Intel has recently contributed a full implementation of UEFI Capsule update to EDK II, including support for the EFI System Resource Table (ESRT) and the Firmware Management Protocol (FMP). The SignedCapsulePkg has been ported to two open platforms, MinnowBoard Max/Turbot and Intel® Galileo, for further development and validation. This open implementation simplifies deployment of secure firmware updates, even for designs based on open hardware.
The firmware driver package contains a firmware update payload, which is passed to UEFI firmware via the Update Capsule function. By processing the capsule after reset, the system firmware is responsible for authenticating the capsule and performing the update. If the capsule payload has been compromised or doesn’t apply to this system, the firmware can reject the update and avoid corruption. Firmware is essential to the platform’s root-of-trust, so it’s in the best position to securely update itself.
-- "Better Firmware Updates in Linux* Using UEFI Capsules"
Delivering signed images through UEFI Capsule gives an OS-agnostic path for verified firmware updates, anchored in the root of trust that the firmware itself establishes. The scheme assumes that the certificate (public key) provisioned into the factory firmware corresponds to the private key used to sign every subsequent update; SignedCapsulePkg implements this with PKCS7 signatures whose creation and verification are backed by OpenSSL. Because the verification certificate is built into the firmware image, the signing key has to be protected accordingly: rotating it means shipping new firmware that carries the new certificate.
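The checks a firmware performs on a capsule before the signature is even worth verifying, as an added example that is not code from this page, from EDK II or from SignedCapsulePkg. It walks the UEFI-spec structures (EFI_CAPSULE_HEADER, EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER, the FMP image header and EFI_FIRMWARE_IMAGE_AUTHENTICATION), bounds-checks every attacker-controlled size, matches the image against an ESRT entry so a capsule that "doesn't apply to this system" is rejected, enforces the ESRT's LowestSupportedFwVersion against the incoming version, and hands out the PKCS7 blob and the bytes it is expected to cover. Assumptions: the "MSS1" FMP_PAYLOAD_HEADER layout (Signature, HeaderSize, FwVersion, LowestSupportedVersion) that SignedCapsulePkg's FmpPayloadHeaderLibCompatV1 expects, that the signature covers the bytes after AuthInfo, a constructed ESRT entry and capsule whose CertData is a placeholder rather than a real signature, and the names capsule_check, build_demo_capsule and demo_check, which are the example's own.

```c
/* Structural and policy checks an FMP capsule must pass before the firmware hands its signature to the
 * authentication library. Added example; not EDK II or SignedCapsulePkg code. All fields are little-endian. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CAPSULE_HDR_LEN 28u   /* EFI_CAPSULE_HEADER: CapsuleGuid, HeaderSize, Flags, CapsuleImageSize */
#define FMP_HDR_LEN 8u        /* EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER up to ItemOffsetList[] */
#define AUTH_FIXED_LEN 32u    /* EFI_FIRMWARE_IMAGE_AUTHENTICATION: MonotonicCount(8) + WIN_CERTIFICATE(8) + CertType(16) */
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1u
/* GUIDs in EFI in-memory byte order (first three fields little-endian). */
static const uint8_t FMP_CAPSULE_GUID[16] = {0xED,0xD5,0xCB,0x6D,0x2D,0xE8,0x44,0x4C,0xBD,0xA1,0x71,0x94,0x19,0x9A,0xD9,0x2A};     /* 6DCBD5ED-E82D-4C44-BDA1-7194199AD92A */
static const uint8_t PKCS7_CERT_TYPE_GUID[16] = {0x9D,0xD2,0xAF,0x4A,0xDF,0x68,0xEE,0x49,0x8A,0xA9,0x34,0x7D,0x37,0x56,0x65,0xA7}; /* 4AAFD29D-68DF-49EE-8AA9-347D375665A7 */
static const uint8_t DEMO_FW_CLASS[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};  /* constructed FwClass for the demo device */

enum { CAP_OK, CAP_TRUNCATED, CAP_BAD_GUID, CAP_BAD_HEADER, CAP_BAD_ITEM, CAP_NO_ESRT_MATCH, CAP_BAD_AUTHINFO, CAP_BAD_PAYLOAD, CAP_ROLLBACK };
struct esrt_entry { uint8_t fw_class[16]; uint32_t fw_version; uint32_t lowest_supported_fw_version; };  /* ESRT fields used here */
struct capsule_view {                             /* what a successful parse hands to the signature verifier */
  uint64_t monotonic_count; uint32_t fw_version;
  const uint8_t *pkcs7; size_t pkcs7_len;         /* CertData: the PKCS7 SignedData blob */
  const uint8_t *signed_data; size_t signed_len;  /* bytes after AuthInfo; assumed here to be what the signature covers */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

int capsule_check(const uint8_t *cap, size_t len, const struct esrt_entry *esrt, size_t n_esrt, struct capsule_view *out)
{
  if (len < CAPSULE_HDR_LEN) return CAP_TRUNCATED;
  if (memcmp(cap, FMP_CAPSULE_GUID, 16) != 0) return CAP_BAD_GUID;   /* not an FMP capsule */
  uint32_t hdr_size = rd32(cap + 16), img_size = rd32(cap + 24);
  if (hdr_size < CAPSULE_HDR_LEN || hdr_size > img_size || img_size > len) return CAP_BAD_HEADER;
  /* FMP capsule header; ItemOffsetList entries are relative to its first byte. Single-payload shape only. */
  const uint8_t *fmp = cap + hdr_size; size_t fmp_len = img_size - hdr_size;
  if (fmp_len < FMP_HDR_LEN) return CAP_TRUNCATED;
  uint16_t drivers = rd16(fmp + 4), items = rd16(fmp + 6);
  size_t list_end = FMP_HDR_LEN + 8u * ((size_t)drivers + items);
  if (rd32(fmp) != 1 || drivers != 0 || items != 1 || fmp_len < list_end) return CAP_BAD_HEADER;
  /* EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER: 32/40/48 bytes for Version 1/2/3. */
  uint64_t off = rd64(fmp + FMP_HDR_LEN);
  if (off < list_end || off > fmp_len || fmp_len - off < 32) return CAP_BAD_ITEM;
  const uint8_t *ih = fmp + off; size_t room = fmp_len - (size_t)off; uint32_t ih_ver = rd32(ih);
  size_t ih_len = ih_ver == 1 ? 32 : ih_ver == 2 ? 40 : ih_ver == 3 ? 48 : 0;
  if (ih_len == 0 || room < ih_len) return CAP_BAD_ITEM;
  uint32_t upd_size = rd32(ih + 24), vendor_size = rd32(ih + 28);
  if ((uint64_t)upd_size + vendor_size > room - ih_len) return CAP_BAD_ITEM;  /* 64-bit sum: attacker-chosen sizes must not wrap */
  /* "Does it apply to this system?": UpdateImageTypeId must match a FwClass the ESRT advertises. */
  const struct esrt_entry *e = NULL;
  for (size_t i = 0; i < n_esrt; i++) if (memcmp(ih + 4, esrt[i].fw_class, 16) == 0) e = &esrt[i];
  if (e == NULL) return CAP_NO_ESRT_MATCH;
  /* EFI_FIRMWARE_IMAGE_AUTHENTICATION heads the payload; dwLength covers everything after MonotonicCount. */
  const uint8_t *auth = ih + ih_len;
  if (upd_size < AUTH_FIXED_LEN) return CAP_TRUNCATED;
  uint32_t dw_len = rd32(auth + 8);
  if (rd16(auth + 12) != 0x0200 || rd16(auth + 14) != WIN_CERT_TYPE_EFI_GUID ||
      memcmp(auth + 16, PKCS7_CERT_TYPE_GUID, 16) != 0) return CAP_BAD_AUTHINFO;
  if (dw_len < AUTH_FIXED_LEN - 8 || dw_len > upd_size - 8) return CAP_BAD_AUTHINFO;
  /* FMP_PAYLOAD_HEADER ("MSS1": Signature, HeaderSize, FwVersion, LowestSupportedVersion), the layout
   * SignedCapsulePkg's FmpPayloadHeaderLibCompatV1 expects (assumed here), followed by the image itself. */
  const uint8_t *payload = auth + 8 + dw_len; size_t payload_len = upd_size - 8 - dw_len;
  if (payload_len < 16 || memcmp(payload, "MSS1", 4) != 0) return CAP_BAD_PAYLOAD;
  uint32_t ph_size = rd32(payload + 4), fw_ver = rd32(payload + 8);
  if (ph_size < 16 || ph_size > payload_len) return CAP_BAD_PAYLOAD;
  if (fw_ver < e->lowest_supported_fw_version) return CAP_ROLLBACK;   /* ESRT LowestSupportedFwVersion is the floor */
  out->monotonic_count = rd64(auth); out->fw_version = fw_ver; out->signed_data = payload; out->signed_len = payload_len;
  out->pkcs7 = auth + AUTH_FIXED_LEN; out->pkcs7_len = dw_len - (AUTH_FIXED_LEN - 8);
  return CAP_OK;   /* only now is the PKCS7 blob worth verifying against the certificate built into the firmware */
}

/* Constructed 156-byte demo capsule (buf >= 156 bytes). CertData is a 0xA5 placeholder, not a real PKCS7 signature. */
size_t build_demo_capsule(uint8_t *buf, uint32_t fw_version, uint32_t lowest_supported)
{
  const uint32_t upd_size = AUTH_FIXED_LEN + 16 + 16 + 8;  /* auth header + placeholder cert + payload header + image */
  uint8_t *p = buf;
  memcpy(p, FMP_CAPSULE_GUID, 16); wr32(p + 16, CAPSULE_HDR_LEN);
  wr32(p + 20, 0x00050000); wr32(p + 24, CAPSULE_HDR_LEN + 16 + 40 + upd_size); p += 28;  /* PERSIST_ACROSS_RESET | INITIATE_RESET */
  wr32(p, 1); wr16(p + 4, 0); wr16(p + 6, 1); wr64(p + 8, 16); p += 16;           /* one payload item at offset 16 */
  wr32(p, 2); memcpy(p + 4, DEMO_FW_CLASS, 16); p[20] = 1; memset(p + 21, 0, 3);  /* Version 2 image header */
  wr32(p + 24, upd_size); wr32(p + 28, 0); wr64(p + 32, 0); p += 40;
  wr64(p, 1); wr32(p + 8, (AUTH_FIXED_LEN - 8) + 16); wr16(p + 12, 0x0200); wr16(p + 14, WIN_CERT_TYPE_EFI_GUID);
  memcpy(p + 16, PKCS7_CERT_TYPE_GUID, 16); memset(p + 32, 0xA5, 16); p += 48;
  memcpy(p, "MSS1", 4); wr32(p + 4, 16); wr32(p + 8, fw_version); wr32(p + 12, lowest_supported); p += 16;
  memcpy(p, "FIRMWARE", 8); p += 8;
  return (size_t)(p - buf);
}

/* Demo harness: build a capsule, optionally mangle it (non-zero declared_size overwrites CapsuleImageSize, corrupt_guid
 * flips byte 0, n_esrt = 0 models a device this firmware does not advertise) and check it against a one-entry ESRT
 * whose LowestSupportedFwVersion is 0x00010000. Returns the CAP_* status; *fw_version_out gets FwVersion on CAP_OK. */
int demo_check(uint32_t fw_version, uint32_t declared_size, int corrupt_guid, size_t n_esrt, uint32_t *fw_version_out)
{
  struct esrt_entry esrt = { {0}, 0x00010002, 0x00010000 }; memcpy(esrt.fw_class, DEMO_FW_CLASS, 16);
  uint8_t buf[256]; struct capsule_view v; memset(&v, 0, sizeof v);
  size_t n = build_demo_capsule(buf, fw_version, 0x00010000);
  if (declared_size) wr32(buf + 24, declared_size);
  if (corrupt_guid) buf[0] ^= 0xFF;
  int rc = capsule_check(buf, n, &esrt, n_esrt, &v);
  if (fw_version_out) *fw_version_out = v.fw_version;
  return rc;
}
```

The example stops exactly where the cryptography starts: on CAP_OK the caller passes `pkcs7`/`signed_data` to the platform's FmpAuthenticationLib, which in EDK II verifies the PKCS7 blob with an OpenSSL-backed Pkcs7Verify against the certificate compiled into the firmware. Two details are worth copying into any real parser: every size is added in 64 bits before being compared to the remaining buffer, so a pair of large 32-bit sizes cannot wrap around a bounds check, and the version floor comes from the ESRT that the firmware itself publishes, not from anything inside the capsule.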
- "Capsule Based Firmware Update and Firmware Recovery" (TianoCore wiki)
- "A Tour Beyond BIOS: Capsule Update and Recovery in EDK II" (Intel Whitepaper, Dec 2016)
- https://github.com/tianocore/edk2/tree/master/SignedCapsulePkg (TianoCore github)
- "Better Firmware Updates in Linux* Using UEFI Capsules" (Intel® Developer Zone)
- "The Tricky World of Securing Firmware" (Intel® Developer Zone)