Attention is currently required from: Sergii Dmytruk.
Nico Huber has posted comments on this change by Sergii Dmytruk. ( https://review.coreboot.org/c/coreboot/+/83422?usp=email )
Change subject: drivers/efi/uefi_capsules.c: coalesce and store UEFI capsules
Patch Set 6:
(1 comment)
File src/drivers/efi/capsules.c:
https://review.coreboot.org/c/coreboot/+/83422/comment/fdd61119_8e3ca6ee?usp... : PS6, Line 347:
    data_size += ALIGN_UP(capsule_hdr->CapsuleImageSize, CAPSULE_ALIGNMENT);
> Your computation assumes that a payload will accept such huge capsules while there is `gEfiMdeModulePkgTokenSpaceGuid.PcdMaxSizePopulateCapsule` limit with the default value of 100 MiB.
Yes. Actually it's a matter of your specific threat model of course. If you consider local attackers (could be an evil housekeeper with a live OS; even signed if using Microsoft's secure-boot keys) or any otherwise compromised OS, then the payload can't help you when the attacker can bypass the payload at runtime and attack coreboot directly. That was my thought. I believe that's a common threat model and why we do the signature verification of updates inside the firmware (not in the OS update tool, for instance).
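An added illustration, not coreboot's code and not from either participant in this review, of how the size accumulation at line 347 could be bounded against the 100 MiB PcdMaxSizePopulateCapsule default mentioned above; the value of CAPSULE_ALIGNMENT, the function name and the sentinel are assumptions made for this example:

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed values for this example: the alignment is a guess, the cap is the
 * PcdMaxSizePopulateCapsule default of 100 MiB quoted in the review. */
#define CAPSULE_ALIGNMENT      4096u
#define CAPSULE_MAX_TOTAL_SIZE (100u * 1024u * 1024u)
#define CAPSULE_SIZE_INVALID   UINT64_MAX

#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/*
 * Sum the aligned CapsuleImageSize values of n capsules, as a coalescing
 * pass would when sizing its buffer. Returns CAPSULE_SIZE_INVALID as soon as
 * the running total would exceed the cap, so an attacker-supplied list of
 * capsule headers can neither wrap the counter nor request an allocation
 * larger than the payload is willing to populate.
 */
uint64_t coalesced_capsule_size(const uint32_t *image_sizes, size_t n)
{
	uint64_t total = 0;

	for (size_t i = 0; i < n; i++) {
		/* Widen first: ALIGN_UP of a 32-bit size near UINT32_MAX would
		 * wrap if computed in 32 bits. */
		uint64_t size = ALIGN_UP((uint64_t)image_sizes[i],
					 (uint64_t)CAPSULE_ALIGNMENT);

		/* Compare against the remaining headroom rather than adding and
		 * checking afterwards, which would itself be an overflow. */
		if (size > CAPSULE_MAX_TOTAL_SIZE - total)
			return CAPSULE_SIZE_INVALID;
		total += size;
	}
	return total;
}
```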