Current code doesn't free the efi allocated memory in case the protocol
failed to install
Fixes: c8d0fd5825 ("efi_loader: Introduce eventlog support for TCG2_PROTOCOL")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The ESRT is initialised during efi_init_objlist after
efi_initialize_system_table().
The ESRT is recreated from scratch at the following events:
- successful UpdateCapsule;
- FMP instance install.
The code ensures that every ESRT entry has a unique fw_class value.
Limitations:
- The ESRT is not updated if an FMP instance is uninstalled;
- the fields image_type and flags are in the current implementation left
undefined. Setting these values will require a per-platform function
that returns the image_type/flags as a function of the image fw_class.
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
CC: Sughosh Ganu <sughosh.ganu@linaro.org>
CC: AKASHI Takahiro <takahiro.akashi@linaro.org>
CC: Ilias Apalodimas <ilias.apalodimas@linaro.org>
CC: Andre Przywara <andre.przywara@arm.com>
CC: Alexander Graf <agraf@csgraf.de>
CC: nd@arm.com
Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Remove two EFI_CALL() indirections.
Move ESRT GUID in efidebug's list of GUIDs.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Up to now we install EFI_LOAD_FILE2_PROTOCOL to load an initrd
unconditionally. Although we correctly return various EFI exit codes
depending on the file status (i.e EFI_NO_MEDIA, EFI_NOT_FOUND etc), the
kernel loader, only falls back to the cmdline interpreted initrd if the
protocol is not installed.
This creates a problem for EFI installers, since they won't be able to
load their own initrd and continue the installation. It also makes the
feature hard to use, since we can either have a single initrd or we have
to recompile u-boot if the filename changes.
So let's introduce a different logic that will decouple the initrd
path from the config option we currently have.
When defining a UEFI BootXXXX we can use the filepathlist and store
a file path pointing to our initrd. Specifically the EFI spec describes:
"The first element of the array is a device path that describes the device
and location of the Image for this load option. Other device paths may
optionally exist in the FilePathList, but their usage is OSV specific"
When the EFI application is launched through the bootmgr, we'll try to
interpret the extra device path. If that points to a file that exists on
our disk, we'll now install the load_file2 and the efi-stub will be able
to use it.
This opens up another path using U-Boot and defines a new boot flow.
A user will be able to control the kernel/initrd pairs without explicit
cmdline args or GRUB.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
A following patch introduces a different logic for loading initrd's
based on the EFI_LOAD_FILE2_PROTOCOL.
Since similar logic can be applied in the future for other system files
(i.e DTBs), let's add some helper functions which will retrieve and
parse file paths stored in EFI variables.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
On the following patches we allow for an initrd path to be stored in
Boot#### variables. Specifically we encode in the FIlePathList[] of
the EFI_LOAD_OPTIONS for each Boot#### variable.
The FilePathList[] array looks like this:
kernel - 0xff - VenMedia(initrd GUID) - initrd1 - 0x01 initrd2 - 0xff
So let's add the relevant functions to concatenate and retrieve a device
path based on a Vendor GUID.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reformat function descriptions.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When uploading an EFI binary via the UART we need to assign a device path.
* Provide devicepath node to text conversion for Uart() node.
* Provide function to create Uart() device path.
* Add UART support to efi_dp_from_name().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Even if CONFIG_DM_VIDEO=y and stdout="vidconsole", a video device may not
be available. Check the return values of the relevant functions.
If no video output device is available, assume that the serial console is
in use.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This occur when building on Raspberry Pi 400 (32-bit ARM). Fix them.
