EBBR Notes 2022.09.26
Vincent Stehlé edited this page Sep 28, 2022 · 2 revisions
- Heinrich Schuchardt (Canonical)
- Ilias Apalodimas (Linaro)
- Vincent Stehlé (Arm)
- EFI_CONFORMANCE_PROFILE_TABLE
- EFI_DT_FIXUP_PROTOCOL
- ESRT & Authenticated capsules
- Bump UEFI specification version to 2.10
EFI_CONFORMANCE_PROFILE_TABLE
- U-Boot is already compliant with IR 2.0, but config EFI_EBBR_2_0_CONFORMANCE should depend on authenticated capsules in FMP format.
- Merged EBBR pull request to specify the GUID to put in the conformance profile table to claim conformance.
- EDK2 does not implement the table, as it claims that it is fully compliant with UEFI (chapter 2.6), but it is still possible to not implement some features such as capsule update.
- Action: add mention/requirement in EBBR that if conformance table and EBBR GUID are there, then system must be conformant to EBBR.
Moving to UEFI 2.10
- Difference is minimal and it helps with the conformance profile table.
- Action: let's advance the UEFI version to 2.10 in EBBR.
DT fixup protocol
- How to progress? Canonical and Siemens are implementing it.
- The definition of the protocol needs to be hosted somewhere. Push to UEFI? Or host in EBBR (but do not require)?
- Action: ping Samer to evaluate the best solution.
ESRT & Authenticated capsules
- Move towards more security. Some systems do not even sign U-Boot. Case of SD card based devices.
- ESRT and authenticated capsules are two different things.
- Action: require ESRT (if capsule update is implemented).
- Should EBBR require authenticated capsules? Should we continue supporting boards with no security (ex: SD card) in the future?
EBBR versioning
- ESRT, UEFI version bump should be point releases.
- Moving to UEFI 2.10, requiring security, would that be in EBBR 2.1? 3.0?
- Security should be a major bump in EBBR version (ex: 3.0.0). Should forbid insecure implementations (ex: SD card).
- Action: develop towards 3.0.0 on the master branch, create a 2.x branch for maintenance at some point.