UEFI specification requires that 5 minutes watchdog timer is
armed before the firmware's boot manager invokes an EFI boot option.
This watchdog timer is updated as follows, according to the
UEFI specification.
1) The EFI Image may reset or disable the watchdog timer as needed.
2) If control is returned to the firmware's boot manager,
the watchdog timer must be disabled.
3) On successful completion of EFI_BOOT_SERVICES.ExitBootServices()
the watchdog timer is disabled.
1) is up to the EFI image, and 3) is already implemented in U-Boot.
This patch implements 2), the watchdog is disabled when control is
returned to U-Boot.
In addition, current implementation arms the EFI watchdog at only
the first "bootefi" invocation. The EFI watchdog must be armed
in every EFI boot option invocation.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Add a cold reset soon after processing capsule update on disk.
This is required in UEFI specification 2.9 Section 8.5.5
"Delivery of Capsules via file on Mass Storage device" as;
In all cases that a capsule is identified for processing the system is
restarted after capsule processing is completed.
This also reports the result of each capsule update so that the user can
notice that the capsule update has been succeeded or not from console log.
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Since the efi_update_capsule() represents the UpdateCapsule() runtime
service, it has to handle the capsule flags and update ESRT. However
the capsule-on-disk doesn't need to care about such things.
Thus, the capsule-on-disk should use the efi_capsule_update_firmware()
directly instead of calling efi_update_capsule().
This means the roles of the efi_update_capsule() and capsule-on-disk
are different. We have to keep the efi_update_capsule() for providing
runtime service API at boot time.
Suggested-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The general rule of accepting or rejecting an image is
1. Is the sha256 of the image in dbx
2. Is the image signed with a certificate that's found in db and
not in dbx
3. The image carries a cert which is signed by a cert in db (and
not in dbx) and the image can be verified against the former
4. Is the sha256 of the image in db
For example SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher",
which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in it's
turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root".
The latter is a self-signed CA certificate and with our current implementation
allows shim to execute if we insert it in db.
However it's the CA cert in the middle of the chain which usually ends up
in the system's db. pkcs7_verify_one() might or might not return the root
certificate for a given chain. But when verifying executables in UEFI, the
trust anchor can be in the middle of the chain, as long as that certificate
is present in db. Currently we only allow this check on self-signed
certificates, so let's remove that check and allow all certs to try a
match an entry in db.
Open questions:
- Does this break any aspect of variable authentication since
efi_signature_verify() is used on those as well?
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The EFI spec allows for images to carry multiple signatures. Currently
we don't adhere to the verification process for such images.
The spec says:
"Multiple signatures are allowed to exist in the binary's certificate
table (as per PE/COFF Section "Attribute Certificate Table"). Only one
hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx."
With our current implementation signing the image with two certificates
and inserting both of them in db and one of them dbx doesn't always reject
the image. The rejection depends on the order that the image was signed
and the order the certificates are read (and checked) in db.
While at it move the sha256 hash verification outside the signature
checking loop, since it only needs to run once per image and get simplify
the logic for authenticating an unsigned imahe using sha256 hashes.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
MCFG tables are used on multiple arches. Move to common ACPI lib.
Cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Moritz Fischer <moritzf@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Use sizeof(*mcfg) instead of sizeof(*header)
Signed-off-by: Simon Glass <sjg@chromium.org>
When we have the block descriptor we can simply access the device. Drop
the unnecessary function call.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Use this function rather than following the pointers, since it is there
for this purpose.
Add the uclass name to the debug call at the end of dp_fill() since it is
quite useful.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When loading an EFI binary via the UART we assign a UART device path to it.
But we lack a handle with that device path.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The UEFI specification concerning Uart() device path nodes has been
clarified:
Parity and stop bits can either both use keywords or both use
numbers but numbers and keywords should not be mixed.
Let's go for keywords as this is what EDK II does. For illegal
values fall back to numbers.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The printing of a file path node must properly handle:
* odd length of the device path node
* UTF-16 character only partially contained in device path node
* buffer overflow due to very long file path
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The test for the RISCV_EFI_BOOT_PROTOCOL retrieves the boot hart id via the
protocol and compares it to the value of the boot hart id in the device
tree. The boot hart id is already retrieved from the device tree in the FDT
test.
Merge the two tests to avoid code duplication.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
At present we use wide characters for Unicode but this is not necessary.
Change the code to use the 'u' literal instead. This helps to fix build
warnings for sandbox on the Raspberry Pi.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
At present we use wide characters for unicode but this is not necessary.
Change the code to use the 'u' literal instead. This helps to fix build
warnings for sandbox on rpi.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Documentation:
* update Nokia RX-51 documentation and move it to rst
* describe boot switch settings for HiFive Unmatched board
UEFI:
* fix the checking of images hashes and signatures
* provide the RISCV_EFI_BOOT_PROTOCOL
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmH1CY8ACgkQxIHbvCwF
GsTTXA/+L53FjKHiOQLf9+FrNO7AZ7OcL51brl97eRuQ/jVaF4ClPnDrwPv+uj8m
rXJHZr6WLRc7A1bIwTYhoetrir07A4pZSHAiKTQuJS2uVFgX25Lp4y5vPt1jgIwF
BsRyVxF50crNQjDuSDUQF6RHCa5QhvgZ9mZ/WQQ0MjRRysnw6sISvNc9HbZLdbau
FheOHERJknE1HELeAg/5KKRn1lt3ew6/QdEqPCvKuhsNW4y31zYyHXt1bvpK8cq0
6m2fRX87nnaIExAb3WLiID91jyPMmrg3ZUndFJfjcAwjelYa50xxHr/vEgw9S1Pb
xMMZSKTmEFoVdX7umW9uw/p0tWygGOUw8/d9bsZPv7qh1akwoKog2BVl/zRbW+5n
x4zCNXOllh0p2u8rRQRu8BqVNXZpw+Intk5frVPeazwbnvBrZFd7jN3JyHMtbUkv
xXJBgHQgbn3z3+zQf9XEa7VjQ+l92x5n0IRWlRxYYEUkMW6o8XZyhzY5Xn1Q7K2z
kLBx/U7o633D2BPtlt66HmIJa/fH02nD7TmmQy3j0ICQdB2GbHOs2uRF5rATV7v0
LukLrTr7kSebOhyINvabsLl126URsx2YjUs7lhPy6ILWm+QGUs8tqyKdTe0gQ7AZ
vneyV2v3CDmMBF3MhE178/kdoJnwk8q7c7JiCQpLNXA33CJCnxw=
=+edp
-----END PGP SIGNATURE-----
Merge tag 'efi-2022-04-rc1-3' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2022-04-rc1-3
Documentation:
* update Nokia RX-51 documentation and move it to rst
* describe boot switch settings for HiFive Unmatched board
UEFI:
* fix the checking of images hashes and signatures
* provide the RISCV_EFI_BOOT_PROTOCOL
We don't have to recalculate the image hash every time we check against a
new db/dbx entry. So let's add a flag forcing it to run once since we only
support sha256 hashes
Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
A mix of signatures and hashes in db doesn't always work as intended.
Currently if the digest algorithm is not explicitly set to sha256 we
stop walking the security database and reject the image.
That's problematic in case we find and try to check a signature before
inspecting the sha256 hash. If the image is unsigned we will reject it
even if the digest matches.
Since we no longer reject the image on unknown algorithms add an explicit
check and reject the image if any other hash algorithm apart from sha256
is detected on dbx.
Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
On RISC-V a new UEFI protocol has been introduced. Support printing
its GUID using %pUs.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This adds support for new RISCV_EFI_BOOT_PROTOCOL to
communicate the boot hart ID to bootloader/kernel on RISC-V
UEFI platforms.
The specification of the protocol is hosted at:
https://github.com/riscv-non-isa/riscv-uefi
Signed-off-by: Sunil V L <sunilvl@ventanamicro.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.