Examples:
cmd/efidebug.c: In function ‘do_efi_capsule_update’:
cmd/efidebug.c:75:49: warning: cast from pointer to integer of different
size [-Wpointer-to-int-cast]
ret = EFI_CALL(RT->update_capsule(&capsule, 1, (u64)NULL));
^
include/efi_loader.h:104:9: note: in definition of macro ‘EFI_CALL’
typeof(exp) _r = exp; \
^~~
cmd/efidebug.c:75:49: warning: cast from pointer to integer of different
size [-Wpointer-to-int-cast]
ret = EFI_CALL(RT->update_capsule(&capsule, 1, (u64)NULL));
^
include/efi_loader.h:104:19: note: in definition of macro ‘EFI_CALL’
typeof(exp) _r = exp; \
^~~
In file included from include/common.h:20,
from lib/efi_loader/efi_capsule.c:9:
lib/efi_loader/efi_capsule.c: In function ‘efi_update_capsule’:
include/efi_loader.h:83:8: warning: format ‘%lu’ expects argument of type
‘long unsigned int’, but argument 10 has type ‘size_t’
{aka ‘unsigned int’} [-Wformat=]
debug("%sEFI: Entry %s(" format ")\n", __efi_nesting_inc(), \
^~~~~~~~~~~~~~~~~~
include/linux/printk.h:37:21: note: in definition of macro ‘pr_fmt’
#define pr_fmt(fmt) fmt
^~~
include/log.h:229:2: note: in expansion of macro ‘log’
log(LOG_CATEGORY, LOGL_DEBUG, fmt, ##args); \
^~~
include/log.h:249:2: note: in expansion of macro ‘debug_cond’
debug_cond(_DEBUG, fmt, ##args)
^~~~~~~~~~
include/efi_loader.h:83:2: note: in expansion of macro ‘debug’
debug("%sEFI: Entry %s(" format ")\n", __efi_nesting_inc(), \
^~~~~
lib/efi_loader/efi_capsule.c:444:2: note: in expansion of macro ‘EFI_ENTRY’
EFI_ENTRY("%p, %lu, %llu\n", capsule_header_array, capsule_count,
^~~~~~~~~
lib/efi_loader/efi_capsule.c:444:19: note: format string is defined here
EFI_ENTRY("%p, %lu, %llu\n", capsule_header_array, capsule_count,
~~^
%u
Signed-off-by: Simon Glass <sjg@chromium.org>
Replace (uintptr_t)NULL by 0.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The (yet unreleased version of the) devicetree specification clearly
states that:
As with the /reserved-memory node, when booting via UEFI
entries in the Memory Reservation Block must also be listed
in the system memory map obtained via the GetMemoryMap() toi
protect against allocations by UEFI applications. The memory
reservation block entries should be listed with type
EfiReservedMemoryType.
This restores the behaviour that was changed by commit 4cbb2930bd
("efi_loader: consider no-map property of reserved memory").
Fixes: 4cbb2930bd ("efi_loader: consider no-map property of reserved memory")
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
GRUB_ARM32_WORKAROUND can be disabled on ARCH_SUNXI as the Allwinner SoCs
only have a level 2 cache controlled via CP15 and not an architecturally
defined cache. Having the cache available speeds up booting Linux.
On ARCH_BCM283X it is already disabled via rpi_2_defconfig. But let's move
this setting to Kconfig.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When uploading an EFI binary via the UART we need to assign a device path.
* Provide devicepath node to text conversion for Uart() node.
* Provide function to create Uart() device path.
* Add UART support to efi_dp_from_name().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Even if CONFIG_DM_VIDEO=y and stdout="vidconsole", a video device may not
be available. Check the return values of the relevant functions.
If no video output device is available, assume that the serial console is
in use.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This occur when building on Raspberry Pi 400 (32-bit ARM). Fix them.
