MdeModulePkg, FmpDevicePkg: support runtime capsule update #12193
LeviYeoReum wants to merge 6 commits into tianocore:master from
⚠ WARNING: Cannot add some reviewers: A user specified as a reviewer for this PR is not a collaborator of the repository. Please add them as a collaborator to the repository so they can be requested in the future. Non-collaborators requested: Attn Admins: Admin Instructions:
PR can not be merged due to conflict. Please rebase and resubmit
Not only BaseCryptLib but also FmpDxe needs dynamic memory allocation to support runtime capsule update. For this, make a RuntimeMemoryAllocationLib with the core implementation of CryptoPkg/Library/BaseCryptLib/Syscall/RuntimeMemAllocation.c
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>

The former implementation of Runtime(Alloc/Free)Mem() is moved to RuntimeMemoryAllocationLib in MdeModulePkg. Apply RuntimeMemoryAllocationLib for RuntimeCryptLib.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>

This patch supports FmpAuthenticationLibPkcs7 for runtime capsule update with FmpDevicePkg. For this, implement the wrapper function to allocate/free the temporary buffer used to verify the pkcs7 signature and add FmpAuthenticationRuntimeLibPkcs7.
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>

To support runtime capsule update, add support for FmpDxeRuntime. For this, change the dynamic allocation for get variable to use a stack value and add runtime support.
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>

To support runtime capsule update, DxeCapsuleLibFmp should manage the FmpDevice instance which is updatable at runtime and needs another update function which doesn't use boot service memory. This patch is a modification to make DxeCapsuleLibFmp support runtime capsule update.
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>

When runtime capsule update is supported, the ESRT should be updated at runtime and the OS should observe changes of the corresponding entry in the ESRT after it finishes updating. For this, override the ESRT with runtime memory.
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
spbrogan left a comment
This is a massive change and adds a ton of complexity in really critical code. In many discussions across the industry, we have agreed that runtime capsules are not necessary and/or a bad idea.
- The user experience is unacceptably bad from production scenarios.
- Contention over hardware access is challenging (sharing between fw and os).
- Runtime isn't an area of UEFI we want to see expanded and if anything, we would want to see reduced.
- Runtime memory management and runtime crypto add a lot of growth and bloat.
- Runtime memory management is risky because FW is not in control of the system. "Heap management" may work but will likely add to ongoing issues around memory stability and hibernate/resume reliability.
- Runtime crypto doesn't actually provide security value which is why isolation (secure world or smm) must be used.
Overall, I am opposed to this change and would either want to see a fully discussed RFC and/or edk2 community meetings to discuss this.
@LeviYeoReum, this is a large and impactful change. If you’d like to move forward with this change, please submit an RFC in accordance with the TianoCore RFC Process. The RFC will allow you to clearly articulate the proposed feature, its rationale, and its potential impact, while giving stakeholders an opportunity to review and provide feedback. Once approved, the RFC can also serve as the reference documentation for your implementation PR and any related community discussions.
This PR has been automatically marked as stale because it has not had activity in 60 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.
PR can not be merged due to conflict. Please rebase and resubmit
Description
This is runtime capsule update support with the FmpDxeRuntime driver.
Formerly, to update the firmware with a capsule in FVP with fwupd, it follows the steps below:
1. Locate the capsule in a specific location.
2. Reboot with DxeDriver to update firmware with the capsule provided by fwupd.
3. The Firmware Update Dxe driver calls ProcessFmpImage() and updates firmware with the capsule.
4. Reboot to apply firmware.
These steps require 2 reboots -- the first to update firmware and the second to apply firmware.
With the runtime capsule update support, it could remove steps (2) and (3).
How This Was Tested
In Linux, tested with the command below:
Integration Instructions
N/A
Reference
Link: tianocore/edk2-platforms#944 [0]