TCG EFI Protocol Specification defines the number_of_algorithms
field in spec ID event to be equal to the number of active
algorithms supported by the TPM device. In current implementation,
this field is populated with the count of all algorithms supported
by the TPM which leads to incorrect spec ID event creation.
Similarly, the algorithm array in spec ID event should be a variable
length array with length being equal to the number_of_algorithms field.
In current implementation this is defined as a fixed length array
which has been fixed.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
CC: Masahisa Kojima <masahisa.kojima@linaro.org>
CC: Ilias Apalodimas <ilias.apalodimas@linaro.org>
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
This was unfortunately applied despite much discussion about it beiong
the wrong way to implement this feature.
Revert it before too many other things are built on top of it.
This reverts commit ddf67daac3.
Signed-off-by: Simon Glass <sjg@chromium.org>
We are not guaranteed to have the padding_pkcs_15_verify symbol since
commit 92c960bc1d ("lib: rsa: Remove #ifdefs from rsa.h"), and
commit 61416fe9df ("Kconfig: FIT_SIGNATURE should not select RSA_VERIFY")
The padding_algos only make sense with RSA verification, which can now
be disabled in lieu of ECDSA. In fact this will lead to build failures
because of the missing symbol mentioned earlier.
To resolve this, move the padding_algos to a linker list, with
declarations moved to rsa_verify.c. This is consistent with commit
6909edb4ce ("image: rsa: Move verification algorithm to a linker list")
One could argue that the added #ifdef USE_HOSTCC is ugly, and should
be hidden within the U_BOOT_PADDING_ALGO() macro. However, this would
be inconsistent with the "cryptos" list. This logic for was not
previously explored:
Without knowledge of the U_BOOT_PADDING_ALGO() macro, its use is
similar to something being declared. However, should #ifndef
USE_HOSTCC be part of the macro, it would not be obvious that it
behaves differently on host code and target code. Having the #ifndef
outside the macro makes this obvious.
Also, the #ifdef is not always necessary. For example ecda-verify
makes use of U_BOOT_CRYPTO_ALGO() without any accompanying #ifdefs.
The fundamental issue is a lack of separation of host and target code
in rsa_verify. Therefore, the declaration of a padding algo with the
external #ifdef is more readable and consistent.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
There are trivial typos in the Kconfig file. Fixed them.
Also, fixed grammar in the descriptions with typos.
Fixes: d56b4b1974 ("configs: Migrate RBTREE, LZO, CMD_MTDPARTS, CMD_UBI and CMD_UBIFS")
Fixes: 7264f2928b ("spl: fit: Eanble GZIP support for image decompression")
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
If keydir is not provided but name is we want to use name as key_id.
But with the current coding name is only used on its own if it is NULL
and keydir is provided which never occurs.
Fixes: 824ee745fb ("lib/rsa: Use the 'keyfile' argument from mkimage")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
We don't need this check anymore since when PCI is enabled, driver model
is always used.
Sadly this doesn't work with nds32 for some reason to do with the
toolchain. Add a work-around for that.
Signed-off-by: Simon Glass <sjg@chromium.org>
There is two unneeded EFI_CALL references in tcg2_measure_pe_image().
The first one in efi_search_protocol() and the second on in the device path
calculation. The second isn't even a function we should be calling, but a
pointer assignment, which happens to work with the existing macro.
While at it switch the malloc call to a calloc, remove the unnecessary cast
and get rid of an unneeded if statement before copying the device path
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The move to driver model should by now be completed. To be able to remove
pre-driver model code from our block IO code require CONFIG_BLK=y for UEFI
support.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
boot_service_capability_min is constant, it should be capitalized.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When dropping SHA512_ALGO in general, we didn't catch some cases where
an option was selecting both SHA512 and SHA512_ALGO and caused them to
select SHA512 twice. Kconfig doesn't complain, but this is still wrong
and should be corrected.
Fixes: e60e449931 ("lib: Drop SHA512_ALGO in lieu of SHA512")
Reported-by: Andreas Schwab <schwab@suse.de>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
MD5 is being called directly in some places, but it is not available
via hash_lookup_algo("md5"). This is inconsistent with other hasing
routines. To resolve this, add an "md5" entry to hash_algos[].
The #ifdef clause looks funnier than those for other entries. This is
because both MD5 and SPL_MD5 configs exist, whereas the other hashes
do not have "SPL_" entries. The long term plan is to get rid of the
ifdefs, so those should not be expected to survive much longer.
The md5 entry does not have .hash_init/update/finish members. That's
okay because hash_progressive_lookup_algo() will catch that, and
return -EPROTONOSUPPORT, while hash_lookup_algo() will return the
correct pointer.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[trini: Use CONFIG_IS_ENABLED not IS_ENABLED for MD5 check]
Signed-off-by: Tom Rini <trini@konsulko.com>
All of these configs exist. Stick to using CONFIG_[ST]PL_HASH, and drop all
references to CONFIG_[ST]PL_HASH_SUPPORT. This means we need for
CHAIN_OF_TRUST to select SPL_HASH now.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[trini: Add TPL case, fix CHAIN_OF_TRUST, other tweaks]
Signed-off-by: Tom Rini <trini@konsulko.com>
SHA512_ALGO was used as a "either SHA512 or SHA384", although the
implementations of these two algorithms share a majority of code.
From a Kconfig interface perspective, it makes sense to present two
distinct options. This requires #ifdefing out the SHA512
implementation from sha512.c. The latter doesn't make any sense.
It's reasonable to say in Kconfig that SHA384 depends on SHA512, and
seems to be the more polite way to handle the selection.
Thus, automatically select SHA512 when SHA384 is enabled.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
TCG EFI Protocol Specification defines that PCRIndex parameter
passed from caller must be 0 to 23.
TPM2_MAX_PCRS is currently used to check the range of PCRIndex,
but TPM2_MAX_PCRS is tpm2 device dependent and may have larger value.
This commit newly adds EFI_TCG2_MAX_PCR_INDEX macro, it is used to
check the range of PCRIndex parameter.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
TCG EFI Protocol Specification defines the required parameter
checking and return value for each API.
This commit adds the missing parameter check and
fixes the wrong return value to comply the specification.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
When U-Boot is started we have to use the existing variables to determine
in which secure boot state we are.
* If a platform key PK is present and DeployedMode=1, we are in deployed
mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Writing variables AuditMode and DeployedMode serves to switch between
Secure Boot modes. Provide a separate value for these in efi_auth_var_type.
With this patch the variables will not be read from from file even if they
are marked as non-volatile by mistake.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The UEFI specification requires that the signature database may only be
stored in tamper-resistant storage. So these variable may not be read
from an unsigned file.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
We should not first allocate memory and then report a rounded up value as
image size. Instead first round up according to section allocation and then
allocate the memory.
Fixes: 82786754b9 ("efi_loader: ImageSize must be multiple of SectionAlignment")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
In a section header VirtualSize may be zero. This is for instance seen in
the .sbat section of shim. In this case use SizeOfRawData as section size.
Fixes: 9d30a941cc ("efi_loader: don't load beyond VirtualSize")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Asherah Connor <ashe@kivikakk.ee>
Documentation:
* Rename Freescale to NXP
* Document structures used for the UEFI TCG2 protocol
UEFI:
* Device paths must use EfiBootServicesData
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmEf+AgACgkQhO4vgnE3
U0skxhAAjjv6yMYLYlj2YNTtYDS2zVsnsY8i/vmWNmGYvwfrlcUC/e3J00ftBIjI
DEwImrzefvQwr4NOZgIlyxR81NwboWULxvHSF5avwctxQVoTElkSfE2Ji+nFYa23
P/L7E/Zf+NwTHBlE1wfkNJPZ/zya73DTOe+MGWvLnvOX56JZqEJOgmTtcQntRUll
9zkB76j6sCk8B3ydFZmzGqhB4aslJBypG+bQB72XXGVBZoHb9pEPv90hBl616AN/
5H8WewxTE2s6z3IfexxPAc7ssMQuW3RWw0WsJvBVviw8tSPj4SZjg5HNHAM3mz/i
EXHUqAEySP1oT6P4hVef7Xc9gC67N+dVZGAA1QcZBkAnH+BQQ2GmIWX5+3mZJflq
3eHWhMUHWc4q76MbN9QqReAo3wJ3GsBqdA1oORR5FgIPwEVl0jwQMYv6frC/vB6/
6VX8WcbAWsixjf8QeQlibfMqBO9xZI1Iue5rN6DcwMey6dZrDnXGMdk7Woj6F4ga
tERYBt+UBawTf2ww24wMXc7Hw2dZ6kj44ls2doRFKqHOpaY9Mk2QPTaVPrFkj33J
3xlH2BYdB3ALriS1jN6Qcq6xEwyaMdkj5MzVyitunaCLiAKKORwGf0chkqiRiA+k
zEET0uDBtO7beraiUJU9jeMPcVj3mYpiFR/CZBD/HWOVB/KwhGU=
=gMKg
-----END PGP SIGNATURE-----
Merge tag 'efi-2021-10-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2021-10-rc3
Documentation:
* Rename Freescale to NXP
* Document structures used for the UEFI TCG2 protocol
UEFI:
* Device paths must use EfiBootServicesData
tiny-printf variant doesn't know how to handle %llu format string, but both
tiny-printf and print_size can meet in SPL when TFTP is used to obtain main
u-boot image. This is known to lead to critical boot issue at AM335x platform
when printf is catched in infinite loop.
To avoid such issues and make print_size function tiny-printf friendly, use %u
instead of %luu. Note, that the size value is guaranteed to be less than 1024
in this conditional branch, so the cast to unsigned int is safe.
Signed-off-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
%pM format string is used to print MAC-address and this is required while SPL
network boot.
This patch fixes the SPL boot issues like the following:
Trying to boot from USB eth
## Error: flags type check failure for "ethaddr" <= "40309614M" (type: m)
## Error inserting "ethaddr" variable, errno=1
eth0: eth_cpsw## Error: flags type check failure for "eth1addr" <=
"81f01114M" (type: m)
## Error inserting "eth1addr" variable, errno=1
, eth1: usb_ether
eth_cpsw Waiting for PHY auto negotiation to complete......... TIMEOUT !
Problem booting with BOOTP
SPL: failed to boot from all boot devices
### ERROR ### Please RESET the board ###
Signed-off-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Memory allocated in the implementation of the
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL must be of type EfiBootServicesData.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
dp_alloc() was using a constant from the wrong enum resulting in creating
device paths in EfiReservedMemory.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Use enum efi_memory_type and enum_allocate_type in the definitions of the
efi_allocate_pages(), efi_allocate_pool().
In the external UEFI API leave the type as int as the UEFI specification
explicitely requires that enums use a 32bit type.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Implement the crypto_algo .verify() function for ecdsa256. Because
it backends on UCLASS_ECDSA, this change is focused on parsing the
keys from devicetree and passing this information to the specific
UCLASS driver.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Refactor efi_append_scrtm_version() to use common
function for adding eventlog and extending PCR.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
TCG PC Client PFP spec requires to measure
"Exit Boot Services Invocation" if ExitBootServices() is invoked.
Depending upon the return code from the ExitBootServices() call,
"Exit Boot Services Returned with Success" or "Exit Boot Services
Returned with Failure" is also measured.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Swap two ifs in efi_exit_boot_services().
efi_tcg2_notify_exit_boot_services must have EFIAPI signature.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
TCG PC Client PFP spec requires to measure "Boot####"
and "BootOrder" variables, EV_SEPARATOR event prior
to the Ready to Boot invocation.
Since u-boot does not implement Ready to Boot event,
these measurements are performed when efi_start_image() is called.
TCG spec also requires to measure "Calling EFI Application from
Boot Option" for each boot attempt, and "Returning from EFI
Application from Boot Option" if a boot device returns control
back to the Boot Manager.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
TCG PC Client PFP spec requires to measure the secure
boot policy before validating the UEFI image.