Examples:
cmd/efidebug.c: In function ‘do_efi_capsule_update’:
cmd/efidebug.c:75:49: warning: cast from pointer to integer of different
size [-Wpointer-to-int-cast]
ret = EFI_CALL(RT->update_capsule(&capsule, 1, (u64)NULL));
^
include/efi_loader.h:104:9: note: in definition of macro ‘EFI_CALL’
typeof(exp) _r = exp; \
^~~
cmd/efidebug.c:75:49: warning: cast from pointer to integer of different
size [-Wpointer-to-int-cast]
ret = EFI_CALL(RT->update_capsule(&capsule, 1, (u64)NULL));
^
include/efi_loader.h:104:19: note: in definition of macro ‘EFI_CALL’
typeof(exp) _r = exp; \
^~~
In file included from include/common.h:20,
from lib/efi_loader/efi_capsule.c:9:
lib/efi_loader/efi_capsule.c: In function ‘efi_update_capsule’:
include/efi_loader.h:83:8: warning: format ‘%lu’ expects argument of type
‘long unsigned int’, but argument 10 has type ‘size_t’
{aka ‘unsigned int’} [-Wformat=]
debug("%sEFI: Entry %s(" format ")\n", __efi_nesting_inc(), \
^~~~~~~~~~~~~~~~~~
include/linux/printk.h:37:21: note: in definition of macro ‘pr_fmt’
#define pr_fmt(fmt) fmt
^~~
include/log.h:229:2: note: in expansion of macro ‘log’
log(LOG_CATEGORY, LOGL_DEBUG, fmt, ##args); \
^~~
include/log.h:249:2: note: in expansion of macro ‘debug_cond’
debug_cond(_DEBUG, fmt, ##args)
^~~~~~~~~~
include/efi_loader.h:83:2: note: in expansion of macro ‘debug’
debug("%sEFI: Entry %s(" format ")\n", __efi_nesting_inc(), \
^~~~~
lib/efi_loader/efi_capsule.c:444:2: note: in expansion of macro ‘EFI_ENTRY’
EFI_ENTRY("%p, %lu, %llu\n", capsule_header_array, capsule_count,
^~~~~~~~~
lib/efi_loader/efi_capsule.c:444:19: note: format string is defined here
EFI_ENTRY("%p, %lu, %llu\n", capsule_header_array, capsule_count,
~~^
%u
Signed-off-by: Simon Glass <sjg@chromium.org>
Replace (uintptr_t)NULL by 0.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The (yet unreleased version of the) devicetree specification clearly
states that:
As with the /reserved-memory node, when booting via UEFI
entries in the Memory Reservation Block must also be listed
in the system memory map obtained via the GetMemoryMap() toi
protect against allocations by UEFI applications. The memory
reservation block entries should be listed with type
EfiReservedMemoryType.
This restores the behaviour that was changed by commit 4cbb2930bd
("efi_loader: consider no-map property of reserved memory").
Fixes: 4cbb2930bd ("efi_loader: consider no-map property of reserved memory")
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
GRUB_ARM32_WORKAROUND can be disabled on ARCH_SUNXI as the Allwinner SoCs
only have a level 2 cache controlled via CP15 and not an architecturally
defined cache. Having the cache available speeds up booting Linux.
On ARCH_BCM283X it is already disabled via rpi_2_defconfig. But let's move
this setting to Kconfig.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Carve out a function to translate a Unicode code point to an 8bit codepage.
Provide a unit test for the new function.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If stdout is 'vidconsole', we correctly set the console size.
If stdout is 'vidconsole,serial', the video console is ignored.
We should always evaluate the size of vidconsole if it is the primary
console.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
VenHw and VenMedia device path nodes may carry vendor defined data of
arbitrary length. When converting a device path node to text ensure that we
do not overrun our internal buffer.
In our implementation of
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL.ConvertDevicePathToText() we could first
determine the output length and then allocate buffers but that would nearly
double the code size. Therefore keep the preallocated buffers and truncate
excessive device paths instead.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The UEFI spec does not allow ACPI tables to be in runtime services memory.
It recommends EfiACPIReclaimMemory.
Remove a superfluous check that the allocated pages are 16 byte aligned.
EFI pages are 4 KiB aligned.
Fixes: 86df34d42b ("efi_loader: Install ACPI configuration tables")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Our current implementation of
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL.ConvertDevicePathToText() truncates multi
part device paths after the first part. We should convert all parts.
Render device path instance ends as commas. This is not explicitly
described in the UEFI spec but mimics what EDK II does.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The last block is of size media->block_size
Signed-off-by: Jesper Schmitz Mouridsen <jesper@schmitz.computer>
Simplify expression.
Apply same change to efi_disk_write_blocks().
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
fix get_last_capsule() leads to writes beyond the stack allocated buffer.
This was indicated when enabling the stack protector.
utf16_utf8_strcpy() only stops copying when reaching '\0'. The current
invocation always writes beyond the end of value[].
The output length of utf16_utf8_strcpy() may be longer than the number of
UTF-16 tokens. E.g has "CapsuleКиев" has 11 UTF-16 tokens but 15 UTF-8
tokens. Hence, using utf16_utf8_strcpy() without checking the input may
lead to further writes beyond value[].
The current invocation of strict_strtoul() reads beyond the end of value[].
A non-hexadecimal value after "Capsule" (e.g. "CapsuleZZZZ") must result in
an error. We cat catch this by checking the return value of strict_strtoul().
A value that is too short after "Capsule" (e.g. "Capsule0") must result in
an error. We must check the string length of value[].
