
Capsule updates for coreboot+UefiPkgPayload

Open SergiiDmytruk opened this issue 6 months ago • 4 comments

Description

The proposed changes are part of the UEFI Capsule Update for coreboot with EDK II project (funded by the NLnet foundation), whose goal is to make updates of open source firmware easier for end users while also increasing the updates' security by limiting full flash access to the firmware itself.

Because capsules require persistent EFI variables, this also adds SMMSTOREv2 to EDK.

  • [ ] Breaking change?
    • Breaking change - Does this PR cause a break in build or boot behavior?
    • There is a possibility that building with CAPSULE_SUPPORT might require some changes. Maybe some new changes in the DSC file need to not apply if CAPSULE_MAIN_FW_GUID is empty.
  • [ ] Impacts security?
    • Security - Does this PR have a direct security impact?
    • SMMSTORE and flash access in general might be considered related to security, but it's really dealt with by coreboot.
  • [ ] Includes tests?
    • Tests - Does this PR include any explicit test code?
    • No tests.

How This Was Tested

A combination of coreboot changes from here and here (for QEMU Q35) was combined with changes from this branch, while update capsules were built as specified in this overview. Then CapsuleApp.efi and the produced capsule file were made available in the VM and used to perform a successful firmware update.

Essentially the same changes but in forks of coreboot (https://github.com/Dasharo/coreboot/pull/509) and EDK2 (https://github.com/Dasharo/edk2/pull/147) were verified both on QEMU Q35 and MSI PRO Z690-A DDR4 hardware.

How to test for yourself

For convenience, I combined coreboot's capsule and Q35 changes in a single branch here (it also fixes an issue with QEMU addressed by the now-abandoned Q35 patch), and this branch contains all needed EDK changes. After building coreboot with the following defconfig:

CONFIG_OPTION_BACKEND_NONE=y
CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
CONFIG_EDK2_BOOT_TIMEOUT=5
CONFIG_CPU_QEMU_X86_TSEG_SMM=y
CONFIG_USE_UDK_202005_BINDING=y
CONFIG_VGA_TEXT_FRAMEBUFFER=y
CONFIG_RESOURCE_ALLOCATION_TOP_DOWN=y
CONFIG_DRIVERS_EFI_VARIABLE_STORE=y
CONFIG_DRIVERS_EFI_FW_INFO=y
CONFIG_PAYLOAD_EDK2=y
CONFIG_EDK2_REPO_CUSTOM=y
CONFIG_EDK2_REPOSITORY="https://github.com/Dasharo/edk2-upstream.git"
CONFIG_EDK2_TAG_OR_REV="origin/up/enable-capsule-updates"
CONFIG_EDK2_SERIAL_SUPPORT=y

cp defconfig .config
make olddefconfig
make -j$(nproc)

One should be able to run the image in QEMU:

qemu-system-x86_64 -M q35,smm=on -enable-kvm -m 512 \
    -drive if=pflash,format=raw,unit=0,file=build/coreboot.rom \
    -drive file=disk.qcow2,format=qcow2 \
    -serial stdio -nographic

Here disk.qcow2 is supposed to contain a capsule and CapsuleApp.efi (see https://docs.dasharo.com/kb/edk2-capsule-updates/ for how to produce those). I deliberately didn't go into every little detail here but can do so if anyone faces issues testing this.

Integration Instructions

Those willing to make use of the changes from coreboot, apart from pulling in the relevant commits, should have these options on:

CONFIG_USE_UDK_202005_BINDING=y
CONFIG_DRIVERS_EFI_VARIABLE_STORE=y
CONFIG_DRIVERS_EFI_FW_INFO=y

On the EDK side this translates into -D CAPSULE_SUPPORT=TRUE and -D CAPSULE_MAIN_FW_GUID=<firmware guid>, plus building CapsuleApp.efi and capsules as mentioned above with proper key management for signing the capsules.

SergiiDmytruk Aug 01 '24 22:08
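
A pre-build check for the integration settings listed in the post above, as an added example that is not part of the original post or of the coreboot/EDK II code. The function names, the sample .config fragment, and the assumption that the EDK II defines are passed exactly in the `-D NAME=VALUE` form shown in the post are all illustrative.

```sh
#!/bin/sh
# Options the integration instructions require in coreboot's .config.
REQUIRED_OPTS="CONFIG_USE_UDK_202005_BINDING CONFIG_DRIVERS_EFI_VARIABLE_STORE \
CONFIG_DRIVERS_EFI_FW_INFO"

# check_coreboot_config FILE: report each required option that is not "=y".
# Returns 0 only if all of them are enabled.
check_coreboot_config() {
    cfg=$1 rc=0
    for opt in $REQUIRED_OPTS; do
        if grep -qx "${opt}=y" "$cfg"; then
            continue
        elif grep -qx "# ${opt} is not set" "$cfg"; then
            echo "disabled: $opt"
        else
            echo "missing: $opt"
        fi
        rc=1
    done
    return $rc
}

# check_edk2_defines "ARGS": require -D CAPSULE_SUPPORT=TRUE and a
# -D CAPSULE_MAIN_FW_GUID=<guid> whose value is a non-empty, well-formed GUID
# (an empty GUID is the case the post flags as a possible build problem).
check_edk2_defines() {
    args=$1
    case " $args " in
        *" -D CAPSULE_SUPPORT=TRUE "*) ;;
        *) echo "CAPSULE_SUPPORT=TRUE not passed"; return 1 ;;
    esac
    guid=$(printf '%s\n' "$args" | sed -n 's/.*-D CAPSULE_MAIN_FW_GUID=\([^ ]*\).*/\1/p')
    hex='[0-9A-Fa-f]'
    if ! printf '%s\n' "$guid" | grep -Eqx "$hex{8}(-$hex{4}){3}-$hex{12}"; then
        echo "CAPSULE_MAIN_FW_GUID empty or malformed: '$guid'"; return 1
    fi
}

# Constructed sample input: a .config fragment with one option disabled,
# and EDK II build arguments with an empty firmware GUID.
demo_cfg=$(mktemp)
printf '%s\n' 'CONFIG_USE_UDK_202005_BINDING=y' \
    '# CONFIG_DRIVERS_EFI_VARIABLE_STORE is not set' \
    'CONFIG_DRIVERS_EFI_FW_INFO=y' > "$demo_cfg"
check_coreboot_config "$demo_cfg" || echo "coreboot config not ready for capsules"
check_edk2_defines "-D CAPSULE_SUPPORT=TRUE -D CAPSULE_MAIN_FW_GUID=" || echo "EDK II defines incomplete"
rm -f "$demo_cfg"
```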