Commit graph

2483 commits

Author SHA1 Message Date
Ilias Apalodimas
6e0184b86f efi_loader: Always install FMPs
We only install FMPs if a CapsuleUpdate is requested.  Since we now have an
ESRT table which relies on FMPs to build the required information, it
makes more sense to unconditionally install them. This will allow userspace
applications (e.g fwupd) to make use of the ERST and provide us with files
we can use to run CapsuleUpdate on-disk

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-07-02 09:37:01 +02:00
Ilias Apalodimas
b891ff18f8 efi_loader: Force a single FMP instance per hardware store
Chapter 23 of the EFI spec (rev 2.9) says:
"A specific updatable hardware firmware store must be represented by
exactly one FMP instance".
This is not the case for us, since both of our FMP protocols can be
installed at the same time because they are controlled by a single
'dfu_alt_info' env variable.
So make the config options depend on each other and allow the user to
install one of them at any given time.  If we fix the meta-data provided
by the 'dfu_alt_info' in the future,  to hint about the capsule type
(fit or raw) we can revise this and enable both FMPs to be installed, as
long as they target different firmware hardware stores

Note that we are not using a Kconfig 'choice' on purpose, since we
want to allow both of those to be installed and tested in sandbox

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-07-02 09:37:01 +02:00
Masami Hiramatsu
3ef772230d efi: Fix to use null handle to create new handle for efi_fmp_raw
When running the efidebug capsule disk-update command, the efi_fmp_raw
protocol installation fails with 2 (EFI_INVALID_PARAMETER) as below.
This is because the code passes efi_root instead of the handle local var.

=> efidebug capsule disk-update
EFI: Call: efi_install_multiple_protocol_interfaces( &handle, &efi_guid_firmware_management_protocol, &efi_fmp_fit, NULL)
  EFI: Entry efi_install_multiple_protocol_interfaces(00000000fbaf5988)
    EFI: Call: efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
      EFI: Entry efi_install_protocol_interface(00000000fbaf5988, 86c77a67-0b97-4633-a187-49104d0685c7, 0, 00000000fbfa6ee8)
        EFI: new handle 00000000fbb37520
      EFI: Exit: efi_install_protocol_interface: 0
    EFI: 0 returned by efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
  EFI: Exit: efi_install_multiple_protocol_interfaces: 0
EFI: 0 returned by efi_install_multiple_protocol_interfaces( &handle, &efi_guid_firmware_management_protocol, &efi_fmp_fit, NULL)
EFI: Call: efi_install_multiple_protocol_interfaces( &efi_root, &efi_guid_firmware_management_protocol, &efi_fmp_raw, NULL)
  EFI: Entry efi_install_multiple_protocol_interfaces(00000000fbfec648)
    EFI: Call: efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
      EFI: Entry efi_install_protocol_interface(00000000fbfec648, 86c77a67-0b97-4633-a187-49104d0685c7, 0, 00000000fbfa6f18)
        EFI: handle 00000000fbaf8520
      EFI: Exit: efi_install_protocol_interface: 2
    EFI: 2 returned by efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
  EFI: Exit: efi_install_multiple_protocol_interfaces: 2
EFI: 2 returned by efi_install_multiple_protocol_interfaces( &efi_root, &efi_guid_firmware_management_protocol, &efi_fmp_raw, NULL)
Command failed, result=1

To fix this issue, pass the handle local var which is set NULL right
before installing efi_fmp_raw as same as the installing efi_fmp_fit.
(In both cases, the local reference to the handle will be just discarded)

Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-07-02 09:37:01 +02:00
Tom Rini
605cbcb0a4 Pull request for efi-2021-07-rc5-2
Documentation:
 
 * man-page for askenv
 
 bug fixes
 
 * correct display of BootOrder in efidebug command
 * do not allow TPL_HIGH_LEVEL for CreateEvent(Ex)
 * correct handling of unknown properties in SMBIOS tables
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmDaDcEACgkQxIHbvCwF
 GsTjZQ//elKP0sKZYEMePzOZKZfzD0MnjnzTwsWALqA9h8kv1sAvQLtf5ZDXWIci
 bo4PNhgRD+FHQuprdoLUrQ2+fSNKTUZugmz8lW1Yudiyh+W4oyjYfINRx+gLTH8L
 h5W8w5QkV0R+3Ti8U42YYj+SqsUs0htGW5b2k55kZhH0uUFB63GG2ic0KkHr9cHl
 QQ3Y3tnW+PMxNaer5Q6q3DQjnPTnTO6vfwD9VAoesTd4aunlaPEvK7xAObJzxjpQ
 ySrj0+Yw4S+y0+02eZRnHXgAIZgI73aN2LiiSuT+FrgGN6JPmVlT6ey3LqLCxPDP
 VcEF8S25ULoIu7G7ZgIzzVgbvDjWU9WZNduPU3onVfqT2RaSsRPZoVdyGty+EKRi
 At40vUsAjC3TkttuhDZhfOOoM3ot9vEeeTIQ5Po7bnwwJyMT+PfUTi7PJT/vkfqy
 iN3KHCi0vuzxS/TbpV9ivrFnMdBP6g6v602VgeMeUTEvHFO9xAA3rHYqFQT7qNxH
 4IrRAma6t0R//oeQ5DKD3iqFdkoireHkobEJh0o3hRK7nDAenZiRmvec+o/iogKV
 YO+lZMboz5igAITBlJI5QoifGDs9B1DwoKxUe9dW61jA1CE7qqGg9Qvo251DZ8Ce
 6f8RLkglAkJUbgotyq/YGRRfad28KISEMewj8ATxbQWRCK2vSNQ=
 =ZMB2
 -----END PGP SIGNATURE-----

Merge tag 'efi-2021-07-rc5-2' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request for efi-2021-07-rc5-2

Documentation:

* man-page for askenv

bug fixes

* correct display of BootOrder in efidebug command
* do not allow TPL_HIGH_LEVEL for CreateEvent(Ex)
* correct handling of unknown properties in SMBIOS tables
2021-06-29 11:25:39 -04:00
Kunihiko Hayashi
534f0fbd65 arm64: Fix relocation of env_addr if POSITION_INDEPENDENT=y
If both POSITION_INDEPENDENT and SYS_RELOC_GD_ENV_ADDR are enabled,
wherever original env is placed anywhere, it should be relocated to
the right address.

Relocation offset gd->reloc_off is calculated with SYS_TEXT_BASE in
setup_reloc() and env address gd->env_addr is relocated by the offset in
initr_reloc_global_data().

gd->env_addr
  = (orig env) + gd->reloc_off
  = (orig env) + (gd->relocaddr - SYS_TEXT_BASE)

However, SYS_TEXT_BASE isn't always runtime base address when
POSITION_INDEPENDENT is enabled. So the relocated env_addr might point to
wrong address. For example, if SYS_TEXT_BASE is zero, gd->env_addr is
out of memory location and memory exception will occur.

There is a difference between linked address such as SYS_TEXT_BASE and
runtime base address. In _main, the difference is calculated as
"run-vs-link" offset. The env_addr should also be added to the offset
to fix the address.

gd->env_addr
  = (orig env) + ("run-vs-link" offset)   + gd->reloc_off
  = (orig env) + (SYS_TEXT_BASE - _start) + (gd->relocaddr - SYS_TEXT_BASE)
  = (orig env) + (gd->relocaddr - _start)

Cc: Marek Vasut <marex@denx.de>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Acked-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>
2021-06-28 14:47:10 -04:00
Ilias Apalodimas
70e80666f2 smbios: Fix SMBIOS tables
Commit e4f8e543f1a9("smbios: Drop the unused Kconfig options")
break SMBIOS tables.  The reason is that the patch drops the Kconfig
options *after* removing the code using them,  but that changes the semantics
of the code completely.  Prior to the change a non NULL value was used in
the 'product' and 'manufacturer ' fields.

Chapter 6.2 of the DMTF spec requires Manufacturer and Product Name to be
non-null on some of the tables. So let's add sane defaults for Type1/2/3.

* Before the patchset:

<snip>
Handle 0x0002, DMI type 2, 14 bytes
Base Board Information
        Manufacturer: Not Specified
        Product Name: Not Specified
        Version: Not Specified
        Serial Number: Not Specified
        Asset Tag: Not Specified
        Features:
                Board is a hosting board
        Location In Chassis: Not Specified
        Chassis Handle: 0x0000
        Type: Motherboard

Invalid entry length (0). DMI table is broken! Stop.

* After the patchset:

<snip>
Handle 0x0005, DMI type 32, 11 bytes
System Boot Information
        Status: No errors detected

Handle 0x0006, DMI type 127, 4 bytes
End Of Table

Fixes: e4f8e543f1 ("smbios: Drop the unused Kconfig options")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-06-28 19:57:13 +02:00
Ilias Apalodimas
ff192304b6 smbios: Fix BIOS Characteristics Extension Byte 2
We currently define the EFI support of an SMBIOS table as the third bit of
"BIOS Characteristics Extension Byte 1". The latest DMTF spec defines it
on "BIOS Characteristics Extension Byte 2".

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Remove superfluous assignment.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-06-28 19:57:13 +02:00
Heinrich Schuchardt
8c6532d7c4 smbios: convert function descriptions to Sphinx style
Use 'Return:' instead of '@return:'.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-06-28 19:57:13 +02:00
Heinrich Schuchardt
7891fe675d efi_loader: TPL_HIGH_LEVEL not allowed for CreateEvent
According to chapter 7.1 "Event, Timer, and Task Priority Services"
TPL_HIGH_LEVEL should not be exposed to applications and drivers.

According to the discussion with EDK II contributors this implies that
CreateEvent() shall not allow to create events with TPL_HIGH_LEVEL.

Cc: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
2021-06-28 19:57:13 +02:00
Heinrich Schuchardt
b95e5edc42 efi_loader: fix Sphinx warning
Brackets '[' need to be escaped to avoid a build warning

    lib/efi_loader/efi_image_loader.c:223:
    WARNING: Inline strong start-string without end-string.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Masahisa Kojima <masahisa.kojima@linaro.org>
2021-06-09 12:35:01 +02:00
Heinrich Schuchardt
e27b0ff1b7 efi_loader: efi_capsule_delete_file() NULL dereference
If opening a file fails, the file handle pointer is not valid and must not
be dereferenced.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-06-09 00:16:39 +02:00
Heinrich Schuchardt
3dca77b1dc efi_loader: partition numbers are hexadecimal
If we want to address partition 15 of virtio block device 11, we have to
write:

	virtio b:f

When calling sprintf() we must use %x for the device and partition numbers.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-06-09 00:16:39 +02:00
Sean Anderson
89be8e31cc fastboot: Fix overflow when calculating chunk size
If a chunk was larger than 4GiB, then chunk_data_sz would overflow and
blkcnt would not be calculated correctly. Upgrade it to a u64 and cast
its multiplicands as well. Also fix bytes_written while we're at it.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
2021-06-01 16:48:54 -04:00
Masahisa Kojima
163a0d7e2c efi_loader: add PE/COFF image measurement
"TCG PC Client Platform Firmware Profile Specification"
requires to measure every attempt to load and execute
a OS Loader(a UEFI application) into PCR[4].
This commit adds the PE/COFF image measurement, extends PCR,
and appends measurement into Event Log.

Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Replace CONFIG_HASH_CALCULATE by CONFIG_HASH
Fix conversions between pointers and u64.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-05-28 16:17:01 +02:00
Alexandru Gagniuc
464010b0be efi_loader: Work-around build issue due to missing hash_calculate()
The hash_calculate() symbol is provided by hash-checksum.c. It depends
on hash_progressive_lookup_algo(), provided when CONFIG_HASH=y.

The issue is that hash_calculate() is used by the efi_loader,
irregardless of CONFIG_FIT_SIGNATURE. As pointed out in
commit 87316da05f ("lib: introduce HASH_CALCULATE option"),
enabling hash_calculate() based on CONFIG_FIT_SIGNATURE is incorrect.

To resolve this, use CONFIG_HASH as the compile switch for
hash-checksum.c. This ensures that all dependencies are compiled, and
is the most natural Kconfig to use.

There is the issue of having to 'select HASH' in a couple of places
that already 'select SHA256'. This is a deeper problem with how hashes
are organized, and fixing it is beyonf the scope of this change.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Acked-by: Masahisa Kojima <masahisa.kojima@linaro.org>
2021-05-28 16:17:01 +02:00
Alexandru Gagniuc
ec0512b173 Revert "lib: introduce HASH_CALCULATE option"
When we think of Kconfig, we usually think of features that we like
to enable or not. Ideally, we wouldn't use Kconfig to fix a build
issue, although sometimes it might make sense. With Kconfig it's hard
to guarantee that the fix is universal. We can only say that it works
for the set of tested configurations. In the majority of cases, it's
preferable to let the linker figure things out for us.

The reverted commit attempted to fix a build issue by adding an
invisible Kconfig option. This is wrong in several ways:

It invents a new Kconfig variable when CONFIG_HASH already
exists for the same purpose.
Second, hash-checksum.c makes use of the hash_progressive_lookup_algo()
symbol, which is only provided with CONFIG_HASH, but this dependency
was not expressed in the reverted patch.

It feels like Kconfig is turning into a listing of all available
source files, and a buffet to 'select' which ones to compile. The
purpose of this revert is to enable the next change to make use of
CONFIG_HASH instead of adding to Kconfig.

This reverts commit 87316da05f.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Acked-by: Masahisa Kojima <masahisa.kojima@linaro.org>
2021-05-28 16:17:01 +02:00
Ilias Apalodimas
38de680e58 efi_loader: Fix coverity warnings for efi tcg2 protocol
Coverity reported 3 warnings on the current code.
CID 331856, 331855, 331854 on the latest scan.

Fix the rest of the warnings by initializing the variables before
passing them to tpm2_get_pcr_info().
In order to avoid future warnings and errors initialize them to 0 within
the function as well, since the values are always OR'ed after querying the
hardware.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-05-28 16:17:01 +02:00
Ilias Apalodimas
1f6871df40 efi_loader: Fix -Wextra warning for EFI TCG2
Compiling with -Wextra produces a number of (harmless) warnings for the EFI
TCG2 protocol.  Let's fix those in case we ever enable the flag on the EFI
subsystem

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-05-25 14:33:22 +02:00
Heinrich Schuchardt
9a6b33bef2 efi_loader: path length in efi_dp_from_name()
Before this patch efi_dp_from_name() only accommodated a maximum file path
length of 31 characters. This leads to boot failures due to file name
truncation.

Allow arbitrary path lengths.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-25 13:06:57 +02:00
Masahisa Kojima
f6081a8a1e efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled
This is preparation for PE/COFF measurement support.
PE/COFF image hash calculation is same in both
UEFI Secure Boot image verification and measurement in
measured boot. PE/COFF image parsing functions are
gathered into efi_image_loader.c, and exposed even if
UEFI Secure Boot is not enabled.

This commit also adds the EFI_SIGNATURE_SUPPORT option
to decide if efi_signature.c shall be compiled.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-25 13:06:57 +02:00
Heinrich Schuchardt
6754e24b54 efi_loader: remove weak efi_get_public_key_data()
Configuring a system with CONFIG_EFI_CAPSULE_AUTHENTICATE=y but without a
method to retrieve the public key data is a misconfiguration. We should get
a build failure for it. Therefore remove the weak efi_get_public_key_data()
implementation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-25 13:06:57 +02:00
Marek Behún
be1e77f286 sandbox: errno: avoid conflict with libc's errno
When building with LTO, the system libc's `errno` variable used in
arch/sandbox/cpu/os.c conflicts with U-Boot's `errno` (defined in
lib/errno.c) with the following error:
 .../ld: errno@@GLIBC_PRIVATE: TLS definition in /lib64/libc.so.6
         section .tbss mismatches non-TLS reference in
	 /tmp/u-boot.EQlEXz.ltrans0.ltrans.o

To avoid this conflict use different asm label for this variable when
CONFIG_SANDBOX is enabled.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-05-24 14:21:30 -04:00
Marek Behún
98e55f97af lib: crc32: put the crc_table variable into efi_runtime_rodata section
When compiling with LTO, the compiler fails with an error saying that
`crc_table` causes a section type conflict with `efi_var_buf`.

This is because both are declared to be in the same section (via macro
`__efi_runtime_data`), but one is const while the other is not.

Put this variable into the section .rodata.efi_runtime, instead of
.data.efi_runtime, via macro __efi_runtime_rodata.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Marek Vasut <marex@denx.de>
Reviewed-by: Heinrich Schuchardt <xypron.gpk@gmx.de>
2021-05-24 14:21:30 -04:00
Marek Behún
ead698acbc efi_selftest: compiler flags for efi_selftest_miniapp_exception.o
Add $(CFLAGS_EFI) and remove $(CFLAGS_NON_EFI) for
efi_selftest_miniapp_exception.o.

The removal is needed when compiling with LTO - this object file needs
to be compiled without -flto.

The adding is for consistency with other miniapps.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-24 14:21:30 -04:00
Marek Behún
46c3e29219 string: make memcpy(), memset(), memcmp() and memmove() visible for LTO
It seems that sometimes (happening on ARM64, for example with
turris_mox_defconfig) GCC, when linking with LTO, changes the symbol
names of some functions, for example lib/string.c's memcpy() function to
memcpy.isra.0.

This is a problem however when GCC for a code such as this:
	struct some_struct *info = get_some_struct();
	struct some struct tmpinfo;
	tmpinfo = *info;
emits a call to memcpy() by builtin behaviour, to copy *info to tmpinfo.

This then results in the following linking error:
  .../lz4.c:93: undefined reference to `memcpy'
  .../uuid.c:206: more undefined references to `memcpy' follow

GCC's documentation says this about -nodefaultlibs option:
  The compiler may generate calls to "memcmp", "memset", "memcpy" and
  "memmove".  These entries are usually resolved by entries in libc.
  These entry points should be supplied through some other mechanism
  when this option is specified.

Make these functions visible by using the __used macro to avoid this
error.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-05-24 14:21:30 -04:00
Marek Behún
236f2ec432 treewide: Convert macro and uses of __section(foo) to __section("foo")
This commit does the same thing as Linux commit 33def8498fdd.

Use a more generic form for __section that requires quotes to avoid
complications with clang and gcc differences.

Remove the quote operator # from compiler_attributes.h __section macro.

Convert all unquoted __section(foo) uses to quoted __section("foo").
Also convert __attribute__((section("foo"))) uses to __section("foo")
even if the __attribute__ has multiple list entry forms.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-05-24 14:21:30 -04:00
Bin Meng
1621d3c434 lib: kconfig: Limit BINMAN_FDT for OF_SEPARATE or OF_EMBED
Generally speaking BINMAN_FDT makes sense for OF_SEPARATE or OF_EMBED.
For the other OF_CONTROL methods, it's quite possible binman node is
not available as binman is invoked during the build phase instead of
runtime. Let's only turn it on for OF_SEPARATE or OF_EMBED by default.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-05-19 17:01:50 +08:00
Masahisa Kojima
87316da05f lib: introduce HASH_CALCULATE option
Build error occurs when CONFIG_EFI_SECURE_BOOT or
CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled,
because hash-checksum.c is not compiled.

Since hash_calculate() implemented in hash-checksum.c can be
commonly used aside from FIT image signature verification,
this commit itroduces HASH_CALCULATE option to decide
if hash-checksum.c shall be compiled.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-18 12:36:13 +02:00
Ilias Apalodimas
48ee084602 efi_loader: Fix Kconfig for EFI_TCG2 protocol
EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
So select the missing SHA1, SHA256, SHA384 and SHA512 we currently support

Reported-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Add 'default y'.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-18 12:36:13 +02:00
Ilias Apalodimas
2052759a5e efi_loader: Don't stop EFI subsystem init if installing TCG2 fails
Up to now we are stopping the EFI subsystem if a TPMv2 exists but the
protocol fails to install.  Now that we've switched the config to 'default
y' the sandbox TPM fails, since it doesn't support all the required
capabilities of the protocol.

Not installing the protocol is not catastrophic.  If the protocol fails
to install the PCRs will never be extended to the expected values, so
some other entity later in the boot flow will eventually figure it out
and take the necessary actions.

While at it fix a corner case were the user can see an invalid error
message when the protocol failed to install.  We do have a tcg2_uninit()
which we call when the protocol installation fails.  There are cases though
that this might be called before the configuration table is installed (e.g
probing the TPM for capabilities failed).  In that case the user will see
"Failed to delete final events config table".  So stop printing it since it's
not an actual failure , simply because the config table was never installed
in the first place.

In order to stop printing it make efi_init_event_log() and create_final_event()
cleanup themselves and only call tcg2_uninit() when the protocol installation
fails.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-18 12:36:13 +02:00
Ilias Apalodimas
97f446a8ff efi_loader: Uninstall the TCG2 protocol if logging s-crtm fails
Instead of just failing, clean up the installed config table and
EventLog memory if logging an s-crtm event fails during the protocol
installation

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Eliminate label 'out:' by using return.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-18 12:36:13 +02:00
Ilias Apalodimas
b76edf6b07 efi_loader: Clean up tcg2 once in case of failure
efi_init_event_log() calls tcg2_uninit() in case of failure.
We can skip that since the function is called on efi_tcg2_register()
which also cleans up if an error occurs

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-18 12:36:12 +02:00
Peng Fan
bc3f465181 efi_loader: loosen buffer parameter check in efi_file_read_int
This is same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1733817,
but that fix was wrongly partial reverted.

When reading a directory, EFI_BUFFER_TOO_SMALL should be returned when
the supplied buffer is too small, so a use-case is to call
EFI_FILE_PROTOCOL.Read() with *buffer_size=0 and buffer=NULL to
obtain the needed size before doing the actual read.

So remove the check only for directory reading, file reading already
do the check by itself.

Fixes: db12f518edb0("efi_loader: implement non-blocking file services")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefan Sørensen <stefan.sorensen@spectralink.com>
Tested-by: Peter Robinson <pbrobinson@gmail.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-18 12:36:12 +02:00
Sughosh Ganu
6a2e26b95f efi_loader: capsule: Remove the check for capsule_authentication_enabled environment variable
The current capsule authentication code checks if the environment
variable capsule_authentication_enabled is set, for authenticating the
capsule. This is in addition to the check for the config symbol
CONFIG_EFI_CAPSULE_AUTHENTICATE. Remove the check for the environment
variable. The capsule will now be authenticated if the config symbol
is set.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviwed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-05-18 12:36:12 +02:00
Heinrich Schuchardt
e2ae483c3b hash: Kconfig option for SHA512 hardware acceleration
Commit a479f103dc ("hash: Allow for SHA512 hardware implementations")
defined function definitions for hardware accelerated SHA384 and SHA512.
If CONFIG_SHA_HW_ACCEL=y, these functions are used.

We already have boards using CONFIG_SHA_HW_ACCEL=y but none implements the
new functions hw_sha384() and hw_sha512().

For implementing the EFI TCG2 protocol we need SHA384 and SHA512. The
missing hardware acceleration functions lead to build errors on boards like
peach-pi_defconfig.

Introduce a new Kconfig symbol CONFIG_SHA512_HW_ACCEL to control if the
functions hw_sha384() and hw_sha512() shall be used to implement the SHA384
and SHA512 algorithms.

Fixes: a479f103dc ("hash: Allow for SHA512 hardware implementations")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

Reviewed-by: Simon Glass <sjg@chromium.org>
2021-05-18 12:36:12 +02:00
Heinrich Schuchardt
700f68c354 efi_loader: build warning in efi_tcg2_hash_log_extend_event
Building 32bit boards with the TCG2 protocol enabled leads to a build
warning due to a missing conversion.

    lib/efi_loader/efi_tcg2.c:774:27:
    error: cast to pointer from integer of different size
    [-Werror=int-to-pointer-cast]
    774 |  ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
        |                           ^

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-05-18 12:36:12 +02:00
Patrick Delaunay
feb7ac457c dm: core: Add address translation in fdt_get_resource
Today of_address_to_resource() is called only in
ofnode_read_resource() for livetree support and
fdt_get_resource() is called when livetree is not supported.

The fdt_get_resource() doesn't do the address translation
so when it is required, but the address translation is done
by ofnode_read_resource() caller, for example in
drivers/firmware/scmi/smt.c::scmi_dt_get_smt_buffer() {
...
	ret = ofnode_read_resource(args.node, 0, &resource);
	if (ret)
		return ret;

	faddr = cpu_to_fdt32(resource.start);
	paddr = ofnode_translate_address(args.node, &faddr);
...

The both behavior should be aligned and the address translation
must be called in fdt_get_resource() and removed for each caller.

Fixes: a44810123f ("dm: core: Add dev_read_resource() to read device resources")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
2021-04-29 03:23:39 -07:00
AKASHI Takahiro
2c1a684049 efi_loader: capsule: return a correct error code at find_boot_device()
In case of failure at efi_get_variable_int("BootOrder"), we should
skip examining boot option variables and return an appropriate error
code which is the one the function returned.

Fixes: CID 331153 Code maintainability issues  (UNUSED_VALUE)
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-24 06:53:40 +02:00
Jose Marinho
3627cf4bff efi: Fix ESRT refresh after Capsule update
Indicated by Coverity Scan CID 331147

The ESRT was being refreshed in situations where the UpdateCapsule
procedure failed. In that scenario:

1) the ESRT refresh was superfluous.
2) a failed ESRT refresh return code overwrites the UpdateCapsule error
return code.

This commit ensures that the ESRT is only refreshed when the
UpdateCapsule performs successfully.

CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
CC: Sughosh Ganu <sughosh.ganu@linaro.org>
CC: AKASHI Takahiro <takahiro.akashi@linaro.org>
CC: Tom Rini <trini@konsulko.com>
CC: Andre Przywara <andre.przywara@arm.com>
CC: nd@arm.com

Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-24 06:53:40 +02:00
Ilias Apalodimas
6fe8b4a39d efi_loader: simplify tcg2_create_digest()
Bumping the digest list count, for all supported algorithms,  can be
calculated outside of the individual switch statements.  So let's do that
for every loop iteration instead and simplify the code a bit.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-24 06:53:40 +02:00
Heinrich Schuchardt
a07ee3c198 efi_loader: missing include in efi_string.c
To avoid diverging function definitions we need to include efi_loader.h.