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
'.' and '..' are directories. So when looking for capsule files it is
sufficient to check that the attribute EFI_FILE_DIRECTORY is not set. We
don't have to check for these special names.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
PE section table entries' SizeOfRawData must be a multiple of
FileAlignment, and thus may be rounded up and larger than their
VirtualSize.
We should not load beyond the VirtualSize, which is "the total size of
the section when loaded into memory" -- we may clobber real data at the
target in some other section, since we load sections in reverse order
and sections are usually laid out sequentially.
Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The Load File2 protocol exposes a device path with a VenMedia() node. Hence
our implementation of the device path to text protocol should support this
node.
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
On the handle for the UEFI System Partition we must install the System
Partition GUID (with a NULL interface).
Let the efidebug command display the GUID.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In the implementation of the EFI_DT_FIXUP_PROTOCOL:
* Only check the buffer size when EFI_DT_APPLY_FIXUPS is set.
* In this case the field totalsize of the device-tree may not exceed the
buffer size.
* Install device-tree only if EFI_DT_INSTALL_TABLE is set.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Move this out of the common header and include it only where needed. In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly. Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Some ARMv7 boards using PSCI require to be in secure-mode when booted via
'bootz' or 'bootm'. During distro-boot 'bootefi bootmgr' is called to check
if booting via UEFI is possible.
With the change we change the switch from secure mode to non-secure mode is
moved from the UEFI subsystem setup to just before calling StartImage().
Cc: Jernej Škrabec <jernej.skrabec@gmail.com>
Reported by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If the field Media->IoAlign of the EFI block IO protocol is zero, no
alignment is required. Our code required 4 GiB alignment in this case.
Don't check buffer alignment if Media->IoAlign == 0.
Fixes: f59f0825e8 ("efi_loader: parameter checks BLOCK_IO_PROTOCOL")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The field Media.LastBlock of the EFI_BLOCK_IO_PROTOCOL.Media was filled
incorrectly both for block devices as well as for partitions.
The field must be filled with the index of the last logical block (LBA):
* block devices: device size minus 1
* partitions: partition size minus 1
Reported-by: Alexander von Gluck IV <kallisti5@unixzen.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The UEFI specification requires event notification levels to be
> TPL_APPLICATION and <= TPL_HIGH_LEVEL.
With the patch the CreateEvent() and CreatedEventEx() services are changed
to check that the notification level is not TPL_APPLICATION.
Reference:
UEFI Specification 2.8 Errata B, table 27 "TPL Restrictions",
"Event Notification Levels"
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
CID 316361 says:
> Passing argument "count * 8UL /* sizeof (*files) */" to
> function "dlmalloc" and then casting the return value to "u16 **" is
> suspicious. In this particular case "sizeof (u16 **)" happens to be equal
> to "sizeof (u16 *)", but this is not a portable assumption.
> > 767 tmp_files = malloc(count * sizeof(*files));
The change in this patch fixes the ambiguity.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Fixes: CID 316361
For readability use *tmp_files instead of tmp_files[0]
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Use the correct GUID when closing the file load protocol.
Remove an unnecessary check (Coverity CID 316363).
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In EFI 1.10 a version of the Unicode collation protocol using ISO 639-2
language codes existed. This protocol is not part of the UEFI specification
any longer. It was however required to run the UEFI Self Certification Test
(SCT) II, version 2.6, 2017. So we implemented it for the sole purpose of
running the SCT.
As the SCT does not need the protocol anymore it is time for removal.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Allow the EFI_DEVICE_PATH_UTILITIES_PROTOCOL to be disabled via
configuration.
On systems that are very tight on U-Boot image size we may want to disable
the protocol. As it is required to run the UEFI Shell enable it by default.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Some boards are very tight on the binary size. Booting via UEFI is possible
without using the boot manager.
Provide a configuration option to make the boot manager available.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Move all load options related functions to a new module. So that they can
be compiled independently.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
A boot manager like GRUB can use the protocol to
* apply U-Boot's fix-ups to the a device-tree
* let U-Boot make memory reservations according to the device-tree
* install the device-tree as a configuration table
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In efi_mem_sort() adjacent memory regions of same type are coalesced.
Remove the remark "Merging of adjacent free regions is missing".
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We do not want to use typedefs in U-Boot.
