On Mon, Sep 26, 2022 at 4:01 AM Sughosh Ganu <sughosh.g...@linaro.org> wrote:
> On Mon, 26 Sept 2022 at 08:25, Jassi Brar <jassisinghb...@gmail.com> wrote:
> > .....
> > >
> > > +static __maybe_unused efi_status_t fwu_post_update_process(bool
> > > fw_accept_os)
> > > +{
> > > + int status;
> > > + u32 update_index;
> > > + efi_status_t ret;
> > > +
> > > + status = fwu_plat_get_update_index(&update_index);
> > > + if (status < 0) {
> > > + log_err("Failed to get the FWU update_index value\n");
> > > + return EFI_DEVICE_ERROR;
> > > + }
> > > +
> > > + /*
> > > + * All the capsules have been updated successfully,
> > > + * update the FWU metadata.
> > > + */
> > > + log_debug("Update Complete. Now updating active_index to %u\n",
> > > + update_index);
> > > + status = fwu_update_active_index(update_index);
> > >
> > Do we want to check if all images in the bank are updated via capsules
> > before switching the bank?
>
> This function does get called only when the update status for every
> capsule is a success. Even if one of the capsules does not get
> updated, the active index will not get updated.
>
.... but we don't check if the capsule for each image in the bank is provided for update.

> > A developer will make sure all images are provided in one go, so that
> > the switch is successful.
> > But a malicious user may force some old vulnerable image back into use
> > by updating all but that image.
>
> That I believe is to be handled through a combination of implementing
> a rollback protection mechanism, along with capsule authentication.
> These are separate to the implementation of the multi bank updates
> that these patches are aiming for.
>
This sounds like: we don't worry about buffer-overflow vulnerabilities because the system will be secured and hardened by other mechanisms.

A/B update does not _require_ rollback-protection or capsule-authentication. A platform may rely on some other technology for tamper-proofing.

-j
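Review bot: fwu_post_update_process() switches to update_index as soon as every capsule that was supplied has succeeded, but nothing in the hunk verifies that a capsule was supplied for every image in the target bank; a bank with one image skipped still carries the previous copy of that image after the switch, so a completeness check (for example comparing the set of image indices updated in this cycle against the bank's image list from the FWU metadata) belongs before the call to fwu_update_active_index(). The visible lines also stop at `status = fwu_update_active_index(update_index);`, so the check of that status and the error path should follow directly, and `fw_accept_os` is not referenced anywhere in the lines shown.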
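The completeness check raised in this thread, as an added illustration rather than U-Boot or patch code: it tracks which image slots of the target bank received a capsule in the current cycle and refuses the bank switch while any slot was skipped. The struct, function names and the per-bank image count are assumptions for the example; a real platform would take the image count from the FWU metadata.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example, not U-Boot code: tracks which image slots of the
 * target bank were written by a capsule in this update cycle. */
struct fwu_update_tracker {
	uint32_t num_images;   /* images per bank (from FWU metadata on real hardware) */
	uint32_t updated_mask; /* bit i set once image i was updated successfully */
};

void fwu_tracker_init(struct fwu_update_tracker *t, uint32_t num_images)
{
	t->num_images = num_images > 32 ? 32 : num_images;
	t->updated_mask = 0;
}

/* Record a successful capsule update of image_index; false if out of range. */
bool fwu_tracker_mark_updated(struct fwu_update_tracker *t, uint32_t image_index)
{
	if (image_index >= t->num_images)
		return false;
	t->updated_mask |= 1u << image_index;
	return true;
}

/* Number of image slots in the bank that were not updated (0 = complete). */
uint32_t fwu_tracker_missing_images(const struct fwu_update_tracker *t)
{
	uint32_t missing = 0;
	for (uint32_t i = 0; i < t->num_images; i++)
		if (!(t->updated_mask & (1u << i)))
			missing++;
	return missing;
}

/* The decision point discussed in the thread: only move active_index to
 * update_index when every image in the bank came from this update cycle.
 * Returns 0 on switch, -1 when the bank is incomplete (old images remain). */
int fwu_switch_bank_if_complete(const struct fwu_update_tracker *t,
				uint32_t update_index, uint32_t *active_index)
{
	if (fwu_tracker_missing_images(t) != 0)
		return -1;
	*active_index = update_index;
	return 0;
}
```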