From 3a41a9486c3d0c1dddcd60b1b4ca2672c4200cde Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vincent=20Stehl=C3=A9?= Date: Wed, 22 Jun 2022 19:03:09 +0200 Subject: [PATCH] chapter2: require authenticated fmp capsules for fw update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Require to accept only authenticated in-band firmware updates in FMP format. - Explicitly allow non-firmware update capsules in any format and refer to the Dependable Boot Specification. Signed-off-by: Vincent Stehlé --- .typos.txt | 1 + source/chapter2-uefi.rst | 12 ++++++++++-- source/references.rst | 4 ++++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/.typos.txt b/.typos.txt index 36f1509..6c3c9d0 100644 --- a/.typos.txt +++ b/.typos.txt @@ -6,3 +6,4 @@ recored veriable virtulized authenticaed +conaining diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index d2ae4f5..f0f51b9 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -606,8 +606,9 @@ In-band firmware update If firmware update is performed in-band (firmware on the application processor updates itself), then the firmware shall implement the `UpdateCapsule()` runtime -service and accept updates in the "Firmware Management Protocol Data Capsule -Structure" format as described in :UEFI:`23.3`. [#FMPNote]_ +service and accept only authenticated updates in the "Firmware Management +Protocol Data Capsule Structure" format as described in :UEFI:`23.3`, with +`IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED` set. [#FMPNote]_ `UpdateCapsule()` is only required before `ExitBootServices()` is called. .. [#FMPNote] The `UpdateCapsule()` runtime service is expected to be suitable 
@@ -618,6 +619,13 @@ Structure" format as described in :UEFI:`23.3`. [#FMPNote]_ https://fwupd.org/ +Firmware is allowed to accept capsules not containing firmware updates in any +format, with or without authentication. [#SignalingNote]_ + +.. [#SignalingNote] Capsules not containing firmware updates can be used as a + signaling mean between OS and firmware, as described in [DEPBOOT]_ for + example. + Firmware is also required to provide an EFI System Resource Table (ESRT) as described in :UEFI:`23.4`. Every firmware image that can be updated in-band must be described in the ESRT. diff --git a/source/references.rst b/source/references.rst index 3631724..fb3bcf8 100644 --- a/source/references.rst +++ b/source/references.rst @@ -17,6 +17,10 @@ Bibliography `_, August 2022, `UEFI Forum `_ +.. [DEPBOOT] `Dependable Boot Specification version 0.1-alpha. + `_ + November 2021, `Linaro Limited and contributors `_ + .. [DTSCHEMA] `Devicetree schema tools v2024.02 `_, `Devicetree.org `_
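Review bot: In the source/chapter2-uefi.rst hunk at -606, the new wording "accept only authenticated updates in the ... format" can be read two ways: either FMP capsules must be authenticated, or FMP is the only format accepted. It also does not say what the firmware does with an FMP capsule that fails authentication. Suggest splitting it into one sentence requiring the "Firmware Management Protocol Data Capsule Structure" format for firmware updates and one stating that the firmware shall reject any such capsule that is not authenticated. The trailing "with `IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED` set" does not name what the attribute is set on; naming the structure or field that carries it would make the requirement testable.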
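Review bot: In the source/chapter2-uefi.rst hunk at -618, "capsules not containing firmware updates" is not defined, so the "any format, with or without authentication" permission leaves each implementation to decide which capsules escape the authentication requirement added in the previous hunk. Suggest stating the criterion explicitly, for example that any capsule whose processing modifies a firmware image counts as a firmware update and must take the authenticated FMP path. Separately, "is allowed to" could be "may" to match the "shall" used in the paragraph above, and in the footnote "a signaling mean" should read "a signaling means".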