Adjust the SetTime() and GetTime() runtime services to correctly convert
the daylight saving time information when communicating with the RTC.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
U-Boot Driver Model is supposed to remove devices with either
DM_REMOVE_ACTIVE_DMA or DM_REMOVE_OS_PREPARE flags set, before exiting.
Our bootm command does that by explicitly calling calling
"dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL);" and we also disable any
USB devices.
The EFI equivalent is doing none of those at the moment. As a result
probing an fTPM driver now renders it unusable in Linux. During our
(*probe) callback we open a session with OP-TEE, which is supposed to
close with our (*remove) callback. Since the (*remove) is never called,
once we boot into Linux and try to probe the device again we are getting
a busy error response. Moreover all uclass (*preremove) functions won't
run.
So let's fix this by mimicking what bootm does and disconnect devices
when efi_exit_boot_services() is called.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Order header files according to https://www.denx.de/wiki/U-Boot/CodingStyle
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The sandbox is built with the SDL2 library with invokes the X11 library
which in turn calls getc(). But getc() in glibc is defined as
int getc(FILE *)
This does not match our definition.
int getc(void)
The sandbox crashes when called with parameter -l.
Rename our library symbol getc() to getchar().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
With DM enabled the ethernet code will receive a packet, call
the push method that's set by the EFI network implementation
and then free the packet. Unfortunately the push methods only
sets a flag that the packet needs to be handled, but the code
that provides the packet to an EFI application runs after the
packet has already been freed.
To rectify this issue, adjust the push method to accept the packet
and store it in a temporary buffer. The EFI application then gets
the data copied from that buffer. This way the packet is cached
until is is needed.
The DM Ethernet stack tries to receive 32 packets at once, thus
we better allocate as many buffers as the stack.
Signed-off-by: Patrick Wildt <patrick@blueri.se>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
CONFIG_EFI_GRUB_ARM32 is only needed for architectures with caches that are
not managed via CP15 (or for some outdated buggy versions of GRUB). It
makes more sense to disable the setting per architecture than per defconfig.
Move QEMU's CONFIG_EFI_GRUB_ARM32_WORKAROUND=n from defconfig to Kconfig.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
strsep() changes the address that its first argument points to.
We cannot use the changed address as argument of free().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
U-Boot offers a EFI_LOAD_FILE2_PROTOCOL which the Linux EFI stub can use to
load an initial RAM disk. Update the function comments of the
implementation.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Having an EFI_RNG_PROTOCOL without a backing RNG device leads to failure
to boot Linux 5.8.
Only install the EFI_RNG_PROTOCOL if we have a RNG device.
Reported-by: Scott K Logan <logans@cottsay.net>
Cc: Neil Armstrong <narmstrong@baylibre.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Refine text for overlap_only_ram description to
match to what exactly flag does and aling description
with other functions.
Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
On RISC-V the global data pointer is stored in register gp. When a UEFI
binary calls the EFI API we have to restore it.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_var_mem_notify_exit_boot_services() is invoked when ExitBootServices()
is called by the UEFI payload.
efi_var_mem_notify_exit_boot_services() should not be defined as
__efi_runtime as it is invoking EFI_ENTRY() and EFI_EXIT() which themselves
are not __efi_runtime.
Fixes: f1f990a8c9 ("efi_loader: memory buffer for variables")
Fixes: e01aed47d6 ("efi_loader: Enable run-time variable support for tee based variables")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Currently if the bootefi command fails due to missing authentication, the
user gets no feedback.
Write a log message 'Image not authenticated' if LoadImage() fails due to
missing authentication.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Bootxxxx variables are provided by the user and therefore cannot be
trusted. We have to validate them before usage.
A device path provided by a Bootxxxx variable must have an end node within
the indicated device path length.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We need to check that device paths provided via UEFI variables are not
malformed.
Provide function efi_dp_check_length() to check if a device path has an
end node within a given number of bytes.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If ResetSystem() is not implemented at runtime, it should return instead
of hanging in an endless loop. This allows the operating system to reset
the system by other means as Linux does. It also matches what EDK II
suggests in comments for functions ResetShutdown() and ResetWarm() in
OvmfPkg/Library/ResetSystemLib/ResetSystemLib.c.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Under the current implementation, all the signatures, if any, in
a signed image must be verified before loading it.