Add test case in vboot for sha384 with rsa3072 algorithm testing.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
binman support for bintools (binary tools)
minor tools improvements in preparation for FDT signing
various minor fixes and improvements
-----BEGIN PGP SIGNATURE-----
iQFFBAABCgAvFiEEslwAIq+Gp8wWVbYnfxc6PpAIreYFAmHyEeYRHHNqZ0BjaHJv
bWl1bS5vcmcACgkQfxc6PpAIreYYlgf8C7tQVklXz9ZHhxVrFaPHWwgmBzEZJSrc
7SWhDX9yBrAYBUk8Q4OMnJz6nXW8Rz5Td9GfBNWcJag1HjJqno4BxkqwGk2tshgj
GIY0D1cGfKJzB4E6/rK/ETwmX4KVUyEf7S2IdJ0oydkn9t7OwDkUX5WtGXo70E7q
ZJGYlX5NQCVBRAF9NYDuyVFljrPzAiyT58VCtXY3q63C7PmRYvag8r56ug+8lkk3
9EbOTcwETqq9SbT1vucyBxwbUmoKhb2BF32jEcIhozowIM3GNsSpkdzQCUnylqfa
LYI/p0oVTKLfFRBRvQjLgdB/OQP8MLkby8A++Db2OW49mBXhn/5JWA==
=PdpE
-----END PGP SIGNATURE-----
Merge tag 'dm-pull-26jan22' of https://source.denx.de/u-boot/custodians/u-boot-dm
acpi refactoring to allow non-x86 use
binman support for bintools (binary tools)
minor tools improvements in preparation for FDT signing
various minor fixes and improvements
It is currenly only used from usbtty driver but make it properly
selectable via Kconfig symbol, for future usage.
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Add some more debugging to make it easier to see what is being tried and
what fails. Fix a few comment styles while here.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present this list is used to collect items within the DSDT and SSDT
tables. It is useful for it to collect the whole tables as well, so there
is a list of what was created and which write created each one.
Refactor the code accordingly.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move this over to use a writer file, moving the code from the x86
implementation.
There is no need to store a separate variable since we can simply access
the ACPI context.
With this, the original monolithic x86 function for writing ACPI tables
is gone.
Note that QEMU has its own implementation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Update this function to the newer style, so we can avoid passing and
returning an address through this function.
Also move this function out of the x86 code so it can be used by other
archs.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Move this table over to use a writer function, moving the code from the
x86 implementation.
Add a pointer to the DSDT in struct acpi_ctx so we can reference it later.
Disable this table for sandbox since we don't actually compile real ASL
code.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move this table over to use a writer function, moving the code from the
x86 implementation.
Add a pointer to the DSDT in struct acpi_ctx so we can reference it later.
Signed-off-by: Simon Glass <sjg@chromium.org>
Use the new ACPI writer to write the base tables at the start of the area,
moving this code from the x86 implementation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Use the new ACPI writer to write the ACPI tables. At present this is all
done in one monolithic function. Future work will split this out.
Unfortunately the QFW write_acpi_tables() function conflicts with the
'writer' version, so disable that for sandbox.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present acpi_setup_base_tables() both sets up the ACPI context and
writes out the base tables.
We want to use an ACPI writer to write the base tables, so split this
function into two, with acpi_setup_ctx() doing the context set, and
acpi_setup_base_tables() just doing the base tables.
Disable the writer's write_acpi_tables() function for now, to avoid
build errors. It is enabled in a following patch.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present we call lots of functions to generate the required ACPI tables.
It would be better to standardise these functions and allow them to be
automatically collected and used when needed.
Add a linker list to handle this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Rather than keying everything off ACPIGEN, use the main
GENERATE_ACPI_TABLE option to determine whether the core ACPI code
is included. Make sure these option are not enabled in SPL/TPL since we
never generate tables there.
Signed-off-by: Simon Glass <sjg@chromium.org>
The current EFI implementation confuses pointers and addresses. Normally
we can get away with this but in the case of sandbox it causes failures.
Despite the fact that efi_allocate_pages() returns a u64, it is actually
a pointer, not an address. Add special handling to avoid a crash when
running 'bootefi hello'.
Signed-off-by: Simon Glass <sjg@chromium.org>
Allow this to be used on any arch. Also convert to using macros so that
we can check the CONFIG option in C code.
Signed-off-by: Simon Glass <sjg@chromium.org>
These have sadly found their way to ARM now. Allow any arch to support
generating ACPI tables.
Disable this for the tools build.
Signed-off-by: Simon Glass <sjg@chromium.org>
Documentation:
* describe printf() format codes
UEFI
* enable more algorithms for UEFI image verification, e.g. SHA256-RSA2048
General
* simplify printing short texts for GUIDs
* provide a unit test for printing GUIDs
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmHoLnQACgkQxIHbvCwF
GsQ25Q/9G5REcgmo9Hjv+2ri3VJJueIGRL1QeXDl84TxUYgYAtHj7zo/YaeacHKB
RVBsQafU6vIuAq5YRJFKCSWCxjPJVUH9QO5QQz6RE14KoBh6OYUQP2wSf/+p6/sb
47wfVtyAUEpCEz60eDj5EWrSPpH78BNW7MmKoTZWSgE1APaBTAHw/Uo6tnb52Qsv
vQ73Q9R4s0hpsylVtmwIZ0udDcaJg3SQf/4glhnHxaUW/oMoRd0DU7Dnbbg2oxfd
Y03J0zarqAdIjzNvADnUz6Ei2+H1TrzRe9tzhuXRuseZdANrUnzDIe6bdz+RCmkl
sdBCmBDPoChosiAcaX9FkajaAi5XYpZ5Sitdpp9A8ZdVc0Lzr1XLbfLksJRM7WwM
jSP/JDAGYzJqL86C4hrx46aERUuXgywf/vSM7UoG5OxbtMa/AqbHuXMOnd4jXGYD
48fLlyMWlZ7+Kd4v3x9QlwSmM0LLsokn93JEWrJhJqFPzdHYUQifU2vlZmrJHWyS
BjzCJxu+rCmXBO6wlcAvsF9V/kx5IO3CKIGn24UUt/wjSBu4VDO5oSzVseJxPBIQ
vBV9qZfwKCk9U/F1VN43xvIKvcO+oK+pEE9FB5trffYGmHfSEmBwOq3LuHlyMpeJ
L+TrJUsZstFtx0ZBmVB3YuERusb2z+x1osnifGJvUHCLqjCgvl0=
=GoR6
-----END PGP SIGNATURE-----
Merge tag 'efi-2022-04-rc1-2' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2022-04-rc1-2
Documentation:
* describe printf() format codes
UEFI
* enable more algorithms for UEFI image verification, e.g. SHA256-RSA2048
General
* simplify printing short texts for GUIDs
* provide a unit test for printing GUIDs
Right now the code explicitly limits us to sha1,256 hashes with RSA2048
encryption. But the limitation is artificial since U-Boot supports
a wider range of algorithms.
The internal image_get_[checksum|crypto]_algo() functions expect an
argument in the format of <checksum>,<crypto>. So let's remove the size
checking and create the needed string on the fly in order to support
more hash/signing combinations.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The ESRT test may try to print a GUID if an error occurs.
Implement the %pU print code.
Correct the ESRT test to use %pU instead of %pUl to avoid the output
of character 'l'.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
For printing GUIDs with macro EFI_ENTRY use %pUs instead of %pUl to provide
readable debug output.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
In different places text representations are used for GUIDs, e.g.
* command efidebug
* command part list for GPT partitions
To allow reducing code duplication introduce a new printf code %pUs.
It will call uuid_guid_get_str() to get a text representation. If none is
found it will fallback to %pUl and print a hexadecimal representation.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Currently uuid_guid_get_str() is only built if
CONFIG_PARTITION_TYPE_GUID=y.
To make it usable for other GUIDs compile it if CONFIG_LIB_UUID=y.
The linker will take care of removing it if it is unused.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The code is cross-ported from BLAKE2 reference implementation
(https://github.com/BLAKE2/BLAKE2).
With minimal change to remove unused macros/features.
Currently there is only one user inside U-boot (btrfs), and since it
only utilize BLAKE2B, all other favors are all removed.
