Description
The UEFI spec requires that the authenticated variables holding the Secure Boot keys (PK, KEK, db and dbx) live in non-volatile storage that is both tamper-resistant and delete-resistant. On embedded platforms that have a Replay Protected Memory Block (RPMB) on their eMMC/UFS device, U-Boot has supported this at boot time since around 2020. With SystemReady IR being adopted by more hardware vendors, SetVariable at runtime (that is, after ExitBootServices()) is becoming a necessity: distro installers need it to write Boot#### entries and BootOrder, and capsule-based firmware updates need it to set OsIndications.
The mechanism is complex: once the OS owns the storage controller, a firmware runtime service can no longer reach the RPMB on its own, so providing runtime SetVariable while staying within the UEFI spec is very difficult on certain platforms.
A patchset under review (https://lore.kernel.org/linux-efi/20231013074540.8980-2-masahisa.kojima@linaro.org/) enables SetVariable at runtime for such platforms by routing variable writes through the kernel's TEE subsystem to the secure-world variable service. This introduces a few dependencies on the kernel and departs from the UEFI spec, which expects runtime services to be provided by the firmware alone.
Discuss the implementation, implications, current status, and ideas to lift the kernel dependencies.
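The way a platform tells the OS which runtime services it actually implements is the EFI_RT_PROPERTIES_TABLE configuration table; a platform that cannot do SetVariable after ExitBootServices() clears the corresponding bit, and an installer or update tool should check that bit before relying on runtime writes. The decoder below is an added example written for this page; it is not code from the talk, U-Boot or the patchset. The table layout and EFI_RT_SUPPORTED_* bit values are from the UEFI spec; the byte strings are constructed samples and do not reflect any particular board.

```c
/*
 * Decode EFI_RT_PROPERTIES_TABLE (UEFI spec) and report which variable
 * services a platform claims to support after ExitBootServices().
 * Layout, all little-endian:
 *   UINT16 Version;                   // must be 1
 *   UINT16 Length;                    // 8
 *   UINT32 RuntimeServicesSupported;  // EFI_RT_SUPPORTED_* bitmask
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit values taken from the UEFI spec definition of the table. */
#define EFI_RT_SUPPORTED_GET_VARIABLE            0x0010u
#define EFI_RT_SUPPORTED_GET_NEXT_VARIABLE_NAME  0x0020u
#define EFI_RT_SUPPORTED_SET_VARIABLE            0x0040u
#define EFI_RT_SUPPORTED_QUERY_VARIABLE_INFO     0x2000u

#define EFI_RT_PROPERTIES_TABLE_VERSION 1u
#define EFI_RT_PROPERTIES_TABLE_LEN     8u

/* Hypothetical classification used by this example only. */
enum rt_var_level {
    RT_VAR_MALFORMED  = -1, /* table present but not decodable */
    RT_VAR_NONE       = 0,  /* no variable service callable at runtime */
    RT_VAR_READ_ONLY  = 1,  /* GetVariable/GetNextVariableName only */
    RT_VAR_READ_WRITE = 2,  /* SetVariable also callable at runtime */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * buf == NULL models the table being absent from the configuration table
 * list; in that case the spec treats every runtime service as supported.
 */
static enum rt_var_level rt_var_support(const uint8_t *buf, size_t len)
{
    uint32_t mask;
    const uint32_t rd = EFI_RT_SUPPORTED_GET_VARIABLE |
                        EFI_RT_SUPPORTED_GET_NEXT_VARIABLE_NAME;

    if (buf == NULL) {
        mask = 0xffffffffu;
    } else {
        if (len < EFI_RT_PROPERTIES_TABLE_LEN)
            return RT_VAR_MALFORMED;
        if (rd16(buf) != EFI_RT_PROPERTIES_TABLE_VERSION)
            return RT_VAR_MALFORMED;
        if (rd16(buf + 2) < EFI_RT_PROPERTIES_TABLE_LEN)
            return RT_VAR_MALFORMED;
        mask = rd32(buf + 4);
    }

    if ((mask & rd) != rd)
        return RT_VAR_NONE;
    if (mask & EFI_RT_SUPPORTED_SET_VARIABLE)
        return RT_VAR_READ_WRITE;
    return RT_VAR_READ_ONLY;
}

/* Constructed sample: variables readable but not writable at runtime (mask 0x0030). */
static const uint8_t sample_read_only[8]  = { 0x01, 0x00, 0x08, 0x00, 0x30, 0x00, 0x00, 0x00 };
/* Constructed sample: full variable services at runtime (mask 0x2070). */
static const uint8_t sample_read_write[8] = { 0x01, 0x00, 0x08, 0x00, 0x70, 0x20, 0x00, 0x00 };
/* Constructed sample: no variable services at runtime at all (mask 0x0000). */
static const uint8_t sample_no_var[8]     = { 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 };

static const char *level_name(enum rt_var_level l)
{
    switch (l) {
    case RT_VAR_NONE:       return "no variable services at runtime";
    case RT_VAR_READ_ONLY:  return "read-only (SetVariable unsupported at runtime)";
    case RT_VAR_READ_WRITE: return "read-write (SetVariable supported at runtime)";
    default:                return "malformed table";
    }
}

int main(void)
{
    printf("read-only sample : %s\n", level_name(rt_var_support(sample_read_only, 8)));
    printf("read-write sample: %s\n", level_name(rt_var_support(sample_read_write, 8)));
    printf("no-var sample    : %s\n", level_name(rt_var_support(sample_no_var, 8)));
    printf("table absent     : %s\n", level_name(rt_var_support(NULL, 0)));
    return 0;
}
```

The read-only outcome is the situation the abstract describes: the firmware can still answer GetVariable from a boot-time copy, but any Boot#### or OsIndications write from the installed OS fails until something like the patchset above provides a write path. Linux reads this same bitmask and does not expose SetVariable through efivarfs when the bit is clear, so a tool that checks the table up front gets the same answer the kernel will give.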