Meanwhile, UEFI specification v2.8b section 32.5.3.3 says,
Multiple signatures are allowed to exist in the binary’s certificate
table (as per PE/COFF Section “Attribute Certificate Table”). Only
one hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx.
This patch makes the semantics of signature verification compliant with
the specification mentioned above.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Under the new file-based variable implementation, the secure state
is always and falsely set to 0 (hence, the secure boot gets disabled)
after the reboot even if PK (and other signature database) has already
been enrolled in the previous boot.
This is because the secure state is set up *before* loading non-volatile
variables' values from saved data.
This patch fixes the order of variable initialization and secure state
initialization.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Fixes: 5f7dcf079d ("efi_loader: UEFI variable persistence")
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.
What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.
pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This is a bug fix; Setting an authenticated variable may fail due to
a memory corruption in the authentication.
A temporary buffer will, if needed, be allocated to parse a variable's
authentication data, and some portion of buffer, specifically signer's
certificates, will be referenced by efi_signature_verify().
So the buffer should be kept valid until the authentication process
is finished.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Up to now we used the value of the bootargs environment variable as load
options in the boot manager. This is not correct. The data has to be taken
from the Boot#### variable.
Let the boot manager copy the optional data of the EFI_LOAD_OPTION as load
options to the loaded image protocol.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The bootefi bootmgr command has to set the load options for a loaded image
from the value of BootXXXX variable. If the boot manager is not used, the
value is set from the environment variable bootargs (or efi_selftest).
Factor out a common function efi_set_load_options().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Some amount of code was moved/derived from efi_variable.c regarding
UEFI secure boot, in particluar in the commit 012c56ac76 ("efi_loader:
restructure code for TEE variables").
So add the orignal author's copyright notice.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The Kconfig symbol CONFIG_STACK_SIZE is used both by ARM and Microblaze
with the same meaning. Move it to menu 'General setup' so that we can use
it for all architectures.
Use the value of CONFIG_STACK_SIZE instead of a hard coded 16 MiB value for
reserving memory in the UEFI sub-system.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We recently added functions for storing/restoring variables
from a file to a memory backed buffer marked as __efi_runtime_data
commit f1f990a8c9 ("efi_loader: memory buffer for variables")
commit 5f7dcf079d ("efi_loader: UEFI variable persistence")
Using the same idea we now can support GetVariable() and GetNextVariable()
on the OP-TEE based variables as well.
So let's re-arrange the code a bit and move the commmon code for
accessing variables out of efi_variable.c. Create common functions for
reading variables from memory that both implementations can use on
run-time. Then just use those functions in the run-time variants of the
OP-TEE based EFI variable implementation and initialize the memory
buffer on ExitBootServices()
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The current code does not trim the output buffer correctly.
In fact it doesn't trim the buffer at all, since it calculates a wrong
value for it, which isn't even applied.
So let's remove the unused temporary size variable and trim the buffer
correctly.
Since we are editing efi_get_next_variable_name_int(), fix an indentation
error along the way.
Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Remove superfluous conversion to (u8 *) for memcpy argument.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Use logging instead of printf() for messages occurring when scanning block
devices during the initialization of the UEFI sub-system.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When reading a directory, EFI_BUFFER_TOO_SMALL should be returned when
the supplied buffer is too small, so a use-case is to call
efi_file_read with *buffer_size=0 and buffer=NULL to obtain the needed
size before doing the actual read.
So move the buffer!=NULL check to after the buffer size has been checked.
This fix allows the Redhat shim fallback to run and e.g. Fedora 32 now
boots out of the box.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Currently we only check for the return value of tee_invoke_func().
Although OP-TEE and StMM will correctly set param[1].u.value.a and we'll
eventually return an error, the correct thing to do is check for the
OP_TEE return code as well.
So let's check for that and move tee_shm_free() and tee_close_session()
before exiting with an error to make sure we always clear the registered
memory.
Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Use EFI_DEVICE_ERROR for TEE communication problems.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Instead of adding the definition for the specific MM SVC used in
StandAloneMM we added the one used in the standard SMC calls.
So change the value from -4 to -5 to match the correct one defined in
EDK2 and rename them to avoid future confusion
Fixes 23a397d2e2: ("efi_loader: Add headers for EDK2 StandAloneMM communication")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_var_mem_del() is in __efi_runtime because it would be needed for a
runtime implementation of SetVariable(). memmove() is not in __efi_runtime.