Signed-off-by: Qu Wenruo <wqu@suse.com>
[trini: Rename ROUND to R to avoid clash with <linux/bitops.h>
Signed-off-by: Tom Rini <trini@konsulko.com>
Documentation:
* Fix building HTML documentation of readthedocs.io
* Add ARM Juno board documentation
* Build requirements for Alpine Linux
* Include DM headers in API documentation
UEFI:
* Fix section alignment of EFI binaries
* Fix header length of RISC-V EFI binaries allowing to run them on EDK II
* Remove kaslr-seed from device tree if the EFI_RNG_PROTOCOL is provided
Other:
* Let 'part list' show all 128 GPT partitions
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmHiqKYACgkQxIHbvCwF
GsTrMA//XQRIS9f8pD3/FsSfVfmtxkCLG9axEe/lRQp7l7109v+m832CJV5Em7pX
GtRGOSUdj930v1q9fZ/nUx9/IJjf/lnB0eEcMcVai2NVgyuRohGAzX9JWsVLbdOE
MicDX7D/VZ+86lPxLRJbq61jMj7Dnj+atonJQ3Bc1eBLutUaBOr6aenA99TyLavU
+guuQmQLpJz6VbyZIYxr7/CZVaVkXS0jmcfEoDHD8BrsBe3pZvNuUC4D9KIFWnLo
pQYYNuIWiVCPGE/iMbUZGjJfgHnD3qW1DWOfmeWPTysALnTSxx0m8FJrOqlxZk6R
HkEhcr/RkI2JT89C+07qsXkfvJ7YBg3r6bSNtng4i8VwSm384ffF9Y+cfoBv1285
7wo+Vbh6LuOlp0OAo3bjAuhW7gpnUkkGoc4sXv7wr560mGOtJAPrp0T1ku17ZANd
GP0T4TgvL15PAFbK+Yg6NxF+l26Lb5EkvC5bGFlM/5ceafD/B7qA2m8KG9+cR2/t
UFAyI0FB3yWp1TLfdCRXR4YEHDl3nWjs8GuwdwTPFXLWFPkf73DX/r+ZAnZAY+M+
FTGJuMZUp71aiqeAs7CHw4ePZMQCt0Hjs9kYbAMekoUncpMCFXwXmp1KxLkHBM+X
+i6WPflTL/sOSO+3M8fcUeZI7IWerOHZqCu/RTb9W0n3Ee+odBc=
=NZ+6
-----END PGP SIGNATURE-----
Merge tag 'efi-2022-04-rc1' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2022-04-rc1
Documentation:
* Fix building HTML documentation of readthedocs.io
* Add ARM Juno board documentation
* Build requirements for Alpine Linux
* Include DM headers in API documentation
UEFI:
* Fix section alignment of EFI binaries
* Fix header length of RISC-V EFI binaries allowing to run them on EDK II
* Remove kaslr-seed from device tree if the EFI_RNG_PROTOCOL is provided
Other:
* Let 'part list' show all 128 GPT partitions
At present the 'efi' command only works in the EFI payload. Update it to
work in the app too, so the memory map can be examined.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
At present this code is inline in the app and stub. But they do the same
thing. The difference is that the stub does it immediately and the app
doesn't want to do it until the end (when it boots a kernel) or not at
all, if returning to UEFI.
Move it into a function so it can be called as needed.
Add a comment showing how to store the memory map so that it can be
accessed within the app if needed, for debugging purposes only. The map
can change without notice.
Signed-off-by: Simon Glass <sjg@chromium.org>
If variable dfu_alt_info is not defined duplicate messages are displayed.
=> efidebug boot dump
Scanning disk mmc2.blk...
Scanning disk mmc1.blk...
Scanning disk mmc0.blk...
Found 3 disks
No EFI system partition
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
Remove the 'Probably dfu_alt_info not defined' message.
Instead write a warning if the variable contains no entities.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
U-Boot, in some occasions, injects a 'kaslr-seed' property on the /chosen
node. That would be problematic in case we want to measure the DTB we
install in the configuration table, since it would change across reboots.
The Linux kernel EFI-stub completely ignores it and only relies on
EFI_RNG_PROTOCOL for it's own randomness needs (i.e the randomization
of the physical placement of the kernel). In fact it (blindly) overwrites
the existing seed if the protocol is installed. However it still uses it
for randomizing it's virtual placement.
So let's get rid of it in the presence of the RNG protocol.
It's worth noting that TPMs also provide an RNG. So if we tweak our
EFI_RNG_PROTOCOL slightly and install the protocol when a TPM device
is present the 'kaslr-seed' property will always be removed, allowing
us to reliably measure our DTB.
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
CONFIG_PHANDLE_CHECK_SEQ is outside of the menu 'Library routines'
thus it's invisible in menuconfig and cannot be selected.
Fix this by moving the 'endmenu' after the PHANDLE_CHECK_SEQ definition
Fixes: c589132a1d ("fdt: Use phandle to distinguish DT nodes with same name")
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CHUNK_TYPE_RAW buffer is not aligned, and flash sparse images by
fastboot will report "Misaligned operation" if DCACHE is enabled.
Flashing Sparse Image
CACHE: Misaligned operation at range [84000028, 84001028]
CACHE: Misaligned operation at range [84001034, 84002034]
CACHE: Misaligned operation at range [8401104c, 8401304c]
Fix it
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
Reviewed-by: Sean Anderson <sean.anderson@seco.com>
The return type of EVP_PKEY_get0_RSA() is const struct rsa_st *.
Our code drops the const qualifier leading to
In file included from tools/lib/rsa/rsa-sign.c:1:
./tools/../lib/rsa/rsa-sign.c: In function ‘rsa_add_verify_data’:
./tools/../lib/rsa/rsa-sign.c:631:13: warning:
assignment discards ‘const’ qualifier from pointer target type
[-Wdiscarded-qualifiers]
631 | rsa = EVP_PKEY_get0_RSA(pkey);
| ^
Add a type conversion.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
- meson64_android: add board specific env settings, in order to support VIM3/L for android
- add changes to support VIM3/L android boot by using meson64_android.h config
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEPVPGJshWBf4d9CyLd9zb2sjISdEFAmHYV8MACgkQd9zb2sjI
SdELkA/+LjyjJB1KI6/KLLg43zyFeeZX/SjQd5BUIx6EfaCgyTkuq2lzQnErGmbi
HoyMoNLpBxLIL27/5TXPzmKYAeOfKPxA/sXTTtx/l7PG8ncSZIoU0+utqjycdUsK
tSi7EdFzk7/kDDRkqqA7q9nxsPn/7GQNh/ZC9zstMXKaTO/TEb/sZWCMcvQ0MNoB
ynZKOCg5t60UkIYIRwZwC/OS/ssn86dovv/Aa/8D6qpL2AbS5DoCXHuAr8Dnz7fJ
q4rV7oLh7a+WHe/qC7R6ylYFIVVqY5JaIgbLDwuvk1z9o7txchMMQnGgllZ35sN9
LECD2iSDGjhPaHuGCvQwl3TWtIpvtdcP4sQTyJhsXNPxCG6HHvRz7xY4erUohR1I
LIddwCCHeCrBiaamXNbCzph2+JhfPSQ5ETCL9M6iBMxNUPunlCxjfjDzlT/pg11p
EO9PIPjRMR9QhxKtd3gZpyAqPuMBEmIwhDtHI6dL3DNOOsF44ObE4swnzS6qXIDn
jRZzFCC2f/Vyg11YnzFtV3A5eWwJahGDWAGAnnlg6Y8GCLlLmDJitcgA/rWSALko
T5fC8L8IFUx2RnHczyitJ/wqJl9FqOAnIaoB3Trpwp8gFQ15dQjbvoXldQnAjSS2
9bns3zOrx79EF4lbHhwNE9UDLm6OjK5vR3h4bGJvyZBmasVsA90=
=dLEg
-----END PGP SIGNATURE-----
Merge tag 'u-boot-amlogic-20220107' of https://source.denx.de/u-boot/custodians/u-boot-amlogic into next
- disable CONFIG_NET_RANDOM_ETHADDR when unnecessary on amlogic based configs
- meson64_android: add board specific env settings, in order to support VIM3/L for android
- add changes to support VIM3/L android boot by using meson64_android.h config
Add a message here so that both paths of memory allocation are reported.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The stub checks for failure with efi_init(). Add this for the app as well.
It is unlikely that anything can be done, but we may as well stop.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
At present each of these has its own static variable and helper functions.
Move them into a shared file.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Comment some functions that need more information.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When starting the app, locate all block devices and make them available
to U-Boot. This allows listing partitions and accessing files in
filesystems.
EFI also has the concept of 'disks', meaning boot media. For now, this
is not obviously useful in U-Boot, but add code to at least locate these.
This can be expanded later as needed.
We cannot use printf() in the early stub or app since it is not compiled
in
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This is needed to show unicode strings. Enable this code in the app.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Currently we allow and explicitly check a single shared page with
StandAloneMM. This is dictated by OP-TEE which runs the application.
However there's no way for us dynamically discover the number of pages we
are allowed to use. Since writing big EFI signature list variable
requires more than a page, OP-TEE has bumped the number of shared pages to
four.
