Merge pull request #8 from jmarinho/master

auth hollow capsule + max Trial state boots + fixes

source/chapter2-uefi.rst

@@ -68,6 +68,8 @@ If the OS wants to revert the FW images to a previously working bank, it can do
 - Flags = 0
 - CapsuleImageSize = sizeof(EFI_CAPSULE_HEADER)
 
+Note: the image acceptance capsule must be authenticated. Details TBD.
+
 When UEFI receives the capsule above, UEFI will change the FWU metadata active_index to a previously working bank index by either:
 
 #. Calling the FWU primitive fwu_set_active [FWU]_ if the flash store is owned the Secure World.
@@ -95,10 +97,11 @@ The OS must accept each image, that has an acceptance pending, by using a capsul
 - CapsuleGuid 0c996046-bcc0-4d04-85ec-e1fcedf1c6f8
 - HeaderSize = sizeof(EFI_CAPSULE_HEADER)
 - Flags = 0
-- CapsuleImageSize = sizeof(EFI_CAPSULE_HEADER) + sizeof(EFI_GUID)
-- image_uuid
+- CapsuleImageSize = sizeof(EFI_CAPSULE_HEADER)
 
 
+Note: the image acceptance capsule must be authenticated. Details TBD.
+
 Update permission verification
 ------------------------------
 
@@ -130,3 +133,13 @@ The FW vendor signature should be placed before the FW image as is described in
 
 The FW images should be authenticated before being written to the FW store or before being
 allowed to execute on the platform.
+
+
+
+Maximum Trial platform boots
+----------------------------
+
+The UEFI implementation must keep a count of the consecutive platform boots in
+the Trial state [FWU]_.  If the number of consecutive platform boot in the
+Trial state exceeds a platform defined value of *max_trial_boots* then the UEFI
+implementation must revert the FW to the previous working bank [FWU]_.

source/chapter3-fwupdate.rst

@@ -116,7 +116,7 @@ Post-capsule install reboot success
 #. OS inspects the information in the ESRT
 #. OS performs an image acceptance test for any un-accepted image
 #. If all image tests pass correctly the OS exists the FW update procedure
-#. OS install the image acceptance capsule for every image that passes the acceptance test
+#. OS install the image acceptance capsule when all acceptance tests pass
 #. Firmware processes the image acceptance capsule and updates the boot bank
 #. On the next reboot BL2 will detect the new version (rollback counter < fw
    rollback counter).  It must then update the rollback counters accordingly.
@@ -161,5 +161,5 @@ Post-capsule install image fails OS test
 #. OS boots
 #. OS inspects the information in the ESRT
 #. OS performs an image acceptance test for any un-accepted image
-#. If any image tests fails, the OS install an "FW downgrade request" capsule, instructing UEFI to select the previously working FW bank
+#. If any image tests fails, the OS install a "FW downgrade request" capsule, instructing UEFI to select the previously working FW bank, or imediately reboots.
 #. OS requests a system reset

source/references.rst

@@ -9,8 +9,8 @@
    September 2018, `Arm Limited <http://arm.com>`_
 
 .. [FWU] `Platform Security Firmware Update for the A-profile Arm Architecture 1.0
-   <https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/FWU-PSA-A_DEN0118_1.0ALP2.pdf>`_,
-   January 2021, `Arm Limited <http://arm.com>`_
+   <https://developer.arm.com/documentation/den0118/a>`_,
+   May 2021, `Arm Limited <http://arm.com>`_
 
 .. [EBBR] `Embedded Base Boot Requirements v2.0.0-pre1
    <https://arm-software.github.io/ebbr/>`_,