Commit graph

1147 commits

Author SHA1 Message Date
Heinrich Schuchardt
9c081a7eab efi_loader: limit output length for VenHw, VenMedia
VenHw and VenMedia device path nodes may carry vendor defined data of
arbitrary length. When converting a device path node to text ensure that we
do not overrun our internal buffer.

In our implementation of
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL.ConvertDevicePathToText() we could first
determine the output length and then allocate buffers but that would nearly
double the code size. Therefore keep the preallocated buffers and truncate
excessive device paths instead.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-26 16:17:43 +01:00
Heinrich Schuchardt
992b1731e6 efi_loader: ACPI tables must be in EfiACPIReclaimMemory
The UEFI spec does not allow ACPI tables to be in runtime services memory.
It recommends EfiACPIReclaimMemory.

Remove a superfluous check that the allocated pages are 16 byte aligned.
EFI pages are 4 KiB aligned.

Fixes: 86df34d42b ("efi_loader: Install ACPI configuration tables")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-26 16:17:43 +01:00
Heinrich Schuchardt
bd3d75bb0c efi_loader: multi part device paths to text
Our current implementation of
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL.ConvertDevicePathToText() truncates multi
part device paths after the first part. We should convert all parts.

Render device path instance ends as commas. This is not explicitly
described in the UEFI spec but mimics what EDK II does.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-02-21 09:21:35 +01:00
Jesper Schmitz Mouridsen
e67beffee0 Allow last block to be read
The last block is of size media->block_size

Signed-off-by: Jesper Schmitz Mouridsen <jesper@schmitz.computer>

Simplify expression.
Apply same change to efi_disk_write_blocks().

Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-21 09:21:35 +01:00
Tom Rini
2ae80437fb Merge branch '2021-02-02-drop-asm_global_data-when-unused'
- Merge the patch to take <asm/global_data.h> out of <common.h>
2021-02-15 10:16:45 -05:00
Heinrich Schuchardt
15bbcafab1 efi_loader: fix get_last_capsule()
fix get_last_capsule() leads to writes beyond the stack allocated buffer.
This was indicated when enabling the stack protector.

utf16_utf8_strcpy() only stops copying when reaching '\0'. The current
invocation always writes beyond the end of value[].

The output length of utf16_utf8_strcpy() may be longer than the number of
UTF-16 tokens. E.g has "CapsuleКиев" has 11 UTF-16 tokens but 15 UTF-8
tokens. Hence, using utf16_utf8_strcpy() without checking the input may
lead to further writes beyond value[].

The current invocation of strict_strtoul() reads beyond the end of value[].

A non-hexadecimal value after "Capsule" (e.g. "CapsuleZZZZ") must result in
an error. We cat catch this by checking the return value of strict_strtoul().

A value that is too short after "Capsule" (e.g. "Capsule0") must result in
an error. We must check the string length of value[].

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-14 10:34:15 +01:00
Heinrich Schuchardt
841f7a4ebb efi_loader: '.' and '..' are directories
'.' and '..' are directories. So when looking for capsule files it is
sufficient to check that the attribute EFI_FILE_DIRECTORY is not set. We
don't have to check for these special names.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-14 10:34:15 +01:00
Asherah Connor
9d30a941cc efi_loader: don't load beyond VirtualSize
PE section table entries' SizeOfRawData must be a multiple of
FileAlignment, and thus may be rounded up and larger than their
VirtualSize.

We should not load beyond the VirtualSize, which is "the total size of
the section when loaded into memory" -- we may clobber real data at the
target in some other section, since we load sections in reverse order
and sections are usually laid out sequentially.

Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-14 10:34:15 +01:00
Heinrich Schuchardt
02fc018a35 efi_loader: VenMedia device path node
The Load File2 protocol exposes a device path with a VenMedia() node. Hence
our implementation of the device path to text protocol should support this
node.

Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-04 20:12:41 +01:00
Heinrich Schuchardt
b9b0ea30c7 efi_loader: install UEFI System Partition GUID
On the handle for the UEFI System Partition we must install the System
Partition GUID (with a NULL interface).

Let the efidebug command display the GUID.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-04 20:09:02 +01:00
Heinrich Schuchardt
1bc9fc3483 efi_loader: only check size if EFI_DT_APPLY_FIXUPS
In the implementation of the EFI_DT_FIXUP_PROTOCOL:

* Only check the buffer size when EFI_DT_APPLY_FIXUPS is set.
* In this case the field totalsize of the device-tree may not exceed the
  buffer size.
* Install device-tree only if EFI_DT_INSTALL_TABLE is set.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-04 20:09:02 +01:00
Simon Glass
401d1c4f5d common: Drop asm/global_data.h from common header
Move this out of the common header and include it only where needed.  In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly.   Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.

Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
2021-02-02 15:33:42 -05:00
Heinrich Schuchardt
82d01f04fa efi_loader: switch to non-secure mode later
Some ARMv7 boards using PSCI require to be in secure-mode when booted via
'bootz' or 'bootm'. During distro-boot 'bootefi bootmgr' is called to check
if booting via UEFI is possible.

With the change we change the switch from secure mode to non-secure mode is
moved from the UEFI subsystem setup to just before calling StartImage().

Cc: Jernej Škrabec <jernej.skrabec@gmail.com>
Reported by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-29 20:22:40 +01:00
Heinrich Schuchardt
688e88256f efi_loader: correct block IO alignment check
If the field Media->IoAlign of the EFI block IO protocol is zero, no
alignment is required. Our code required 4 GiB alignment in this case.

Don't check buffer alignment if Media->IoAlign == 0.

Fixes: f59f0825e8 ("efi_loader: parameter checks BLOCK_IO_PROTOCOL")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-29 20:22:40 +01:00
Heinrich Schuchardt
8d0949b3ed efi_loader: correct EFI_BLOCK_IO_PROTOCOL.Media.LastBlock
The field Media.LastBlock of the EFI_BLOCK_IO_PROTOCOL.Media was filled
incorrectly both for block devices as well as for partitions.

The field must be filled with the index of the last logical block (LBA):

* block devices: device size minus 1
* partitions: partition size minus 1

Reported-by: Alexander von Gluck IV <kallisti5@unixzen.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-23 07:56:54 +01:00
Heinrich Schuchardt
2cfb68fd83 efi_loader: notification with TPL_APPLICATION not allowed
The UEFI specification requires event notification levels to be
> TPL_APPLICATION and <= TPL_HIGH_LEVEL.

With the patch the CreateEvent() and CreatedEventEx() services are changed
to check that the notification level is not TPL_APPLICATION.

Reference:
UEFI Specification 2.8 Errata B, table 27 "TPL Restrictions",
"Event Notification Levels"

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-23 07:56:54 +01:00
AKASHI Takahiro
8f1844c333 efi_loader: capsule: fix SIZEOF_MISMATCH warning
CID 316361 says:
> Passing argument "count * 8UL /* sizeof (*files) */" to
> function "dlmalloc" and then casting the return value to "u16 **" is
> suspicious. In this particular case "sizeof (u16 **)" happens to be equal
> to "sizeof (u16 *)", but this is not a portable assumption.
> > 767         tmp_files = malloc(count * sizeof(*files));

The change in this patch fixes the ambiguity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Fixes: CID 316361
For readability use *tmp_files instead of tmp_files[0]
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-23 07:56:53 +01:00
Heinrich Schuchardt
6e8c28cf52 efi_loader: fix efi_load_image_from_path()
Use the correct GUID when closing the file load protocol.
Remove an unnecessary check (Coverity CID 316363).

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-23 07:56:53 +01:00
Ilias Apalodimas
53e54bf50d efi_loader: Avoid emitting efi_var_buf to .GOT
Atish reports that on RISC-V, accessing the EFI variables causes
a kernel panic. An objdump of the file verifies that, since the
global pointer for efi_var_buf ends up in .GOT section which is
not mapped in virtual address space for Linux.

<snip of efi_var_mem_find>

0000000000000084 <efi_var_mem_find>:
  84:   715d                    addi    sp,sp,-80

* objdump -dr
0000000000000086 <.LCFI2>:
  86:   e0a2                    sd  s0,64(sp)
  88:   fc26                    sd  s1,56(sp)
  8a:   e486                    sd  ra,72(sp)
  8c:   f84a                    sd  s2,48(sp)
  8e:   f44e                    sd  s3,40(sp)
  90:   f052                    sd  s4,32(sp)
  92:   ec56                    sd  s5,24(sp)
  94:   00000497            auipc   s1,0x0
            94: R_RISCV_GOT_HI20    efi_var_buf
  98:   0004b483            ld  s1,0(s1) # 94 <.LCFI2+0xe>
            98: R_RISCV_PCREL_LO12_I    .L0
            98: R_RISCV_RELAX   *ABS*

* objdump -t
0000000000000084 g     F .text.efi_runtime  00000000000000b8 efi_var_mem_find

With the patch applied:

* objdump -dr
0000000000000086 <.LCFI2>:
  86:   e0a2                    sd  s0,64(sp)
  88:   fc26                    sd  s1,56(sp)
  8a:   e486                    sd  ra,72(sp)
  8c:   f84a                    sd  s2,48(sp)
  8e:   f44e                    sd  s3,40(sp)
  90:   f052                    sd  s4,32(sp)
  92:   ec56                    sd  s5,24(sp)
  94:   00000497            auipc   s1,0x0
            94: R_RISCV_PCREL_HI20  .LANCHOR0
            94: R_RISCV_RELAX   *ABS*
  98:   00048493            mv  s1,s1
            98: R_RISCV_PCREL_LO12_I    .L0
            98: R_RISCV_RELAX   *ABS*

* objdump -t
0000000000000008 l     O .data.efi_runtime  0000000000000008 efi_var_buf

On arm64 this works, because there's no .GOT entries for this
and everything is converted to relative references.

* objdump -dr (identical pre-post patch, only the new function shows up)
00000000000000b4 <efi_var_mem_find>:
  b4:   aa0003ee    mov x14, x0
  b8:   9000000a    adrp    x10, 0 <efi_var_mem_compare>
            b8: R_AARCH64_ADR_PREL_PG_HI21  .data.efi_runtime
  bc:   91000140    add x0, x10, #0x0
            bc: R_AARCH64_ADD_ABS_LO12_NC   .data.efi_runtime
  c0:   aa0103ed    mov x13, x1
  c4:   79400021    ldrh    w1, [x1]
  c8:   aa0203eb    mov x11, x2
  cc:   f9400400    ldr x0, [x0, #8]
  d0:   b940100c    ldr w12, [x0, #16]
  d4:   8b0c000c    add x12, x0, x12

So let's switch efi_var_buf to static and create a helper function for
anyone that needs to update it.

Fixes: e01aed47d6 ("efi_loader: Enable run-time variable support for tee based variables")
Reported-by: Atish Patra <atishp@atishpatra.org>
Tested-by: Atish Patra <atish.patra@wdc.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-20 08:17:17 +01:00
Heinrich Schuchardt
19ea5e66de efi_loader: remove EFI_UNICODE_COLLATION_PROTOCOL
In EFI 1.10 a version of the Unicode collation protocol using ISO 639-2
language codes existed. This protocol is not part of the UEFI specification
any longer. It was however required to run the UEFI Self Certification Test
(SCT) II, version 2.6, 2017. So we implemented it for the sole purpose of
running the SCT.

As the SCT does not need the protocol anymore it is time for removal.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-20 08:17:17 +01:00
Heinrich Schuchardt
59593a52a3 efi_loader: EFI_DEVICE_PATH_UTILITIES_PROTOCOL configurable
Allow the EFI_DEVICE_PATH_UTILITIES_PROTOCOL to be disabled via
configuration.

On systems that are very tight on U-Boot image size we may want to disable
the protocol. As it is required to run the UEFI Shell enable it by default.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-20 08:17:17 +01:00
Heinrich Schuchardt
4cb07d8d93 efi_loader: make EFI_DT_FIXUP_PROTOCOL configurable
Allow EFI_DT_FIXUP_PROTOCOL to be disabled via configuration.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-20 08:17:17 +01:00
Heinrich Schuchardt
535c473e10 efi_loader: fixup protocol, avoid forward declaration
Avoid a forward declaration.

Add a missing function description.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-20 08:17:17 +01:00
Heinrich Schuchardt
ff2f532fad efi_loader: make the UEFI boot manager configurable
Some boards are very tight on the binary size. Booting via UEFI is possible
without using the boot manager.

Provide a configuration option to make the boot manager available.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-20 08:09:34 +01:00
Heinrich Schuchardt
2363effb7a efi_loader: move load options to new module
Move all load options related functions to a new module. So that they can
be compiled independently.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-19 18:56:08 +01:00
Heinrich Schuchardt
94686f60a2 efi_loader: implement EFI_DT_FIXUP_PROTOCOL
A boot manager like GRUB can use the protocol to

* apply U-Boot's fix-ups to the a device-tree
* let U-Boot make memory reservations according to the device-tree
* install the device-tree as a configuration table

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-13 02:38:01 +01:00
Heinrich Schuchardt
db0f298416 efi_loader: remove outdated TODO in efi_memory.c
In efi_mem_sort() adjacent memory regions of same type are coalesced.
Remove the remark "Merging of adjacent free regions is missing".

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-13 02:38:01 +01:00
Heinrich Schuchardt
7913c7dc57 efi_loader: typedef efi_string_t text output protocol
We do not want to use typedefs in U-Boot.

Do not use efi_string_t in the EFI_TEXT_OUTPUT_PROTOCOL.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-13 02:38:01 +01:00
Heinrich Schuchardt
5dad05a0e6 efi_loader: carve out efi_check_pe()
Carve out a function to check that a buffer contains a PE-COFF image.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-13 02:38:00 +01:00
Heinrich Schuchardt
dd860b90ff efi_loader: print boot device and file path in helloworld
Let helloworld.efi print the device path of the boot device and the file
path as provided by the loaded image protocol.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-13 02:38:00 +01:00
Heinrich Schuchardt
db12f518ed efi_loader: implement non-blocking file services
Implement services OpenEx(), ReadEx(), WriteEx(), FlushEx() of the
EFI_FILE_PROTOCOL.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-13 02:38:00 +01:00
Simon Glass
0fd3d91152 dm: Use access methods for dev/uclass private data
Most drivers use these access methods but a few do not. Update them.

In some cases the access is not permitted, so mark those with a FIXME tag
for the maintainer to check.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Pratyush Yadav <p.yadav@ti.com>
2021-01-05 12:24:40 -07:00
Sughosh Ganu
88a2ef2720 efi_loader: Enable uefi capsule authentication
Add support for enabling uefi capsule authentication. This feature is
enabled by setting the environment variable
"capsule_authentication_enabled".

The following configs are needed for enabling uefi capsule update and
capsule authentication features on the platform.

CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2020-12-31 14:41:31 +01:00
Sughosh Ganu
04be98bd6b efi: capsule: Add support for uefi capsule authentication
Add support for authenticating uefi capsules. Most of the signature
verification functionality is shared with the uefi secure boot
feature.

The root certificate containing the public key used for the signature
verification is stored as part of the device tree blob. The root
certificate is stored as an efi signature list(esl) file -- this file
contains the x509 certificate which is the root certificate.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2020-12-31 14:41:31 +01:00
Sughosh Ganu
b4f20a5d83 efi_loader: Re-factor code to build the signature store from efi signature list
The efi_sigstore_parse_sigdb function reads the uefi authenticated
variable, stored in the signature database format and builds the
signature store structure. Factor out the code for building
the signature store. This can then be used by the capsule
authentication routine to build the signature store even when the
signature database is not stored as an uefi authenticated variable

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2020-12-31 14:41:31 +01:00
Sughosh Ganu
201b8068f3 efi_loader: Make the pkcs7 header parsing function an extern
The pkcs7 header parsing functionality is pretty generic, and can be
used by other features like capsule authentication. Make the function
an extern, also changing it's name to efi_parse_pkcs7_header

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2020-12-31 14:41:31 +01:00
Sughosh Ganu
675b62e12f efi_loader: Add logic to parse EDKII specific fmp payload header
When building the capsule using scripts in edk2, a fmp header is
added on top of the binary payload. Add logic to detect presence of
the header. When present, the pointer to the image needs to be
adjusted as per the size of the header to point to the actual binary
payload.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2020-12-31 14:41:31 +01:00
Heinrich Schuchardt
b7d186f071 efi_loader: event queueing
When a new event is queued we have to process the event queue by calling
efi_process_event_queue(). But there is not reason to call the function
when the event is not queueable.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:32 +01:00
Ilias Apalodimas
fe179d7fb5 efi_loader: Add size checks to efi_create_indexed_name()
Although the function description states the caller must provide a
sufficient buffer, it's better to have in function checks that the
destination buffer can hold the intended value.

So let's add an extra argument with the buffer size and check that
before doing any copying.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:23 +01:00
Ilias Apalodimas
47d2b3b9c9 efi_loader: Remove unconditional installation of file2 protocol for initrd
Up to now we install the EFI_LOAD_FILE2_PROTOCOL to load an initrd
unconditionally. Although we correctly return various EFI exit codes
depending on the file status (i.e EFI_NO_MEDIA, EFI_NOT_FOUND etc), the
kernel loader only falls back to the cmdline interpreted initrd if the
protocol is not installed.

This creates a problem for EFI installers, since they won't be able to
load their own initrd and start the installation.

A following patch introduces a different logic where we search for an
initrd path defined in an EFI variable named 'Initrd####'.
If the bootmgr is used to launch the EFI payload, we'll will try to match
the BootCurrent value and find the corresponding initrd
(i.e Boot0000 -> Initrd0000 etc). If the file is found, we'll install
the required protocol which the kernel's efi-stub can use and load our
initrd.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:22 +01:00
Ilias Apalodimas
0c44452832 efi_loader: Remove unused headers from efi_load_initrd.c
dm.h and env.h serve no purpose here. Remove them and sort the
remaining in alphabetical order.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:22 +01:00
Heinrich Schuchardt
f8212f0970 efi_loader: use after free in efi_exit()
Do not use data from the loaded image object after deleting it.

Fixes: 126a43f15b ("efi_loader: unload applications upon Exit()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:07 +01:00
Heinrich Schuchardt
2a0f80f058 efi_loader: efi_signal_event() fix comment typos
Add missing commas.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:07 +01:00
Heinrich Schuchardt
2a68cd492e efi_loader: avoid invalid free
load_options passed from do_efibootmgr() to do_bootefi_exec() may contain
invalid data from the stack which will lead to an invalid free().

Fixes: 0ad64007fe ("efi_loader: set load options in boot manager")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:07 +01:00
Heinrich Schuchardt
97d36f069d efi_loader: escape key handling
Up to now the escape key was not correctly detected in UEFI applications.
We had to hit it twice for a single escape to be recognized.

Use a 10 ms delay to detect if we are dealing with the escape key or an
escape sequence.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:07 +01:00
Heinrich Schuchardt
db6288de85 efi_loader: missing parentheses after if
IS_ENABLED() contains parentheses. But we should still put extra
parentheses around it in an if statement for readability.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:33:07 +01:00
Ilias Apalodimas
ffa375e6e5 efi_loader: Extra checks while opening an OPTEE session
When opening an OP-TEE session we need to check the internal return
value of OP-TEE call arguments as well the return code of the
function itself.
The code was also ignoring to close the OP-TEE session in case the
shared memory registration failed.

Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-31 14:27:56 +01:00
Heinrich Schuchardt
c0c21d67f0 efi_loader: make variable store size customizable
Currently the size of the buffer to keep UEFI variables in memory is fixed
at 16384 bytes. This size has proven to be too small for some use cases.

Make the size of the memory buffer for UEFI variables customizable.

Reported-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-12-31 14:27:41 +01:00
Heinrich Schuchardt
9c54729c77 sandbox: implement runtime system reset
Implement a reset function that we can call after ExitBootServices(),
when all driver model devices are gone.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-22 20:39:25 -07:00
Simon Glass
8b85dfc675 dm: Avoid accessing seq directly
At present various drivers etc. access the device's 'seq' member directly.
This makes it harder to change the meaning of that member. Change access
to go through a function instead.

The drivers/i2c/lpc32xx_i2c.c file is left unchanged for now.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-18 20:32:21 -07:00
Simon Glass
caa4daa2ae dm: treewide: Rename 'platdata' variables to just 'plat'
We use 'priv' for private data but often use 'platdata' for platform data.
We can't really use 'pdata' since that is ambiguous (it could mean private
or platform data).

Rename some of the latter variables to end with 'plat' for consistency.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 16:51:08 -07:00
Heinrich Schuchardt
264485131c efi_loader: link partition to block device
We provide a UEFI driver for block devices. When ConnectController() is
called for a handle with the EFI_BLOCK_IO_PROTOCOL this driver creates the
partitions. When DisconnectController() is called the handles for the
partitions have to be deleted. This requires that the child controllers
(partitions) open the EFI_BLOCK_IO_PROTOCOL of the controller (block IO
device) with attribute EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:33 +01:00
Heinrich Schuchardt
f9ad240e65 efi_loader: make efi_protocol_open() non-static
Provide efi_protocol_open() as library function.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:33 +01:00
Heinrich Schuchardt
3da0b28582 efi_loader: support EFI_LOAD_FILE_PROTOCOL
Support loading images via the EFI_LOAD_FILE_PROTOCOL and
EFI_LOAD_FILE2_PROTOCOL.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
0e074d1239 efi_loader: carve out efi_load_image_from_file()
efi_load_image_from_file() should read via either of:

* EFI_SIMPLE_FILE_SYSTEM_PROTOCOL
* EFI_LOAD_FILE_PROTOCOL
* EFI_LOAD_FILE2_PROTOCOL

To make the code readable carve out a function to load the image via the
file system protocol.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
c06c55b1f5 efi_loader: pass boot_policy to efi_load_image_from_path
Implementing support for loading images via the EFI_LOAD_FILE_PROTOCOL
requires the boot policy as input for efi_load_image_from_path().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
b6f11098c9 efi_loader: move EFI_LOAD_FILE2_PROTOCOL_GUID
The EFI_LOAD_FILE_PROTOCOL_GUID and EFI_LOAD_FILE2_PROTOCOL_GUID are needed
to complement the implementation of the LoadFile() boot service.

Remove a duplicate declaration of a variable for the
EFI_LOAD_FILE2_PROTOCOL_GUID.
Move the remaining declaration to efi_boottime.c.
Add a variable for the EFI_LOAD_FILE_PROTOCOL_GUID.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
0e9d2d7bc2 efi_loader: resequence functions in efi_boottime.c
For implementing support for the EFI_LOAD_FILE_PROTOCOL in the LoadImage()
service we will have to call the LocateDevicePath() service. To avoid a
forward declaration resequence the functions.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
861072b2a8 efi_loader: remove EFI_HII_CONFIG_ROUTING_PROTOCOL
Our implementation of the EFI_HII_CONFIG_ROUTING_PROTOCOL is a mere stub,
where all services return an error code. The protocol is neither needed for
the EFI shell nor for the UEFI SCT. To reduce the code size remove it from
the U-Boot binary.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
470fa190f3 efi_loader: don't set EFI_RT_SUPPORTED_UPDATE_CAPSULE
The EFI_RT_PROPERTIES_TABLE configuration table indicates which runtime
services are available at runtime.

Even if CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y, we neither support
UpdateCapsule() nor QueryCapsuleCapabilities() at runtime. Thus we should
not set the corresponding flags EFI_RT_SUPPORTED_UPDATE_CAPSULE and
EFI_RT_SUPPORTED_QUERY_CAPSULE_CAPABILITIES in RuntimeServicesSupported.

Fixes: 2bc27ca8a0 ("efi_loader: define UpdateCapsule api")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
AKASHI Takahiro
bb7e71d33c efi_loader: add firmware management protocol for raw image
In this commit, a very simple firmware management protocol driver
is implemented. It will take a binary image in a capsule file and
apply the data using dfu backend storage drivers via dfu_write_by_alt()
interface.

So "dfu_alt_info" variable should be properly set to specify a device
and location to be updated. Please read README.dfu.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03 21:22:50 +01:00
AKASHI Takahiro
f27c201485 efi_loader: add firmware management protocol for FIT image
In this commit, a very simple firmware management protocol driver
is implemented. It will take a common FIT image firmware in a capsule
file and apply the data using dfu backend storage drivers via
update_fit() interface.

So "dfu_alt_info" variable should be properly set to specify a device
and location to be updated. Please read README.dfu.

Fit image is a common file format for firmware update on U-Boot, and
this protocol works neatly just as a wrapper for one.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03 21:22:50 +01:00
AKASHI Takahiro
8d99026f06 efi_loader: capsule: support firmware update
A capsule tagged with the guid, EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID,
is handled as a firmware update object.
What efi_update_capsule() basically does is to load any firmware management
protocol (or fmp) drivers contained in a capsule, find out an appropriate
fmp driver and then invoke its set_image() interface against each binary
in a capsule.
In this commit, however, loading drivers is not supported.

The result of applying a capsule is set to be stored in "CapsuleXXXX"
variable, but its implementation is deferred to a fmp driver.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03 21:22:50 +01:00
AKASHI Takahiro
c74cd8bd08 efi_loader: capsule: add capsule_on_disk support
Capsule data can be loaded into the system either via UpdateCapsule
runtime service or files on a file system (of boot device).
The latter case is called "capsules on disk", and actual updates will
take place at the next boot time.

In this commit, we will support capsule on disk mechanism.

Please note that U-Boot itself has no notion of "boot device" and
all the capsule files to be executed will be detected only if they
are located in a specific directory, \EFI\UpdateCapsule, on a device
that is identified as a boot device by "BootXXXX" variables.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03 21:22:49 +01:00
AKASHI Takahiro
2bc27ca8a0 efi_loader: define UpdateCapsule api
In this commit, skeleton functions for capsule-related API's are
added under CONFIG_EFI_UPDATE_CAPSULE configuration.
Detailed implementation for a specific capsule type will be added
in the succeeding patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03 21:22:49 +01:00
Ilias Apalodimas
c8d0fd5825 efi_loader: Introduce eventlog support for TCG2_PROTOCOL
In the previous patches we only introduced a minimal subset of the
EFI_TCG2_PROTOCOL protocol implementing GetCapability().
So let's continue adding features to it, introducing the
GetEventLog() and HashLogExtendEvent() functions.

In order to do that we first need to construct the eventlog in memory,
specifically in EFI_BOOT_SERVICES_DATA memory and a configuration table
from EFI_ACPI_MEMORY_NVS.
U-Boot won't currently add any events to the log or measure any
components, but will expose the necessary EFI APIs for applications
to do so.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-12-03 21:22:40 +01:00
Heinrich Schuchardt
31cadc3635 efi_loader: enable EFI_SET_TIME on sandbox and QEMU ARM
Enable EFI_SET_TIME on the sandbox and QEMU ARM to ensure that we compile
and test the relevant code.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-11-29 05:18:37 +01:00
Heinrich Schuchardt
7e5875a856 efi_loader: parameter check in GetNextVariableName()
If GetNextVariableName() is called with a non-existing combination of
VariableName and VendorGuid, return EFI_INVALID_PARAMETER.

If GetNextVariableName() is called with a string that is not zero
terminated, return EFI_INVALID_PARAMETER.

Reformat a line over 80 characters.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-11-21 07:26:16 +01:00
Ilias Apalodimas
9aeb380277 efi_loader: tcg2 protocol updates
On pull reuqest
https://lists.denx.de/pipermail/u-boot/2020-November/432735.html
V4 of the patchset was sent instead of the v5.
This is the v4->v5 missing diff

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-11-21 07:26:16 +01:00
Ilias Apalodimas
c1c021052c efi_loader: Add basic EFI_TCG2_PROTOCOL support
Since U-boot EFI implementation is getting richer it makes sense to
add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
available on the device.

This is the initial implementation of the protocol which only adds
support for GetCapability(). It's limited in the newer and safer
TPMv2 devices.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-11-14 05:05:46 +01:00
Heinrich Schuchardt
792aee1150 efi_loader: incorrect buffer size in efi_file_setinfo()
When copying a string with must allocate a byte for the terminating '\0' in
the target buffer.

Fixes: fbe4c7df00 ("efi_loader: enable file SetInfo()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-11-14 05:05:46 +01:00
Paulo Alcantara
337c97d935 efi_loader: Add missing newline to log_{err,warning}
Add missing newline to log messages in efi_rng_register() otherwise
something like below would be shown

	Scanning disk virtio-blk#31...
	Found 2 disks
	Missing RNG device for EFI_RNG_PROTOCOLNo EFI system partition

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-11-14 05:05:46 +01:00
Heinrich Schuchardt
fccd3d9c42 efi_selftest: keep devices in ExitBootServices()
When calling ExitBootServices during out unit tests we should not detach
devices as we need console output for runtime tests.

Fixes: 529441ca89 ("efi_loader: Disable devices before handing over control")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-11-14 05:05:46 +01:00
Heinrich Schuchardt
ab02c3fec4 efi_loader: non-volatile variable not deleted from file
When deleting a non-volatile variable it was deleted from memory but the
deletion was not persisted to the file system.

SetVariable() may be called with attributes == 0 to delete a variable. To
determine if the deletion shall be persisted we have to consider the
non-volatile flag in the attributes of the deleted variable and not the
value passed in the call parameter.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-11-09 17:28:17 +01:00
AKASHI Takahiro
077153e085 efi_loader: add efi_create_indexed_name()
This function will be used from several places in UEFI subsystem
to generate some specific form of utf-16 variable name.
For example, L"Capsule0001"

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Move function to separate module.
Use char * as argument instead of u16 *.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-30 14:27:43 +01:00
AKASHI Takahiro
c57c943954 efi_loader: add option to initialise EFI subsystem early
If this option, CONFIG_EFI_SETUP_EARLY, is enabled, the initialisation
of UEFI subsystem will be done as part of U-Boot initialisation.

Please note that this option won't be enabled explicitly by users,
instead, should be enabled implicitly by other configuration options.

Specifically, this feature will be utilised in implementing capsule-on-disk
feature.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-30 14:20:27 +01:00
Heinrich Schuchardt
314bed6c85 efi_loader: fix DisconnectController() for sole child
If ChildHandle indicates the sole child of the driver, disconnect the
driver.

This fixes the test results for UEFI SCT 2.6 A
sub-tests 5.1.3.12.43, 5.1.3.12.44, 5.1.3.12.45.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-30 14:20:26 +01:00
Heinrich Schuchardt
0eae552d18 efi_loader: daylight saving time
Adjust the SetTime() and GetTime() runtime services to correctly convert
the daylight saving time information when communicating with the RTC.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-27 21:13:16 +01:00
Ilias Apalodimas
529441ca89 efi_loader: Disable devices before handing over control
U-Boot Driver Model is supposed to remove devices with either
DM_REMOVE_ACTIVE_DMA or DM_REMOVE_OS_PREPARE flags set, before exiting.
Our bootm command does that by explicitly calling calling
"dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL);" and we also disable any
USB devices.

The EFI equivalent is doing none of those at the moment. As a result
probing an fTPM driver now renders it unusable in Linux. During our
(*probe) callback we open a session with OP-TEE, which is supposed to
close with our (*remove) callback. Since the (*remove) is never called,
once we boot into Linux and try to probe the device again we are getting
a busy error response. Moreover all uclass (*preremove) functions won't
run.

So let's fix this by mimicking what bootm does and disconnect devices
when efi_exit_boot_services() is called.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-27 21:13:16 +01:00
Ilias Apalodimas
19763ea0d2 efi_loader: Sort header file ordering
Order header files according to https://www.denx.de/wiki/U-Boot/CodingStyle

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-27 21:13:15 +01:00
Heinrich Schuchardt
c670aeee3d common: rename getc() to getchar()
The sandbox is built with the SDL2 library with invokes the X11 library
which in turn calls getc(). But getc() in glibc is defined as

    int getc(FILE *)

This does not match our definition.

    int getc(void)

The sandbox crashes when called with parameter -l.

Rename our library symbol getc() to getchar().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-10-22 09:54:53 -04:00
Patrick Wildt
42f804fbba efi_loader: fix use after free in receive path
With DM enabled the ethernet code will receive a packet, call
the push method that's set by the EFI network implementation
and then free the packet.  Unfortunately the push methods only
sets a flag that the packet needs to be handled, but the code
that provides the packet to an EFI application runs after the
packet has already been freed.

To rectify this issue, adjust the push method to accept the packet
and store it in a temporary buffer.  The EFI application then gets
the data copied from that buffer.  This way the packet is cached
until is is needed.

The DM Ethernet stack tries to receive 32 packets at once, thus
we better allocate as many buffers as the stack.

Signed-off-by: Patrick Wildt <patrick@blueri.se>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-19 22:59:53 +02:00
Heinrich Schuchardt
4b71f6dc4e efi_loader: QEMU CONFIG_EFI_GRUB_ARM32_WORKAROUND=n
CONFIG_EFI_GRUB_ARM32 is only needed for architectures with caches that are
not managed via CP15 (or for some outdated buggy versions of GRUB). It
makes more sense to disable the setting per architecture than per defconfig.

Move QEMU's CONFIG_EFI_GRUB_ARM32_WORKAROUND=n from defconfig to Kconfig.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-10-06 07:43:56 +02:00
Heinrich Schuchardt
e2aff337ed efi_loader: illegal free in EFI_LOAD_FILE2_PROTOCOL
strsep() changes the address that its first argument points to.
We cannot use the changed address as argument of free().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-10-06 07:43:56 +02:00
Heinrich Schuchardt
5cd28e1760 efi_loader: description EFI_LOAD_FILE2_PROTOCOL
U-Boot offers a EFI_LOAD_FILE2_PROTOCOL which the Linux EFI stub can use to
load an initial RAM disk. Update the function comments of the
implementation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-10-06 07:43:56 +02:00
Heinrich Schuchardt
b59c13d42f efi_loader: installation of EFI_RNG_PROTOCOL
Having an EFI_RNG_PROTOCOL without a backing RNG device leads to failure
to boot Linux 5.8.

Only install the EFI_RNG_PROTOCOL if we have a RNG device.

Reported-by: Scott K Logan <logans@cottsay.net>
Cc: Neil Armstrong <narmstrong@baylibre.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-09-27 16:10:45 +02:00
Maxim Uvarov
ffbeafe7e2 efi_memory: refine overlap_only_ram description
Refine text for overlap_only_ram description to
match to what exactly flag does and aling description
with other functions.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-09-18 22:23:58 +02:00
Heinrich Schuchardt
d68d7f47a9 efi_loader: save global data pointer on RISC-V
On RISC-V the global data pointer is stored in register gp. When a UEFI
binary calls the EFI API we have to restore it.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-09-14 23:28:52 +02:00
Heinrich Schuchardt
e5a31376ac efi_loader: efi_var_mem_notify_exit_boot_services
efi_var_mem_notify_exit_boot_services() is invoked when ExitBootServices()
is called by the UEFI payload.

efi_var_mem_notify_exit_boot_services() should not be defined as
__efi_runtime as it is invoking EFI_ENTRY() and EFI_EXIT() which themselves
are not __efi_runtime.

Fixes: f1f990a8c9 ("efi_loader: memory buffer for variables")
Fixes: e01aed47d6 ("efi_loader: Enable run-time variable support for tee based variables")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-09-14 23:28:52 +02:00
Heinrich Schuchardt
578d7cc8fa efi_loader: remove duplicate image size check
The image size is checked in efi_load_pe(). Avoid checking it twice.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-09-06 21:21:41 +02:00
Heinrich Schuchardt
0f7878b853 efi_loader: error message if image not authenticated
Currently if the bootefi command fails due to missing authentication, the
user gets no feedback.

Write a log message 'Image not authenticated' if LoadImage() fails due to
missing authentication.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-09-06 21:21:41 +02:00
Heinrich Schuchardt
24586059d3 efi_loader: log function in image loader
Use log_err() for error messages.
Replace debug() by EFI_PRINT().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-09-06 21:21:41 +02:00
Heinrich Schuchardt
15d8f008dc efi_loader: validate device path length in boot manager
Bootxxxx variables are provided by the user and therefore cannot be
trusted. We have to validate them before usage.

A device path provided by a Bootxxxx variable must have an end node within
the indicated device path length.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-24 16:37:53 +02:00
Heinrich Schuchardt
5cad4a3093 efi_loader: efi_dp_check_length()
We need to check that device paths provided via UEFI variables are not
malformed.

Provide function efi_dp_check_length() to check if a device path has an
end node within a given number of bytes.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-24 16:37:53 +02:00
Heinrich Schuchardt
f03a879d67 efi_loader: ResetSystem() should not hang
If ResetSystem() is not implemented at runtime, it should return instead
of hanging in an endless loop. This allows the operating system to reset
the system by other means as Linux does. It also matches what EDK II
suggests in comments for functions ResetShutdown() and ResetWarm() in
OvmfPkg/Library/ResetSystemLib/ResetSystemLib.c.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-24 16:37:53 +02:00
AKASHI Takahiro
52956e535e efi_loader: signature: correct a behavior against multiple signatures
Under the current implementation, all the signatures, if any, in
a signed image must be verified before loading it.

Meanwhile, UEFI specification v2.8b section 32.5.3.3 says,
    Multiple signatures are allowed to exist in the binary’s certificate
    table (as per PE/COFF Section “Attribute Certificate Table”). Only
    one hash or signature is required to be present in db in order to pass
    validation, so long as neither the SHA-256 hash of the binary nor any
    present signature is reflected in dbx.

This patch makes the semantics of signature verification compliant with
the specification mentioned above.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-14 12:28:25 +02:00
AKASHI Takahiro
f68a6d5835 efi_loader: variable: fix secure state initialization
Under the new file-based variable implementation, the secure state
is always and falsely set to 0 (hence, the secure boot gets disabled)
after the reboot even if PK (and other signature database) has already
been enrolled in the previous boot.

This is because the secure state is set up *before* loading non-volatile
variables' values from saved data.

This patch fixes the order of variable initialization and secure state
initialization.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Fixes: 5f7dcf079d ("efi_loader: UEFI variable persistence")
2020-08-13 22:37:42 +02:00
AKASHI Takahiro
1115edd846 efi_loader: signature: rework for intermediate certificates support
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.

What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.

pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-08-13 22:37:36 +02:00
AKASHI Takahiro
0658bb29b0 efi_loader: variable: keep temporary buffer during the authentication
This is a bug fix; Setting an authenticated variable may fail due to
a memory corruption in the authentication.

A temporary buffer will, if needed, be allocated to parse a variable's
authentication data, and some portion of buffer, specifically signer's
certificates, will be referenced by efi_signature_verify().

So the buffer should be kept valid until the authentication process
is finished.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-13 22:37:36 +02:00
Heinrich Schuchardt
0ad64007fe efi_loader: set load options in boot manager
Up to now we used the value of the bootargs environment variable as load
options in the boot manager. This is not correct. The data has to be taken
from the Boot#### variable.

Let the boot manager copy the optional data of the EFI_LOAD_OPTION as load
options to the loaded image protocol.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08 19:03:24 +02:00
Heinrich Schuchardt
1064d04920 efi_loader: factor out efi_set_load_options()
The bootefi bootmgr command has to set the load options for a loaded image
from the value of BootXXXX variable. If the boot manager is not used, the
value is set from the environment variable bootargs (or efi_selftest).

Factor out a common function efi_set_load_options().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08 19:03:24 +02:00
AKASHI Takahiro
dd92aad81c efi_loader: add copyright notice
Some amount of code was moved/derived from efi_variable.c regarding
UEFI secure boot, in particluar in the commit 012c56ac76 ("efi_loader:
restructure code for TEE variables").
So add the orignal author's copyright notice.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08 19:03:24 +02:00
Heinrich Schuchardt
74b869bae7 efi_loader: use CONFIG_STACK_SIZE in the UEFI sub-system
The Kconfig symbol CONFIG_STACK_SIZE is used both by ARM and Microblaze
with the same meaning. Move it to menu 'General setup' so that we can use
it for all architectures.

Use the value of CONFIG_STACK_SIZE instead of a hard coded 16 MiB value for
reserving memory in the UEFI sub-system.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:58:23 +02:00
Ilias Apalodimas
e01aed47d6 efi_loader: Enable run-time variable support for tee based variables
We recently added functions for storing/restoring variables
from a file to a memory backed buffer marked as __efi_runtime_data
commit f1f990a8c9 ("efi_loader: memory buffer for variables")
commit 5f7dcf079d ("efi_loader: UEFI variable persistence")

Using the same idea we now can support GetVariable() and GetNextVariable()
on the OP-TEE based variables as well.

So let's re-arrange the code a bit and move the commmon code for
accessing variables out of efi_variable.c. Create common functions for
reading variables from memory that both implementations can use on
run-time. Then just use those functions in the run-time variants of the
OP-TEE based EFI variable implementation and initialize the memory
buffer on ExitBootServices()

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:57:41 +02:00
Ilias Apalodimas
db94dfbd52 efi_loader: Trim output buffer size correctly for tee variables
The current code does not trim the output buffer correctly.
In fact it doesn't trim the buffer at all, since it calculates a wrong
value for it, which isn't even applied.
So let's remove the unused temporary size variable and trim the buffer
correctly.
Since we are editing efi_get_next_variable_name_int(), fix an indentation
error along the way.

Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Remove superfluous conversion to (u8 *) for memcpy argument.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:57:41 +02:00
Heinrich Schuchardt
af457cfca9 efi_loader: use logging for block device messages
Use logging instead of printf() for messages occurring when scanning block
devices during the initialization of the UEFI sub-system.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:42 +02:00
Heinrich Schuchardt
e7d64065cb efi_loader: document efi_save_gd(), efi_restore_gd()
Provide function descriptions for efi_save_gd() and efi_restore_gd().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:42 +02:00
Stefan Sørensen
1ef1cf1f93 efi_loader: loosen buffer parameter check in efi_file_read
When reading a directory, EFI_BUFFER_TOO_SMALL should be returned when
the supplied buffer is too small, so a use-case is to call
efi_file_read with *buffer_size=0 and buffer=NULL to obtain the needed
size before doing the actual read.

So move the buffer!=NULL check to after the buffer size has been checked.

This fix allows the Redhat shim fallback to run and e.g. Fedora 32 now
boots out of the box.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Ilias Apalodimas
9b87d4429c efi_loader: Check for the native OP-TEE result on mm_communicate calls
Currently we only check for the return value of tee_invoke_func().
Although OP-TEE and StMM will correctly set param[1].u.value.a and we'll
eventually return an error, the correct thing to do is check for the
OP_TEE return code as well.
So let's check for that and move tee_shm_free() and tee_close_session()
before exiting with an error to make sure we always clear the registered
memory.

Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Use EFI_DEVICE_ERROR for TEE communication problems.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Ilias Apalodimas
5d1f79ba43 efi_loader: Rename and correct values for ARM_SMC_MM_*
Instead of adding the definition for the specific MM SVC used in
StandAloneMM we added the one used in the standard SMC calls.
So change the value from -4 to -5 to match the correct one defined in
EDK2 and rename them to avoid future confusion

Fixes 23a397d2e2: ("efi_loader: Add headers for EDK2 StandAloneMM communication")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Heinrich Schuchardt
ebbad02c1b efi_loader: don't use memmove() in efi_var_mem_del()
efi_var_mem_del() is in __efi_runtime because it would be needed for a
runtime implementation of SetVariable(). memmove() is not in __efi_runtime.
So we should not use it in efi_var_mem_del().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Heinrich Schuchardt
01fa922bbb efi_loader: efi_current_var after SetVirtualAddressMap
Variable efi_current_var is a pointer to a physical memory address that
becomes invalid after SetVirtualAddressMap(). Instead of converting it via
ConvertPointer() simply set it to NULL.

Fixes: b02a707152 ("efi_loader: enable UEFI variables at runtime")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Heinrich Schuchardt
7dda16343d efi_loader: pre-seed UEFI variables
Include a file with the initial values for non-volatile UEFI variables
into the U-Boot binary. If this variable is set, changes to variable PK
will not be allowed.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-16 12:37:02 +02:00
Heinrich Schuchardt
99bfab8b58 efi_loader: identify PK, KEK, db, dbx correctly
To determine if a varible is on the of the authentication variables
PK, KEK, db, dbx we have to check both the name and the GUID.

Provide a function converting the variable-name/guid pair to an enum and
use it consistently.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-16 12:37:02 +02:00
Heinrich Schuchardt
be66b89da3 efi_loader: configuration of variables store
The file based and the OP-TEE based UEFI variable store are mutually
exclusive. Define them as choice options in Kconfig.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-16 12:37:02 +02:00
Heinrich Schuchardt
1a7b0f6e4e efi_loader: update secure state
Update the UEFI secure state when variable 'PK' is updated in the TEE
variables implementation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-07-16 12:37:02 +02:00
Heinrich Schuchardt
012c56ac76 efi_loader: restructure code for TEE variables
When using secure boot functions needed both for file and TEE based UEFI
variables have to be moved to the common code module efi_var_common.c.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-16 12:37:02 +02:00
Ilias Apalodimas
f96744b250 efi_loader: display RO attribute with TEE-backed variables
A previous commit adds support for displaying variables RO flag.
Let's add it on the TEE backed variable storage as well.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-16 12:37:02 +02:00
Heinrich Schuchardt
b02a707152 efi_loader: enable UEFI variables at runtime
Enable UEFI variables at runtime.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
ab7296c99c efi_loader: use memory based variable storage
Saving UEFI variable as encoded U-Boot environment variables does not allow
implement run-time support.

Use a memory buffer for storing UEFI variables.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
f1f990a8c9 efi_loader: memory buffer for variables
Saving UEFI variable as encoded U-Boot environment variables does not allow
support at runtime.

Provide functions to manage a memory buffer with UEFI variables.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
b0dd8cb407 efi_loader: new function efi_memcpy_runtime()
Provide a memcpy() function that we can use at UEFI runtime.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
724d28171e efi_loader: optional pointer for ConvertPointer
If the EFI_OPTIONAL_PTR is set in DebugDisposition, a NULL pointer does not
constitute an invalid parameter.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
a44d2a2399 efi_loader: export efi_convert_pointer()
We need ConvertPointer() to adjust pointers when implementing  runtime
services within U-Boot.

After ExitBootServices() gd is not available anymore. So we should not use
EFI_ENTRY() and EFI_EXIT().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
5f7dcf079d efi_loader: UEFI variable persistence
Persist non-volatile UEFI variables in a file on the EFI system partition.

The file is written whenever a non-volatile UEFI variable is changed after
initialization of the UEFI sub-system.

The file is read during the UEFI sub-system initialization to restore
non-volatile UEFI variables.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
198bf6418e efi_loader: secure boot flag
In audit mode the UEFI variable SecureBoot is set to zero but the
efi_secure_boot flag is set to true.

The efi_secure_boot flag should match the UEFIvariable SecureBoot.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
55a830560e efi_loader: read-only AuditMode and DeployedMode
Set the read only property of the UEFI variables AuditMode and DeployedMode
conforming to the UEFI specification.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
fd7b6730ab efi_loader: value of VendorKeys
According to the UEFI specification the variable VendorKeys is 1 if the
"system is configured to use only vendor-provided keys".

As we do not supply any vendor keys yet the variable VendorKeys must be
zero.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
37fa7cb045 efi_loader: keep attributes in efi_set_variable_int
Do not change the value of parameter attributes in function
efi_set_variable_int(). This allows to use it later.

Do not use variable attr for different purposes but declare separate
variables (attr and old_attr).

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
dda8c7163a efi_loader: simplify boot manager
Simplify the implementation of the UEFI boot manager:

* avoid EFI_CALL for SetVariable() and GetVariable()
* remove unnecessary type conversions

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:17 +02:00
Heinrich Schuchardt
dc90e5c491 efi_loader: OsIndicationsSupported, PlatformLangCodes
UEFI variables OsIndicationsSupported, PlatformLangCodes should be read
only.

Avoid EFI_CALL() for SetVariable().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
Heinrich Schuchardt
01df8cf336 efi_loader: separate UEFI variable API from implemementation
Separate the remaining UEFI variable API functions GetNextVariableName and
QueryVariableInfo() from internal functions implementing them.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
Heinrich Schuchardt
f2d2b3a11c efi_loader: prepare for read only OP-TEE variables
We currently have two implementations of UEFI variables:

* variables provided via an OP-TEE module
* variables stored in the U-Boot environment

Read only variables are up to now only implemented in the U-Boot
environment implementation.

Provide a common interface for both implementations that allows handling
read-only variables.

As variable access is limited to very few source files put variable
related definitions into new include efi_variable.h instead of efi_loader.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
Heinrich Schuchardt
a27c78fddb efi_loader: NULL dereference in efi_convert_pointer
Avoid a possible NULL pointer dereference in efi_convert_pointer().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
Heinrich Schuchardt
1047c6e23c efi_loader: fix efi_get_child_controllers()
Don't call calloc(0, ..).
Consider return value of efi_get_child_controllers().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
Heinrich Schuchardt
39a75f5af1 efi_loader: wrong printf format in efi_image_parse
Commit 1b6c08548c ("efi_loader: image_loader: replace debug to
EFI_PRINT") leads to a build warning on 32bit systems:

lib/efi_loader/efi_image_loader.c: In function ‘efi_image_parse’:
include/efi_loader.h:123:8: warning: format ‘%lu’ expects argument
of type ‘long unsigned int’, but argument 8 has
type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]

Use %zu for printing size_t.

Fixes: 1b6c08548c ("efi_loader: image_loader: replace debug to
EFI_PRINT")

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
Ilias Apalodimas
ecb833a0c6 efi_loader: cleanup for tee backed variables
There's 2 variables in efi_get_next_variable_name() checking the size of
the variable name. Let's get rid of the reduntant definition and
simplitfy the code a bit.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
AKASHI Takahiro
7926dfb579 efi_loader: image_loader: add digest-based verification for signed image
In case that a type of certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of image to be loaded.
If the value matches to a value calculated from a given binary image, it is
granted for loading.

With this patch, common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
extra step for digest check will be added to efi_image_authenticate().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
11bafb2596 efi_loader: image_loader: verification for all signatures should pass
A signed image may have multiple signatures in
  - each WIN_CERTIFICATE in authenticode, and/or
  - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE)

In the initial implementation of efi_image_authenticate(), the criteria
of verification check for multiple signatures case is a bit ambiguous
and it may cause inconsistent result.

With this patch, we will make sure that verification check in
efi_image_authenticate() should pass against all the signatures.
The only exception would be
  - the case where a digest algorithm used in signature is not supported by
    U-Boot, or
  - the case where parsing some portion of authenticode has failed
In those cases, we don't know how the signature be handled and should
just ignore them.

Please note that, due to this change, efi_signature_verify_with_sigdb()'s
function prototype will be modified, taking "dbx" as well as "db"
instead of outputing a "certificate." If "dbx" is null, the behavior would
be the exact same as before.
The function's name will be changed to efi_signature_verify() once
current efi_signature_verify() has gone due to further improvement
in intermediate certificates support.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
1e64d0b5a4 efi_loader: signature: make efi_hash_regions more generic
There are a couple of occurrences of hash calculations in which a new
efi_hash_regions will be commonly used.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
36b2f9da5c efi_loader: signature: fix a size check against revocation list
Since the size check against an entry in efi_search_siglist() is
incorrect, this function will never find out a to-be-matched certificate
and its associated revocation time in the signature list.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
eb537fd7eb efi_loader: image_loader: retrieve authenticode only if it exists
Since the certificate table, which is indexed by
IMAGE_DIRECTORY_ENTRY_SECURITY and contains authenticode in PE image,
doesn't always exist, we should make sure that we will retrieve its pointer
only if it exists.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
1a44b7059c efi_loader: image_loader: add a check against certificate type of authenticode
UEFI specification requires that we shall support three type of
certificates of authenticode in PE image:
  WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID
  WIN_CERT_TYPE_PKCS_SIGNED_DATA
  WIN_CERT_TYPE_EFI_PKCS1_15

As EDK2 does, we will support the first two that are pkcs7 SignedData.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
Heinrich Schuchardt
93f6201af7 efi_loader: imply FAT, FAT_WRITE
The UEFI spec requires support for the FAT file system.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:03:56 +02:00
Heinrich Schuchardt
15b1bf10d1 efi_loader: export initialization state
Export the UEFI sub-system initialization state. This will allow to treat
the setting of UEFI variables during and after initialization differently.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:03:56 +02:00
Heinrich Schuchardt
3a92f85f21 efi_loader: rtc_mktime() called twice
Don't call rtc_mktime() twice with the same argument in
efi_variable_authenticate().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:03:47 +02:00
Heinrich Schuchardt
7a373e5435 efi_loader: use log function in boot manager
When booting via the boot manager use log function for user messages
instead of printf() and debug().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:03:47 +02:00
Heinrich Schuchardt
cb7116030a efi_loader: time based authentication
When overwriting an existing time base authenticated variable we should
compare to the preceding time value and not to the start of the epoch.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:03:41 +02:00
Heinrich Schuchardt
33f183f68b efi_loader: add missing validation of timestamp
The UEFI specification requires that when UEFI variables are set using time
based authentication we have to check that unused fields of the timestamp
are zero

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:03:41 +02:00
Heinrich Schuchardt
28164c925e efi_loader: fix efi_image_region_add()
Use start and end address consistently as half-open interval.
Simplify the code.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:03:24 +02:00
AKASHI Takahiro
1b6c08548c efi_loader: image_loader: replace debug to EFI_PRINT
Just for style consistency, replace all the uses of debug() to
EFI_PRINT() in efi_image_loader.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:00:27 +02:00
AKASHI Takahiro
ce3c3865b0 efi_loader: variable: replace debug to EFI_PRINT
Just for style consistency, replace all the uses of debug() to
EFI_PRINT in efi_variable.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:00:27 +02:00
AKASHI Takahiro
3e9019d481 efi_loader: signature: replace debug to EFI_PRINT
Just for style consistency, replace all the uses of debug to
EFI_PRINT in efi_signature.c

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:00:27 +02:00
AKASHI Takahiro
f7a963c6af efi_loader: change efi objects initialization order
The simplest solution to revert the commit b32ac16f9a ("test/py: fix
test_efi_secboot/conftest.py") is to move efi_console_register()
forward before efi_disk_register().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:00:27 +02:00
Heinrich Schuchardt
e4c1c48eeb efi_loader: fix incorrect use of EFI_EXIT()
efi_get_variable_common() does not use EFI_ENTRY(). So we should not use
EFI_EXIT() either.