Let's remove our explicit check and allow the request to reach OP-TEE even
if it's bigger than what it supports. There's no need to sanitize the
number of pages internally. OP-TEE will fail if we try to write more
than it's allowed. The error will just trigger later on, during the
StMM access.
While at it add an error message to help users figure out what failed.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
Signed-off-by: Ilias Apalodimas <apalos@gmail.com>
In order to finish moving this symbol to Kconfig for all platforms, we
need to do a few more things. First, for all platforms that define this
to a function, introduce CONFIG_DYNAMIC_SYS_CLK_FREQ, similar to
CONFIG_DYNAMIC_DDR_CLK_FREQ and populate clock_legacy.h. This entails
also switching all users from CONFIG_SYS_CLK_FREQ to get_board_sys_clk()
and updating a few preprocessor tests.
With that done, all platforms that define a value here can be converted
to Kconfig, and a fall-back of zero is sufficiently safe to use (and
what is used today in cases where code may or may not have this
available). Make sure that code which calls this function includes
<clock_legacy.h> to get the prototype.
Signed-off-by: Tom Rini <trini@konsulko.com>
Our Gitlab CI buildsystem is set up to treat warnings as errors.
With OpenSSL 3.0 a lot of deprecation warnings occur.
With the patch compatibility with OpenSSL 1.1.1 is declared.
In the long run we should upgrade our code to use the current API.
A -Wdiscarded-qualifiers warning is muted by casting.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Currently we allow and explicitly check a single shared page with
StandAloneMM. This is dictated by OP-TEE which runs the application.
However there's no way for us dynamically discover the number of pages we
are allowed to use. Since writing big EFI signature list variable
requires more than a page, OP-TEE has bumped the number of shared pages to
four.
Let's remove our explicit check and allow the request to reach OP-TEE even
if it's bigger than what it supports. There's no need to sanitize the
number of pages internally. OP-TEE will fail if we try to write more
than it's allowed. The error will just trigger later on, during the
StMM access.
While at it add an error message to help users figure out what failed.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
Signed-off-by: Ilias Apalodimas <apalos@gmail.com>
When U-Boot is started from another firmware program, not just a prior
phase of U-Boot, special behaviour is typically used. In particular, the
device tree may come from that prior stage.
At present this is sort-of indicated by OF_BOARD, although the
correlation is not 1:1, since that option simply means that the board has
a custom mechanism for obtaining the device tree. For example, sandbox
defines OF_BOARD. Also the board_fdt_blob_setup() function can in fact
make use of the devicetree in U-Boot if it wishes, as used by
dragonboard410c until very recently.
Add an explicit Kconfig for this situation. Update the OF_BOARD option to
more-accurately reflect what it is doing, e.g. for sandbox.
Drop the docs in the README as it is out of date.
Signed-off-by: Simon Glass <sjg@chromium.org>
It can be confusing to figure out where the devicetree came from. It seems
important enough to warrant a message during boot. Add information about
the number of devices and uclasses too since it is helpful to have some
idea what is going on with driver model.
Report the devicetree source in bdinfo too.
This looks something like this, with > marking the new line.
U-Boot 2021.10-00190 (Oct 30 2021 - 09:01:29 -0600)
DRAM: 128 MiB
> Core: 42 devices, 11 uclasses, devicetree: passage
Flash: 64 MiB
Signed-off-by: Simon Glass <sjg@chromium.org>
At present this override function is called even when OF_BOARD is not
enabled. This makes it impossible to disable this feature and in fact
makes the OF_BOARD option useless.
Reinstate its intended purpose, so that it is possible to switch between
the appended devicetree and one provided by the board's custom function.
A follower patch adds warnings for this scenario, but for now we don't
have a Kconfig that definitively tells us that OF_BOARD should be used.
Signed-off-by: Simon Glass <sjg@chromium.org>
This function should only be called when OF_CONTROL is enabled. It
fails in fdtdec_prepare_fdt() anyway, since gd->fdt_blob stays as NULL
if OF_CONTROL is not enabled.
Drop this useless check.
Signed-off-by: Simon Glass <sjg@chromium.org>
This logic is a bit convoluted for one function. Move the mulit-FIT part
into its own function.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
These names are better used for access to devices provided by an EFI
layer. Use EFI_LOADER instead here, since these are only available in
U-Boot's EFI_LOADER layer.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When the TCG2 protocol is installed in efi_tcg2_register(),
TPM2 device must be present.
tcg2_measure_pe_image() expects that TCP2 protocol is installed
and TPM device is available. If TCG2 Protocol is installed but
TPM device is not found, tcg2_measure_pe_image() returns
EFI_SECURITY_VIOLATION and efi_load_image() ends with failure.
The same error handling is applied to
efi_tcg2_measure_efi_app_invocation().
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
There are functions that calls tcg2_agile_log_append() outside
of the TCG protocol invocation (e.g tcg2_measure_pe_image).
These functions must to check that TCG2 protocol is installed.
If not, measurement shall be skipped.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
This commit modify efi_tcg2_register() to return the
appropriate error.
With this fix, sandbox will not boot because efi_tcg2_register()
fails due to some missing feature in GetCapabilities.
So disable sandbox if EFI_TCG2_PROTOCOL is enabled.
UEFI secure boot variable measurement is not directly related
to TCG2 protocol installation, tcg2_measure_secure_boot_variable()
is moved to the separate function.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Firmwares before U-Boot may be capable of doing tpm measurements
and passing them to U-Boot in the form of eventlog. However there
may be scenarios where the firmwares don't have TPM driver and
are not capable of extending the measurements in the PCRs.
Based on TCG spec, if previous firnware has extended PCR's, PCR0
would not be 0. So, read the PCR0 to determine if the PCR's need
to be extended as eventlog is parsed or not.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The current tpm2_pcr_read is hardcoded using SHA256. Make the
actual command to TPM configurable to use wider range of algorithms.
The current command line is kept as is i.e limited to SHA-256 only.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Platforms may have support to measure their initial firmware components
and pass the event log to u-boot. The event log address can be passed
in property tpm_event_log_addr and tpm_event_log_size of the tpm node.
Platforms may choose their own specific mechanism to do so. A weak
function is added to check if even log has been passed to u-boot
from earlier firmware components. If available, the eventlog is parsed
to check for its correctness and further event logs are appended to the
passed log.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
UEFI code is always little-endian. Remove a superfluous test.
Remove a superfluous type conversion.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
If we call efi_clear_os_indications() before initializing the memory store
for UEFI variables a NULL pointer dereference occurs.
The error was observed on the sandbox with:
usb start
host bind 0 sandbox.img
load host 0:1 $kernel_addr_r helloworld.efi
bootefi $kernel_addr_r
Here efi_resister_disk() failed due to an error in the BTRFS implementation.
Move the logic to clear EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED
to the rest of the capsule code.
If CONFIG_EFI_IGNORE_OSINDICATIONS=y, we should still clear the flag.
If OsIndications does not exist, we should not create it as it is owned by
the operating system.
Fixes: 149108a3eb ("efi_loader: clear OsIndications")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Our algorithm for creating USB device paths may lead to duplicate device
paths which result in efi_disk_register() failing. Instead we should just
skip devices that cannot be registered as EFI block devices.
Fix a memory leak in efi_disk_add_dev() caused by the duplicate device
path.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
If we look at the path that bootm/booti take when preparing to boot the
OS, we see that as part of (or prior to calling do_bootm_states,
explicitly) the process, bootm_disable_interrupts() is called prior to
announce_and_cleanup() which is where udc_disconnect() /
board_quiesce_devices() / dm_remove_devices_flags() are called from. In
the EFI path, these are called afterwards. In efi_exit_boot_services()
however we have been calling bootm_disable_interrupts() after the above
functions, as part of ensuring that we disable interrupts as required
by the spec. However, bootm_disable_interrupts() is also where we go
and call usb_stop(). While this has been fine before, on the TI J721E
platform this leads us to an exception. This exception seems likely to
be the case that we're trying to stop devices that we have already
disabled clocks for. The most direct way to handle this particular
problem is to make EFI behave like the do_bootm_states() process and
ensure we call bootm_disable_interrupts() prior to ending up in
usb_stop().
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Simon Glass <sjg@chromium.org>
Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Due to U-Boot's lazy binding mentality the TPM is probed but not properly
initialized. The user can startup the device from the command line
e.g 'tpm2 startup TPM2_SU_CLEAR'. However we can initialize the TPM during
the TCG protocol installation, which is easier to use overall.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
As described in the TCG spec [1] in sections 7.1.1 and 7.1.2 the FinalEvent
table should include events after GetEventLog has been called. This
currently works for us as long as the kernel is the only EFI application
calling that. Specifically we only implement what's described in 7.1.1.
So refactor the code a bit and support EFI application(s) calling
GetEventLog. Events will now be logged in both the EventLog and FinalEvent
table as long as ExitBootServices haven't been invoked.
[1] https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Implement the EFI_EVENT_GROUP_BEFORE_EXIT_BOOT_SERVICES event group
handling.
Add the definition of EFI_EVENT_GROUP_AFTER_READY_TO_BOOT.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Record capsule update result only if the capsule file is
successfully read, because the capsule GUID is not sure when
the file can not be read or the file is not a capsule.
Without this fix, if user puts a dummy (non-capsule) file
under (ESP)EFI/UpdateCapsule, U-Boot causes a synchronous
abort.
This also fixes use-after-free bug of the 'capsule' variable.
Fixes: c74cd8bd08 ("efi_loader: capsule: add capsule_on_disk support")
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
log_info() is used for the debug level logging statement
which should use log_debug() instead. Convert it to reduce the
log output.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In case U-Boot enters relocation with GD_FLG_SKIP_RELOC, skip the
relocation. The code still has to set up new_gd pointer and new
stack pointer.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
In case U-Boot starts with GD_FLG_SKIP_RELOC, the U-Boot code is
not relocated, however the stack and heap is at the end of DRAM
after relocation. Reserve a LMB area for the non-relocated U-Boot
code so it won't be overwritten.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
This command is not compiled by default and has not been updated alongside
changes to the tpmv1 API, such as passing the TPM udevice to the relevant
functions.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add an xtoa() function, similar to itoa() but for hex instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Artem Lapkin <email2tema@gmail.com>
Tested-by: Artem Lapkin <email2tema@gmail.com>
UEFI specification does not require that BootOrder is defined.
In current implementation, boot variable measurement fails and
returns EFI_NOT_FOUND if BootOrder is not defined.
This commit correcly handles this case, skip the boot variable
measurement if BootOrder is not defined.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit adds the missing EFI_TCG2_PROTOCOL selftest
and Measured Boot selftest in lib/efi_selftest.
This selftest includes PE/COFF image measurement test, some PCR values are
different in each architecture. With that, this commit also adds pre-built
versions of lib/efi_selftest/efi_miniapp_file_image_exit.c for PE/COFF
image measurement test for 32-bit arm, arm64, ia32, x86_64, riscv32 and
riscv64. Prebuilding avoids the problem of reproducible builds.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Make the test 'onrequest'.
Add code comments to the includes with the binaries.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add a function to return this information along with a stub for the
efi_info_get() function, since calling it otherwise hangs U-Boot.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This variable is already defined by the EFI code. Drop the duplicate
definition when building a 64-bit EFI app.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Most modern platforms use 64-bit EFI so it is useful to have a U-Boot app
that runs under that. Add a (non-functional) build for this.
Note that --whole-archive causes the gcc 9.2 linker to crash, so disable
this for now. Once this is resolved, things should work.
For now, avoid mentioning the documentation for the 64-bit app, since it
does not work.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Most EFI implementations use 64-bit but U-Boot only supports running as
a 32-bit app at present. While efi-x86_payload64 does boot from 64-bit
UEFI it immediately changes back to 32-bit before starting U-Boot.
In order to support a 64-bit U-Boot app, update the Kconfig to add an
option for 32/64 bit. Update the prompt for the existing option so it is
clear it relates to the stub. Move both up to just under the choice that
controls them, since this looks better and the menu.
Use CONFIG_EFI_APP in the Makefile instead of CONFIG_TARGET_EFI_APP,
since the latter is specific to a single target and we will have two.
Memory size is set to 32MB for now so that it can run on qemu without
increasing the default memory size. We may need to increase the default
later.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This commit adds the EFI_TCG2_PROTOCOL.SubmitCommand
required in the TCG PC Client PFP spec.
SubmitCommand enables to send the raw command to the TPM device.
To implement this api, tpm2_submit_command() is added
into tpm-v2.c.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Calling unaligned/access-ok.h version of put_unaligned_le64()
causes data abort in arm 32-bit QEMU.
The similar issue also occurs in linux kernel,
unaligned/access-ok.h is no longer used in linux kernel[1].
This commit uses the unaligned/be_byteshift.h and
unaligned/le_byteshift.h helper instead of unaligned/access-ok.h.
[1]https://lore.kernel.org/all/20210507220813.365382-8-arnd@kernel.org/
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
As we discussed in ML, currently a device tree is the only place
to store public keys for capsule authentication. So __weak is not
necessary for now.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
OF_HOSTFILE is used on sandbox configs only. Although it's pretty
unique and not causing any confusions, we are better of having simpler
config options for the DTB.
So let's replace that with the existing OF_BOARD. U-Boot would then
have only three config options for the DTB origin.
- OF_SEPARATE, build separately from U-Boot
- OF_BOARD, board specific way of providing the DTB
- OF_EMBED embedded in the u-boot binary(should not be used in production
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit adds the DeployedMode and AuditMode variable
measurement required in TCG PC Client Platform Firmware
Profile Specification.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
This commit adds the UEFI GPT disk partition topology
measurement required in TCG PC Client Platform Firmware
Profile Specification
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Correct the test on RNG device presence,when ret is equal to 0,
before to call dm_rng_read function.
Without this patch the RNG device is not used when present (when ret == 0)
or a data abort occurs in dm_rng_read when CONFIG_DM_RNG is activated but
the RNG device is not present in device tree (ret != 0 and devp = NULL).
Fixes: 92fdad28cf ("lib: uuid: use RNG device if present")
CC: Matthias Brugger <mbrugger@suse.com>
CC: Torsten Duwe <duwe@suse.de>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit adds a check on the padding in the function rsa_verify_key
to avoid using a NULL pointer.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
TCG PC Client Platform Firmware Profile Specification
requires to measure the SMBIOS table that contains static
configuration information (e.g. Platform Manufacturer
Enterprise Number assigned by IANA, platform model number,
Vendor and Device IDs for each SMBIOS table).
The device- and environment-dependent information such as
serial number is cleared to zero or space character for
the measurement.
Existing smbios_string() function returns pointer to the string
with const qualifier, but exisintg use case is updating version
string and const qualifier must be removed.
This commit removes const qualifier from smbios_string()
return value and reuses to clear the strings for the measurement.
This commit also fixes the following compiler warning:
lib/smbios-parser.c:59:39: warning: cast to pointer from integer of
different size [-Wint-to-pointer-cast]
const struct smbios_header *header = (struct smbios_header *)entry->struct_table_address;
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Simplify efi_sigstore_parse_sigdb() by using existing functions.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
In multiple places we need the default GUID matching a variable name.
The patch provides a library function. For secure boot related variables
like 'PK', 'KEK', 'db' a lookup table is used. For all other variable
names EFI_GLOBAL_VARIABLE is returned.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
UEFI variable names are typically constants and hence should be defined as
const. Unfortunately some of our API functions do not define the parameters
for UEFI variable names as const. This requires unnecessary conversions.
Adjust parameters of several internal functions to tre UEFI variable names
as const.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The commit 47a25e81d3 ("Revert "efi_capsule: Move signature from DTB to
.rodata"") failed to revert the removal of efi_get_public_key_data().
Add back this function and move it under lib/efi_loader so that other
platforms can utilize it. It is now declared as a weak function so that
it can be replaced with a platform-specific implementation.
Fixes: 47a25e81d3 ("Revert "efi_capsule: Move signature from DTB to
.rodata"")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit fixes the following compilation warning
of boottime->install_configuration_table() function.
lib/efi_selftest/efi_selftest_tcg2.c:475:46:
warning: passing argument 1 of ‘boottime->install_configuration_table’
discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
ret = boottime->install_configuration_table(&smbios_guid, dmi);
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The 'efidebug boot dump' command should not display the VenMedia() device
path node preceding the device path of the initial ram disk.