So we should not use it in efi_var_mem_del().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Variable efi_current_var is a pointer to a physical memory address that
becomes invalid after SetVirtualAddressMap(). Instead of converting it via
ConvertPointer() simply set it to NULL.
Fixes: b02a707152 ("efi_loader: enable UEFI variables at runtime")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Include a file with the initial values for non-volatile UEFI variables
into the U-Boot binary. If this variable is set, changes to variable PK
will not be allowed.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
To determine if a varible is on the of the authentication variables
PK, KEK, db, dbx we have to check both the name and the GUID.
Provide a function converting the variable-name/guid pair to an enum and
use it consistently.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The file based and the OP-TEE based UEFI variable store are mutually
exclusive. Define them as choice options in Kconfig.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Update the UEFI secure state when variable 'PK' is updated in the TEE
variables implementation.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
When using secure boot functions needed both for file and TEE based UEFI
variables have to be moved to the common code module efi_var_common.c.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
A previous commit adds support for displaying variables RO flag.
Let's add it on the TEE backed variable storage as well.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Saving UEFI variable as encoded U-Boot environment variables does not allow
implement run-time support.
Use a memory buffer for storing UEFI variables.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Saving UEFI variable as encoded U-Boot environment variables does not allow
support at runtime.
Provide functions to manage a memory buffer with UEFI variables.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If the EFI_OPTIONAL_PTR is set in DebugDisposition, a NULL pointer does not
constitute an invalid parameter.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We need ConvertPointer() to adjust pointers when implementing runtime
services within U-Boot.
After ExitBootServices() gd is not available anymore. So we should not use
EFI_ENTRY() and EFI_EXIT().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Persist non-volatile UEFI variables in a file on the EFI system partition.
The file is written whenever a non-volatile UEFI variable is changed after
initialization of the UEFI sub-system.
The file is read during the UEFI sub-system initialization to restore
non-volatile UEFI variables.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In audit mode the UEFI variable SecureBoot is set to zero but the
efi_secure_boot flag is set to true.
The efi_secure_boot flag should match the UEFIvariable SecureBoot.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Set the read only property of the UEFI variables AuditMode and DeployedMode
conforming to the UEFI specification.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
According to the UEFI specification the variable VendorKeys is 1 if the
"system is configured to use only vendor-provided keys".
As we do not supply any vendor keys yet the variable VendorKeys must be
zero.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Do not change the value of parameter attributes in function
efi_set_variable_int(). This allows to use it later.
Do not use variable attr for different purposes but declare separate
variables (attr and old_attr).
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Simplify the implementation of the UEFI boot manager:
* avoid EFI_CALL for SetVariable() and GetVariable()
* remove unnecessary type conversions
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
UEFI variables OsIndicationsSupported, PlatformLangCodes should be read
only.
Avoid EFI_CALL() for SetVariable().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Separate the remaining UEFI variable API functions GetNextVariableName and
QueryVariableInfo() from internal functions implementing them.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We currently have two implementations of UEFI variables:
* variables provided via an OP-TEE module
* variables stored in the U-Boot environment
Read only variables are up to now only implemented in the U-Boot
environment implementation.
Provide a common interface for both implementations that allows handling
read-only variables.
As variable access is limited to very few source files put variable
related definitions into new include efi_variable.h instead of efi_loader.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Commit 1b6c08548c ("efi_loader: image_loader: replace debug to
EFI_PRINT") leads to a build warning on 32bit systems:
lib/efi_loader/efi_image_loader.c: In function ‘efi_image_parse’:
include/efi_loader.h:123:8: warning: format ‘%lu’ expects argument
of type ‘long unsigned int’, but argument 8 has
type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
Use %zu for printing size_t.
Fixes: 1b6c08548c ("efi_loader: image_loader: replace debug to
EFI_PRINT")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
There's 2 variables in efi_get_next_variable_name() checking the size of
the variable name. Let's get rid of the reduntant definition and
simplitfy the code a bit.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In case that a type of certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of image to be loaded.
If the value matches to a value calculated from a given binary image, it is
granted for loading.
With this patch, common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
extra step for digest check will be added to efi_image_authenticate().
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
A signed image may have multiple signatures in
- each WIN_CERTIFICATE in authenticode, and/or
- each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE)
In the initial implementation of efi_image_authenticate(), the criteria
of verification check for multiple signatures case is a bit ambiguous
and it may cause inconsistent result.
