UEFI Capsule-Update and Recovery

On the EDK2-Devel mailing list, Michael Kinney of Intel has started a new EDK2 wiki page on UEFI Capsule-Based-Firmware Update/Recovery. Capsule Updates are how UEFI-based firmware updates itself.

Draft of documentation for Signed Capsule Feature:
I have started a draft of Wiki pages that describe how to use and verify the Signed Capsule feature from Jiewen Yao. I have focused this first draft on the system firmware update use case for signed capsules. Please review this content and provide feedback. I will work on the remaining 3 signed capsule use cases while the content for this fist use case is reviewed. I plan to add this content to the edk2 Wiki once the reviews are completed.




CHIPSEC adds capsule parsing and blacklists ThinkPwn

CHIPSEC has had a few significant updates recently:



[…] It detects EFI binaries which have the following attributes:
1. GUID A56897A1-A77F-4600-84DB-22B0A801FA9A string of vulnerable UEFI SmmRuntime protocol within the contents of EFI binaries
2. Two names (UI strings) ‘SystemSmmRuntimeRt.efi’ and ‘SmmRuntime’ and two GUIDs 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E and A56897A1-A77F-4600-84DB-22B0A801FA9A of vulnerable EFI binaries found in different systems[…]


New UEFI Capsule Update and Recovery sample

Jiewen Yao of Intel checked in a *45-part* patch to the Tianocore project, adding a new UEFi Capsule sample and documentation!

This series patch provides sample on how to do signed capsule update and recovery in EDKII. The feature includes:
1) Define EDKII signed system BIOS capsule format.
2) Provide EDKII signed system BIOS update sample.
3) Provide EDKII signed recovery sample.
4) Provide Microcode update sample for X86 system.
5) Update Quark to use new capsule/recovery solution.
6) Update Vlv2(MinnowMax) to use new capsule/recovery solution.

The signed capsule/recovery solution is in MdeModulePkg. The capsule in IntelFrameworkModulePkg is deprecated. The Microcode update solution is in UefiCpuPkg.

124 files changed, 17848 insertions(+), 384 deletions(-)

For more info, see the full patch:

new efi_capsule_loader Linux kernel interface from Intel

Hock Leong Kweh of Intel posted a patch to the Linux kernel which exposes a new UEFI capsule update interface. Some excerpts from the patch:

efi: a misc char interface for user to update efi firmware

Introducing a kernel module to expose capsule loader interface (misc char device file note) for user to upload capsule binaries. This option exposes a loader interface “/dev/efi_capsule_loader” for user to load EFI capsule binary and update the EFI firmware through system reboot. It expose a misc char interface for user to upload the capsule binary and calling efi_capsule_update() API to pass the binary to EFI firmware. The steps to update efi firmware are:

1) cat firmware.cap > /dev/efi_capsule_loader
2) reboot

Any failed upload error message will be returned while doing “cat” through Write() function call. Tested the code with Intel Quark Galileo platform. This patchset is created on top of Matt’s patchset:
1.)https://lkml.org/lkml/2014/10/7/390 “[PATCH 1/2] efi: Move efi_status_to_err() to efi.h”
2.)https://lkml.org/lkml/2014/10/7/391 “[PATCH 2/2] efi: Capsule update support”

See the linux-kernel/linux-efi/linux-fsdevel list archives for the patch (gmane.org is down for me currently, hope it returns…):

Fedora proposal for UEFI 2.5 Capsule Update support

As reported on Fedora devel-announce and on Softpedia, a proposal for Red Hat’s Fedora has been added to support UEFI Capuse Updates via UEFI 2.5’s ESRT.

“This adds the ability to perform updates of system firmware, as well as some peripheral firmware, on machines supporting the UEFI Capsule Update mechanism and UEFI 2.5’s “ESRT” feature. Right now this is generic support—the number of machines for which we actually have firmware updates available is very small, as the underlying technology is quite new—and it doesn’t include any actual delivery mechanism for such firmware images. But if they’re put at the right place for fwupd to notice them, and the system supports the right features, they’ll show up as updates in gnome-software.”

It will very be interesting to see how different distributions expose firmware updates to users.

More Information: