Commit graph

1184 commits

Author SHA1 Message Date
Sughosh Ganu
1ea06bc929 capsule: FMP: Populate the image descriptor array from platform data
Currently, the image descriptor array that has been passed to the
GetImageInfo function of the Firmware Management Protocol(FMP) gets
populated through the data stored with the dfu framework. The
dfu data is not restricted to contain information only of the images
updatable through the capsule update mechanism, but it also contains
information on other images. The image descriptor array is also parsed
by the ESRT generation code, and thus the ESRT table contains entries
for other images that are not being handled by the FMP for the capsule
updates. Fix this by populating the image descriptor array from the
structure initialised in the board file.

The other issue fixed is assignment of a separate GUID for all images
in the image descriptor array. The UEFI specification mandates that
all entries in the ESRT table should have a unique GUID value as part
of the FwClass member of the EFI_SYSTEM_RESOURCE_ENTRY. Currently, all
images are assigned a single GUID value, either an FIT GUID or a raw
image GUID. This is fixed by obtaining the GUID values from the
efi_fw_images array defined per platform.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
2022-04-15 10:43:18 +02:00
Masami Hiramatsu
7660cfee0f efi_loader: Use sysreset instead of reset command
Use sysreset_walk_halt() directly from reset-after-capsule-on-disk
feature to reboot (cold reset) machine instead of using reset command
interface, since this is not a command.
Note that this will make CONFIG_EFI_CAPSULE_ON_DISK depending on
the CONFIG_SYSRESET.

Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-04-09 21:06:31 +02:00
Masami Hiramatsu
39bdf11580 efi_loader: Make efi_load_capsule_drivers() available even if EFI_CAPSULE_ON_DISK=n
Make efi_load_capsule_drivers() available even if EFI_CAPSULE_ON_DISK
is disabled because the caller (efi_init_obj_list()) expects it only
relays on EFI_HAVE_CAPSULE_SUPPORT.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
2022-04-09 21:06:31 +02:00
Tom Saeger
f2288a26ab efi_loader: optional persistence of variables
Since be66b89da3 ("efi_loader: configuration of variables store")
the choice of EFI_VARIABLE_FILE_STORE or EFI_MM_COMM_TEE
is mutually-exclusive, however efi_var_to_file also allows
for "neither". Provide an additional Kconfig option.

Signed-off-by: Tom Saeger <tom.saeger@oracle.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-04-09 21:06:31 +02:00
Tom Rini
01f1ab67f3 Merge branch 'next'
Signed-off-by: Tom Rini <trini@konsulko.com>
2022-04-04 10:48:44 -04:00
Andy Shevchenko
b6370aca37 efi_loader: initrddump: Actually use the custom CFLAGS
It seems a copy'n'paste typo when tool had been introduced.
It has never had the 'exit' suffix in the file name. Hence,
the custom CFLAGS never been applied and, for example, BFD
linker complains:

  LD      lib/efi_loader/initrddump_efi.so
  ld.bfd: lib/efi_loader/initrddump.o: warning: relocation in read-only section `.text.efi_main'
  ld.bfd: warning: creating DT_TEXTREL in a shared object

Remove wrong 'exit' suffix from the custom CFLAGS variable.

Fixes: 65ab48d69d ("efi_selftest: provide initrddump test tool")
Fixes: 9c045a49a9 ("efi_loader: move dtbdump.c, initrddump.c to lib/efi_loader")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-31 19:06:17 +02:00
Simon Glass
1fa43cad86 video: Drop references to CONFIG_VIDEO et al
Drop the Kconfigs which are not used and all references to them. In
particular, this drops CONFIG_VIDEO to avoid confusion and allow us to
eventually rename CONFIG_DM_VIDEO to CONFIG_VIDEO.

Also drop the prototype for video_get_info_str() which is no-longer used.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Jason Liu <jason.hui.liu@nxp.com>
2022-03-28 20:17:07 +02:00
Heinrich Schuchardt
24cf707ed7 efi_loader: initrddump: drain input before prompt
Up to now the initrddump.efi application has drained the input after
showing the prompt. This works for humans but leads to problems when
automating testing. If the input is drained, this should be done before
showing the prompt.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2022-03-26 07:46:21 +01:00
Heinrich Schuchardt
ae794fae09 efi_loader: nocolor command line attr for initrddump.efi
initrddump.efi uses colored output and clear the screen. This is not
helpful for integration into Python tests. Allow specifying 'nocolor' in
the load option data to suppress color output and clearing the screen.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-26 07:46:21 +01:00
Heinrich Schuchardt
df96deeed6 efi_loader: typo devie-path
%s/devie-path/device-path/

Reported-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-26 07:46:21 +01:00
Heinrich Schuchardt
9c045a49a9 efi_loader: move dtbdump.c, initrddump.c to lib/efi_loader
The tools dtbdump.efi and initrddump.efi are useful for Python testing even
if CONFIG_EFI_SELFTEST=n.

Don't clear the screen as it is incompatible with Python testing.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-20 17:01:00 +01:00
Heinrich Schuchardt
b78631d54f efi_loader: remove efi_disk_is_system_part()
The block IO protocol may be installed on any handle. We should make
no assumption about the structure the handle points to.

efi_disk_is_system_part() makes an illegal widening cast from a handle
to a struct efi_disk_obj. Remove the function.

Fixes: Fixes: 41fd506842 ("efi_loader: disk: add efi_disk_is_system_part()")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-20 11:03:06 +01:00
Heinrich Schuchardt
9cdf470274 efi_loader: support booting via short-form device-path
The boot manager must support loading from boot options using a short-form
device-path, e.g. one where the first element is a hard drive media path.

See '3.1.2 Load Options Processing' in UEFI specification version 2.9.

Fixes: 0e074d1239 ("efi_loader: carve out efi_load_image_from_file()")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-20 11:03:06 +01:00
Heinrich Schuchardt
e46ef1db9e efi_loader: efi_dp_find_obj() add protocol check
Let function efi_dp_find_obj() additionally check if a given protocol is
installed on the handle relating to the device-path.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-20 11:03:06 +01:00
Heinrich Schuchardt
c409593d08 efi_loader: fix efi_dp_find_obj()
efi_dp_find_obj() should not return any handle with a partially matching
device path but the handle with the maximum matching device path.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-20 11:03:06 +01:00
Heinrich Schuchardt
8399488672 efi_loader: export efi_dp_shorten()
Rename function shorten_path() to efi_dp_shorten() and export it.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-20 11:03:06 +01:00
Ilias Apalodimas
ff6af6eede efi_loader: Set variable attributes when EFI_BUFFER_TOO_SMALL is returned
Starting UEFI Spec 2.8 we must fill in the variable attributes when
GetVariable() returns EFI_BUFFER_TOO_SMALL and Attributes is non-NULL.

This code was written with 2.7 in mind so let's move the code around a
bit and fill in the attributes EFI_BUFFER_TOO_SMALL is returned

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-20 11:03:06 +01:00
Heinrich Schuchardt
66028930da efi_loader: copy GUID in InstallProtocolInterface()
InstallProtocolInterface() is called with a pointer to the protocol GUID.
There is not guarantee that the memory used by the caller for the protocol
GUID stays allocated. To play it safe the GUID should be copied to U-Boot's
internal structures.

Reported-by: Joerie de Gram <j.de.gram@gmail.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-03-12 12:27:07 +01:00
Masahisa Kojima
3fa9ed9ae3 efi_loader: update the timing of enabling and disabling EFI watchdog
UEFI specification requires that 5 minutes watchdog timer is
armed before the firmware's boot manager invokes an EFI boot option.
This watchdog timer is updated as follows, according to the
UEFI specification.

 1) The EFI Image may reset or disable the watchdog timer as needed.
 2) If control is returned to the firmware's boot manager,
    the watchdog timer must be disabled.
 3) On successful completion of EFI_BOOT_SERVICES.ExitBootServices()
    the watchdog timer is disabled.

1) is up to the EFI image, and 3) is already implemented in U-Boot.
This patch implements 2), the watchdog is disabled when control is
returned to U-Boot.

In addition, current implementation arms the EFI watchdog at only
the first "bootefi" invocation. The EFI watchdog must be armed
in every EFI boot option invocation.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-26 07:37:01 +01:00
Masami Hiramatsu
3e6f810006 efi_loader: test/py: Reset system after capsule update on disk
Add a cold reset soon after processing capsule update on disk.
This is required in UEFI specification 2.9 Section 8.5.5
"Delivery of Capsules via file on Mass Storage device" as;

    In all cases that a capsule is identified for processing the system is
    restarted after capsule processing is completed.

This also reports the result of each capsule update so that the user can
notice that the capsule update has been succeeded or not from console log.

Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-26 07:37:01 +01:00
Masami Hiramatsu
a6aafce494 efi_loader: use efi_update_capsule_firmware() for capsule on disk
Since the efi_update_capsule() represents the UpdateCapsule() runtime
service, it has to handle the capsule flags and update ESRT. However
the capsule-on-disk doesn't need to care about such things.

Thus, the capsule-on-disk should use the efi_capsule_update_firmware()
directly instead of calling efi_update_capsule().

This means the roles of the efi_update_capsule() and capsule-on-disk
are different. We have to keep the efi_update_capsule() for providing
runtime service API at boot time.

Suggested-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2022-02-26 07:37:00 +01:00
Ilias Apalodimas
bdcc0a9594 efi_loader: fix uefi secure boot with intermediate certs
The general rule of accepting or rejecting an image is
 1. Is the sha256 of the image in dbx
 2. Is the image signed with a certificate that's found in db and
    not in dbx
 3. The image carries a cert which is signed by a cert in db (and
    not in dbx) and the image can be verified against the former
 4. Is the sha256 of the image in db

For example SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher",
which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in it's
turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root".
The latter is a self-signed CA certificate and with our current implementation
allows shim to execute if we insert it in db.

However it's the CA cert in the middle of the chain which usually ends up
in the system's db.  pkcs7_verify_one() might or might not return the root
certificate for a given chain.  But when verifying executables in UEFI,  the
trust anchor can be in the middle of the chain, as long as that certificate
is present in db.  Currently we only allow this check on self-signed
certificates,  so let's remove that check and allow all certs to try a
match an entry in db.

Open questions:
- Does this break any aspect of variable authentication since
  efi_signature_verify() is used on those as well?

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2022-02-26 07:37:00 +01:00
Ilias Apalodimas
54cebe8a3a efi_loader: fix dual signed image certification
The EFI spec allows for images to carry multiple signatures. Currently
we don't adhere to the verification process for such images.

The spec says:
"Multiple signatures are allowed to exist in the binary's certificate
table (as per PE/COFF Section "Attribute Certificate Table"). Only one
hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx."

With our current implementation signing the image with two certificates
and inserting both of them in db and one of them dbx doesn't always reject
the image.  The rejection depends on the order that the image was signed
and the order the certificates are read (and checked) in db.

While at it move the sha256 hash verification outside the signature
checking loop, since it only needs to run once per image and get simplify
the logic for authenticating an unsigned imahe using sha256 hashes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2022-02-11 20:07:55 +01:00
Simon Glass
e2bceb0331 efi: Drop unnecessary calls to blk_find_device()
When we have the block descriptor we can simply access the device. Drop
the unnecessary function call.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2022-02-05 20:20:01 +01:00
Simon Glass
377d39d178 efi: Use device_get_uclass_id() where appropriate
Use this function rather than following the pointers, since it is there
for this purpose.

Add the uclass name to the debug call at the end of dp_fill() since it is
quite useful.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2022-02-05 20:20:01 +01:00
Heinrich Schuchardt
3c95b323c7 efi_loader: add handle for UART
When loading an EFI binary via the UART we assign a UART device path to it.
But we lack a handle with that device path.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-05 20:20:01 +01:00
Heinrich Schuchardt
915623c0d3 efi_loader: fix text output for Uart() DP nodes
The UEFI specification concerning Uart() device path nodes has been
clarified:

Parity and stop bits can either both use keywords or both use
numbers but numbers and keywords should not be mixed.

Let's go for keywords as this is what EDK II does. For illegal
values fall back to numbers.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-05 20:20:01 +01:00
Heinrich Schuchardt
b1193fa957 efi_loader: use %zu to print efi_uintn_t in FMP driver
For printing an unsigned value we should use %u and not %d.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-05 20:20:01 +01:00
Heinrich Schuchardt
e9df54968f efi_loader: use %zu not %zd to print efi_uintn_t
efi_uintnt_t is an unsigned type. We should avoid showing negative numbers.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-05 20:20:01 +01:00
Heinrich Schuchardt
344f26a766 efi_loader: fix device path to text protocol
The printing of a file path node must properly handle:

* odd length of the device path node
* UTF-16 character only partially contained in device path node
* buffer overflow due to very long file path

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-05 20:20:01 +01:00
Simon Glass
156ccbc3c4 efi: Use 16-bit unicode strings
At present we use wide characters for unicode but this is not necessary.
Change the code to use the 'u' literal instead. This helps to fix build
warnings for sandbox on rpi.

Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2022-02-03 12:16:01 -05:00
Ilias Apalodimas
5ee900c14f efi_loader: hash the image once before checking against db/dbx
We don't have to recalculate the image hash every time we check against a
new db/dbx entry.  So let's add a flag forcing it to run once since we only
support sha256 hashes

Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-29 10:23:40 +01:00
Ilias Apalodimas
4b63431323 efi_loader: correctly handle mixed hashes and signatures in db
A mix of signatures and hashes in db doesn't always work as intended.
Currently if the digest algorithm is not explicitly set to sha256 we
stop walking the security database and reject the image.

That's problematic in case we find and try to check a signature before
inspecting the sha256 hash.  If the image is unsigned we will reject it
even if the digest matches.

Since we no longer reject the image on unknown algorithms add an explicit
check and reject the image if any other hash algorithm apart from sha256
is detected on dbx.

Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-29 10:23:40 +01:00
Sunil V L
1ccf87165e efi_loader: Enable RISCV_EFI_BOOT_PROTOCOL support
This adds support for new RISCV_EFI_BOOT_PROTOCOL to
communicate the boot hart ID to bootloader/kernel on RISC-V
UEFI platforms.

The specification of the protocol is hosted at:
https://github.com/riscv-non-isa/riscv-uefi

Signed-off-by: Sunil V L <sunilvl@ventanamicro.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-29 10:23:40 +01:00
Heinrich Schuchardt
3dd719d4fb efi_loader: correct function comment style
Replace @return and @param.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-29 10:23:40 +01:00
Simon Glass
a9e414dd50 efi: Correct address handling with ACPI tables
The current EFI implementation confuses pointers and addresses. Normally
we can get away with this but in the case of sandbox it causes failures.

Despite the fact that efi_allocate_pages() returns a u64, it is actually
a pointer, not an address. Add special handling to avoid a crash when
running 'bootefi hello'.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-25 11:44:36 -07:00
Simon Glass
47642428ee efi: Correct call to write_acpi_tables()
This must be passed a ulong, not a u64. Fix it to avoid LTO warnings on
sandbox.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-25 11:44:36 -07:00
Tom Rini
da158ec5f2 Pull request for efi-2022-04-rc1-2
Documentation:
 
 * describe printf() format codes
 
 UEFI
 
 * enable more algorithms for UEFI image verification, e.g. SHA256-RSA2048
 
 General
 
 * simplify printing short texts for GUIDs
 * provide a unit test for printing GUIDs
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmHoLnQACgkQxIHbvCwF
 GsQ25Q/9G5REcgmo9Hjv+2ri3VJJueIGRL1QeXDl84TxUYgYAtHj7zo/YaeacHKB
 RVBsQafU6vIuAq5YRJFKCSWCxjPJVUH9QO5QQz6RE14KoBh6OYUQP2wSf/+p6/sb
 47wfVtyAUEpCEz60eDj5EWrSPpH78BNW7MmKoTZWSgE1APaBTAHw/Uo6tnb52Qsv
 vQ73Q9R4s0hpsylVtmwIZ0udDcaJg3SQf/4glhnHxaUW/oMoRd0DU7Dnbbg2oxfd
 Y03J0zarqAdIjzNvADnUz6Ei2+H1TrzRe9tzhuXRuseZdANrUnzDIe6bdz+RCmkl
 sdBCmBDPoChosiAcaX9FkajaAi5XYpZ5Sitdpp9A8ZdVc0Lzr1XLbfLksJRM7WwM
 jSP/JDAGYzJqL86C4hrx46aERUuXgywf/vSM7UoG5OxbtMa/AqbHuXMOnd4jXGYD
 48fLlyMWlZ7+Kd4v3x9QlwSmM0LLsokn93JEWrJhJqFPzdHYUQifU2vlZmrJHWyS
 BjzCJxu+rCmXBO6wlcAvsF9V/kx5IO3CKIGn24UUt/wjSBu4VDO5oSzVseJxPBIQ
 vBV9qZfwKCk9U/F1VN43xvIKvcO+oK+pEE9FB5trffYGmHfSEmBwOq3LuHlyMpeJ
 L+TrJUsZstFtx0ZBmVB3YuERusb2z+x1osnifGJvUHCLqjCgvl0=
 =GoR6
 -----END PGP SIGNATURE-----

Merge tag 'efi-2022-04-rc1-2' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request for efi-2022-04-rc1-2

Documentation:

* describe printf() format codes

UEFI

* enable more algorithms for UEFI image verification, e.g. SHA256-RSA2048

General

* simplify printing short texts for GUIDs
* provide a unit test for printing GUIDs
2022-01-22 15:43:36 -05:00
Heinrich Schuchardt
185f812c41 doc: replace @return by Return:
Sphinx expects Return: and not @return to indicate a return value.

find . -name '*.c' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;

find . -name '*.h' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-19 18:11:34 +01:00
Heinrich Schuchardt
ce00a7401a efi_loader: use %pUs for printing GUIDs
For printing GUIDs with macro EFI_ENTRY use %pUs instead of %pUl to provide
readable debug output.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-19 16:16:33 +01:00
Heinrich Schuchardt
717b33cb9b efidebug: avoid 'dfu_alt_info not defined' message
If variable dfu_alt_info is not defined duplicate messages are displayed.