By letting efi_dp_from_lo() skip the VenMedia() device path node we can
simplify the coding.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Create the GUID as a global variable.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Parameter size is never used in function efi_dp_from_lo(). Remove it.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Instead of copying a GUID and then using a pointer to the copy for calling
guidcmp(), just pass the pointer to the orginal GUID.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We are ignoring the alignment communicated via the PE/COFF header.
Starting 5.10 the Linux kernel will loudly complain about it. For more
details look at [1] (in linux kernel).
So add a function that can allocate aligned EFI memory and use it for our
relocated loaded image.
[1] c32ac11da3f83 ("efi/libstub: arm64: Double check image alignment at entry")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When using a file to store UEFI variables we must make sure that secure
boot related variables are not loaded from this file. With commit
9ef82e2947 ("efi_loader: don't load signature database from file")
this has already been implemented for variables defined in the UEFI
specification. As most Linux distributions use Shim we should do the same
for Shim's MOK database.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This code should never have been added as it builds a new feature on top
of legacy code. This has already been improved with the dependency on BLK.
Add a dependency on DM_ETH also, to avoid needing to deal with this old
code.
Boards which want EFI_LOADER should migrate to driver model first.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Repeatedly receive the packets until the receive buffer is empty.
If the buffer is empty, EFI_SIMPLE_NETWORK_PROTOCOL::Receive()
returns EFI_NOT_READY. We don't need to use the wait_for_event()
every time.
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Do not check EFI_SIMPLE_NETWORK_RECEIVE_INTERRUPT in packet
receiving loop. This depends on the implementation and not
related to whether the packet can be received or not.
Whether the received packets are available or not is ensured
by wait_for_packet, and that is already done in the loop.
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
According to the UEF specification v2.9, the main purpose of the
EFI_SIMPLE_NETWORK_PROTOCOL::GetStatus() is for checking the link
status via EFI_SIMPLE_NETWORK_MODE::MediaPresent.
So this uses net->get_status() for checking the link status before
running network test.
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The previous patches removed OF_PRIOR_STAGE from the last consumers of the
Kconfig option. Cleanup any references to it in documentation, code and
configuration options.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reserved memory nodes can have additional flags. Support reading and
writing these flags to ensure that reserved memory nodes can be properly
parsed and emitted.
This converts support for the existing "no-map" flag to avoid extending
the argument list for fdtdec_add_reserved_memory() to excessive length.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Warren <twarren@nvidia.com>
The fdtdec_set_carveout() function's parameters are inconsistent with
the parameters passed to fdtdec_add_reserved_memory(). Fix up the order
to make it more consistent.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Warren <twarren@nvidia.com>
Reserved memory nodes can have a compatible string list to identify the
type of reserved memory that they represent. Support specifying an
optional compatible string list when creating these nodes.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Warren <twarren@nvidia.com>
When retrieving a given carveout for a device, allow callers to query
the name. This helps differentiating between carveouts when there are
more than one.
This is also useful when copying carveouts to help assign a meaningful
name that cannot always be guessed.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Warren <twarren@nvidia.com>
In order make it possible to use fdtdec_get_carveout() in loops, return
FDT_ERR_NOTFOUND when the passed-in index exceeds the number of phandles
present in the given property.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Warren <twarren@nvidia.com>
At present U-Boot has a header file called lz4.h for its own use. If the
host has its own lz4 header file installed (e.g. from the 'liblz4-dev'
package) then host builds will use that instead.
Move the U-Boot file into its own directory, as is done with various
other headers with the same problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Convert pixel values when necessary like we do for 16bpp
framebuffers.
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This file has a lot of conditional code and much of it is unnecessary.
Clean this up to reduce the number of build combinations.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present EFI_SECURE BOOT selects RSA but does not necessarily enable
FIT_SIGNATURE. Mostly this is fine, but a few boards do not enable it,
so U-Boot tries to do RSA verification when loading FIT images, but it
is not enabled.
This worked because the condition for checking the RSA signature is
wrong in the fit_image_verify_with_data() function. In order to fix it
we need to fix this dependency. Make sure that FIT_SIGNATURE is enabled
so that RSA can be used.
It might be better to avoid using 'select' in this situation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a host Kconfig for CRC32. With this we can use CONFIG_IS_ENABLED(CRC32)
directly in the host build, so drop the unnecessary indirection.
Add a few more conditions to SPL_CRC32 to avoid build failures as well as
TPL_CRC32. Also update hash.c to make crc32 optional and to actually take
notice of SPL_CRC32.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Add a host Kconfig for FIT_RSASSA_PSS. With this we can use
CONFIG_IS_ENABLED(FIT_RSASSA_PSS) directly in the host build, so drop the
forcing of this in the image.h header.
Drop the #ifdef around padding_pss_verify() too since it is not needed.
Use the compiler to check the config where possible, instead of the
preprocessor.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Add a host Kconfig for OF_LIBFDT. With this we can use
CONFIG_IS_ENABLED(OF_LIBFDT) directly in the tools build, so drop the
unnecessary indirection.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
At present when building host tools, we force CONFIG_SHAxxx to be enabled
regardless of the board Kconfig setting. This is done in the image.h
header file.
For SPL we currently just assume the algorithm is desired if U-Boot proper
enables it.
Clean this up by adding new Kconfig options to enable hashing on the host,
relying on CONFIG_IS_ENABLED() to deal with the different builds.
Add new SPL Kconfigs for hardware-accelerated hashing, to maintain the
current settings.
This allows us to drop the image.h code and the I_WANT_MD5 hack.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Unfortunately these were removed by mistake. This means that adding hash
support to SPL brings in all software algorithms, with a substantial
increase in code size.
The origin of the problem was renaming them to SPL_FIT_xxx and then these
were removed altogether in a later commit.
Add them back. This aligns with CONFIG_MD5, for example, which has an SPL
variant.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: f5bc9c25f3 ("image: Rename SPL_SHAxxx_SUPPORT to SPL_FIT_SHAxxx")
Fixes: eb5171ddec ("common: Remove unused CONFIG_FIT_SHAxxx selectors")
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The gzip API uses the u64 type in it, which is not available in the host
build. This makes it impossible to include the header file.
We could make this type available, but it seems unnecessary. Limiting the
compression size to that of the 'unsigned long' type seems good enough. On
32-bit machines the limit then becomes 4GB, which likely exceeds available
RAM anyway, therefore it should be sufficient. On 64-bit machines this is
effectively u64 anyway.
Update the header file and implementation to use 'ulong' instead of 'u64'.
Add a definition of u32 for the cases that seem to need exactly that
length. This should be safe enough.
Signed-off-by: Simon Glass <sjg@chromium.org>
The existing zstd API requires the same sequence of calls to perform its
task. Create a helper for U-Boot, to avoid code duplication, as is done
with other compression algorithms. Make use of of this from the image
code.
Note that the zstd code lacks a test in test/compression.c and this should
be added by the maintainer.
Signed-off-by: Simon Glass <sjg@chromium.org>
When passing a data buffer back from a function, it is not always clear
who owns the buffer, i.e. who is responsible for freeing the memory used.
An example of this is where multiple files are decompressed from the
firmware image, using a temporary buffer for reading (since the
compressed data has to live somewhere) and producing a temporary or
permanent buffer with the resuilts.
Where the firmware image can be memory-mapped, as on x86, the compressed
data does not need to be buffered, but the complexity of having a buffer
which is either allocated or not, makes the code hard to understand.
Introduce a new 'abuf' which supports simple buffer operations:
- encapsulating a buffer and its size
- either allocated with malloc() or not
- able to be reliably freed if necessary
- able to be converted to an allocated buffer if needed
This simple API makes it easier to deal with allocated and memory-mapped
buffers.
Signed-off-by: Simon Glass <sjg@chromium.org>
The CAAM on IMX7ULP doesn't support public key hardware acceleration
(PKHA), as in other NXP parts. Disable RSA_FREESCALE_EXP for IMX7ULP
too.
Fixed: f4e9ff7135 ("Kconfig: Don't use RSA_FREESCALE_EXP on IMX")
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
OEM_REVISION is 32-bit unsigned number. It should be increased only when
changing software version. Therefore it should not depend on build time.
Change calculation to use U-Boot version numbers and set this revision
to date number.
Prior this change OEM_REVISION was calculated from build date and stored in
the same format.
After this change macro U_BOOT_BUILD_DATE is not used in other files so
remove it from global autogenerated files and also from Makefile.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
This config is only used by three boards with this SOC. Most other
platforms derive this information from devicetree, and are unlikely
to ever need this config.