With this patch, we will make sure that verification check in
efi_image_authenticate() should pass against all the signatures.
The only exception would be
- the case where a digest algorithm used in signature is not supported by
U-Boot, or
- the case where parsing some portion of authenticode has failed
In those cases, we don't know how the signature be handled and should
just ignore them.
Please note that, due to this change, efi_signature_verify_with_sigdb()'s
function prototype will be modified, taking "dbx" as well as "db"
instead of outputing a "certificate." If "dbx" is null, the behavior would
be the exact same as before.
The function's name will be changed to efi_signature_verify() once
current efi_signature_verify() has gone due to further improvement
in intermediate certificates support.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
There are a couple of occurrences of hash calculations in which a new
efi_hash_regions will be commonly used.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Since the size check against an entry in efi_search_siglist() is
incorrect, this function will never find out a to-be-matched certificate
and its associated revocation time in the signature list.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Since the certificate table, which is indexed by
IMAGE_DIRECTORY_ENTRY_SECURITY and contains authenticode in PE image,
doesn't always exist, we should make sure that we will retrieve its pointer
only if it exists.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
UEFI specification requires that we shall support three type of
certificates of authenticode in PE image:
WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID
WIN_CERT_TYPE_PKCS_SIGNED_DATA
WIN_CERT_TYPE_EFI_PKCS1_15
As EDK2 does, we will support the first two that are pkcs7 SignedData.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Export the UEFI sub-system initialization state. This will allow to treat
the setting of UEFI variables during and after initialization differently.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When booting via the boot manager use log function for user messages
instead of printf() and debug().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When overwriting an existing time base authenticated variable we should
compare to the preceding time value and not to the start of the epoch.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The UEFI specification requires that when UEFI variables are set using time
based authentication we have to check that unused fields of the timestamp
are zero
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Just for style consistency, replace all the uses of debug() to
EFI_PRINT() in efi_image_loader.c.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Just for style consistency, replace all the uses of debug() to
EFI_PRINT in efi_variable.c.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Just for style consistency, replace all the uses of debug to
EFI_PRINT in efi_signature.c
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The simplest solution to revert the commit b32ac16f9a ("test/py: fix
test_efi_secboot/conftest.py") is to move efi_console_register()
forward before efi_disk_register().
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_get_variable_common() does not use EFI_ENTRY(). So we should not use
EFI_EXIT() either.
Fixes: 767f6eeb01 ("efi_loader: variable: support variable authentication")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The variables SetupMode, AuditMode, DeployedMode are explicitly defined as
UINT8 in the UEFI specification. The type of SecureBoot is UINT8 in EDK2.
Use variable name secure_boot instead of sec_boot for the value of the
UEFI variable SecureBoot.
Avoid abbreviations in function descriptions.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Variable efi_secure_mode is meant to hold a value of enum efi_secure_mode.
So it should not be defined as int but as enum efi_secure_mode.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
For size_t we have to use %zu for printing not %lu.
Fixes: 4540dabdca ("efi_loader: image_loader: support image
authentication")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The global variable, efi_guid_cert_type_pkcs7, will also be used in
efi_image_loader.c in a succeeding patch so as to correctly handle
a signature type of authenticode in signed image.
Meanwhile, it is currently defined in efi_variable.c. Once some secure
storage solution for UEFI variables is introduced, efi_variable.c may
not always be compiled in.
So move the definition to efi_signature.c as a common place.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Knowing that at least one section header follows the optional header we
only need to check for the length of the 64bit header which is longer than
the 32bit header.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We want to follow the Linux kernel style for function descriptions.
Add missing parentheses after function names.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
On ARM systems gd is stored in register r9 or x18. When compiling with
clang gd is defined as a macro calling function gd_ptr(). So we can not
make assignments to gd.
In the UEFI sub-system we need to save gd when leaving to UEFI binaries and
have to restore gd when reentering U-Boot.
Define a new function set_gd() for setting gd and use it in the UEFI
sub-system.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Tom Rini <trini@konsulko.com>
For passing the optional data of the load option to the loaded imaged
protocol we need its size.
efi_deserialize_load_option() is changed to return the size of the optional
data.
As a by-product we get a partial validation of the load option.
Checking the length of the device path remains to be implemented.
