Capsule Based Firmware Update and Firmware Recovery
This page describes the UEFI Capsule ("capsule") implementation in EDK II, along with common use cases. EDK II provides an implementation of capsule-based firmware update and firmware recovery features that can detect whether a firmware update or recovery image delivered via UEFI Capsule has been modified (SignedCapsulePkg). It can also verify that the capsule applies to the platform that receives it, and that a firmware update does not violate any of the platform's firmware rollback rules.
Firmware is responsible for low-level platform initialization and the hand-off to the operating system, which means firmware establishes the root of trust for the platform. Signed images delivered via UEFI Capsule allow an OS-agnostic process to provide the platform with verified firmware updates.
The UEFI Specification and the PI Specification provide details on the services, tables, and variables associated with the use of capsules for firmware update and recovery.
- [UEFI] UpdateCapsule() and QueryCapsuleCapabilities() Runtime Services
- [UEFI] _OsIndicationsSupported_ and _OsIndications_ UEFI Variables
  - Support for EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED is not implemented.
  - Support for
- [UEFI] CapsuleNNNN Capsule Report Variables
- [UEFI] Firmware Management Protocol (FMP)
- [UEFI] EFI System Resource Table (ESRT)
- [PI] Recovery Module PPI
- [PI] Device Recovery Module PPI
- [PI] Recovery Block I/O PPI and Recovery Block I/O 2 PPI
- [PI] Boot to Recovery Mode PPI
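As an added example (not code from this wiki or from EDK II), the following Python parser shows the EFI_CAPSULE_HEADER that UpdateCapsule() receives, and the size and flag consistency checks a firmware should apply before trusting anything after the header. The structure layout, the CAPSULE_FLAGS_* values and the FMP capsule GUID are taken from the UEFI Specification; the capsule body is constructed sample data.

```python
import struct
import uuid

# EFI_CAPSULE_HEADER (UEFI Specification): EFI_GUID CapsuleGuid, UINT32 HeaderSize,
# UINT32 Flags, UINT32 CapsuleImageSize; little-endian, 28 bytes in total.
CAPSULE_HEADER_FMT = "<16sIII"
CAPSULE_HEADER_SIZE = struct.calcsize(CAPSULE_HEADER_FMT)

# Flag bits 16..31 are defined by the UEFI Specification; bits 0..15 belong to CapsuleGuid.
CAPSULE_FLAGS_PERSIST_ACROSS_RESET = 0x00010000
CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE = 0x00020000
CAPSULE_FLAGS_INITIATE_RESET = 0x00040000
SPEC_DEFINED_FLAGS = (CAPSULE_FLAGS_PERSIST_ACROSS_RESET
                      | CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE
                      | CAPSULE_FLAGS_INITIATE_RESET)

# EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID, the CapsuleGuid used for FMP update capsules.
FMP_CAPSULE_GUID = uuid.UUID("6dcbd5ed-e82d-4c44-bda1-7194199ad92a")


def build_capsule(capsule_guid, flags, body):
    """Prepend a well-formed EFI_CAPSULE_HEADER to a capsule body."""
    image_size = CAPSULE_HEADER_SIZE + len(body)
    # EFI_GUID is stored mixed-endian, which is exactly what UUID.bytes_le yields.
    return struct.pack(CAPSULE_HEADER_FMT, capsule_guid.bytes_le,
                       CAPSULE_HEADER_SIZE, flags, image_size) + body


def parse_capsule(buf):
    """Validate an EFI_CAPSULE_HEADER; return (guid, flags, body) or raise ValueError."""
    if len(buf) < CAPSULE_HEADER_SIZE:
        raise ValueError("buffer shorter than EFI_CAPSULE_HEADER")
    raw_guid, header_size, flags, image_size = struct.unpack_from(CAPSULE_HEADER_FMT, buf)
    # Size fields come from the untrusted image: check them against the struct and the buffer.
    if header_size < CAPSULE_HEADER_SIZE:
        raise ValueError("HeaderSize smaller than EFI_CAPSULE_HEADER")
    if image_size < header_size:
        raise ValueError("CapsuleImageSize smaller than HeaderSize")
    if image_size > len(buf):
        raise ValueError("CapsuleImageSize exceeds delivered buffer (truncated capsule)")
    # Reserved spec-defined bits must be clear, and flag combinations must be consistent:
    # POPULATE_SYSTEM_TABLE and INITIATE_RESET both require PERSIST_ACROSS_RESET.
    if flags & 0xFFFF0000 & ~SPEC_DEFINED_FLAGS:
        raise ValueError("reserved flag bits set")
    needs_persist = CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE | CAPSULE_FLAGS_INITIATE_RESET
    if flags & needs_persist and not flags & CAPSULE_FLAGS_PERSIST_ACROSS_RESET:
        raise ValueError("flag requires CAPSULE_FLAGS_PERSIST_ACROSS_RESET")
    return uuid.UUID(bytes_le=raw_guid), flags, buf[header_size:image_size]
```

The header checks are only the first gate; the body of a signed capsule is then authenticated by SignedCapsulePkg before any update is applied.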
SignedCapsulePkg makes use of OpenSSL command line utilities to sign firmware update capsules and firmware recovery images. It also uses OpenSSL libraries to authenticate firmware update capsules and firmware recovery images before they are used.
The EDK II implementation of capsule-based firmware update and firmware recovery provides test signing keys that may be used during firmware development and debug. If the EDK II implementation of capsule-based firmware update and recovery is used to build production firmware images, production firmware updates, or production recovery images, then the product owner must create and manage their own production signing keys.
NOTE: These instructions only cover how to generate a new X.509 Certificate Chain. It is up to the product owner to properly handle and protect the cryptographic pairs of private keys and public X.509 certificates used to sign and authenticate capsule-based system firmware update images.
As of December 2016, SignedCapsulePkg is integrated into the master branch of the Intel Galileo 2 ("Quark") and MinnowBoard Max platform firmware projects on EDK II. To implement this package on other EDK II platforms, please review the porting documentation.