Do not use efi_string_t in the EFI_TEXT_OUTPUT_PROTOCOL.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Let helloworld.efi print the device path of the boot device and the file
path as provided by the loaded image protocol.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Most drivers use these access methods but a few do not. Update them.
In some cases the access is not permitted, so mark those with a FIXME tag
for the maintainer to check.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Pratyush Yadav <p.yadav@ti.com>
Add support for enabling uefi capsule authentication. This feature is
enabled by setting the environment variable
"capsule_authentication_enabled".
The following configs are needed for enabling uefi capsule update and
capsule authentication features on the platform.
CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Add support for authenticating uefi capsules. Most of the signature
verification functionality is shared with the uefi secure boot
feature.
The root certificate containing the public key used for the signature
verification is stored as part of the device tree blob. The root
certificate is stored as an efi signature list(esl) file -- this file
contains the x509 certificate which is the root certificate.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
The efi_sigstore_parse_sigdb function reads the uefi authenticated
variable, stored in the signature database format and builds the
signature store structure. Factor out the code for building
the signature store. This can then be used by the capsule
authentication routine to build the signature store even when the
signature database is not stored as an uefi authenticated variable
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
The pkcs7 header parsing functionality is pretty generic, and can be
used by other features like capsule authentication. Make the function
an extern, also changing it's name to efi_parse_pkcs7_header
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
When building the capsule using scripts in edk2, a fmp header is
added on top of the binary payload. Add logic to detect presence of
the header. When present, the pointer to the image needs to be
adjusted as per the size of the header to point to the actual binary
payload.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
When a new event is queued we have to process the event queue by calling
efi_process_event_queue(). But there is not reason to call the function
when the event is not queueable.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Although the function description states the caller must provide a
sufficient buffer, it's better to have in function checks that the
destination buffer can hold the intended value.
So let's add an extra argument with the buffer size and check that
before doing any copying.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Up to now we install the EFI_LOAD_FILE2_PROTOCOL to load an initrd
unconditionally. Although we correctly return various EFI exit codes
depending on the file status (i.e EFI_NO_MEDIA, EFI_NOT_FOUND etc), the
kernel loader only falls back to the cmdline interpreted initrd if the
protocol is not installed.
This creates a problem for EFI installers, since they won't be able to
load their own initrd and start the installation.
A following patch introduces a different logic where we search for an
initrd path defined in an EFI variable named 'Initrd####'.
If the bootmgr is used to launch the EFI payload, we'll will try to match
the BootCurrent value and find the corresponding initrd
(i.e Boot0000 -> Initrd0000 etc). If the file is found, we'll install
the required protocol which the kernel's efi-stub can use and load our
initrd.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
dm.h and env.h serve no purpose here. Remove them and sort the
remaining in alphabetical order.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Do not use data from the loaded image object after deleting it.
Fixes: 126a43f15b ("efi_loader: unload applications upon Exit()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
load_options passed from do_efibootmgr() to do_bootefi_exec() may contain
invalid data from the stack which will lead to an invalid free().
Fixes: 0ad64007fe ("efi_loader: set load options in boot manager")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Up to now the escape key was not correctly detected in UEFI applications.
We had to hit it twice for a single escape to be recognized.
Use a 10 ms delay to detect if we are dealing with the escape key or an
escape sequence.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
IS_ENABLED() contains parentheses. But we should still put extra
parentheses around it in an if statement for readability.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When opening an OP-TEE session we need to check the internal return
value of OP-TEE call arguments as well the return code of the
function itself.
The code was also ignoring to close the OP-TEE session in case the
shared memory registration failed.
Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Currently the size of the buffer to keep UEFI variables in memory is fixed
at 16384 bytes. This size has proven to be too small for some use cases.
Make the size of the memory buffer for UEFI variables customizable.
Reported-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Implement a reset function that we can call after ExitBootServices(),
when all driver model devices are gone.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
At present various drivers etc. access the device's 'seq' member directly.
This makes it harder to change the meaning of that member. Change access
to go through a function instead.
The drivers/i2c/lpc32xx_i2c.c file is left unchanged for now.
Signed-off-by: Simon Glass <sjg@chromium.org>
We use 'priv' for private data but often use 'platdata' for platform data.
We can't really use 'pdata' since that is ambiguous (it could mean private
or platform data).