Moreover, it is confusing when Kconfig asks for this value under
"Support OPTEE images", but does not do anything with the value.
Move it to imx7 for those boards who still make use of it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
This value is not used by u-boot, and it should not. The load address
of an OPTEE image is defined by said image. Either a uImage or a FIT
will have a defined load address and entry point. Those values are the
correct ones, not CONFIG_OPTEE_LOAD_ADDR.
Commit f25006b96e ("optee: Add CONFIG_OPTEE_LOAD_ADDR") justifies
this config by requiring its presence in u-boot's .config for other
images as part of a larger build, claiming it is "the best way".
This argument is not persuasive. U-boot's configuration is driven by
platform requirements, not the other way around. It seems more likely
that the argument is conflating tooling issues with Kconfig. Yocto and
buildroot have excellent mechanisms for defining values across the
board (pun intended). u-boot's Kconfig is the wrong place to do it.
Furthermore, it is not "best" for u-boot because it hardcodes a value
which is then not used. In fact the load address that u-boot uses is
the one derived from the OPTEE image.
Confused yet? I sure was. To prevent future confusion, remove
CONFIG_OPTEE_LOAD_ADDR.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
It is no longer used in u-boot. Information about the TZDRAM location
is usually available in the devicetree as "/reserved-memory/" nodes.
Because this isn't used, remove it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The configs TZDRAM_BASE and TZDRAM_SIZE are expected to describe the
memory allocated to the OPTEE region. according to according to commit
c5a6e8bd00 ("optee: Add optee_verify_bootm_image()"). The TZDRAM is
with some limitations, described by "/reserved-memory" nodes in the
devicetree.
Consequently TZDRAM_BASE and TZDRAM_SIZE can point to imaginary
regions which have nothing to do with actual DRAM. They are not used
to configure the hardware or set up the Trust Zone Controller (TZC)
for OP-TEE -- the devicetree values are used instead.
When a valid OP-TEE image does not fall within the region described by
these configs, u-boot will refuse to load it. In fact, it mostly
serves to cause "bootm" to reject perfectly good OP-TEE images.
Ironically, someone has to correctly configure the devicetree for
TZDRAM, then go back and enter the same information in Kconfig for
"bootm". To remedy this, do not use TZDRAM_BASE and TZDRAM_SIZE in the
verification of OPTEE images.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The configuration CONFIG_OPTEE is defined 2 times:
1- in lib/optee/Kconfig for support of OPTEE images loaded by bootm command
2- in drivers/tee/optee/Kconfig for support of OP-TEE driver.
It is abnormal to have the same CONFIG define for 2 purpose;
and it is difficult to managed correctly their dependencies.
Moreover CONFIG_SPL_OPTEE is defined in common/spl/Kconfig
to manage OPTEE image load in SPL.
This definition causes an issue with the macro CONFIG_IS_ENABLED(OPTEE)
to test the availability of the OP-TEE driver.
This patch cleans the configuration dependency with:
- CONFIG_OPTEE_IMAGE (renamed) => support of OP-TEE image in U-Boot
- CONFIG_SPL_OPTEE_IMAGE (renamed) => support of OP-TEE image in SPL
- CONFIG_OPTEE (same) => support of OP-TEE driver in U-Boot
- CONFIG_OPTEE_LIB (new) => support of OP-TEE library
After this patch, the macro have the correct behavior:
- CONFIG_IS_ENABLED(OPTEE_IMAGE) => Load of OP-TEE image is supported
- CONFIG_IS_ENABLED(OPTEE) => OP-TEE driver is supported
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
-----BEGIN PGP SIGNATURE-----
iQFFBAABCgAvFiEEslwAIq+Gp8wWVbYnfxc6PpAIreYFAmFR2fMRHHNqZ0BjaHJv
bWl1bS5vcmcACgkQfxc6PpAIreaAnAf/ZKPy3CRphbgAmbLhNQhQGpLosLcFp343
cv53gfsv1DakLRrhqMSnOQSVoTg9P22uHbooDDR9WHfZyEL6tvGZ+dgN2/wlDhDj
wbvvsM7FB+uvLVfMF3MURQBvy4dPO+FyCm/uHmry2V2uqWPw4ss+aVhxeQ5s4/oI
LpS6yaiM8UAj2GTUZSqJ1+/W7YG9N6tL73n0PDyCvSrdCkyPWqpww1rtST88SfFI
bBEWc6ksna/29haOwHQ2xopEbVxtHv2byULfqUtnsbtE4Ozw8o0fx66tdwPHTQlM
7eSuRiEbqjlJuUZFIbMat7nb7inZkaWupZ/Sr1HUUiDdKMygrRsQhg==
=x8Uf
-----END PGP SIGNATURE-----
Merge tag 'dm-pull-next-27sep21' of https://source.denx.de/u-boot/custodians/u-boot-dm into next
Various of-platdata improvements, including CONFIG_OF_REAL
The current API is outdated as it requires a devicetree pointer.
Move these functions to use the ofnode API and update this globally. Add
some tests while we are here.
Correct the call in exynos_dsim_config_parse_dt() which is obviously
wrong.
Signed-off-by: Simon Glass <sjg@chromium.org>
TCG EFI Protocol Specification defines the number_of_algorithms
field in spec ID event to be equal to the number of active
algorithms supported by the TPM device. In current implementation,
this field is populated with the count of all algorithms supported
by the TPM which leads to incorrect spec ID event creation.
Similarly, the algorithm array in spec ID event should be a variable
length array with length being equal to the number_of_algorithms field.
In current implementation this is defined as a fixed length array
which has been fixed.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
CC: Masahisa Kojima <masahisa.kojima@linaro.org>
CC: Ilias Apalodimas <ilias.apalodimas@linaro.org>
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The arc/arm/m68k/microblaze/mips/ppc arch_lmb_reserve() implementations
are all mostly the same, except for a couple of details. Implement a
generic arch_lmb_reserve_generic() function which can be parametrized
enough to cater for those differences between architectures. This can
also be parametrized enough so it can handle cases where U-Boot is not
relocated to the end of DRAM e.g. because there is some other reserved
memory past U-Boot (e.g. unmovable firmware for coprocessor), it is not
relocated at all, and other such use cases.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Alexey Brodkin <alexey.brodkin@synopsys.com>
Cc: Angelo Dureghello <angelo@sysam.it>
Cc: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Cc: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
Cc: Hai Pham <hai.pham.ud@renesas.com>
Cc: Michal Simek <monstr@monstr.eu>
Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Wolfgang Denk <wd@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
ARMv8.0 has optional crc32 instruction for crc32 calculation. The
instruction is mandatory since ARMv8.1. The crc32 calculation is
faster using the dedicated instruction, e.g. 1.4 GHz iMX8MN gives:
=> time crc32 0x50000000 0x2000000
time: 0.126 seconds # crc32 instruction
time: 0.213 seconds # software crc32
Add implementation using the compiler builtin wrapper for the crc32
instruction and enable it by default, since we don't support any
platforms which do not implement this instruction.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
[trini: Make crc32_table guarded by CONFIG_ARM64_CRC32]
Signed-off-by: Tom Rini <trini@konsulko.com>
This was unfortunately applied despite much discussion about it beiong
the wrong way to implement this feature.
Revert it before too many other things are built on top of it.
This reverts commit ddf67daac3.
Signed-off-by: Simon Glass <sjg@chromium.org>
Header file version.h does not use anything from timestamp.h. Including of
timestamp.h has side effect which cause recompiling object file at every
make run because timestamp.h changes at every run.
So remove timestamp.h from version.h and include timestamp.h in files
which needs it.
This change reduce recompilation time of final U-Boot binary when U-Boot
source files were not changed as less source files needs to be recompiled.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
[trini: Add in lib/acpi/acpi_table.c and test/dm/acpi.c, rework a few others]
Signed-off-by: Tom Rini <trini@konsulko.com>
More C files do not use compile time timestamp macros and do not have to be
recompiled every time when SOURCE_DATE_EPOCH changes.
This patch moves version_string[] from version.h to version_string.h and
updates other C files which only needs version_string[] string to include
version_string.h instead of version.h. After applying this patch these
files are not recompiled every time when SOURCE_DATE_EPOCH changes.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Macro U_BOOT_VERSION_STRING is already stored in variable version_string.
So use directly this variable instead of storing U_BOOT_VERSION_STRING into
temporary variable.