Some Coverity defects identified the load options as user input because
get_unaligned_le32() and get_unaligned_le16() is called. But non of these
Coverity defects can be resolved without marking functions with Coverity
specific tags.
Reported-by: Coverity (CID 303760)
Reported-by: Coverity (CID 303768)
Reported-by: Coverity (CID 303776)
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Prior to corrective patches for virtio and SATA devices the same device
path was installed on two different handles. This is not allowable.
With this patch we will throw an error if this condition occurs for
block devices.
Update a comment for the installation of the simple file system
protocol.
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Provide device path nodes for SATA devices.
This avoids creation of two handles with the same device path indicating
our root node.
This is what the device paths for a SATA drive with four partitions could
like:
/VenHw(..)/Sata(0x0,0xffff,0x0)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(1,MBR,0x81ea591f,0x800,0x63ff830)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(2,MBR,0x81ea591f,0x6400800,0x9ff830)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(3,MBR,0x81ea591f,0x6e00800,0x16ef2ab0)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(4,MBR,0x81ea591f,0x1dcf3800,0x1dcedab0)
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The UEFI specification does not define a device sub-type for virtio.
Let's use a vendor hardware node here.
This avoids creation of two handles with the same device path indicating
our root node.
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
With commit 16ad946f41 ("efi_loader: change setup sequence") the
detection of block device was moved to the start of the initialization
sequence. In the case of virtio devices two handles with the same device
path being created.
The root node handle should be created before anything else.
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Fixes: 16ad946f41 ("efi_loader: change setup sequence")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Remove unnecessary debug() from efi_set_variable_common().
native_name is NULL, so there is no meaning to print it.
Signed-off-by: Pragnesh Patel <pragnesh.patel@sifive.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We should not use typedefs in U-Boot. They cannot be used as forward
declarations which means that header files must include the full header to
access them.
Drop the typedef and rename the struct to remove the _s suffix which is
now not useful.
This requires quite a few header-file additions.
Signed-off-by: Simon Glass <sjg@chromium.org>
We should not be using typedefs and these make it harder to use
forward declarations (to reduce header file inclusions). Drop the typedef.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move this header out of the common header. Network support is used in
quite a few places but it still does not warrant blanket inclusion.
Note that this net.h header itself has quite a lot in it. It could be
split into the driver-mode support, functions, structures, checksumming,
etc.
Signed-off-by: Simon Glass <sjg@chromium.org>
In OP-TEE we can run EDK2's StandAloneMM on a secure partition.
StandAloneMM is responsible for the UEFI variable support. In
combination with OP-TEE and it's U-Boot supplicant, variables are
authenticated/validated in secure world and stored on an RPMB partition.
So let's add a new config option in U-Boot implementing the necessary
calls to OP-TEE for the variable management.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Virtually all callers of this function do the rounding on their own.
Some do it right, some don't. Instead of doing this in each caller,
do the rounding in efi_add_memory_map(). Change the size parameter
to bytes instead of pages and remove aligning and size calculation in
all callers.
There is no more need to make the original efi_add_memory_map() (which
takes pages as size) available outside the module. Thus rename it to
efi_add_memory_map_pg() and make it static to prevent further misuse
outside the module.
Signed-off-by: Michael Walle <michael@walle.cc>
Add missing comma in sunxi_display.c.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The only error case is that a given UUID is in wrong format.
So just return EFI_INVALID_PARAMETER here.
Reported-by: Coverity (CID 300333)
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Coverity detected:
Using "&opt->CheckSum" as an array. This might corrupt or misinterpret
adjacent memory locations.
The code should work as far as a structure, IMAGE_OPTIONAL_HEADER(64) is
packed, but modify it in more logical form. Subsystem is a member next to
CheckSum.
Reported-by: Coverity (CID 300339)
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Since pkcs7_parse_message() returns an error pointer, we must not
check for NULL. We have to explicitly set msg to NULL in the error
case, otherwise the call to pkcs7_free_message() on the goto err
path will assume it's a valid object.
Signed-off-by: Patrick Wildt <patrick@blueri.se>
Add missing include linux/err.h
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_variable_parse_signature() returns NULL on error, so IS_ERR()
is an incorrect check. The goto err leads to pkcs7_free_message(),
which works fine on a NULL ptr.
Signed-off-by: Patrick Wildt <patrick@blueri.se>
Reviewed-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
There is no need to call efi_get_variable() instead of
efi_get_variable_common(). So let's use the internal function.
