[RFC PATCH v3 0/9] FWU: Add support for FWU Multi Bank Update feature
Heinrich Schuchardt
xypron.glpk at gmx.de
Thu Jan 20 11:08:54 CET 2022
On 1/19/22 19:55, Sughosh Ganu wrote:
> The patchset adds support for the FWU Multi Bank Update[1]
> feature. Certain aspects of the Dependable Boot[2] specification have
> also been implemented.
The document "Platform Security Firmware Update for the A-profile Arm
Architecture Beta" [1] that you relate to describes updating using FF-A
[5] as a communication protocol between a normal world client and an
update agent in the secure world. [1] further describes an API for this
communication. I cannot see that you are implementing this:

* U-Boot is living in the normal world, so it cannot be the update agent
  of [1].
* Implementing the client of [1] in U-Boot would not require board
  specific changes.

This patch set comes without any documentation update. We need a patch
which adds documents to U-Boot describing

* the design of the update mechanism
* the usage of the update mechanism

before we can start the review of the patches.

Best regards

Heinrich

[1] Platform Security Firmware Update for the A-profile Arm Architecture
Beta
https://developer.arm.com/documentation/den0118/a
[5] Arm Firmware Framework for Arm A-profile
https://developer.arm.com/documentation/den0077/latest

>
> The FWU multi bank update feature is used for supporting multiple
> sets (also called banks) of firmware image(s), allowing the platform to
> boot from a different bank, in case it fails to boot from the active
> bank. This functionality is supported by keeping the relevant
> information in a structure called metadata, which provides information
> on the images. Among other parameters, the metadata structure contains
> information on the current active bank that is being used to boot
> image(s).
>
> Functionality is being added to work with the UEFI capsule driver in
> u-boot. The metadata is read to gather information on the update bank,
> which is the bank to which the firmware images would be flashed to. On
> a successful completion of the update of all components, the active
> bank field in the metadata is updated, to reflect the bank from which
> the platform will boot on the subsequent boots.
>
> Currently, the feature is being enabled on the STM32MP157C-DK2
> board which boots a FIP image from a uSD card partitioned with the GPT
> partitioning scheme. This also requires changes in the previous stage of
> bootloader, which parses the metadata and selects the bank to boot the
> image(s) from. Support is being added in tf-a (BL2 stage) for the
> STM32MP157C-DK2 board to boot the active bank images. These changes
> are under review currently[3].
>
> These patches are based on top of the series from Takahiro to add
> Authentication support to mkeficapsule utility[4]
>
> [1] - https://developer.arm.com/documentation/den0118/a
> [2] - https://staging-git.codelinaro.org/linaro/firmware-dual-banked-updates/test
> [3] - https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/12566
> [4] - https://patchwork.ozlabs.org/project/uboot/list/?series=281549
>
> Changes since V2:
> * Use uint*_t types in fwu_mdata.h since the file is to be reused in
> other projects
> * Keep only the FWU metadata structures in fwu_mdata.h
> * Move all other function and macro declarations in fwu.h
> * Keep common implementations of fwu_update_active_index and
> fwu_revert_boot_index in fwu_mdata.c
> * Add an update_mdata function pointer in the fwu_mdata_ops structure
> * Move the function definition of fwu_verify_mdata to fwu_mdata.c to
> facilitate reuse
> * Remove the block device specific desc->devnum parameter for the
> fwu_plat_get_alt_num function call
> * Change the implementation of fwu_plat_get_alt_num to get the devnum
> in the function before calling gpt_plat_get_alt_num
> * Add logic to delete the TrialStateCtr variable if system is not in
> Trial State
> * Add logic to check if bit 15 (OS Acceptance) of the Flags member in
> the capsule header is set
> * Add logic to set the accept bit of all images from a capsule if the
> OS Acceptance bit in the capsule header is not set
> * Include the log.h and stdio.h header files
>
> Sughosh Ganu (9):
> FWU: Add FWU metadata structure and functions for accessing metadata
> FWU: Add FWU metadata access functions for GPT partitioned block
> devices
> FWU: stm32mp1: Add helper functions for accessing FWU metadata
> FWU: STM32MP1: Add support to read boot index from backup register
> EFI: FMP: Add provision to update image's ImageTypeId in image
> descriptor
> FWU: Add boot time checks as highlighted by the FWU specification
> FWU: Add support for FWU Multi Bank Update feature
> FWU: cmd: Add a command to read FWU metadata
> mkeficapsule: Add support for generating empty capsules
>
> board/st/stm32mp1/stm32mp1.c | 183 ++++++++++
> cmd/Kconfig | 7 +
> cmd/Makefile | 1 +
> cmd/fwu_mdata.c | 67 ++++
> common/board_r.c | 6 +
> include/fwu.h | 81 +++++
> include/fwu_mdata.h | 69 ++++
> lib/Kconfig | 6 +
> lib/Makefile | 1 +
> lib/efi_loader/efi_capsule.c | 233 ++++++++++++-
> lib/efi_loader/efi_firmware.c | 90 ++++-
> lib/efi_loader/efi_setup.c | 3 +-
> lib/fwu_updates/Kconfig | 31 ++
> lib/fwu_updates/Makefile | 11 +
> lib/fwu_updates/fwu.c | 198 +++++++++++
> lib/fwu_updates/fwu_mdata.c | 358 +++++++++++++++++++
> lib/fwu_updates/fwu_mdata_gpt_blk.c | 521 ++++++++++++++++++++++++++++
> tools/eficapsule.h | 8 +
> tools/mkeficapsule.c | 102 +++++-
> 19 files changed, 1955 insertions(+), 21 deletions(-)
> create mode 100644 cmd/fwu_mdata.c
> create mode 100644 include/fwu.h
> create mode 100644 include/fwu_mdata.h
> create mode 100644 lib/fwu_updates/Kconfig
> create mode 100644 lib/fwu_updates/Makefile
> create mode 100644 lib/fwu_updates/fwu.c
> create mode 100644 lib/fwu_updates/fwu_mdata.c
> create mode 100644 lib/fwu_updates/fwu_mdata_gpt_blk.c
>
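
Added example (not part of the original thread or of the patch set): a minimal C model of the bank switching the cover letter describes, covering update-bank selection, the OS Acceptance case and a Trial State boot counter. The struct layout, the constants `NBANKS`, `NIMAGES` and `MAX_TRIALS`, the Trial State definition and all function names are assumptions for illustration and are not taken from fwu_mdata.h.

```c
#include <stdbool.h>
#include <stdint.h>
#define NBANKS     2 /* assumed bank count */
#define NIMAGES    2 /* assumed images per bank */
#define MAX_TRIALS 3 /* assumed limit on Trial State boots */

/* Hypothetical, simplified metadata; NOT the layout in fwu_mdata.h. */
struct mdata {
	uint32_t active_index;              /* bank the platform boots from */
	uint32_t previous_active_index;     /* bank to fall back to */
	uint8_t  accepted[NBANKS][NIMAGES]; /* per-image accept bit */
};

/* Images are flashed to the update bank, never to the active one. */
static uint32_t update_bank(const struct mdata *m) { return (m->active_index + 1) % NBANKS; }

/* All images written: switch banks. OS Acceptance set => images stay unaccepted. */
static void commit_update(struct mdata *m, bool os_acceptance)
{
	uint32_t nb = update_bank(m);
	for (int i = 0; i < NIMAGES; i++)
		m->accepted[nb][i] = !os_acceptance;
	m->previous_active_index = m->active_index;
	m->active_index = nb;
}

/* Assumed: Trial State = some image in the active bank is unaccepted. */
static bool in_trial_state(const struct mdata *m)
{
	for (int i = 0; i < NIMAGES; i++)
		if (!m->accepted[m->active_index][i])
			return true;
	return false;
}

/* Returns the bank to boot, or -1; *ctr stands in for TrialStateCtr. */
static int boot_check(struct mdata *m, uint32_t *ctr)
{
	if (m->active_index >= NBANKS || m->previous_active_index >= NBANKS) return -1;
	if (!in_trial_state(m)) {
		*ctr = 0; /* not in Trial State: the counter is dropped */
	} else if (++*ctr > MAX_TRIALS) {
		uint32_t t = m->active_index; /* trial boots exhausted: revert */
		m->active_index = m->previous_active_index;
		m->previous_active_index = t;
		*ctr = 0;
	}
	return (int)m->active_index;
}
```

The out-of-range check in `boot_check` matters because the previous boot stage also parses this metadata and uses the index to choose what to load.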