Pull request for efi-2021-07-rc3
Documentation: * add a man-page for the size command * add man-page for extension command to index Bug fixes: * avoid build failure due to missing SHA512 hardware acceleration * correct error handling in TCG2 protocol * don't let user disable capsule authentication * correct reading directories via UEFI API -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmCjmakACgkQxIHbvCwF GsSP4Q//eVn72X0WpP0yMBj/lSl1S2vP5RW+5ThWKAGvzQ/iV6h2A5Z8qOHjOTOk pbm3ywDFpUiOYaN0+sdOzSwBEPOR3Brob4VKfM+aE/6r9X+qBzbBHK/X3e+I3moZ Uxffa+yrP6xjnLO3u9e2jAD6jYxMaGApq72DAojlb8pBZep8jaiW6BGUlf4in6nk 5AiGJc41Vv872JoZ/FnwXnL8MZYGO1FgzmJvUcq4HV+GwG9QRhUZV8o9p1vIQc1n rxE5CfpyOf8WvmVuD3SFU6VueeTBrp8+WV+u13ivwddCOERD0pAFkP5Md/s26Cvd UJ06il20BoHWMAgVOthnkUvc3eaaMvERghhCBFI++SoHX4Ly3r3p6loEj2d49RXa ddAoR4O8mdSwQ9aRjBAQZctECXmrHn/eAAFNkvbegueUDwlDWytucuvD7X2T450g dVTLjsleMplt+cWypChcG0YYgTfOEuYnHjbDjEZXEBier6vpIFKsFFmX9AX+0p+k 5rfdWA58gWYzrMfjq2rThv6GyqKOrjBO825esWEA8XH5SXV2UKbzw9BziMjtFZNo 6urSigMfmylhnG0fHacsD1jttrHTlLjLhqRNDB2fmmdXzsRKpPCJzhW68OxgaoF/ 56efvDLXUWrI9w7kMaPqyQNO/d5bJvKd1QzJouQxFbnp6vkd0oA= =h8yY -----END PGP SIGNATURE----- Merge tag 'efi-2021-07-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi Pull request for efi-2021-07-rc3 Documentation: * add a man-page for the size command * add man-page for extension command to index Bug fixes: * avoid build failure due to missing SHA512 hardware acceleration * correct error handling in TCG2 protocol * don't let user disable capsule authentication * correct reading directories via UEFI API
commit
7a1638c263
|
@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool efi_capsule_auth_enabled(void)
|
|
||||||
{
|
|
||||||
return env_get("capsule_authentication_enabled") != NULL ?
|
|
||||||
true : false;
|
|
||||||
}
|
|
||||||
|
|
|
@ -80,6 +80,7 @@ config FIT_SIGNATURE
|
||||||
select RSA_VERIFY
|
select RSA_VERIFY
|
||||||
select IMAGE_SIGN_INFO
|
select IMAGE_SIGN_INFO
|
||||||
select FIT_FULL_CHECK
|
select FIT_FULL_CHECK
|
||||||
|
select HASH_CALCULATE
|
||||||
help
|
help
|
||||||
This option enables signature verification of FIT uImages,
|
This option enables signature verification of FIT uImages,
|
||||||
using a hash signed and verified using RSA. If
|
using a hash signed and verified using RSA. If
|
||||||
|
|
|
@ -260,12 +260,12 @@ static struct hash_algo hash_algo[] = {
|
||||||
.name = "sha384",
|
.name = "sha384",
|
||||||
.digest_size = SHA384_SUM_LEN,
|
.digest_size = SHA384_SUM_LEN,
|
||||||
.chunk_size = CHUNKSZ_SHA384,
|
.chunk_size = CHUNKSZ_SHA384,
|
||||||
#ifdef CONFIG_SHA_HW_ACCEL
|
#ifdef CONFIG_SHA512_HW_ACCEL
|
||||||
.hash_func_ws = hw_sha384,
|
.hash_func_ws = hw_sha384,
|
||||||
#else
|
#else
|
||||||
.hash_func_ws = sha384_csum_wd,
|
.hash_func_ws = sha384_csum_wd,
|
||||||
#endif
|
#endif
|
||||||
#ifdef CONFIG_SHA_PROG_HW_ACCEL
|
#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
|
||||||
.hash_init = hw_sha_init,
|
.hash_init = hw_sha_init,
|
||||||
.hash_update = hw_sha_update,
|
.hash_update = hw_sha_update,
|
||||||
.hash_finish = hw_sha_finish,
|
.hash_finish = hw_sha_finish,
|
||||||
|
@ -281,12 +281,12 @@ static struct hash_algo hash_algo[] = {
|
||||||
.name = "sha512",
|
.name = "sha512",
|
||||||
.digest_size = SHA512_SUM_LEN,
|
.digest_size = SHA512_SUM_LEN,
|
||||||
.chunk_size = CHUNKSZ_SHA512,
|
.chunk_size = CHUNKSZ_SHA512,
|
||||||
#ifdef CONFIG_SHA_HW_ACCEL
|
#ifdef CONFIG_SHA512_HW_ACCEL
|
||||||
.hash_func_ws = hw_sha512,
|
.hash_func_ws = hw_sha512,
|
||||||
#else
|
#else
|
||||||
.hash_func_ws = sha512_csum_wd,
|
.hash_func_ws = sha512_csum_wd,
|
||||||
#endif
|
#endif
|
||||||
#ifdef CONFIG_SHA_PROG_HW_ACCEL
|
#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
|
||||||
.hash_init = hw_sha_init,
|
.hash_init = hw_sha_init,
|
||||||
.hash_update = hw_sha_update,
|
.hash_update = hw_sha_update,
|
||||||
.hash_finish = hw_sha_finish,
|
.hash_finish = hw_sha_finish,
|
||||||
|
|
|
@ -26,6 +26,7 @@ Shell commands
|
||||||
conitrace
|
conitrace
|
||||||
echo
|
echo
|
||||||
exception
|
exception
|
||||||
|
extension
|
||||||
exit
|
exit
|
||||||
false
|
false
|
||||||
fatinfo
|
fatinfo
|
||||||
|
@ -38,6 +39,7 @@ Shell commands
|
||||||
pstore
|
pstore
|
||||||
qfw
|
qfw
|
||||||
sbi
|
sbi
|
||||||
|
size
|
||||||
true
|
true
|
||||||
scp03
|
scp03
|
||||||
reset
|
reset
|
||||||
|
|
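--- a/doc/usage/size.rst
+++ b/doc/usage/size.rst
@@ -0,0 +1,40 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+size command
+============
+
+Synopsis
+--------
+
+::
+
+size <interface> <dev[:part]> <filename>
+
+Description
+-----------
+
+The size command determines the size of a file and sets the environment variable
+filesize to this value. If filename points to a directory, the value is set to
+zero.
+
+If the command fails, the filesize environment variable is not changed.
+
+dev
+device number
+
+part
+partition number, defaults to 1
+
+filename
+path to file
+
+Configuration
+-------------
+
+The size command is only available if CONFIG_CMD_FS_GENERIC=y.
+
+Return value
+------------
+
+The return value $? is set to 0 (true) if the command succeded and to 1 (false)
+otherwise.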
24
lib/Kconfig
24
lib/Kconfig
|
@ -389,21 +389,32 @@ config SHA384
|
||||||
(digest).
|
(digest).
|
||||||
|
|
||||||
config SHA_HW_ACCEL
|
config SHA_HW_ACCEL
|
||||||
bool "Enable hashing using hardware"
|
bool "Enable hardware acceleration for SHA hash functions"
|
||||||
help
|
help
|
||||||
This option enables hardware acceleration for SHA hashing.
|
This option enables hardware acceleration for the SHA1 and SHA256
|
||||||
This affects the 'hash' command and also the hash_lookup_algo()
|
hashing algorithms. This affects the 'hash' command and also the
|
||||||
function.
|
hash_lookup_algo() function.
|
||||||
|
|
||||||
|
if SHA_HW_ACCEL
|
||||||
|
|
||||||
|
config SHA512_HW_ACCEL
|
||||||
|
bool "Enable hardware acceleration for SHA512"
|
||||||
|
depends on SHA512_ALGO
|
||||||
|
help
|
||||||
|
This option enables hardware acceleration for the SHA384 and SHA512
|
||||||
|
hashing algorithms. This affects the 'hash' command and also the
|
||||||
|
hash_lookup_algo() function.
|
||||||
|
|
||||||
config SHA_PROG_HW_ACCEL
|
config SHA_PROG_HW_ACCEL
|
||||||
bool "Enable Progressive hashing support using hardware"
|
bool "Enable Progressive hashing support using hardware"
|
||||||
depends on SHA_HW_ACCEL
|
|
||||||
help
|
help
|
||||||
This option enables hardware-acceleration for SHA progressive
|
This option enables hardware-acceleration for SHA progressive
|
||||||
hashing.
|
hashing.
|
||||||
Data can be streamed in a block at a time and the hashing is
|
Data can be streamed in a block at a time and the hashing is
|
||||||
performed in hardware.
|
performed in hardware.
|
||||||
|
|
||||||
|
endif
|
||||||
|
|
||||||
config MD5
|
config MD5
|
||||||
bool "Support MD5 algorithm"
|
bool "Support MD5 algorithm"
|
||||||
help
|
help
|
||||||
|
@ -428,6 +439,9 @@ config CRC32C
|
||||||
config XXHASH
|
config XXHASH
|
||||||
bool
|
bool
|
||||||
|
|
||||||
|
config HASH_CALCULATE
|
||||||
|
bool
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
|
|
||||||
menu "Compression Support"
|
menu "Compression Support"
|
||||||
|
|
|
@ -61,7 +61,7 @@ endif
|
||||||
obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
|
obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
|
||||||
obj-$(CONFIG_$(SPL_)MD5) += md5.o
|
obj-$(CONFIG_$(SPL_)MD5) += md5.o
|
||||||
obj-$(CONFIG_$(SPL_)RSA) += rsa/
|
obj-$(CONFIG_$(SPL_)RSA) += rsa/
|
||||||
obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
|
obj-$(CONFIG_HASH_CALCULATE) += hash-checksum.o
|
||||||
obj-$(CONFIG_SHA1) += sha1.o
|
obj-$(CONFIG_SHA1) += sha1.o
|
||||||
obj-$(CONFIG_SHA256) += sha256.o
|
obj-$(CONFIG_SHA256) += sha256.o
|
||||||
obj-$(CONFIG_SHA512_ALGO) += sha512.o
|
obj-$(CONFIG_SHA512_ALGO) += sha512.o
|
||||||
|
|
|
@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE
|
||||||
select PKCS7_MESSAGE_PARSER
|
select PKCS7_MESSAGE_PARSER
|
||||||
select PKCS7_VERIFY
|
select PKCS7_VERIFY
|
||||||
select IMAGE_SIGN_INFO
|
select IMAGE_SIGN_INFO
|
||||||
|
select HASH_CALCULATE
|
||||||
default n
|
default n
|
||||||
help
|
help
|
||||||
Select this option if you want to enable capsule
|
Select this option if you want to enable capsule
|
||||||
|
@ -300,7 +301,13 @@ config EFI_RNG_PROTOCOL
|
||||||
|
|
||||||
config EFI_TCG2_PROTOCOL
|
config EFI_TCG2_PROTOCOL
|
||||||
bool "EFI_TCG2_PROTOCOL support"
|
bool "EFI_TCG2_PROTOCOL support"
|
||||||
|
default y
|
||||||
depends on TPM_V2
|
depends on TPM_V2
|
||||||
|
select SHA1
|
||||||
|
select SHA256
|
||||||
|
select SHA512_ALGO
|
||||||
|
select SHA384
|
||||||
|
select SHA512
|
||||||
help
|
help
|
||||||
Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
|
Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
|
||||||
of the platform.
|
of the platform.
|
||||||
|
@ -336,6 +343,7 @@ config EFI_SECURE_BOOT
|
||||||
select X509_CERTIFICATE_PARSER
|
select X509_CERTIFICATE_PARSER
|
||||||
select PKCS7_MESSAGE_PARSER
|
select PKCS7_MESSAGE_PARSER
|
||||||
select PKCS7_VERIFY
|
select PKCS7_VERIFY
|
||||||
|
select HASH_CALCULATE
|
||||||
default n
|
default n
|
||||||
help
|
help
|
||||||
Select this option to enable EFI secure boot support.
|
Select this option to enable EFI secure boot support.
|
||||||
|
|
|
@ -554,7 +554,7 @@ static efi_status_t efi_file_read_int(struct efi_file_handle *this,
|
||||||
efi_status_t ret = EFI_SUCCESS;
|
efi_status_t ret = EFI_SUCCESS;
|
||||||
u64 bs;
|
u64 bs;
|
||||||
|
|
||||||
if (!this || !buffer_size || !buffer)
|
if (!this || !buffer_size)
|
||||||
return EFI_INVALID_PARAMETER;
|
return EFI_INVALID_PARAMETER;
|
||||||
|
|
||||||
bs = *buffer_size;
|
bs = *buffer_size;
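Review bot: With `!buffer` dropped from the guard in efi_file_read_int, a NULL `buffer` combined with a non-zero `*buffer_size` now passes the parameter check, and nothing in this hunk shows where that combination is rejected. The relaxation presumably exists so a caller can pass NULL with a zero size to learn how large a directory entry is, but the regular-file path must still refuse to write through NULL. If the callees further down do not already check this, keep a narrower guard such as `if (!this || !buffer_size || (!buffer && *buffer_size))`. The function body starts and continues outside the hunk, so the downstream handling could not be confirmed from here.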
|
||||||
|
|
|
@ -190,7 +190,7 @@ static efi_status_t efi_get_dfu_info(
|
||||||
IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
|
IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
|
||||||
|
|
||||||
/* Check if the capsule authentication is enabled */
|
/* Check if the capsule authentication is enabled */
|
||||||
if (env_get("capsule_authentication_enabled"))
|
if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE))
|
||||||
image_info[0].attributes_setting |=
|
image_info[0].attributes_setting |=
|
||||||
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
|
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
|
||||||
|
|
||||||
|
@ -421,8 +421,7 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
|
||||||
return EFI_EXIT(EFI_INVALID_PARAMETER);
|
return EFI_EXIT(EFI_INVALID_PARAMETER);
|
||||||
|
|
||||||
/* Authenticate the capsule if authentication enabled */
|
/* Authenticate the capsule if authentication enabled */
|
||||||
if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
|
if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) {
|
||||||
env_get("capsule_authentication_enabled")) {
|
|
||||||
capsule_payload = NULL;
|
capsule_payload = NULL;
|
||||||
capsule_payload_size = 0;
|
capsule_payload_size = 0;
|
||||||
status = efi_capsule_authenticate(image, image_size,
|
status = efi_capsule_authenticate(image, image_size,
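Review bot: In the efi_get_dfu_info hunk the flag is still ORed into `image_info[0].attributes_setting` only, so if this statement sits inside a loop over several images (the loop is not visible here), every descriptor after the first keeps reporting that authentication is not required even though CONFIG_EFI_CAPSULE_AUTHENTICATE is built in. If that is the case, index with the loop variable instead of `0`. Both comments are also stale now that the environment variable is gone; `/* Authenticate the capsule; built in via CONFIG_EFI_CAPSULE_AUTHENTICATE, no runtime switch */` would record that the check cannot be turned off from the U-Boot shell. Both functions start and end outside their hunks.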
|
||||||
|
|
|
@ -771,8 +771,8 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
|
||||||
pcr_index = efi_tcg_event->header.pcr_index;
|
pcr_index = efi_tcg_event->header.pcr_index;
|
||||||
event_type = efi_tcg_event->header.event_type;
|
event_type = efi_tcg_event->header.event_type;
|
||||||
|
|
||||||
ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
|
ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash,
|
||||||
&digest_list);
|
data_to_hash_len, &digest_list);
|
||||||
if (ret != EFI_SUCCESS)
|
if (ret != EFI_SUCCESS)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
@ -999,6 +999,11 @@ static efi_status_t create_final_event(void)
|
||||||
event_log.final_pos = sizeof(*final_event);
|
event_log.final_pos = sizeof(*final_event);
|
||||||
ret = efi_install_configuration_table(&efi_guid_final_events,
|
ret = efi_install_configuration_table(&efi_guid_final_events,
|
||||||
final_event);
|
final_event);
|
||||||
|
if (ret != EFI_SUCCESS) {
|
||||||
|
efi_free_pool(event_log.final_buffer);
|
||||||
|
event_log.final_buffer = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
out:
|
out:
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
@ -1047,18 +1052,21 @@ static efi_status_t efi_init_event_log(void)
|
||||||
ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
|
ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
|
||||||
&spec_event_size);
|
&spec_event_size);
|
||||||
if (ret != EFI_SUCCESS)
|
if (ret != EFI_SUCCESS)
|
||||||
goto out;
|
goto free_pool;
|
||||||
put_unaligned_le32(spec_event_size, &event_header->event_size);
|
put_unaligned_le32(spec_event_size, &event_header->event_size);
|
||||||
event_log.pos = spec_event_size + sizeof(*event_header);
|
event_log.pos = spec_event_size + sizeof(*event_header);
|
||||||
event_log.last_event_size = event_log.pos;
|
event_log.last_event_size = event_log.pos;
|
||||||
|
|
||||||
ret = create_final_event();
|
ret = create_final_event();
|
||||||
if (ret != EFI_SUCCESS)
|
if (ret != EFI_SUCCESS)
|
||||||
goto out;
|
goto free_pool;
|
||||||
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
out:
|
out:
|
||||||
tcg2_uninit();
|
return ret;
|
||||||
|
|
||||||
|
free_pool:
|
||||||
|
efi_free_pool(event_log.buffer);
|
||||||
|
event_log.buffer = NULL;
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1107,8 +1115,7 @@ efi_status_t efi_tcg2_register(void)
|
||||||
ret = platform_get_tpm2_device(&dev);
|
ret = platform_get_tpm2_device(&dev);
|
||||||
if (ret != EFI_SUCCESS) {
|
if (ret != EFI_SUCCESS) {
|
||||||
log_warning("Unable to find TPMv2 device\n");
|
log_warning("Unable to find TPMv2 device\n");
|
||||||
ret = EFI_SUCCESS;
|
return EFI_SUCCESS;
|
||||||
goto out;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = efi_init_event_log();
|
ret = efi_init_event_log();
|
||||||
|
@ -1116,19 +1123,29 @@ efi_status_t efi_tcg2_register(void)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
ret = efi_append_scrtm_version(dev);
|
ret = efi_append_scrtm_version(dev);
|
||||||
if (ret != EFI_SUCCESS)
|
if (ret != EFI_SUCCESS) {
|
||||||
goto out;
|
tcg2_uninit();
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
|
ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
|
||||||
(void *)&efi_tcg2_protocol);
|
(void *)&efi_tcg2_protocol);
|
||||||
if (ret != EFI_SUCCESS) {
|
if (ret != EFI_SUCCESS) {
|
||||||
log_err("Cannot install EFI_TCG2_PROTOCOL\n");
|
tcg2_uninit();
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
return ret;
|
||||||
|
|
||||||
out:
|
|
||||||
return ret;
|
|
||||||
fail:
|
fail:
|
||||||
tcg2_uninit();
|
log_err("Cannot install EFI_TCG2_PROTOCOL\n");
|
||||||
return ret;
|
/*
|
||||||
|
* Return EFI_SUCCESS and don't stop the EFI subsystem.
|
||||||
|
* That's done for 2 reasons
|
||||||
|
* - If the protocol is not installed the PCRs won't be extended. So
|
||||||
|
* someone later in the boot flow will notice that and take the
|
||||||
|
* necessary actions.
|
||||||
|
* - The TPM sandbox is limited and we won't be able to run any efi
|
||||||
|
* related tests with TCG2 enabled
|
||||||
|
*/
|
||||||
|
return EFI_SUCCESS;
|
||||||
}
|
}
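Review bot: At the `fail:` label in efi_tcg2_register the status in `ret` is discarded and one message is printed for three different failures (event log setup, the S-CRTM version event, protocol installation), so a boot that proceeds without measurements leaves no record of why. Because the function now deliberately returns EFI_SUCCESS, that log line is the only trace, and it should carry the status, e.g. `log_err("Cannot install EFI_TCG2_PROTOCOL: %lu\n", ret & ~EFI_ERROR_MASK);`. It would also be worth making the fail-open behaviour a build-time choice, so that platforms which depend on measured boot can stop instead of continuing with unextended PCRs. The function starts outside the hunk.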
|
||||||
|
|