This commit adds the secure boot variable measurement
of "SecureBoot", "PK", "KEK", "db", "dbx", "dbt", and "dbr".
Note that this implementation assumes that secure boot
variables are pre-configured and not be set/updated in runtime.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
iPXE used Uri() device path nodes. So we should support them in the
device path to text protocol.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
U-Boot mostly uses hex for value input, largely because addresses are much
easier to understand in hex.
But in some cases a decimal value is requested, such as where the value is
small or hex does not make sense in the context. In these cases it is
sometimes useful to be able to provide a hex value in any case, if only to
resolve any ambiguity.
Add this functionality, for increased flexibility.
Signed-off-by: Simon Glass <sjg@chromium.org>
The code to convert a character into a digit is repeated twice in this
file. Factor it out into a separate function. This also makes the code a
little easier to read.
Signed-off-by: Simon Glass <sjg@chromium.org>
If we see 0x then we can assume this is the start of a hex value. It
does not seem necessary to check for a hex digit after that since it will
happen when parsing the value anyway.
Drop this check to simplify the code and reduce size. Add a few more test
cases for when a 0x prefix is used.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.
Add a proper comment to simple_strtoul() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
CONFIG_HEXDUMP is needed to display UEFI variables using 'printenv -e'.
Enabling CONFIG_SPL_HEXDUMP only makes sense for debugging purposes.
Hence CONFIG_SPL_HEXDUMP should not be enabled by default.
The following boards currently have CONFIG_SPL_HEXDUMP=y. This includes
boards that don't use SPL at all.
axm_defconfig
imx8mm-cl-iot-gate_defconfig
imx8mm_venice_defconfig
imxrt1020-evk_defconfig
imxrt1050-evk_defconfig
kontron_sl28_defconfig
kp_imx53_defconfig
lx2160ardb_tfa_stmm_defconfig
mt7622_rfb_defconfig
octeon_ebb7304_defconfig
octeon_nic23_defconfig
qemu_arm64_defconfig
qemu_arm_defconfig
qemu-riscv32_defconfig
qemu-riscv32_smode_defconfig
qemu-riscv64_defconfig
qemu-riscv64_smode_defconfig
qemu-x86_64_defconfig
qemu-x86_defconfig
sandbox64_defconfig
sandbox_defconfig
stm32mp15_basic_defconfig
stm32mp15_trusted_defconfig
synquacer_developerbox_defconfig
taurus_defconfig
xilinx_versal_virt_defconfig
The patch only keeps it enabled on
sandbox_spl_defconfig
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This patch adds the possibility to pass the PIN the OpenSSL Engine
used during signing via the environment variable MKIMAGE_SIGN_PIN.
This follows the approach used during kernel module
signing ("KBUILD_SIGN_PIN") or UBIFS image
signing ("MKIMAGE_SIGN_PIN").
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
*sig_size isn't set until later so use the correct variables.
Signed-off-by: Donald Chan <hoiho@lab126.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rather than looking at two KConfig options in the Makefile, create a new
Kconfig option for compiling lib/charset.c
Enable it for UFS also, which needs this support.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add simple_strtoll function for converting a string containing digits
into a long long int value.
Signed-off-by: Roland Gaudig <roland.gaudig@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a bus driver for this and use it to configure the bus parameters for
the Ethernet interface. Drop the old pre-driver-model code.
Switch over to use driver model for Ethernet.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
In the commit c982874e93 ("efi_loader: refactor
efi_setup_loaded_image()"), setjmp-related definitions were moved to
efi_loaded_image_obj in efi_loader.h. So setjmp.h is no longer
refererenced in efi_api.h.
This also fixes some error when efi_api.h will be included in
mkeficapsule.c.
Fixes: c982874e93 ("efi_loader: refactor efi_setup_loaded_image()")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If capsule authentication is disabled and yet a capsule file is signed,
its signature must be removed from image data to flush.
Otherwise, the firmware will be corrupted after update.
Fixes: 04be98bd6b ("efi: capsule: Add support for uefi capsule
authentication")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
