lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <F54AEECA5E2B9541821D670476DAE19C2B80EB68@PGSMSX102.gar.corp.intel.com>
Date:	Tue, 4 Nov 2014 08:03:30 +0000
From:	"Kweh, Hock Leong" <hock.leong.kweh@...el.com>
To:	Andy Lutomirski <luto@...capital.net>
CC:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	"Fleming, Matt" <matt.fleming@...el.com>,
	Ming Lei <ming.lei@...onical.com>,
	Sam Protsenko <semen.protsenko@...aro.org>,
	LKML <linux-kernel@...r.kernel.org>,
	"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
	"Ong, Boon Leong" <boon.leong.ong@...el.com>
Subject: RE: [PATCH v2 3/3] efi: Capsule update with user helper interface

> -----Original Message-----
> From: Andy Lutomirski [mailto:luto@...capital.net]
> Sent: Tuesday, November 04, 2014 2:32 PM
> 
> It seems like a large fraction of the code in this module exists just to work
> around the fact that request_firmware doesn't do what you want it to do.
> You have code to:
> 
>  - Prevent the /lib/firmware mechanism from working.
>  - Avoid a deadlock by doing strange things in the unload code.
>  - Allow more than one capsule per module load.  (Isn't this hard to use?
> User code will have to wait for the next firmware request before sending a
> second capsule.)

I did try to upload more than one capsule binaries and I don't observe a long wait
is required. In fact, it seem to me the interface is instantly re-created.

> 
> All of this is for dubious gain.  You have to do three separate opens in sysfs to
> upload a capsule, and there's no way to report back to userspace whether
> the EFI call worked and whether a reboot is needed.

I have not encounter any capsule update that does not require reboot.
Base on my understanding, the EFI firmware only do the binary decoding
during the next reboot. If the binary is broken/corrupted, you would only
know during the next reboot. On kernel driver point of view, it just registers
the binary by calling the EFI API UpdateCapsule(). May be Matt you could
help out with this?

Regarding the EFI call failed message, besides obtains from the dmesg log,
you also can verify that through this sysfs:
/sys/devices/platform/efi_capsule_user_helper/capsule_loaded

I did mention this in the commit message as showed below:
Besides the request_firmware user helper interface, this module also exposes
a 'capsule_loaded' file note for user to verify the number of successfully uploaded
capsule binaries. This file note has the read only attribute.

> 
> What's the benefit of using the firmware interface here?
> 
> --Andy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