Move forward declarations to the top of the file.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add a couple of missing targets so that helloworld and other efi targets
are not needlessly rebuilt.
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If we want to restore variables from disk, we need to initialize block
devices before variables.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Eliminate superfluous functions efi_set_volatile_variable() and
efi_set_nonvolatile_variable().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Eliminate superfluous functions efi_get_volatile_variable() and
efi_get_nonvolatile_variable().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This function will check if a given handle to device is an EFI system
partition. It will be utilised in implementing capsule-on-disk feature.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Add function description. Return bool.
Reviewed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_set_secure_stat() provides the common code for each stat transition
caused by efi_transfer_secure_state().
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Correct description of return value.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
"if (left < esl->signature_size)" is not reachable in a while loop.
But it is still valuable in case that a given signature database is
somehow corrupted. So fix the while loop condition.
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Pkcs7_parse.h and x509_parser.h are used in UEFI subsystem, in particular,
secure boot. So move them to include/crypto to avoid relative paths.
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Don't include include x509_parser.h twice.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In subsequent patches UEFI variables shalled be stored on the EFI system
partition. Hence we need to identify the EFI system partition.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This pull request
* provides an implementation of UEFI secure booting
* fixes a problem with the rsa_mod_exp driver which stops some boards
from booting when CONFIG_RSA is enabled which is needed for UEFI
secure booting
* enables the EFI_RNG_PROTOCOL if DM_RNG is enabled
* fixes some function comments
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAl6YjlcACgkQxIHbvCwF
GsQ6Jg/+KVRQF0Dn2jiag8Me9ZhafZx4xGTI3LEzFD7V9kG3dmUzbO3m8a5dEevW
bcPNA6EmcKAjyP09AZY4C8ns4sU7wzPu/GQvApD4S5+vcuNbEqRHfW6zzReNXq09
t89DrFH+XLhGnh4uSh0hmfjrlIPVi86hs/f57vKRayrBu8W2yGPci3SNTO5Y0AY1
to7sxP3hGlDCUhqIABWp5ylpWWUSG1MsVNcMOnHpj+jl0iWWYP46EQrGr95egQor
gcGgUOLdOLLOHPYUIOBmo9INnS2MbvE9Mfgh5Bw7JW8DIu/Xp7r1qePQyMLsngc1
pO5yzwMq6EQy6OjuYnXdIBXtHOlZ8rnE9pbTgyUR8T/2CdL2hqr9ddpqa4ryDABX
iaQF8FG+KhY0XQ5EIJV7pEkvf9TMwGguJNlOkmJPeub2n9i0k1tPk0Rwq5ZWWBIn
rHcgZXwl0On3O3f0HvfL0Oas5u9KE1HhA12h/EVmu2Muy36x2WxAAzDnsH19HzqU
QnWBAo8VMyp3qTIZjb3y+qrxcU/joPGt9+hxmur03hzmKOJ9JNOv6vExb+yUIyXQ
4ML6jvTvSVZbvkP++0zMKOjT8ks3xv5q84oFD5Gp4cG8ZpHpA9dj3mXM92Waepo4
pAkko5IGQ4SqaGIBltEQzrG+cCiHHezdD/raCwAo6DgYSmfZUvc=
=+ZDZ
-----END PGP SIGNATURE-----
Merge tag 'efi-2020-07-rc1' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi
Pull request for UEFI sub-system for efi-2020-07-rc1
This pull request
* provides an implementation of UEFI secure booting
* fixes a problem with the rsa_mod_exp driver which stops some boards
from booting when CONFIG_RSA is enabled which is needed for UEFI
secure booting
* enables the EFI_RNG_PROTOCOL if DM_RNG is enabled
* fixes some function comments
This file is potentially useful to other architectures saddled with ACPI
so move most of its contents to a common location.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
The following variable is exported as UEFI specification defines:
SignatureSupport: array of GUIDs representing the type of signatures
supported by the platform firmware
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
Currently we support
* authentication based on db and dbx,
so dbx-validated image will always be rejected.
* following signature types:
EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.
Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate() before loading a given image.