Rename some of the latter variables to end with 'plat' for consistency.
Signed-off-by: Simon Glass <sjg@chromium.org>
We provide a UEFI driver for block devices. When ConnectController() is
called for a handle with the EFI_BLOCK_IO_PROTOCOL this driver creates the
partitions. When DisconnectController() is called the handles for the
partitions have to be deleted. This requires that the child controllers
(partitions) open the EFI_BLOCK_IO_PROTOCOL of the controller (block IO
device) with attribute EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_load_image_from_file() should read via either of:
* EFI_SIMPLE_FILE_SYSTEM_PROTOCOL
* EFI_LOAD_FILE_PROTOCOL
* EFI_LOAD_FILE2_PROTOCOL
To make the code readable carve out a function to load the image via the
file system protocol.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Implementing support for loading images via the EFI_LOAD_FILE_PROTOCOL
requires the boot policy as input for efi_load_image_from_path().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The EFI_LOAD_FILE_PROTOCOL_GUID and EFI_LOAD_FILE2_PROTOCOL_GUID are needed
to complement the implementation of the LoadFile() boot service.
Remove a duplicate declaration of a variable for the
EFI_LOAD_FILE2_PROTOCOL_GUID.
Move the remaining declaration to efi_boottime.c.
Add a variable for the EFI_LOAD_FILE_PROTOCOL_GUID.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
For implementing support for the EFI_LOAD_FILE_PROTOCOL in the LoadImage()
service we will have to call the LocateDevicePath() service. To avoid a
forward declaration resequence the functions.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Our implementation of the EFI_HII_CONFIG_ROUTING_PROTOCOL is a mere stub,
where all services return an error code. The protocol is neither needed for
the EFI shell nor for the UEFI SCT. To reduce the code size remove it from
the U-Boot binary.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The EFI_RT_PROPERTIES_TABLE configuration table indicates which runtime
services are available at runtime.
Even if CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y, we neither support
UpdateCapsule() nor QueryCapsuleCapabilities() at runtime. Thus we should
not set the corresponding flags EFI_RT_SUPPORTED_UPDATE_CAPSULE and
EFI_RT_SUPPORTED_QUERY_CAPSULE_CAPABILITIES in RuntimeServicesSupported.
Fixes: 2bc27ca8a0 ("efi_loader: define UpdateCapsule api")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In this commit, a very simple firmware management protocol driver
is implemented. It will take a binary image in a capsule file and
apply the data using dfu backend storage drivers via dfu_write_by_alt()
interface.
So "dfu_alt_info" variable should be properly set to specify a device
and location to be updated. Please read README.dfu.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
In this commit, a very simple firmware management protocol driver
is implemented. It will take a common FIT image firmware in a capsule
file and apply the data using dfu backend storage drivers via
update_fit() interface.
So "dfu_alt_info" variable should be properly set to specify a device
and location to be updated. Please read README.dfu.
Fit image is a common file format for firmware update on U-Boot, and
this protocol works neatly just as a wrapper for one.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
A capsule tagged with the guid, EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID,
is handled as a firmware update object.
What efi_update_capsule() basically does is to load any firmware management
protocol (or fmp) drivers contained in a capsule, find out an appropriate
fmp driver and then invoke its set_image() interface against each binary
in a capsule.
In this commit, however, loading drivers is not supported.
The result of applying a capsule is set to be stored in "CapsuleXXXX"
variable, but its implementation is deferred to a fmp driver.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Capsule data can be loaded into the system either via UpdateCapsule
runtime service or files on a file system (of boot device).
The latter case is called "capsules on disk", and actual updates will
take place at the next boot time.
In this commit, we will support capsule on disk mechanism.
Please note that U-Boot itself has no notion of "boot device" and
all the capsule files to be executed will be detected only if they
are located in a specific directory, \EFI\UpdateCapsule, on a device
that is identified as a boot device by "BootXXXX" variables.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
In this commit, skeleton functions for capsule-related API's are
added under CONFIG_EFI_UPDATE_CAPSULE configuration.
Detailed implementation for a specific capsule type will be added
in the succeeding patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
In the previous patches we only introduced a minimal subset of the
EFI_TCG2_PROTOCOL protocol implementing GetCapability().
So let's continue adding features to it, introducing the
GetEventLog() and HashLogExtendEvent() functions.
