediate parent
and "inheritance" does not make sense. But as I Googled the topic, I have
seen a number of discussions and wrong patches around that. So I would add
a non normative text (properly identified as such) to describe that in the
spec.
Thank you for your help
Cheers
FF
config-space@f0000000 {
#address-cells = <0x01>;
#size-cells = <0x01>;
compatible = "simple-bus";
ranges = <0x00 0x00 0xf0000000 0x1000000>;
interrupt-controller@210000 {
compatible = "arm,gic-400";
#interrupt-cells = <0x03>;
#address-cells = <0x01>;
#size-cells = <0x01>;
ranges;
interrupt-controller;
interrupts = <0x01 0x09 0xf04>;
reg = <0x210000 0x10000 0x220000 0x20000 0x240000 0 0x20000>;
phandle = <0x01>;
v2m@280000 {
compatible = "arm,gic-v2m-frame";
msi-controller;
reg = <0x280000 0x1000>;
arm,msi-base-spi = <0xa0>;
arm,msi-num-spis = <0x20>;
phandle = <0x03>;
};
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
All who participate or wish to participate in the DTE call,
Please fill in this pool before you go out for the holidays:
https://doodle.com/poll/fup2swsb9yi2u5u4?utm_source=poll&utm_medium=link
The current meeting time does not work well for people on the west coast
of North America as it is 6am Pacific time.
I have selected the following times:
7 am PT, 15:00 UTC
8 am PT, 16:00 UTC
9 am PT, 17:00 UTC
I have found options for Monday, Wednesday, Thursday, and Friday.
Tuesday does not work at all for me at any reasonable time for the EU.
All meeting times will repeat every two weeks except for the Wednesday
7am & 8am slots.
These will normally be the 2nd and 4th Wednesdays of the month but in
January will be the 6th and 27th. (This is to avoid the Linaro TSC
calls that a good number us participate in.)
If you want me to insert new times into the poll please respond to this
message.
Thanks,
Bill
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