    => efidebug boot dump
    Scanning disk mmc2.blk...
    Scanning disk mmc1.blk...
    Scanning disk mmc0.blk...
    Found 3 disks
    No EFI system partition
    "dfu_alt_info" env variable not defined!
    Probably dfu_alt_info not defined
    "dfu_alt_info" env variable not defined!
    Probably dfu_alt_info not defined

Remove the 'Probably dfu_alt_info not defined' message.
Instead write a warning if the variable contains no entities.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-15 10:57:22 +01:00
Ilias Apalodimas
a2f1482fc0 efi_loader: Get rid of kaslr-seed if EFI_RNG_PROTOCOL is installed
U-Boot, in some occasions, injects a 'kaslr-seed' property on the /chosen
node. That would be problematic in case we want to measure the DTB we
install in the configuration table, since it would change across reboots.

The Linux kernel EFI-stub completely ignores it and only relies on
EFI_RNG_PROTOCOL for it's own randomness needs (i.e the randomization
of the physical placement of the kernel). In fact it (blindly) overwrites
the existing seed if the protocol is installed. However it still uses it
for randomizing it's virtual placement.
So let's get rid of it in the presence of the RNG protocol.

It's worth noting that TPMs also provide an RNG.  So if we tweak our
EFI_RNG_PROTOCOL slightly and install the protocol when a TPM device
is present the 'kaslr-seed' property will always be removed, allowing
us to reliably measure our DTB.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
2022-01-15 10:57:22 +01:00
Ilias Apalodimas
2b18d95d91 efi_loader: Don't limit the StMM buffer size explicitly
Currently we allow and explicitly check a single shared page with
StandAloneMM.  This is dictated by OP-TEE which runs the application.
However there's no way for us dynamically discover the number of pages we
are allowed to use.  Since writing big EFI signature list variable
requires more than a page, OP-TEE has bumped the number of shared pages to
four.

Let's remove our explicit check and allow the request to reach OP-TEE even
if it's bigger than what it supports.  There's no need to sanitize the
number of pages internally.  OP-TEE will fail if we try to write more
than it's allowed. The error will just trigger later on,  during the
StMM access.

While at it add an error message to help users figure out what failed.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>

Signed-off-by: Ilias Apalodimas <apalos@gmail.com>
2021-12-26 06:49:14 +01:00
Masahisa Kojima
f9b51dcf29 efi_loader: correctly handle no tpm device error
When the TCG2 protocol is installed in efi_tcg2_register(),
TPM2 device must be present.
tcg2_measure_pe_image() expects that TCP2 protocol is installed
and TPM device is available. If TCG2 Protocol is installed but
TPM device is not found, tcg2_measure_pe_image() returns
EFI_SECURITY_VIOLATION and efi_load_image() ends with failure.

The same error handling is applied to
efi_tcg2_measure_efi_app_invocation().

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-12-09 11:43:25 -08:00
Masahisa Kojima
9e32bf9362 efi_loader: check tcg2 protocol installation outside the TCG protocol
There are functions that calls tcg2_agile_log_append() outside
of the TCG protocol invocation (e.g tcg2_measure_pe_image).
These functions must to check that TCG2 protocol is installed.
If not, measurement shall be skipped.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-12-09 11:43:25 -08:00
Masahisa Kojima
54bec17f6b efi_loader: efi_tcg2_register returns appropriate error
This commit modify efi_tcg2_register() to return the
appropriate error.
With this fix, sandbox will not boot because efi_tcg2_register()
fails due to some missing feature in GetCapabilities.
So disable sandbox if EFI_TCG2_PROTOCOL is enabled.

UEFI secure boot variable measurement is not directly related
to TCG2 protocol installation, tcg2_measure_secure_boot_variable()
is moved to the separate function.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-12-09 11:43:25 -08:00
Ruchika Gupta
c0d9bb0b4a efi_loader: Extend PCR's for firmware measurements
Firmwares before U-Boot may be capable of doing tpm measurements
and passing them to U-Boot in the form of eventlog. However there
may be scenarios where the firmwares don't have TPM driver and
are not capable of extending the measurements in the PCRs.
Based on TCG spec, if previous firnware has extended PCR's, PCR0
would not be 0. So, read the PCR0 to determine if the PCR's need
to be extended as eventlog is parsed or not.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-11-30 09:23:49 +01:00
Ruchika Gupta
34287efdaf efi_loader: Add check for event log passed from firmware
Platforms may have support to measure their initial firmware components
and pass the event log to u-boot. The event log address can be passed
in property tpm_event_log_addr and tpm_event_log_size of the tpm node.
Platforms may choose their own specific mechanism to do so. A weak
function is added to check if even log has been passed to u-boot
from earlier firmware components. If available, the eventlog is parsed
to check for its correctness and further event logs are appended to the
passed log.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-11-30 09:23:49 +01:00
Heinrich Schuchardt
9d1564dabc efi_loader: segfault in efi_clear_os_indications()
If we call efi_clear_os_indications() before initializing the memory store
for UEFI variables a NULL pointer dereference occurs.

The error was observed on the sandbox with:

    usb start
    host bind 0 sandbox.img
    load host 0:1 $kernel_addr_r helloworld.efi
    bootefi $kernel_addr_r

Here efi_resister_disk() failed due to an error in the BTRFS implementation.

Move the logic to clear EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
to the rest of the capsule code.

If CONFIG_EFI_IGNORE_OSINDICATIONS=y, we should still clear the flag.
If OsIndications does not exist, we should not create it as it is owned by
the operating system.

Fixes: 149108a3eb ("efi_loader: clear OsIndications")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-11-26 21:30:59 +01:00
Heinrich Schuchardt
cd9a26bfe5 efi_loader: efi_disk_register() should not fail
Our algorithm for creating USB device paths may lead to duplicate device
paths which result in efi_disk_register() failing. Instead we should just
skip devices that cannot be registered as EFI block devices.

Fix a memory leak in efi_disk_add_dev() caused by the duplicate device
path.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-11-26 21:30:59 +01:00
Tom Rini
3f73e79de8 efi: Call bootm_disable_interrupts earlier in efi_exit_boot_services
If we look at the path that bootm/booti take when preparing to boot the
OS, we see that as part of (or prior to calling do_bootm_states,
explicitly) the process, bootm_disable_interrupts() is called prior to
announce_and_cleanup() which is where udc_disconnect() /
board_quiesce_devices() / dm_remove_devices_flags() are called from.  In
the EFI path, these are called afterwards.  In efi_exit_boot_services()
however we have been calling bootm_disable_interrupts() after the above
functions, as part of ensuring that we disable interrupts as required
by the spec.  However, bootm_disable_interrupts() is also where we go
and call usb_stop().  While this has been fine before, on the TI J721E
platform this leads us to an exception.  This exception seems likely to
be the case that we're trying to stop devices that we have already
disabled clocks for.  The most direct way to handle this particular
problem is to make EFI behave like the do_bootm_states() process and
ensure we call bootm_disable_interrupts() prior to ending up in
usb_stop().

Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Simon Glass <sjg@chromium.org>
Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-11-26 21:30:59 +01:00
Ilias Apalodimas
d6b55a420c efi_loader: startup the tpm device when installing the protocol
Due to U-Boot's lazy binding mentality the TPM is probed but not properly
initialized.  The user can startup the device from the command line
e.g 'tpm2 startup TPM2_SU_CLEAR'.  However we can initialize the TPM during
the TCG protocol installation,  which is easier to use overall.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-11-20 10:53:01 +01:00
Ilias Apalodimas
5ba0397049 efi_loader: fix FinalEvents table if an EFI app invoked GetEventLog
As described in the TCG spec [1] in sections 7.1.1 and 7.1.2 the FinalEvent
table should include events after GetEventLog has been called.  This
currently works for us as long as the kernel is the only EFI application
calling that.  Specifically we only implement what's described in 7.1.1.

So refactor the code a bit and support EFI application(s) calling
GetEventLog.  Events will now be logged in both the EventLog and FinalEvent
table as long as ExitBootServices haven't been invoked.

[1] https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-11-20 10:53:00 +01:00
Heinrich Schuchardt
43eaf5b13f efi_loader: EFI_EVENT_GROUP_BEFORE_EXIT_BOOT_SERVICES
Implement the EFI_EVENT_GROUP_BEFORE_EXIT_BOOT_SERVICES event group
handling.

Add the definition of EFI_EVENT_GROUP_AFTER_READY_TO_BOOT.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-11-20 10:53:00 +01:00
Masami Hiramatsu
5d49b32f0a efi_loader: capsule: Record capsule result only if capsule is read
Record capsule update result only if the capsule file is
successfully read, because the capsule GUID is not sure when
the file can not be read or the file is not a capsule.
Without this fix, if user puts a dummy (non-capsule) file
under (ESP)EFI/UpdateCapsule, U-Boot causes a synchronous
abort.

This also fixes use-after-free bug of the 'capsule' variable.

Fixes: c74cd8bd08 ("efi_loader: capsule: add capsule_on_disk support")
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-11-20 10:53:00 +01:00
Masahisa Kojima
3961bd9b55 efi_loader: Reduce efi_tcg2 logging statement
log_info() is used for the debug level logging statement
which should use log_debug() instead. Convert it to reduce the
log output.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-11-20 10:53:00 +01:00
Masahisa Kojima
c9c1cdbda3 efi_loader: fix BootOrder variable measurement handling
UEFI specification does not require that BootOrder is defined.
In current implementation, boot variable measurement fails and
returns EFI_NOT_FOUND if BootOrder is not defined.

This commit correcly handles this case, skip the boot variable
measurement if BootOrder is not defined.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-11-10 20:57:54 +01:00
Simon Glass
e16c47fa3d efi: Create a 64-bit app
Most modern platforms use 64-bit EFI so it is useful to have a U-Boot app
that runs under that. Add a (non-functional) build for this.

Note that --whole-archive causes the gcc 9.2 linker to crash, so disable
this for now. Once this is resolved, things should work.

For now, avoid mentioning the documentation for the 64-bit app, since it
does not work.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-11-07 18:36:55 +01:00
Masahisa Kojima
7fc93cae49 efi_loader: add EFI_TCG2_PROTOCOL.SubmitCommand
This commit adds the EFI_TCG2_PROTOCOL.SubmitCommand
required in the TCG PC Client PFP spec.
SubmitCommand enables to send the raw command to the TPM device.

To implement this api, tpm2_submit_command() is added
into tpm-v2.c.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-11-07 18:36:55 +01:00
Masahisa Kojima
14cbb330fe efi_loader: use byteshift unaligned access helper
Calling unaligned/access-ok.h version of put_unaligned_le64()
causes data abort in arm 32-bit QEMU.

The similar issue also occurs in linux kernel,
unaligned/access-ok.h is no longer used in linux kernel[1].

This commit uses the unaligned/be_byteshift.h and
unaligned/le_byteshift.h helper instead of unaligned/access-ok.h.

[1]https://lore.kernel.org/all/20210507220813.365382-8-arnd@kernel.org/

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-11-07 18:36:55 +01:00
AKASHI Takahiro
50b05eb606 efi_loader: capsule: drop __weak from efi_get_public_key_data()
As we discussed in ML, currently a device tree is the only place
to store public keys for capsule authentication. So __weak is not
necessary for now.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-11-07 18:36:55 +01:00
Masahisa Kojima
65aa259aa7 efi_loader: add DeployedMode and AuditMode variable measurement
This commit adds the DeployedMode and AuditMode variable
measurement required in TCG PC Client Platform Firmware
Profile Specification.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
2021-10-26 21:33:19 +02:00
Masahisa Kojima
96485d2f3f efi_loader: simplify tcg2_measure_secure_boot_variable()
This commit simplifies tcg2_measure_secure_boot_variable()
using secure_variables table.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
2021-10-26 21:33:19 +02:00
Masahisa Kojima
ce3dbc5d08 efi_loader: add UEFI GPT measurement
This commit adds the UEFI GPT disk partition topology
measurement required in TCG PC Client Platform Firmware
Profile Specification

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
2021-10-26 21:32:46 +02:00
Masahisa Kojima
3d49ee8510 efi_loader: add SMBIOS table measurement
TCG PC Client Platform Firmware Profile Specification
requires to measure the SMBIOS table that contains static
configuration information (e.g. Platform Manufacturer
Enterprise Number assigned by IANA, platform model number,
Vendor and Device IDs for each SMBIOS table).

The device- and environment-dependent information such as
serial number is cleared to zero or space character for
the measurement.

Existing smbios_string() function returns pointer to the string
with const qualifier, but exisintg use case is updating version
string and const qualifier must be removed.
This commit removes const qualifier from smbios_string()
return value and reuses to clear the strings for the measurement.