In order to do that we first need to construct the eventlog in memory,
specifically in EFI_BOOT_SERVICES_DATA memory and a configuration table
from EFI_ACPI_MEMORY_NVS.
U-Boot won't currently add any events to the log or measure any
components, but will expose the necessary EFI APIs for applications
to do so.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Enable EFI_SET_TIME on the sandbox and QEMU ARM to ensure that we compile
and test the relevant code.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If GetNextVariableName() is called with a non-existing combination of
VariableName and VendorGuid, return EFI_INVALID_PARAMETER.
If GetNextVariableName() is called with a string that is not zero
terminated, return EFI_INVALID_PARAMETER.
Reformat a line over 80 characters.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Since U-boot EFI implementation is getting richer it makes sense to
add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
available on the device.
This is the initial implementation of the protocol which only adds
support for GetCapability(). It's limited in the newer and safer
TPMv2 devices.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When copying a string with must allocate a byte for the terminating '\0' in
the target buffer.
Fixes: fbe4c7df00 ("efi_loader: enable file SetInfo()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add missing newline to log messages in efi_rng_register() otherwise
something like below would be shown
Scanning disk virtio-blk#31...
Found 2 disks
Missing RNG device for EFI_RNG_PROTOCOLNo EFI system partition
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When calling ExitBootServices during out unit tests we should not detach
devices as we need console output for runtime tests.
Fixes: 529441ca89 ("efi_loader: Disable devices before handing over control")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When deleting a non-volatile variable it was deleted from memory but the
deletion was not persisted to the file system.
SetVariable() may be called with attributes == 0 to delete a variable. To
determine if the deletion shall be persisted we have to consider the
non-volatile flag in the attributes of the deleted variable and not the
value passed in the call parameter.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This function will be used from several places in UEFI subsystem
to generate some specific form of utf-16 variable name.
For example, L"Capsule0001"
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Move function to separate module.
Use char * as argument instead of u16 *.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If this option, CONFIG_EFI_SETUP_EARLY, is enabled, the initialisation
of UEFI subsystem will be done as part of U-Boot initialisation.
Please note that this option won't be enabled explicitly by users,
instead, should be enabled implicitly by other configuration options.
Specifically, this feature will be utilised in implementing capsule-on-disk
feature.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If ChildHandle indicates the sole child of the driver, disconnect the
driver.
This fixes the test results for UEFI SCT 2.6 A
sub-tests 5.1.3.12.43, 5.1.3.12.44, 5.1.3.12.45.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Adjust the SetTime() and GetTime() runtime services to correctly convert
the daylight saving time information when communicating with the RTC.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
U-Boot Driver Model is supposed to remove devices with either
DM_REMOVE_ACTIVE_DMA or DM_REMOVE_OS_PREPARE flags set, before exiting.
Our bootm command does that by explicitly calling calling
"dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL);" and we also disable any
USB devices.
The EFI equivalent is doing none of those at the moment. As a result
probing an fTPM driver now renders it unusable in Linux. During our
(*probe) callback we open a session with OP-TEE, which is supposed to
close with our (*remove) callback. Since the (*remove) is never called,
once we boot into Linux and try to probe the device again we are getting
a busy error response. Moreover all uclass (*preremove) functions won't
run.
So let's fix this by mimicking what bootm does and disconnect devices
when efi_exit_boot_services() is called.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Order header files according to https://www.denx.de/wiki/U-Boot/CodingStyle
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The sandbox is built with the SDL2 library with invokes the X11 library
which in turn calls getc(). But getc() in glibc is defined as
int getc(FILE *)
This does not match our definition.
int getc(void)
The sandbox crashes when called with parameter -l.
Rename our library symbol getc() to getchar().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
With DM enabled the ethernet code will receive a packet, call
the push method that's set by the EFI network implementation
and then free the packet. Unfortunately the push methods only
sets a flag that the packet needs to be handled, but the code
that provides the packet to an EFI application runs after the
packet has already been freed.
To rectify this issue, adjust the push method to accept the packet
and store it in a temporary buffer. The EFI application then gets
the data copied from that buffer. This way the packet is cached
until is is needed.
The DM Ethernet stack tries to receive 32 packets at once, thus
we better allocate as many buffers as the stack.
Signed-off-by: Patrick Wildt <patrick@blueri.se>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>