EBBR Notes 2023.09.25

Vincent Stehlé edited this page Sep 25, 2023 · 3 revisions

Attendees

  • Heinrich Schuchardt (Canonical)
  • Etienne Carrière (STMicroelectronics)
  • Ilias Apalodimas (Linaro)
  • Vincent Stehlé (Arm)

Agenda

  • Pull requests:
    • Continue reviewing pull request #106: Recommend usage of partition type GUIDs to find firmware (Heinrich)
    • Continue reviewing pull request #107: Arm sections changes (was support Armv8-R AArch64)
    • Pull request #108: Add smbios tables details (should we require SMBIOS?)
    • Pull request #109: Add an extension for UEFI (and now DTSPEC) references
    • Pull request #110: Bump ACPI and PSCI versions
  • Secure boot with systemd-boot requires EFI_SECURITY_ARCH_PROTOCOL and EFI_SECURITY2_ARCH_PROTOCOL (Heinrich)
  • Issues scrub?

Notes

  • Pull request #106: Recommend usage of partition type GUIDs to find firmware: delay until next meeting.
  • Secure boot with systemd-boot requires EFI_SECURITY_ARCH_PROTOCOL and EFI_SECURITY2_ARCH_PROTOCOL: Heinrich will create a pull request to recommend those protocols.
  • Pull request #109: Add an extension for UEFI (and now DTSPEC) references: add more details to the README.
  • Pull request #110: Bump ACPI and PSCI versions: merged. Send pull request to clarify PSCI details.
  • Pull request #108: Add smbios tables details: no will to require SMBIOS, evaluate if we require a subset of SMBIOS structures.

Raw notes

  • Continue reviewing pull request #106: Recommend usage of partition type GUIDs to find firmware (Heinrich)
    • Maybe scalability concerns? Delay to next meeting.
  • Secure boot with systemd-boot requires EFI_SECURITY_ARCH_PROTOCOL and EFI_SECURITY2_ARCH_PROTOCOL
    • systemd-boot in Secure Boot context. Different from shim. Side-loads images, verify with shim. systemd-boot does not replace image protocols, only replaces verification. edk2 uses those protocols internally. systemd replaces function pointers in the protocols.
    • Another protocol (in UEFI spec, not PI) using db/dbx (see pkcs7 verify link).
    • Upstream GRUB loaded by shim can also be authenticated by other means as normal image loading. Even exit re-implemented, a lot of code. Has to re-implement e.g. relocation to be able to load image with MOK keys.
    • systemd can do with much less code.
    • Not in UEFI spec but PI spec.
    • Idea is to recommend, not enforce.
    • Heinrich to create a pull request.
    • edk2 is using db/dbx for those security protocols.
    • You could hardcode certificates in systemd-boot.
    • PI spec says LoadImage() must use these security protocols, which implies they are using db and dbx internally.
  • Pull request #109: Add an extension for UEFI (and now DTSPEC) references
    • Add details in the README about re-creating the cvs.
  • Pull request #110: Bump ACPI and PSCI versions
    • Merge
    • Do we require a specific version of PSCI? Not clear -> clarify.
  • Pull request #108: Add smbios tables details (should we require SMBIOS?)
    • In U-Boot, SMBIOS has been broken; report unknown product.
    • Now repaired.
    • Distros depend on SMBIOS.
    • Crashes reported to distros on U-Boot say unknown product.
    • No consensus on making SMBIOS mandatory; not necessary for booting an OS for example.
    • Does it make sense to relax DMTF requirements? Do we need all the information?
    • U-Boot patch in-flight, setting many fields, which are set to unknown today (see link to e-mail from Ilias).
    • Today, info coming from DT.
    • But... would have to drop the node before boot for IR 2 conformance (!)
    • Serial number filled from U-Boot environment, coming from e.g. eeprom.

Links