This commit also fixes the following compiler warning:

lib/smbios-parser.c:59:39: warning: cast to pointer from integer of
different size [-Wint-to-pointer-cast]
  const struct smbios_header *header = (struct smbios_header *)entry->struct_table_address;

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
2021-10-26 17:58:14 +02:00
Heinrich Schuchardt
a45dac1785 efi_loader: simplify tcg2_measure_secure_boot_variable()
Don't duplicate GUIDs.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-10-25 21:13:07 +02:00
Heinrich Schuchardt
02fef8b101 efi_loader: simplify efi_sigstore_parse_sigdb()
Simplify efi_sigstore_parse_sigdb() by using existing functions.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-10-25 21:13:07 +02:00
Heinrich Schuchardt
e618d1d285 efi_loader: function to get GUID for variable name
In multiple places we need the default GUID matching a variable name.
The patch provides a library function. For secure boot related variables
like 'PK', 'KEK', 'db' a lookup table is used. For all other variable
names EFI_GLOBAL_VARIABLE is returned.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-10-25 21:13:06 +02:00
Heinrich Schuchardt
d47671c631 efi_loader: treat UEFI variable name as const
UEFI variable names are typically constants and hence should be defined as
const. Unfortunately some of our API functions do not define the parameters
for UEFI variable names as const. This requires unnecessary conversions.

Adjust parameters of several internal functions to tre UEFI variable names
as const.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-10-25 21:13:06 +02:00
AKASHI Takahiro
7a6fb28c8e efi_loader: capsule: add back efi_get_public_key_data()
The commit 47a25e81d3 ("Revert "efi_capsule: Move signature from DTB to
.rodata"") failed to revert the removal of efi_get_public_key_data().

Add back this function and move it under lib/efi_loader so that other
platforms can utilize it. It is now declared as a weak function so that
it can be replaced with a platform-specific implementation.

Fixes: 47a25e81d3 ("Revert "efi_capsule: Move signature from DTB to
	.rodata"")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-10-25 21:13:06 +02:00
Masahisa Kojima
f86352eb82 efi_loader: add missing const qualifier
This commit fixes the following compilation warning
of boottime->install_configuration_table() function.

lib/efi_selftest/efi_selftest_tcg2.c:475:46:
warning: passing argument 1 of ‘boottime->install_configuration_table’
discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
  ret = boottime->install_configuration_table(&smbios_guid, dmi);

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-10-25 21:13:06 +02:00
Heinrich Schuchardt
db61e70e0d efi_loader: efi_dp_from_lo() should skip VenMedia node
The 'efidebug boot dump' command should not display the VenMedia() device
path node preceding the device path of the initial ram disk.

By letting efi_dp_from_lo() skip the VenMedia() device path node we can
simplify the coding.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-10-21 03:46:04 +02:00
Heinrich Schuchardt
9ad37fe405 efi_loader: avoid multiple local copies of lf2_initrd_guid
Create the GUID as a global variable.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-10-21 03:46:04 +02:00
Heinrich Schuchardt
05345425ca efi_loader: efi_dp_from_lo() unused parameter size
Parameter size is never used in function efi_dp_from_lo(). Remove it.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-10-21 03:46:04 +02:00
Heinrich Schuchardt
0421735dd8 efi_loader: efi_dp_from_lo() don't copy GUID
Instead of copying a GUID and then using a pointer to the copy for calling
guidcmp(), just pass the pointer to the orginal GUID.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-10-21 03:46:04 +02:00
Ilias Apalodimas
ebdea88d57 efi_loader: Fix loaded image alignment
We are ignoring the alignment communicated via the PE/COFF header.
Starting 5.10 the Linux kernel will loudly complain about it. For more
details look at [1] (in linux kernel).

So add a function that can allocate aligned EFI memory and use it for our
relocated loaded image.

[1] c32ac11da3f83 ("efi/libstub: arm64: Double check image alignment at entry")

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-10-21 03:46:04 +02:00
Heinrich Schuchardt
fa00b6fc3f efi_loader: don't load Shim's MOK database from file
When using a file to store UEFI variables we must make sure that secure
boot related variables are not loaded from this file. With commit
9ef82e2947 ("efi_loader: don't load signature database from file")
this has already been implemented for variables defined in the UEFI
specification. As most Linux distributions use Shim we should do the same
for Shim's MOK database.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-10-21 03:46:04 +02:00
Simon Glass
c779e0d923 efi_loader: Drop code that doesn't work with driver model
This code should never have been added as it builds a new feature on top
of legacy code. This has already been improved with the dependency on BLK.

Add a dependency on DM_ETH also, to avoid needing to deal with this old
code.

Boards which want EFI_LOADER should migrate to driver model first.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-10-21 03:46:03 +02:00
Mark Kettenis
79f9defeba efi_loader: GOP: Fix 30bpp block transfer support
Convert pixel values when necessary like we do for 16bpp
framebuffers.

Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-10-09 18:50:31 +02:00
Mark Kettenis
01fcf0eea6 efi_loader: GOP: Add 30bpp support
Provide correct framebuffer information for 30bpp modes.

Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
2021-10-09 18:46:13 +02:00
Simon Glass
1eccbb16a2 efi: Correct dependency on FIT_SIGNATURE
At present EFI_SECURE BOOT selects RSA but does not necessarily enable
FIT_SIGNATURE. Mostly this is fine, but a few boards do not enable it,
so U-Boot tries to do RSA verification when loading FIT images, but it
is not enabled.

This worked because the condition for checking the RSA signature is
wrong in the fit_image_verify_with_data() function. In order to fix it
we need to fix this dependency. Make sure that FIT_SIGNATURE is enabled
so that RSA can be used.

It might be better to avoid using 'select' in this situation.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-10-08 15:53:27 -04:00
Tom Rini
e908d20fcb Prepare v2021.10-rc5
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEEGjx/cOCPqxcHgJu/FHw5/5Y0tywFAmFRyIMACgkQFHw5/5Y0
 tyz1jgv/aTtHWVcGiw+nvvnnlgdrY4h9yVP5AfBLhOR7ogYOw2B9xHmdh+9oCas9
 Rt45AC4nFvUszxCPJqg36kjljTKRVapemHqhCbgGGeb9GYMkNb1zjk79WnuqgeJy
 ydBUCh1NQI5pOvrpDv7kWRx1IyDi/gUgQO3RBdufbunNmn4Zj4jlw5RmMTgDACRC
 cvTr39gVQq1LOzL2W7+XkSfiEejtGERNs32Nt+jzyAm5a2PkngULUnPW6WsHu+qy
 5YJTR50TK55QgPIdoiqY14BUDpqEbHlNKsE7p6hHkDf6XSS7gLHYW2tVVt2Z8ocg
 9cW35Qotov7MeiSClc3SIEPiIefwh2oTVf0uYoP+uvlRAComvcIzphq68NIQe6Av
 es+ZJI1Qx5ERvDQMMW3xOHTlcBGgpqA0Y/QVr62rE8bEzK/1gvTiP+hVVqzUrnHJ
 f3ZAVt16clIfXKAxGsW4Am05iMmT+rtcS5IrUMuEzmkb0KK58YXsOVmsKHLX9aI1
 T74ewXfu
 =y67Q
 -----END PGP SIGNATURE-----

Merge tag 'v2021.10-rc5' into next

Prepare v2021.10-rc5
2021-09-27 09:45:36 -04:00
Ruchika Gupta
346cee3ac5 efi_loader: Fix spec ID event creation
TCG EFI Protocol Specification defines the number_of_algorithms
field in spec ID event to be equal to the number of active
algorithms supported by the TPM device. In current implementation,
this field is populated with the count of all algorithms supported
by the TPM which leads to incorrect spec ID event creation.

Similarly, the algorithm array in spec ID event should be a variable
length array with length being equal to the number_of_algorithms field.
In current implementation this is defined as a fixed length array
which has been fixed.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
CC: Masahisa Kojima <masahisa.kojima@linaro.org>
CC: Ilias Apalodimas <ilias.apalodimas@linaro.org>
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-09-25 12:31:08 +02:00
Simon Glass
47a25e81d3 Revert "efi_capsule: Move signature from DTB to .rodata"
This was unfortunately applied despite much discussion about it beiong
the wrong way to implement this feature.

Revert it before too many other things are built on top of it.

This reverts commit ddf67daac3.
Signed-off-by: Simon Glass <sjg@chromium.org>
2021-09-18 03:47:50 -06:00
Pali Rohár
bdfb6d70bb version: Move version_string[] from version.h to version_string.h
More C files do not use compile time timestamp macros and do not have to be
recompiled every time when SOURCE_DATE_EPOCH changes.

This patch moves version_string[] from version.h to version_string.h and
updates other C files which only needs version_string[] string to include
version_string.h instead of version.h. After applying this patch these
files are not recompiled every time when SOURCE_DATE_EPOCH changes.

Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
2021-09-17 12:10:44 -04:00
Pali Rohár
fa9c5da702 efi_loader: Use directly version_string variable
Macro U_BOOT_VERSION_STRING is already stored in variable version_string.
So use directly this variable instead of storing U_BOOT_VERSION_STRING into
temporary variable.

Signed-off-by: Pali Rohár <pali@kernel.org>
[trini: This area was reworked since posted, what is here is now really
        inspired by the previous version, so drop Ilias' Acked-by]
Signed-off-by: Tom Rini <trini@konsulko.com>
2021-09-17 12:10:44 -04:00
Tom Rini
6674edaabf Prepare v2021.10-rc4
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEEGjx/cOCPqxcHgJu/FHw5/5Y0tywFAmFBKRgACgkQFHw5/5Y0
 tyw/PwwAtGB3rBeYW4rjWuMC5WP1UDTnvZIAok5ImWumWDahjDm8Yq2VCzAe9adw
 EYBjuNmaNl9aQvGVqlVJeIcLku5MLuLQu2za8vhc1R8X9VTPPY+LLTcdOokOmB8y
 8JiaE7fJsb1bZeV+diF9tss3B0IkUrwSJtW1d+qfdz/4UiRvwK5BhnZgzIobDldO
 g1Ldz/xiR2GOAXlUMwDrNAi6qNvmeAqRsQxySVrjltAV2ST7LJnOiHuWvJX6g6VS
 l796Hleh/kULfEW6n+1ZaTNqvVRcJ8xYSOG8w8y9u6HuPBA3JrYH1p1Eo5n7PPDv
 US71Iy/ncweTyfTMEBThWLqjHOQ05sVkWX/r4fj2iJRli+Og53lE1fVJ4ajIx7vz
 Tc76wI43i0I5lr2yTErjUG6EzDDoueqd+c8BwxihNLUK/+QG31xoCEMfC80C25ro
 QhYVFgiPWN0ySUD5M5tbGXODvfNNIDKXpY5oSOTVtemZtDEMpO2zBM1s/K3RV7Ud
 Je9Pj0Cu
 =Me42
 -----END PGP SIGNATURE-----

Merge tag 'v2021.10-rc4' into next

Prepare v2021.10-rc4

Signed-off-by: Tom Rini <trini@konsulko.com>

# gpg: Signature made Tue 14 Sep 2021 06:58:32 PM EDT
# gpg:                using RSA key 1A3C7F70E08FAB1707809BBF147C39FF9634B72C
# gpg: Good signature from "Thomas Rini <trini@konsulko.com>" [ultimate]

# Conflicts:
#	board/Arcturus/ucp1020/spl.c
#	cmd/mvebu/Kconfig
#	common/Kconfig.boot
#	common/image-fit.c
#	configs/UCP1020_defconfig
#	configs/sifive_unmatched_defconfig
#	drivers/pci/Kconfig
#	include/configs/UCP1020.h
#	include/configs/sifive-unmatched.h
#	lib/Makefile
#	scripts/config_whitelist.txt
2021-09-16 10:29:40 -04:00
Tom Rini
56a85b831f Pull request for efi-2021-10-rc4-2
Documentation:
 
 * improve documentation of U-Boot for /config DT node
 * integrate bloblist documentation
 
 UEFI:
 