Fixes: fe179d7fb5 ("efi_loader: Add size checks to efi_create_indexed_name()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-24 06:53:40 +02:00
Patrick Delaunay
6d66502bc7 lmb: Add 2 config to define the max number of regions
Add 2 configs CONFIG_LMB_MEMORY_REGIONS and CONFIG_LMB_RESERVED_REGIONS
to change independently the max number of the regions in lmb
library.

When CONFIG_LMB_USE_MAX_REGIONS=y, move the lmb property arrays to
struct lmb and manage the array size with the element 'max' of struct
lmb_region; their are still allocated in stack.

When CONFIG_LMB_USE_MAX_REGIONS=n, keep the current location in
struct lmb_region to allow compiler optimization.

Increase CONFIG_LMB_RESERVED_REGIONS is useful to avoid lmb errors in
bootm when the number of reserved regions (not adjacent) is reached:
+ 1 region for relocated U-Boot
+ 1 region for initrd
+ 1 region for relocated linux device tree
+ reserved memory regions present in Linux device tree.

The current limit of 8 regions is reached with only 5 reserved regions
in DT.

see Linux kernel commit bf23c51f1f49 ("memblock: Move memblock arrays
to static storage in memblock.c and make their size a variable")

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
2021-04-22 14:09:45 -04:00
Patrick Delaunay
4fa0150d6c lmb: move MAX_LMB_REGIONS value in Kconfig
Move MAX_LMB_REGIONS value in Kconfig, the max number of the regions
in lmb library.

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
2021-04-22 14:09:45 -04:00
Patrick Delaunay
00fd8dad4d lmb: add a max parameter in the struct lmb_region
Add a max parameter in lmb_region struct to handle test
in lmb_add_region without using the MAX_LMB_REGIONS
define.

This patch allows to modify these size independently for
memory of reserved regions in the next patches.

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
2021-04-22 14:09:45 -04:00
Patrick Delaunay
8f167da9c5 lmb: remove lmb_region.size
Remove the unused field size of struct lmb_region as it is initialized to 0
and never used after in lmb library.

See Linux kernel commit 4734b594c6ca ("memblock: Remove memblock_type.size
and add memblock.memory_size instead")

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
2021-04-22 14:09:45 -04:00
Patrick Delaunay
77b8cfef53 lmb: move CONFIG_LMB in Kconfig
Migrate CONFIG_LMB in Kconfig.

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
2021-04-22 14:09:45 -04:00
Karl Beldan
227c53de87 lz4: Fix unaligned accesses
Signed-off-by: Karl Beldan <karl.beldan+oss@gmail.com>
2021-04-20 07:31:12 -04:00
Masahisa Kojima
b1a7a5e0b8 efi_loader: fix possible buffer overflow
Variable "final" will have SHA512 digest, but currently
the array size is not sufficient. Let's fix it.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-17 20:01:32 +02:00
Heinrich Schuchardt
e8287b0fb2 efi_loader: memory leak in efi_capsule_scan_dir()
If realloc() fails, we should free the old buffer.

Fixes: c74cd8bd08: ("efi_loader: capsule: add capsule_on_disk support")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-17 20:01:32 +02:00
Sughosh Ganu
7d823747c6 efi_loader: esrt: Remove incorrect invocations of EFI_CALL macro
Remove function invocations using the EFI_CALL macro for those
functions that do not have an EFI_ENTRY call in their definition. Such
functions can use u-boot api's which rely on u-boot global data(gd)
pointer. The Arm and RiscV architectures maintain a separate gd
pointer, one for u-boot, and a separate gd for the efi application.

Calling a function through the EFI_CALL macro changes the gd pointer
to that used for the efi application, with u-boot gd being
unavailable. Any function then trying to dereference u-boot's gd will
result in an abort.

Fix this issue by removing the EFI_CALL macro for all of such
functions which do not begin by an EFI_ENTRY function call.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-17 20:01:31 +02:00