It seems that UEFI specification defines the verification process
in a bit ambiguous way. I tried to implement it as closely to as
EDK2 does.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
The following variable is exported as UEFI specification defines:
VendorKeys: whether the system is configured to use only vendor-provided
keys or not
The value will have to be modified if a platform has its own way of
initializing signature database, in particular, PK.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
UEFI specification defines several global variables which are related to
the current secure boot state. In this commit, those values will be
maintained according to operations. Currently, AuditMode and DeployedMode
are defined but not implemented.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
is supported for authenticated variables and the system secure state
will transfer between setup mode and user mode as UEFI specification
section 32.3 describes.
Internally, authentication data is stored as part of authenticated
variable's value. It is nothing but a pkcs7 message (but we need some
wrapper, see efi_variable_parse_signature()) and will be validated by
efi_variable_authenticate(), hence efi_signature_verify_with_db().
Associated time value will be encoded in "{...,time=...}" along with
other UEFI variable's attributes.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_signature_parse_sigdb() is a helper function will be used to parse
signature database variable and instantiate a signature store structure
in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
In this commit, implemented are a couple of helper functions which will be
used to materialize variable authentication as well as image authentication
in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Correct function descriptions in efi_watchdog.c.
Add the descriptions to the generated HTML documentation.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Correct function descriptions in efi_unicode_collation.c
Add the Unicode collation protocol to the generated HTML documentation.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Enable EFI_RNG_PROTOCOL by default if DM_RNG is set.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Acked-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Remove superfluous 'if DM_RNG'
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
'vendor' is both an input and an output parameter. So it cannot be
constant.
Fixes: 0bda81bfdc ("efi_loader: use const efi_guid_t * for variable services")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
For EFI binaries we have to provide an implementation of memmove() in
efi_freestanding.c.
Before this patch the memmove() function was copying in the wrong
direction.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The runtime service GetNextVariable() returns the length of the next
variable including the closing 0x0000. This length should be in bytes.
Comparing the output of EDK2 and U-Boot shows that this is currently not
correctly implemented:
EDK2:
OsIndicationsSupported: 46
PlatformLang: 26
PlatformLangCodes: 36
U-Boot:
OsIndicationsSupported: 23
PlatformLang: 13
PlatformLangCodes: 18
Provide correct length in GetNextVariable().
Fixes: d99a87f84b ("efi_loader: implement GetNextVariableName()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This is a preparatory patch.
Those functions will be used in an implementation of UEFI firmware
management protocol as part of my capsule update patch.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Currently, if GetMemoryMap API returns EFI_BUFFER_TOO_SMALL, it doesn't
set valid values to other parameters, descriptor_size and
descriptor_version, except memory_map_size.
Some efi applications, however, may use those value; in particular,
xen uses descriptor_size to calculate a size of buffer to be allocated.
While UEFI specification is ambiguous in this point, it would be better
to address this issue proactively to maximize the compatibility with
existing efi applications.
With this patch, for example, xen.efi (and hence linux kernel) can be
started via bootefi without modification.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Following kernel's proposal for an arch-agnostic initrd loading
mechanism [1] let's implement the U-boot counterpart.
This new approach has a number of advantages compared to what we did up
to now. The file is loaded into memory only when requested limiting the
area of TOCTOU attacks. Users will be allowed to place the initramfs
file on any u-boot accessible partition instead of just the ESP one.
Finally this is an attempt of a generic interface across architectures
in the linux kernel so it makes sense to support that.
The file location is intentionally only supported as a config option
argument(CONFIG_EFI_INITRD_FILESPEC), in an effort to enhance security.
Although U-boot is not responsible for verifying the integrity of the
initramfs, we can enhance the offered security by only accepting a
built-in option, which will be naturally verified by UEFI Secure Boot.
This can easily change in the future if needed and configure that via ENV
or UEFI variable.
[1] https://lore.kernel.org/linux-efi/20200207202637.GA3464906@rani.riverdale.lan/T/#m4a25eb33112fab7a22faa0fd65d4d663209af32f
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
UEFI spec 2.8 errata A replaces the RuntimeServicesSupported variable
defined in UEFI spec 2.8 by the configuration table
EFI_RT_PROPERTIES_TABLE. So let's follow suit.
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.
Move the compatibility features into a separate header file.
Signed-off-by: Simon Glass <sjg@chromium.org>
UEFI programs like GRUB make change terminal colors which requires support
for ANSI escape sequences.
Let CONFIG_EFI_LOADER=y imply CONFIG_VIDEO_ANSI.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