 * correct usage of EFI_CALL()
 * code tidy up
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmE8coEACgkQxIHbvCwF
 GsSB4Q//VpVKE5/xKiDFkdFjrjgXLWv1ORuQ1glBf5Br/0SnYjTI570RKWtJRfn4
 ugW/ytZpfudi60EMOwmPEAx2nd6ERJeFewUkcsJjvRC/2gX1u49XkSHxoolqQlji
 1DaeWz3CH6LLq8d09ha1AsYWL2aFqZd8YrpICq47BmKJNitGd1puI+co2w0HpAFj
 mn2+J9ctbn3Evl0ipSzLB2MMR65Q79qyM3eJXUqli2t1BkWMsyqHtVDNVCTUKj4I
 TKOU7DNkwNcalKayzplSrMzzucQnkaQQbErhd78aYRsC2sIY2HTkhi2J7iFhN6/I
 tCZ45AD6+8UpCs1jy5xCJAJJ0nW44xmW7Q+UM61P75DJMccaUb2cKMvZKidiSu9m
 8ck5IBU8fVN9khhMxoVR54aKLK9tmJRjVX1ugrVCXoh32Dzu+Ikf9n91ACHaduU8
 s92DIrH3f9tyBQIHNLL0LGgDLB6YYTzLrmlcPC/t7n5iJUoznDdQddrhS4/9qx+l
 fpyyGLo8Vk/krvyNrYpiamRi2kGKV0CAWvig1YGjeDT6baC4NsEYjgL6JKKN6QPi
 xeENZ+yJJMvY5DXdaoERRMJutfuep64XkLx8mqYSNCIcLIjOpGrV7rk0O6qU5Ww+
 +9kLQq1ygWeDR0t6BWHlX5nEImvqc1+vDPb8IMt9r6aIZ/ED9/U=
 =hPaX
 -----END PGP SIGNATURE-----

Merge tag 'efi-2021-10-rc4-2' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request for efi-2021-10-rc4-2

Documentation:

* improve documentation of U-Boot for /config DT node
* integrate bloblist documentation

UEFI:

* correct usage of EFI_CALL()
* code tidy up
2021-09-12 20:33:21 -04:00
Heinrich Schuchardt
aec7c0925c efi_loader: simplify efi_watchdog_timer_notify()
We can call do_reset() directly without invoking the UEFI API.
This decreases the code size.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-09-11 11:02:02 +02:00
Ilias Apalodimas
0bf538ce0c efi_loader: Remove incorrect calls of EFI_CALL in TCG2
There is two unneeded EFI_CALL references in tcg2_measure_pe_image().
The first one in efi_search_protocol() and the second on in the device path
calculation.  The second isn't even a function we should be calling, but a
pointer assignment, which happens to work with the existing macro.

While at it switch the malloc call to a calloc, remove the unnecessary cast
and get rid of an unneeded if statement before copying the device path

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-09-11 11:02:02 +02:00
Heinrich Schuchardt
6919619f9c efi_loader: require CONFIG_BLK
The move to driver model should by now be completed. To be able to remove
pre-driver model code from our block IO code require CONFIG_BLK=y for UEFI
support.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-09-11 11:02:02 +02:00
Masahisa Kojima
bad49da2bc efi_loader: boot_service_capability_min should be capitalized
boot_service_capability_min is constant, it should be capitalized.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-09-11 11:02:02 +02:00
Tom Rini
465bff8b10 Kconfig: Drop duplicate 'select SHA512' instances
When dropping SHA512_ALGO in general, we didn't catch some cases where
an option was selecting  both SHA512 and SHA512_ALGO and caused them to
select SHA512 twice.  Kconfig doesn't complain, but this is still wrong
and should be corrected.

Fixes: e60e449931 ("lib: Drop SHA512_ALGO in lieu of SHA512")
Reported-by: Andreas Schwab <schwab@suse.de>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
2021-09-09 11:11:33 -04:00
Alexandru Gagniuc
e60e449931 lib: Drop SHA512_ALGO in lieu of SHA512
SHA512_ALGO was used as a "either SHA512 or SHA384", although the
implementations of these two algorithms share a majority of code.

From a Kconfig interface perspective, it makes sense to present two
distinct options. This requires #ifdefing out the SHA512
implementation from sha512.c. The latter doesn't make any sense.

It's reasonable to say in Kconfig that SHA384 depends on SHA512, and
seems to be the more polite way to handle the selection.

Thus, automatically select SHA512 when SHA384 is enabled.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-09-08 16:11:46 -04:00
Masahisa Kojima
538c0f2d37 efi_loader: fix efi_tcg2_hash_log_extend_event() parameter check
TCG EFI Protocol Specification defines that PCRIndex parameter
passed from caller must be 0 to 23.
TPM2_MAX_PCRS is currently used to check the range of PCRIndex,
but TPM2_MAX_PCRS is tpm2 device dependent and may have larger value.
This commit newly adds EFI_TCG2_MAX_PCR_INDEX macro, it is used to
check the range of PCRIndex parameter.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-09-04 12:03:57 +02:00
Masahisa Kojima
580d7242b1 efi_loader: add missing parameter check for EFI_TCG2_PROTOCOL api
TCG EFI Protocol Specification defines the required parameter
checking and return value for each API.
This commit adds the missing parameter check and
fixes the wrong return value to comply the specification.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2021-09-04 12:03:57 +02:00
Heinrich Schuchardt
7219856dae efi_loader: correct determination of secure boot state
When U-Boot is started we have to use the existing variables to determine
in which secure boot state we are.

* If a platform key PK is present and DeployedMode=1, we are in deployed
  mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-09-04 12:03:57 +02:00
Heinrich Schuchardt
b191aa429e efi_loader: efi_auth_var_type for AuditMode, DeployedMode
Writing variables AuditMode and DeployedMode serves to switch between
Secure Boot modes. Provide a separate value for these in efi_auth_var_type.

With this patch the variables will not be read from from file even if they
are marked as non-volatile by mistake.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-09-04 12:03:57 +02:00
Heinrich Schuchardt
9ef82e2947 efi_loader: don't load signature database from file
The UEFI specification requires that the signature database may only be
stored in tamper-resistant storage. So these variable may not be read
from an unsigned file.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-09-04 12:03:57 +02:00
Heinrich Schuchardt
f3a343d733 efi_loader: rounding of image size
We should not first allocate memory and then report a rounded up value as
image size. Instead first round up according to section allocation and then
allocate the memory.

Fixes: 82786754b9 ("efi_loader: ImageSize must be multiple of SectionAlignment")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-09-04 12:03:57 +02:00