Fixes: 767f6eeb01 ("efi_loader: variable: support variable authentication")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-29 11:56:10 +02:00
Heinrich Schuchardt
d80dd9e785 efi_loader: size of secure boot variables
The variables SetupMode, AuditMode, DeployedMode are explicitly defined as
UINT8 in the UEFI specification. The type of SecureBoot is UINT8 in EDK2.

Use variable name secure_boot instead of sec_boot for the value of the
UEFI variable SecureBoot.

Avoid abbreviations in function descriptions.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-24 16:50:15 +02:00
Heinrich Schuchardt
915f15ac57 efi_loader: type of efi_secure_mode
Variable efi_secure_mode is meant to hold a value of enum efi_secure_mode.
So it should not be defined as int but as enum efi_secure_mode.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-24 16:50:15 +02:00
Heinrich Schuchardt
4bb4249b39 efi_loader: printf code in efi_image_parse()
For size_t we have to use %zu for printing not %lu.

Fixes: 4540dabdca ("efi_loader: image_loader: support image
authentication")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-14 21:07:20 +02:00
Heinrich Schuchardt
325567d3c5 efi_loader: comments EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL
Provide missing comments for the functions implementing the
EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-05 04:04:41 +02:00
AKASHI Takahiro
a4292eccfd efi_loader: signature: move efi_guid_cert_type_pkcs7 to efi_signature.c
The global variable, efi_guid_cert_type_pkcs7, will also be used in
efi_image_loader.c in a succeeding patch so as to correctly handle
a signature type of authenticode in signed image.

Meanwhile, it is currently defined in efi_variable.c. Once some secure
storage solution for UEFI variables is introduced, efi_variable.c may
not always be compiled in.

So move the definition to efi_signature.c as a common place.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:19 +02:00
Heinrich Schuchardt
55af40a578 efi_loader: simplify PE consistency check
Knowing that at least one section header follows the optional header we
only need to check for the length of the 64bit header which is longer than
the 32bit header.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:18 +02:00
Heinrich Schuchardt
13f62d9f7e efi_loader: function description cmp_pe_section()
Rework the description of function cmp_pe_section().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:17 +02:00
Heinrich Schuchardt
4afceb4d17 efi_loader: function descriptions efi_image_loader.c
We want to follow the Linux kernel style for function descriptions.

Add missing parentheses after function names.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:17 +02:00
Heinrich Schuchardt
4f7dc5f608 efi_loader: allow compiling with clang
On ARM systems gd is stored in register r9 or x18. When compiling with
clang gd is defined as a macro calling function gd_ptr(). So we can not
make assignments to gd.

In the UEFI sub-system we need to save gd when leaving to UEFI binaries and
have to restore gd when reentering U-Boot.

Define a new function set_gd() for setting gd and use it in the UEFI
sub-system.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Tom Rini <trini@konsulko.com>
2020-06-03 17:19:17 +02:00
Heinrich Schuchardt
0e69bcfb27 efi_loader: validate load option
For passing the optional data of the load option to the loaded imaged
protocol we need its size.

efi_deserialize_load_option() is changed to return the size of the optional
data.

As a by-product we get a partial validation of the load option.
Checking the length of the device path remains to be implemented.

Some Coverity defects identified the load options as user input because
get_unaligned_le32() and get_unaligned_le16() is called. But non of these
Coverity defects can be resolved without marking functions with Coverity
specific tags.

Reported-by: Coverity (CID 303760)
Reported-by: Coverity (CID 303768)
Reported-by: Coverity (CID 303776)
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:17 +02:00
Heinrich Schuchardt
0a87e05dbd efi_loader: check device path is not installed twice
Prior to corrective patches for virtio and SATA devices the same device
path was installed on two different handles. This is not allowable.
With this patch we will throw an error if this condition occurs for
block devices.

Update a comment for the installation of the simple file system
protocol.

Reported-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-21 10:00:17 +02:00
Heinrich Schuchardt
bf3bcef7fb efi_loader: device path for SATA devices
Provide device path nodes for SATA devices.

This avoids creation of two handles with the same device path indicating
our root node.

This is what the device paths for a SATA drive with four partitions could
like:

/VenHw(..)/Sata(0x0,0xffff,0x0)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(1,MBR,0x81ea591f,0x800,0x63ff830)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(2,MBR,0x81ea591f,0x6400800,0x9ff830)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(3,MBR,0x81ea591f,0x6e00800,0x16ef2ab0)
/VenHw(..)/Sata(0x0,0xffff,0x0)/HD(4,MBR,0x81ea591f,0x1dcf3800,0x1dcedab0)

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-21 10:00:17 +02:00
Heinrich Schuchardt
19ecced71c efi_loader: device path for virtio block devices
The UEFI specification does not define a device sub-type for virtio.
Let's use a vendor hardware node here.

This avoids creation of two handles with the same device path indicating
our root node.

Reported-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-21 10:00:17 +02:00
Heinrich Schuchardt
c067cef695 efi_loader: initialize root node first
With commit 16ad946f41 ("efi_loader: change setup sequence") the
detection of block device was moved to the start of the initialization
sequence. In the case of virtio devices two handles with the same device
path being created.

The root node handle should be created before anything else.

Reported-by: Ard Biesheuvel <ardb@kernel.org>
Fixes: 16ad946f41 ("efi_loader: change setup sequence")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-21 10:00:17 +02:00
Pragnesh Patel
9de6ce807e efi_loader: Remove unnecessary debug
Remove unnecessary debug() from efi_set_variable_common().
native_name is NULL, so there is no meaning to print it.

Signed-off-by: Pragnesh Patel <pragnesh.patel@sifive.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-21 10:00:17 +02:00
Simon Glass
cd93d625fd common: Drop linux/bitops.h from common header
Move this uncommon header out of the common header.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 21:19:23 -04:00
Simon Glass
f7ae49fc4f common: Drop log.h from common header
Move this header out of the common header.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 21:19:18 -04:00
Simon Glass
0914011310 command: Remove the cmd_tbl_t typedef
We should not use typedefs in U-Boot. They cannot be used as forward
declarations which means that header files must include the full header to
access them.

Drop the typedef and rename the struct to remove the _s suffix which is
now not useful.

This requires quite a few header-file additions.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 18:36:55 -04:00
Simon Glass
e6f6f9e648 common: Drop part.h from common header
Move this uncommon header out of the common header.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 17:33:33 -04:00
Simon Glass
0528979fa7 part: Drop disk_partition_t typedef
We should not be using typedefs and these make it harder to use
forward declarations (to reduce header file inclusions). Drop the typedef.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 17:33:33 -04:00
Simon Glass
90526e9fba common: Drop net.h from common header
Move this header out of the common header. Network support is used in
quite a few places but it still does not warrant blanket inclusion.

Note that this net.h header itself has quite a lot in it. It could be
split into the driver-mode support, functions, structures, checksumming,
etc.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 17:33:31 -04:00
Simon Glass
ba06b3c50b common: Drop uuid.h from common header
Move this uncommon header out of the common header.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 14:53:28 -04:00
Ilias Apalodimas
f042e47e8f efi_loader: Implement EFI variable handling via OP-TEE
In OP-TEE we can run EDK2's StandAloneMM on a secure partition.
StandAloneMM is responsible for the UEFI variable support. In
combination with OP-TEE and it's U-Boot supplicant, variables are
authenticated/validated in secure world and stored on an RPMB partition.

So let's add a new config option in U-Boot implementing the necessary
calls to OP-TEE for the variable management.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-17 21:59:53 +02:00
Michael Walle
714497e327 efi_loader: round the memory area in efi_add_memory_map()
Virtually all callers of this function do the rounding on their own.
Some do it right, some don't. Instead of doing this in each caller,
do the rounding in efi_add_memory_map(). Change the size parameter
to bytes instead of pages and remove aligning and size calculation in
all callers.

There is no more need to make the original efi_add_memory_map() (which
takes pages as size) available outside the module. Thus rename it to
efi_add_memory_map_pg() and make it static to prevent further misuse
outside the module.

Signed-off-by: Michael Walle <michael@walle.cc>
Add missing comma in sunxi_display.c.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-17 21:59:53 +02:00
AKASHI Takahiro
b433acbb81 efi_loader: variable: check a return value of uuid__str_to_bin()
The only error case is that a given UUID is in wrong format.
So just return EFI_INVALID_PARAMETER here.

Reported-by: Coverity (CID 300333)
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-09 09:30:27 +02:00
AKASHI Takahiro
52d7bfe787 efi_loader: image_loader: fix a Coverity check against array access
Coverity detected:
  Using "&opt->CheckSum" as an array.  This might corrupt or misinterpret
  adjacent memory locations.

The code should work as far as a structure, IMAGE_OPTIONAL_HEADER(64) is
packed, but modify it in more logical form. Subsystem is a member next to
CheckSum.

Reported-by: Coverity (CID 300339)
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-09 09:30:27 +02:00
Heinrich Schuchardt
d7ca3ce3d3 efi_loader: crypto/pkcs7_parser.h is not a local include
User <> and not "" for referencing a global include.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:18 +02:00
Patrick Wildt
6f146155f8 efi_loader: pkcs7_parse_message() returns error pointer
Since pkcs7_parse_message() returns an error pointer, we must not
check for NULL.  We have to explicitly set msg to NULL in the error
case, otherwise the call to pkcs7_free_message() on the goto err
path will assume it's a valid object.

Signed-off-by: Patrick Wildt <patrick@blueri.se>
Add missing include linux/err.h
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:17 +02:00
Patrick Wildt
9ad15227bb efi_loader: efi_variable_parse_signature() returns NULL on error
efi_variable_parse_signature() returns NULL on error, so IS_ERR()
is an incorrect check.  The goto err leads to pkcs7_free_message(),
which works fine on a NULL ptr.

Signed-off-by: Patrick Wildt <patrick@blueri.se>
Reviewed-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-05-07 18:23:16 +02:00
Heinrich Schuchardt
306bf6e7ff efi_loader: do not unnecessarily use EFI_CALL()
There is no need to call efi_get_variable() instead of
efi_get_variable_common(). So let's use the internal function.

Move forward declarations to the top of the file.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:16 +02:00
Heinrich Schuchardt
3fdff6be40 efi_loader: error handling in efi_set_variable_common().
Fix unreachable code. Free memory on error.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:16 +02:00
Heinrich Schuchardt
549b79e8e0 efi_loader: remove redundant assignment in dp_fill()
The value of dp is overwritten without being used.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:16 +02:00
Jan Kiszka
b37a0b5c89 kbuild: efi: Avoid rebuilding efi targets
Add a couple of missing targets so that helloworld and other efi targets
are not needlessly rebuilt.

CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:16 +02:00
Heinrich Schuchardt
16ad946f41 efi_loader: change setup sequence
If we want to restore variables from disk, we need to initialize block
devices before variables.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:12 +02:00
Heinrich Schuchardt
30f92ce9d5 efi_loader: correct comments for efi_status_t
EFI_STATUS is unsigned (UINTN). Hence it cannot be negative.
Correct comments for 'Return:'.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
Heinrich Schuchardt
bb0e585c71 efi_loader: eliminate efi_set_(non)volatile_variable
Eliminate superfluous functions efi_set_volatile_variable() and
efi_set_nonvolatile_variable().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
Heinrich Schuchardt
c08cac0edc efi_loader: eliminate efi_get_(non)volatile_variable
Eliminate superfluous functions efi_get_volatile_variable() and
efi_get_nonvolatile_variable().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
AKASHI Takahiro
41fd506842 efi_loader: disk: add efi_disk_is_system_part()
This function will check if a given handle to device is an EFI system
partition. It will be utilised in implementing capsule-on-disk feature.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Add function description. Return bool.
Reviewed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
AKASHI Takahiro
f0ff75f249 efi_loader: factor out the common code from efi_transfer_secure_state()
efi_set_secure_stat() provides the common code for each stat transition
caused by efi_transfer_secure_state().

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Correct description of return value.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
AKASHI Takahiro
964d5326c9 efi_loader: fix unreachable statement in efi_sigstore_parse_siglist
"if (left < esl->signature_size)" is not reachable in a while loop.
But it is still valuable in case that a given signature database is
somehow corrupted. So fix the while loop condition.

Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
AKASHI Takahiro
e3f5c9cb0f lib/crypto, efi_loader: move some headers to include/crypto
Pkcs7_parse.h and x509_parser.h are used in UEFI subsystem, in particular,
secure boot. So move them to include/crypto to avoid relative paths.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Don't include include x509_parser.h twice.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
Heinrich Schuchardt
11078bb262 efi_loader: identify EFI system partition
In subsequent patches UEFI variables shalled be stored on the EFI system
partition. Hence we need to identify the EFI system partition.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-30 10:25:07 +02:00
Tom Rini
cf87f7cd8c Pull request for UEFI sub-system for efi-2020-07-rc1
This pull request
 
 * provides an implementation of UEFI secure booting
 * fixes a problem with the rsa_mod_exp driver which stops some boards
   from booting when CONFIG_RSA is enabled which is needed for UEFI
   secure booting
 * enables the EFI_RNG_PROTOCOL if DM_RNG is enabled
 * fixes some function comments
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAl6YjlcACgkQxIHbvCwF
 GsQ6Jg/+KVRQF0Dn2jiag8Me9ZhafZx4xGTI3LEzFD7V9kG3dmUzbO3m8a5dEevW
 bcPNA6EmcKAjyP09AZY4C8ns4sU7wzPu/GQvApD4S5+vcuNbEqRHfW6zzReNXq09
 t89DrFH+XLhGnh4uSh0hmfjrlIPVi86hs/f57vKRayrBu8W2yGPci3SNTO5Y0AY1
 to7sxP3hGlDCUhqIABWp5ylpWWUSG1MsVNcMOnHpj+jl0iWWYP46EQrGr95egQor
 gcGgUOLdOLLOHPYUIOBmo9INnS2MbvE9Mfgh5Bw7JW8DIu/Xp7r1qePQyMLsngc1
 pO5yzwMq6EQy6OjuYnXdIBXtHOlZ8rnE9pbTgyUR8T/2CdL2hqr9ddpqa4ryDABX
 iaQF8FG+KhY0XQ5EIJV7pEkvf9TMwGguJNlOkmJPeub2n9i0k1tPk0Rwq5ZWWBIn
 rHcgZXwl0On3O3f0HvfL0Oas5u9KE1HhA12h/EVmu2Muy36x2WxAAzDnsH19HzqU
 QnWBAo8VMyp3qTIZjb3y+qrxcU/joPGt9+hxmur03hzmKOJ9JNOv6vExb+yUIyXQ
 4ML6jvTvSVZbvkP++0zMKOjT8ks3xv5q84oFD5Gp4cG8ZpHpA9dj3mXM92Waepo4
 pAkko5IGQ4SqaGIBltEQzrG+cCiHHezdD/raCwAo6DgYSmfZUvc=
 =+ZDZ
 -----END PGP SIGNATURE-----

Merge tag 'efi-2020-07-rc1' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi

Pull request for UEFI sub-system for efi-2020-07-rc1

This pull request

* provides an implementation of UEFI secure booting
* fixes a problem with the rsa_mod_exp driver which stops some boards
  from booting when CONFIG_RSA is enabled which is needed for UEFI
  secure booting
* enables the EFI_RNG_PROTOCOL if DM_RNG is enabled
* fixes some function comments
2020-04-16 16:41:40 -04:00
Simon Glass
776cc20194 x86: Move acpi_table header to main include/ directory
This file is potentially useful to other architectures saddled with ACPI
so move most of its contents to a common location.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
2020-04-16 14:36:28 +08:00
AKASHI Takahiro
d0f07949cc efi_loader: set up secure boot
The following variable is exported as UEFI specification defines:
SignatureSupport: array of GUIDs representing the type of signatures
                      supported by the platform firmware

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
AKASHI Takahiro
4540dabdca efi_loader: image_loader: support image authentication
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.

Currently we support
* authentication based on db and dbx,
  so dbx-validated image will always be rejected.
* following signature types:
    EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
    EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.

Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate() before loading a given image.

It seems that UEFI specification defines the verification process
in a bit ambiguous way. I tried to implement it as closely to as
EDK2 does.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
AKASHI Takahiro
8353516f4a efi_loader: variable: add VendorKeys variable
The following variable is exported as UEFI specification defines:
VendorKeys: whether the system is configured to use only vendor-provided
	    keys or not
The value will have to be modified if a platform has its own way of
initializing signature database, in particular, PK.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
AKASHI Takahiro
434ffb6422 efi_loader: variable: add secure boot state transition
UEFI specification defines several global variables which are related to
the current secure boot state. In this commit, those values will be
maintained according to operations. Currently, AuditMode and DeployedMode
are defined but not implemented.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
AKASHI Takahiro
767f6eeb01 efi_loader: variable: support variable authentication
With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
is supported for authenticated variables and the system secure state
will transfer between setup mode and user mode as UEFI specification
section 32.3 describes.

Internally, authentication data is stored as part of authenticated
variable's value. It is nothing but a pkcs7 message (but we need some
wrapper, see efi_variable_parse_signature()) and will be validated by
efi_variable_authenticate(), hence efi_signature_verify_with_db().

Associated time value will be encoded in "{...,time=...}" along with
other UEFI variable's attributes.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
AKASHI Takahiro
be6296d05b efi_loader: add signature database parser
efi_signature_parse_sigdb() is a helper function will be used to parse
signature database variable and instantiate a signature store structure
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
AKASHI Takahiro
593e17d673 efi_loader: add signature verification functions
In this commit, implemented are a couple of helper functions which will be
used to materialize variable authentication as well as image authentication
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
AKASHI Takahiro
9bf09b5120 efi_loader: add CONFIG_EFI_SECURE_BOOT config option
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
Heinrich Schuchardt
540faca8a1 efi_loader: function descriptions efi_watchdog.c
Correct function descriptions in efi_watchdog.c.
Add the descriptions to the generated HTML documentation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-16 08:10:02 +02:00
Heinrich Schuchardt
55976b7fae efi_loader: add missing doc comments in efi_disk.c
Add missing descriptions for functions in efi_disk.c.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-16 08:10:01 +02:00
Heinrich Schuchardt
76956556fc efi_loader: function descriptions efi_unicode_collation.c
Correct function descriptions in efi_unicode_collation.c
Add the Unicode collation protocol to the generated HTML documentation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-16 08:10:01 +02:00
Peter Robinson
bdf329e4a3 efi_loader: enable RNG if DM_RNG is enabled
Enable EFI_RNG_PROTOCOL by default if DM_RNG is set.

Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Acked-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Remove superfluous 'if DM_RNG'
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-16 08:10:01 +02:00
Heinrich Schuchardt
7a4e717b9c efi_loader: definition of GetNextVariableName()
'vendor' is both an input and an output parameter. So it cannot be
constant.

Fixes: 0bda81bfdc ("efi_loader: use const efi_guid_t * for variable services")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-22 18:38:02 +01:00
Heinrich Schuchardt
72291a9d83 efi_loader: fix freestanding memmove()
For EFI binaries we have to provide an implementation of memmove() in
efi_freestanding.c.

Before this patch the memmove() function was copying in the wrong
direction.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-22 11:06:23 +01:00
Heinrich Schuchardt
7aeceffb25 efi_loader: description efi_convert_pointer()
Correct the description of function efi_convert_pointer().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-22 11:06:23 +01:00
Heinrich Schuchardt
9f888969fd efi_loader: simplify logical expression in efi_disk_add_dev()
To check if a variable is non-zero there is no need for '!= 0'.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-22 11:06:23 +01:00
Heinrich Schuchardt
4d7f5af841 efi_loader: correct reported length in GetNextVariable()
The runtime service GetNextVariable() returns the length of the next
variable including the closing 0x0000. This length should be in bytes.

Comparing the output of EDK2 and U-Boot shows that this is currently not
correctly implemented:

EDK2:
OsIndicationsSupported: 46
PlatformLang: 26
PlatformLangCodes: 36

U-Boot:
OsIndicationsSupported: 23
PlatformLang: 13
PlatformLangCodes: 18

Provide correct length in GetNextVariable().

Fixes: d99a87f84b ("efi_loader: implement GetNextVariableName()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-22 11:06:23 +01:00
Heinrich Schuchardt
47a9596354 efi_loader: fix function descriptions in efi_disk.c
Use Sphinx style for function descriptions.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-22 11:06:23 +01:00
Heinrich Schuchardt
f0b0f7fe0e efi_loader: description of efi_variable.c
Correct the file description.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-22 11:06:23 +01:00
AKASHI Takahiro
b51ec63978 efi_loader: export a couple of protocol related functions
This is a preparatory patch.
Those functions will be used in an implementation of UEFI firmware
management protocol as part of my capsule update patch.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-03-17 08:29:52 +01:00
Heinrich Schuchardt
2b8568f461 efi_loader: unnecessary assignment in efi_queue_event
The assigned value NULL is never used.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-11 08:23:05 +01:00
AKASHI Takahiro
b484296f6f efi_loader: get_memory_map: return parameters whenever possible
Currently, if GetMemoryMap API returns EFI_BUFFER_TOO_SMALL, it doesn't
set valid values to other parameters, descriptor_size and
descriptor_version, except memory_map_size.
Some efi applications, however, may use those value; in particular,
xen uses descriptor_size to calculate a size of buffer to be allocated.

While UEFI specification is ambiguous in this point, it would be better
to address this issue proactively to maximize the compatibility with
existing efi applications.

