Hi all,
a heads up and public documentation after a very useful internal
discussion yesterday:
EFI Boot Guard roughly falls into two pieces, namely the EFI loader and
the Linux tools/libs. As one purpose of the loader is to compensate
incomplete or possibly unsafe boot path selections/rollbacks via the
firmware, the loader is not part of (safe) OTA updates. The userland
tools may reside in updateable rootfs images, thus could move forward
without breaking a rollback.
Now, this may lead to userland becoming much more recent than the loader
on concrete system in the field. The interface between both is the
BGENV.DAT on the respective boot partitions. Luckily, it's format
(BG_ENVDATA) didn't change in structure and semantic since release v0.2.
So you may mix an older (not prehistoric) loader version with newer
userland - if you have good reasons to do so.
However, that compatibility may not always be givin in the future - who
knows. The challenge will then be that our current structure does not
foresee any versioning of the structure itself ("revision" is that of
the managed boot partition). We should therefore change this in order to
become extensible.
How to do that without breaking existing installations from today?
Luckily, there is one variable that we can use for this, and that is the
file size of BGENV.DAT. We will have to grow it, at least by a word that
holds the structure version, and loader as well as userland tools need
to check via the size if they see version 1 (current file size) or
version 2 (extended struct with version field).
The plan is to add such an extension soon, possibly before the next
release. That shall come in a backward-compatible manner for userland. A
newer loader may simply demand the extended structure, though, to make
things simpler.
One feature request from the internal discussion remains open so far:
How to read out the version of the installed loader from the userland
tools (and display it)? Unsure about this one so far, if BGENV.DAT
should carry it (risk of becoming stale) or if userland should add
support for extracting it from the installed loader binary or if we
should skip that.
Jan
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
--
You received this message because you are subscribed to the Google Groups "EFI
Boot Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/efibootguard-dev/04b8bf57-fdd9-6e44-f1e5-d25eb92d3c35%40siemens.com.
