Message ID | 20231206143528.1900797-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
Series | Add Bootloader to Update binary |
On 06.12.23 22:33, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This series adds the, possibly signed, efibootguard binaries to the deploy dir
> and adds them to the swu file and sw-description to update the bootloader.
>
> The new entry contains the following information.
> {
>     filename = "boot${SWU_EFI_ARCH}.efi";
>     path = "EFI/BOOT/boot${SWU_EFI_ARCH}.efi";
>     device = "/dev/disk/by-uuid/4321-DCBA";
>     filesystem = "vfat";
>     sha256 = "boot${SWU_EFI_ARCH}.efi-sha256";
> });
>
> Should we always update the bootloader or should this be an optional
> addition to the swu?
>

This should not be the default as the EFI Boot Guard is a single point
of failure. Updating it should only ever be considered if the
consequences of not doing that would be worse than the risk of leaving
devices bricked behind.

Jan
On Thu, 2023-12-07 at 09:09 +0900, Jan Kiszka wrote:
> On 06.12.23 22:33, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >
> > This series adds the, possibly signed, efibootguard binaries to the
> > deploy dir
> > and adds them to the swu file and sw-description to update the
> > bootloader.
> >
> > The new entry contains the following information.
> > {
> >     filename = "boot${SWU_EFI_ARCH}.efi";
> >     path = "EFI/BOOT/boot${SWU_EFI_ARCH}.efi";
> >     device = "/dev/disk/by-uuid/4321-DCBA";
> >     filesystem = "vfat";
> >     sha256 = "boot${SWU_EFI_ARCH}.efi-sha256";
> > });
> >
> > Should we always update the bootloader or should this be an optional
> > addition to the swu?
> >
>
> This should not be the default as the EFI Boot Guard is a single
> point
> of failure. Updating it should only ever be considered if the
> consequences of not doing that would be worse than the risk of
> leaving
> devices bricked behind.

Yes, this feature should be conditional. Normally you don't want to
update, but there are some cases where updates are needed.

How about a variable SWU_UPDATE_EBG?

Felix

>
> Jan
>
On 07.12.23 13:23, MOESSBAUER, Felix (T CED INW-CN) wrote:
> On Thu, 2023-12-07 at 09:09 +0900, Jan Kiszka wrote:
>> On 06.12.23 22:33, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> This series adds the, possibly signed, efibootguard binaries to the
>>> deploy dir
>>> and adds them to the swu file and sw-description to update the
>>> bootloader.
>>>
>>> The new entry contains the following information.
>>> {
>>>     filename = "boot${SWU_EFI_ARCH}.efi";
>>>     path = "EFI/BOOT/boot${SWU_EFI_ARCH}.efi";
>>>     device = "/dev/disk/by-uuid/4321-DCBA";
>>>     filesystem = "vfat";
>>>     sha256 = "boot${SWU_EFI_ARCH}.efi-sha256";
>>> });
>>>
>>> Should we always update the bootloader or should this be an optional
>>> addition to the swu?
>>>
>>
>> This should not be the default as the EFI Boot Guard is a single
>> point
>> of failure. Updating it should only ever be considered if the
>> consequences of not doing that would be worse than the risk of
>> leaving
>> devices bricked behind.
>
> Yes, this feature should be conditional. Normally you don't want to
> update, but there are some cases where updates are needed.
>
> How about a variable SWU_UPDATE_EBG?

And we may try to shorten the corruption window: write new boot.efi,
rename old one away, rename new one in place.

Jan
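The replacement sequence Jan proposes above, combined with checking the sha256 that the sw-description entry carries before anything is written to the ESP, as an added shell example that is not part of the series or of efibootguard. The function name install_ebg, the .new/.old naming and the availability of sha256sum (or shasum) are assumptions.

```shell
#!/bin/sh
# Added example: replace the EFI binary on the ESP with the shortest
# possible window in which no bootable file exists. Sequence (as suggested
# in the thread): write the new file beside the old one, move the old one
# aside, move the new one into place. The sha256 from sw-description is
# checked first so a corrupted payload never reaches the ESP.
# install_ebg, the .new/.old names and the hash tool are assumptions.

hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_ebg NEW_FILE EXPECTED_SHA256 TARGET_PATH
# Returns 0 on success, 1 on hash mismatch (nothing touched), 2 on I/O error.
install_ebg() {
    new="$1"; expected="$2"; target="$3"
    dir=$(dirname "$target"); base=$(basename "$target")

    # 1. Verify the payload before touching the ESP.
    [ "$(hash_of "$new")" = "$expected" ] || return 1

    # 2. Write the new binary next to the old one. If power fails here,
    #    the firmware still loads the untouched old file.
    cp "$new" "$dir/$base.new" || return 2
    sync

    # 3. Only the two renames below are the window without a $target.
    #    The old file is kept as $base.old so it can be put back.
    if [ -e "$target" ]; then
        mv "$target" "$dir/$base.old" || return 2
    fi
    if ! mv "$dir/$base.new" "$target"; then
        [ -e "$dir/$base.old" ] && mv "$dir/$base.old" "$target"
        return 2
    fi
    sync
    return 0
}
```

On vfat, mv within the same partition is a plain rename, so the old file is never partially overwritten in place.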
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This series adds the, possibly signed, efibootguard binaries to the deploy dir
and adds them to the swu file and sw-description to update the bootloader.

The new entry contains the following information.
{
    filename = "boot${SWU_EFI_ARCH}.efi";
    path = "EFI/BOOT/boot${SWU_EFI_ARCH}.efi";
    device = "/dev/disk/by-uuid/4321-DCBA";
    filesystem = "vfat";
    sha256 = "boot${SWU_EFI_ARCH}.efi-sha256";
});

Should we always update the bootloader or should this be an optional
addition to the swu?

Quirin Gylstorff (2):
  efibootguard-efi.py: copy signed ebg binary to DEPLOY_DIR
  swupdate.bbclass: Add boot<ARCH>.efi to swu

 classes/swupdate.bbclass                       | 18 +++++++++++++++---
 recipes-core/images/swu/sw-description.tmpl    |  7 +++++++
 .../lib/wic/plugins/source/efibootguard-efi.py | 13 +++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)