With this patch, for example, xen.efi (and hence linux kernel) can be
started via bootefi without modification.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-11 08:23:05 +01:00
Ilias Apalodimas
ec80b4735a efi_loader: Implement FileLoad2 for initramfs loading
Following kernel's proposal for an arch-agnostic initrd loading
mechanism [1] let's implement the U-boot counterpart.
This new approach has a number of advantages compared to what we did up
to now. The file is loaded into memory only when requested limiting the
area of TOCTOU attacks. Users will be allowed to place the initramfs
file on any u-boot accessible partition instead of just the ESP one.
Finally this is an attempt of a generic interface across architectures
in the linux kernel so it makes sense to support that.

The file location is intentionally only supported as a config option
argument(CONFIG_EFI_INITRD_FILESPEC), in an effort to enhance security.
Although U-boot is not responsible for verifying the integrity of the
initramfs, we can enhance the offered security by only accepting a
built-in option, which will be naturally verified by UEFI Secure Boot.
This can easily change in the future if needed and configure that via ENV
or UEFI variable.

[1] https://lore.kernel.org/linux-efi/20200207202637.GA3464906@rani.riverdale.lan/T/#m4a25eb33112fab7a22faa0fd65d4d663209af32f

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-02-28 19:37:14 +01:00
Heinrich Schuchardt
76be687288 efi_loader: implement EFI_RT_PROPERTIES_TABLE
UEFI spec 2.8 errata A replaces the RuntimeServicesSupported variable
defined in UEFI spec 2.8 by the configuration table
EFI_RT_PROPERTIES_TABLE. So let's follow suit.

Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-26 19:32:09 +01:00
Heinrich Schuchardt
0e228853b5 efi_loader: EFI_RNG_PROTOCOL
Do not use quotation marks for Kconfig help text.
Replace rng abbreviation by full words.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-02-19 12:53:36 +01:00
Simon Glass
336d4615f8 dm: core: Create a new header file for 'compat' features
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.

Move the compatibility features into a separate header file.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-02-05 19:33:46 -07:00
Heinrich Schuchardt
faadc04180 efi_loader: imply VIDEO_ANSI
UEFI programs like GRUB make change terminal colors which requires support
for ANSI escape sequences.

Let CONFIG_EFI_LOADER=y imply CONFIG_VIDEO_ANSI.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-15 00:51:51 +01:00
Heinrich Schuchardt
55111c5052 efi_loader: describe returning of control
Provide a sober description of how control can be returned by a UEFI
binary.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-15 00:51:51 +01:00
Heinrich Schuchardt
d417b94e57 efi_loader: document functions in efi_rng.c
Add the missing Sphinx documentation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-15 00:51:51 +01:00
Sughosh Ganu
33c37d9784 efi_rng_protocol: Install the efi_rng_protocol on the root node
Install the EFI_RNG_PROTOCOL implementation for it's subsequent use by
the kernel for features like kaslr.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:22 +01:00
Sughosh Ganu
f552fa496c efi: qemu: arm64: Add efi_rng_protocol implementation for the platform
Add support for the EFI_RNG_PROTOCOL routines for the qemu arm64
platform. EFI_RNG_PROTOCOL is an uefi boottime service which is
invoked by the efi stub in the kernel for getting random seed for
kaslr.

The routines are platform specific, and use the virtio-rng device on
the platform to get random data.

The feature can be enabled through the following config
CONFIG_EFI_RNG_PROTOCOL

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Changed SPDX header to use /* instead of //.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:22 +01:00
Sughosh Ganu
61e42d9465 efi_loader: Add guidcpy function
Add guidcpy function to copy the source guid to the destination
guid. Use this function instead of memcpy for copying to the
destination guid.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

Use void * instead of efi_guid_t * for arguments to allow copying unaligned
GUIDs. The GUIDs of configuration tables are __packed.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:20 +01:00
Heinrich Schuchardt
9bb758aab6 efi_loader: __cyg_profile_func_enter/_exit
U-Boot can be compiled with function tracing enabled.

When compiling with FTRACE __cyg_profile_func_enter() is called when a
function is entered and __cyg_profile_func_exit() when the function is
left.

To avoid a crash we have to define these function for the free-standing
UEFI binaries.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:20 +01:00
Heinrich Schuchardt
b0ad9b5b2a efi_loader: clear screen should move cursor to home
On a VT100 terminal <ESC>[2J should be enough to both clear the whole
screen and set the cursor to position (1, 1). But the Linux console does
not behave like this. So send an extra <ESC>[H. For reference see the
console_codes(4) man page.

Add a function description.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:20 +01:00
Heinrich Schuchardt
07b57ef1eb efi_loader: git ignore helloworld_efi.S
Add *.S to .gitignore.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:20 +01:00
Heinrich Schuchardt
570147275c efi_loader: adjust file system info
When the GetInfo() method of the EFI_FILE_PROTOCOL is called to retrieve
the file system info we claim that the volume is read only and has no free
space. This leads to failures in programs that check this information
before writing to the volume like SCT's InstallSct.efi.

Currently there is no function to determine these parameters in U-Boot. So
let's return optimistic values:

Return that the volume is writable.

Return the volume size as free space.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:20 +01:00
Heinrich Schuchardt
8876e1bc88 efi_loader: imply USB_KEYBOARD_FN_KEYS
UEFI applications like GRUB and SCT assume that function keys are enabled
on the keyboard.

Let EFI_LOADER imply USB_KEYBOARD_FN_KEYS.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:20 +01:00
Simon Glass
67c4e9f815 common: Move board_get_usable_ram_top() out of common.h
Move this function into init.h which seems to be designed for this sort
of thing. Also update the header to declare struct global_data so that it
can be included without global_data.h being needed.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
2019-12-02 18:25:04 -05:00
Simon Glass
36bf446b64 common: Move enable/disable_interrupts out of common.h
Move these two functions into the irq_funcs.h header file. Also move
interrupt_handler_t as this is used by the irq_install_handler() function.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
2019-12-02 18:25:01 -05:00
Simon Glass
1eb69ae498 common: Move ARM cache operations out of common.h
These functions are CPU-related and do not use driver model. Move them to
cpu_func.h

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2019-12-02 18:24:58 -05:00
Simon Glass
1045315df0 common: Move get_ticks() function out of common.h
This function belongs in time.h so move it over and add a comment.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
2019-12-02 18:23:13 -05:00
Simon Glass
3db7110857 crc32: Use the crc.h header for crc functions
Drop inclusion of crc.h in common.h and use the correct header directly
instead.

With this we can drop the conflicting definition in fw_env.h and rely on
the crc.h header, which is already included.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
2019-12-02 18:23:08 -05:00
Heinrich Schuchardt
b7cdecfc19 efi_loader: default EFI_LOADER=n on ARM11
Some of the ARM11 boards have tight limits on the size of U-Boots. Hence
use EFI_LOADER=n as default on ARM11.

Set EFI_LOADER=y for the Raspberry Pi and Raspberry Pi Zero as these boards
have sufficient storage on the SD card.

Suggested-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-23 09:19:31 +01:00
Heinrich Schuchardt
38064ee04c efi_loader: enable EFI_LOADER on arm1136 and arm1176
With an implementation for allow_unaligned() available for arm1136 and
arm1176 UEFI can be supported on these architectures.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-19 12:10:22 +01:00
Heinrich Schuchardt
b20bb09b21 efi_loader: restrict EFI_LOADER to armv7 and armv8 on ARM
fatload USB was reported to fail on the Sheevaplug. Debugging showed that
this was caused by an incorrect unaligned write to memory in
path_to_uefi().

UEFI on ARM requires that unaligned memory access is enabled.

* ARMv5 does not support unaligned access at all.
* ARMv6 supports unaligned access when we clear the A flag and set the
  U flag.
* On ARMv7 unaligned access is possible when clearing the aligned flag,
  which we do in function allow_unaligned() (arch/arm/cpu/armv7/sctlr.S).
  For none of the other cpus in arch/arm/cpu/ we have implemented a
  similar function.
* ARMv8 allows unaligned access.

Let EFI_LOADER on ARM depend on SYS_CPU=armv7 or SYS_CPU=armv8.

Once we have implemented allow_unaligned() for other ARM CPUs we can add
these to Kconfig.

Reported-by: Gray Remlin <gryrmln@gmail.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-19 12:10:22 +01:00
Heinrich Schuchardt
246e601846 efi_loader: remove unused function efi_dp_from_dev()
Function efi_dp_from_dev() is not used anywhere. Remove it.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-19 12:10:22 +01:00
Heinrich Schuchardt
3b4847cbee efi_loader: support building UEFI binaries on sandbox
On the sandbox the UEFI binaries must match the host architectures.

Adjust the Makefiles. Provide the PE/COFF header and relocation files.

Allow building helloworld.efi on the sandbox.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-12 23:13:54 +01:00
Heinrich Schuchardt
7264e21fde efi_loader: call add_u_boot_and_runtime() on sandbox
On the sandbox we should mark the stack area as EFI runtime memory like we
do on any other architecture.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-12 23:13:54 +01:00
AKASHI Takahiro
89cb6a5dd6 efi_loader: disk: install file system protocol to a whole disk
Currently, a whole disk without any partitions is not associated
with EFI_SIMPLE_FILE_SYSTEM_PROTOCOL. So even if it houses some
file system, there is a chance that we may not be able to access
it, particularly, when accesses are to be attempted after searching
that protocol against a device handle.

With this patch, EFI_SIMPLE_FILE_SYSTEM_PROTOCOL is installed
to such a disk if part_get_info() shows there is no partition
table installed on it.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Only if no partition table exists, check for a file system on disk level.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-12 23:13:54 +01:00
Heinrich Schuchardt
cab6f06c14 efi_loader: fix efi_dp_from_name()
Correctly check the return value of efi_dp_from_file().
If we can determine device path for the file, should not depend on the
device path for the device being requested.
Provide a function description for efi_dp_from_name().

Reported-by: Coverity CID 273159, CID 273158
Fixes: 08c51fff30 ("efi_loader: device_path: check against file path length")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-12 23:13:54 +01:00
Heinrich Schuchardt
e731af4893 efi_loader: correct includes in efi_variable.c
'make tests' on an 32bit ARM system leads to

In file included from ../lib/efi_loader/efi_variable.c:9:
../include/malloc.h:364:7: error: conflicting types for ‘memset’
 void* memset(void*, int, size_t);
       ^~~~~~
In file included from ../include/compiler.h:126,
                 from ../include/env.h:12,
                 from ../lib/efi_loader/efi_variable.c:8:
../include/linux/string.h:103:15:
note: previous declaration of ‘memset’ was here
 extern void * memset(void *,int,__kernel_size_t);
               ^~~~~~
In file included from ../lib/efi_loader/efi_variable.c:9:
../include/malloc.h:365:7: error: conflicting types for ‘memcpy’
 void* memcpy(void*, const void*, size_t);
       ^~~~~~
In file included from ../include/compiler.h:126,
                 from ../include/env.h:12,
                 from ../lib/efi_loader/efi_variable.c:8:
../include/linux/string.h:106:15:
note: previous declaration of ‘memcpy’ was here
 extern void * memcpy(void *,const void *,__kernel_size_t);
               ^~~~~~

Use common.h as first include as recommended by the U-Boot coding style
guide.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-10-30 17:49:41 +01:00