Skip to content

EBBR Notes 2022.11.22

Jump to bottom Edit New page
Heinrich Schuchardt edited this page Nov 22, 2022 · 2 revisions

Attendees

  • Heinrich Schuchardt (Canonical)
  • Anton Antonov (Arm)
  • Ilias Apalodimas (Linaro)
  • Vincent Stehlé (Arm)

Agenda

  • Preparing for next version 2.x.y (UEFI 2.10, ESRT, etc.)
    • Version numbering and corresponding update to conformance profile; 2.0.2?
    • Changes since v2.0.1 listed below
  • Issues scrub
  • Can we define a minimum viable product (MVP)?
    • Does this help?
    • Is Security in?
    • List of keywords to fuel discussion: HTTP(S) boot, FIDO device onboarding, Authenticated capsules, A/B update, Secure Boot, TPM/fTPM, media/display, Devicetree, power management, PKCS7
    • Others?
  • Requiring the PKCS7 protocol
    • To help validating initrams/command line/dtb pre-EBS
  • More?

Notes

  • Next EBBR version
    • Next version could be 2.1.0 after all (middle digit indicating content change, last digit minor text corrections)
    • EFI conformance table
    • ESRT requirement was dropped between 2.0.0 and 2.0.1
    • Conformance table could mean 2.1.0
    • Action: update accordingly to mean 2.1.0
    • U-Boot implements conformance profile entry only when other dependencies are there, e.g. HII, collation2, conformance table
    • Action: change the ECPT GUID variable name to reflect version 2.1 and U-Boot Kconfig texts.
  • PKCS7 (Ilias)
    • EFI PKCS7 protocol to verify buffer against signature (37.4)
    • Can be used to verify initramfs and more
    • Maybe not require but recommend in EBBR to implement
    • Ilias has out-of-tree (U-Boot) patch to demonstrate
    • Heinrich: where to put the certificates?
    • Could use db/dbx or others
    • Use certificate not used for PE
    • Mok keys
    • Could be common code internally between pkcs7 protocol and image
  • Roadmap and MVP
    • Future of SystemReady likely to split in 2 pieces: MVP + options
    • EBBR can cope already
    • What do we see as requirements in the future?
    • Security mandatory by v3.0.0
    • HTTP(S) challenges: ramdisk to survive EBS, external lib for U-Boot, TCP
    • Action: Start wiki page to collect keywords
    • Display, graphical output protocol, framebuffer accessible directly? no vsync in uefi (Heinrich)
    • RISC-V has requirements on graphics and RGB layout for example
    • Profiles for server and embedded platforms
    • FIDO onboarding a bit too early to discuss (Ilias)
    • Not relevant to firmware today (all done in the OS)
    • In the future, do some part at firmware level with a UEFI application
    • Would need TCP in U-Boot
    • Maybe all we need is simple network protocol :)
    • A/B patchset merged in U-Boot, working for ST board, will be updated for Synquacer
    • Need platform specific code in TF-A
    • Probably all banks are exposed in the ESRT to the OS
    • Action: Ilias to confirm
    • Ilias: SetVariable() at runtime

(Not all topics were discussed due to time constraints; continue in two weeks.)

Links

Appendix

Changes to EBBR since v2.0.1:

  • Restore ESRT requirement when capsule update is implemented
  • Update UEFI version to 2.10
  • Add an EFI Conformance Profile for EBBR v2.0.1
  • Drop requirement on now-ignored RISC-V boot-hartid
  • Update ACPI version to 6.4
  • Update PSCI version to issue D.b (v1.1)
  • Update BBR version to issue G (v2.0)
  • Fix typos and spelling
Add a custom footer
Add a custom sidebar
Clone this wiki locally