Re: SubRegionAuthLib RFC


Mackay, Curtis A <curtis.a.mackay@...>
 

Friendly reminder to review and provide feedback on the RFC. We are looking to target a WW34 deadline with this design.

 

Best,

Curtis

 

From: Mackay, Curtis A
Sent: Tuesday, June 16, 2020 10:51 AM
To: 'rfc@edk2.groups.io' <rfc@edk2.groups.io>
Cc: Kinney, Michael D <michael.d.kinney@...>; Wang, Jian J <jian.j.wang@...>; Yao, Jiewen <jiewen.yao@...>; Sukerkar, Amol N <amol.n.sukerkar@...>; Agrawal, Sachin <sachin.agrawal@...>
Subject: SubRegionAuthLib RFC

 

Hi,

 

I filed a proposal for a new library to handle UEFI BIOS sub-regions at https://bugzilla.tianocore.org/show_bug.cgi?id=2808. Attached is a slide deck with design overview of the new library.

 

A UEFI BIOS sub-region is an independent signed FV that can be updated independent of UEFI BIOS on flash and is part of a pre-allocated region on flash that is visible to UEFI BIOS.

The primary use-cases for such a region would be to store independently updateable firmware and large IP configuration data files to be consumed by BIOS.

 

To maintain the integrity of the BIOS sub-region, this ticket proposes a mechanism that:

- Leverages UEFI Secure Boot to authenticate the BIOS sub-region

- Supports PKCS#7 standard as signing/authentication mechanism to maintain the integrity of sub-region in PEI, DXE or BDS Phase.

 

Please provide feedback and comments on the design.

 

Best regards,

Curtis Mackay

Join rfc@edk2.groups.io to automatically receive all group messages.