Signed-off-by: Pali Rohár <pali@kernel.org>
[trini: This area was reworked since posted, what is here is now really
inspired by the previous version, so drop Ilias' Acked-by]
Signed-off-by: Tom Rini <trini@konsulko.com>
We are not guaranteed to have the padding_pkcs_15_verify symbol since
commit 92c960bc1d ("lib: rsa: Remove #ifdefs from rsa.h"), and
commit 61416fe9df ("Kconfig: FIT_SIGNATURE should not select RSA_VERIFY")
The padding_algos only make sense with RSA verification, which can now
be disabled in lieu of ECDSA. In fact this will lead to build failures
because of the missing symbol mentioned earlier.
To resolve this, move the padding_algos to a linker list, with
declarations moved to rsa_verify.c. This is consistent with commit
6909edb4ce ("image: rsa: Move verification algorithm to a linker list")
One could argue that the added #ifdef USE_HOSTCC is ugly, and should
be hidden within the U_BOOT_PADDING_ALGO() macro. However, this would
be inconsistent with the "cryptos" list. This logic for was not
previously explored:
Without knowledge of the U_BOOT_PADDING_ALGO() macro, its use is
similar to something being declared. However, should #ifndef
USE_HOSTCC be part of the macro, it would not be obvious that it
behaves differently on host code and target code. Having the #ifndef
outside the macro makes this obvious.
Also, the #ifdef is not always necessary. For example ecda-verify
makes use of U_BOOT_CRYPTO_ALGO() without any accompanying #ifdefs.
The fundamental issue is a lack of separation of host and target code
in rsa_verify. Therefore, the declaration of a padding algo with the
external #ifdef is more readable and consistent.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
There are trivial typos in the Kconfig file. Fixed them.
Also, fixed grammar in the descriptions with typos.
Fixes: d56b4b1974 ("configs: Migrate RBTREE, LZO, CMD_MTDPARTS, CMD_UBI and CMD_UBIFS")
Fixes: 7264f2928b ("spl: fit: Eanble GZIP support for image decompression")
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
If keydir is not provided but name is we want to use name as key_id.
But with the current coding name is only used on its own if it is NULL
and keydir is provided which never occurs.
Fixes: 824ee745fb ("lib/rsa: Use the 'keyfile' argument from mkimage")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
We don't need this check anymore since when PCI is enabled, driver model
is always used.
Sadly this doesn't work with nds32 for some reason to do with the
toolchain. Add a work-around for that.
Signed-off-by: Simon Glass <sjg@chromium.org>
There is two unneeded EFI_CALL references in tcg2_measure_pe_image().
The first one in efi_search_protocol() and the second on in the device path
calculation. The second isn't even a function we should be calling, but a
pointer assignment, which happens to work with the existing macro.
While at it switch the malloc call to a calloc, remove the unnecessary cast
and get rid of an unneeded if statement before copying the device path
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The move to driver model should by now be completed. To be able to remove
pre-driver model code from our block IO code require CONFIG_BLK=y for UEFI
support.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
boot_service_capability_min is constant, it should be capitalized.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When dropping SHA512_ALGO in general, we didn't catch some cases where
an option was selecting both SHA512 and SHA512_ALGO and caused them to
select SHA512 twice. Kconfig doesn't complain, but this is still wrong
and should be corrected.
Fixes: e60e449931 ("lib: Drop SHA512_ALGO in lieu of SHA512")
Reported-by: Andreas Schwab <schwab@suse.de>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
MD5 is being called directly in some places, but it is not available
via hash_lookup_algo("md5"). This is inconsistent with other hasing
routines. To resolve this, add an "md5" entry to hash_algos[].
The #ifdef clause looks funnier than those for other entries. This is
because both MD5 and SPL_MD5 configs exist, whereas the other hashes
do not have "SPL_" entries. The long term plan is to get rid of the
ifdefs, so those should not be expected to survive much longer.
The md5 entry does not have .hash_init/update/finish members. That's
okay because hash_progressive_lookup_algo() will catch that, and
return -EPROTONOSUPPORT, while hash_lookup_algo() will return the
correct pointer.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[trini: Use CONFIG_IS_ENABLED not IS_ENABLED for MD5 check]
Signed-off-by: Tom Rini <trini@konsulko.com>
All of these configs exist. Stick to using CONFIG_[ST]PL_HASH, and drop all
references to CONFIG_[ST]PL_HASH_SUPPORT. This means we need for
CHAIN_OF_TRUST to select SPL_HASH now.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[trini: Add TPL case, fix CHAIN_OF_TRUST, other tweaks]
Signed-off-by: Tom Rini <trini@konsulko.com>
SHA512_ALGO was used as a "either SHA512 or SHA384", although the
implementations of these two algorithms share a majority of code.
From a Kconfig interface perspective, it makes sense to present two
distinct options. This requires #ifdefing out the SHA512
implementation from sha512.c. The latter doesn't make any sense.
It's reasonable to say in Kconfig that SHA384 depends on SHA512, and
seems to be the more polite way to handle the selection.
Thus, automatically select SHA512 when SHA384 is enabled.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
TCG EFI Protocol Specification defines that PCRIndex parameter
passed from caller must be 0 to 23.
TPM2_MAX_PCRS is currently used to check the range of PCRIndex,
but TPM2_MAX_PCRS is tpm2 device dependent and may have larger value.
This commit newly adds EFI_TCG2_MAX_PCR_INDEX macro, it is used to
check the range of PCRIndex parameter.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
TCG EFI Protocol Specification defines the required parameter
checking and return value for each API.
This commit adds the missing parameter check and
fixes the wrong return value to comply the specification.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
When U-Boot is started we have to use the existing variables to determine
in which secure boot state we are.
* If a platform key PK is present and DeployedMode=1, we are in deployed
mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Writing variables AuditMode and DeployedMode serves to switch between
Secure Boot modes. Provide a separate value for these in efi_auth_var_type.
With this patch the variables will not be read from from file even if they
are marked as non-volatile by mistake.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The UEFI specification requires that the signature database may only be
stored in tamper-resistant storage. So these variable may not be read
from an unsigned file.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
We should not first allocate memory and then report a rounded up value as
image size. Instead first round up according to section allocation and then
allocate the memory.
Fixes: 82786754b9 ("efi_loader: ImageSize must be multiple of SectionAlignment")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
In a section header VirtualSize may be zero. This is for instance seen in
the .sbat section of shim. In this case use SizeOfRawData as section size.
Fixes: 9d30a941cc ("efi_loader: don't load beyond VirtualSize")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Asherah Connor <ashe@kivikakk.ee>
CONFIG_MMC_SPI_CRC_ON needs the crc16 functions, but it was not included
in an SPL build. For non-SPL builds, crc16.o is already added
unconditionally. This also removes CONFIG_SPL_YMODEM_SUPPORT from the
sifive board configs, which is only relevant for some ARM boards and was
only set for its side effect of adding crc16.o.
With glibc 2.33 (Ubuntu package glibc6 2.33-0ubuntu9) building
sifive_unmatched_defconfig results in:
In file included from /usr/include/stdio.h:866,
from ././include/compiler.h:26,
from <command-line>:
In function ‘snprintf’,
inlined from ‘rsa_engine_get_priv_key’ at ./tools/../^:273:4:
/usr/include/riscv64-linux-gnu/bits/stdio2.h:71:10: warning:
‘%s’ directive argument is null [-Wformat-truncation=]
71 | return __builtin___snprintf_chk (__s, __n,
__USE_FORTIFY_LEVEL - 1,
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72 | __glibc_objsize (__s), __fmt,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
73 | __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~
Avoid passing a NULL string.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Older OpenSSL and libressl versions have a slightly different API.
This require #ifdefs to support. However, we still can't support it
because the ECDSA path does not compile with these older versions.
These #ifdefs are truly a vestigial appendage.
Alternatively, the ECDSA path could be updated for older libraries,
but this requires significant extra code, and #ifdefs. Those libraries
are over three years old, and there concerns whether it makes sense to
build modern software for real world use against such old libraries.
Thusly, remove #ifdefs and code for old OpenSSL and LibreSSL support.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
default n/no doesn't need to be specified. It is default option anyway.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
[trini: Rework FSP_USE_UPD portion]
Signed-off-by: Tom Rini <trini@konsulko.com>
Documentation:
* Rename Freescale to NXP
* Document structures used for the UEFI TCG2 protocol
UEFI:
* Device paths must use EfiBootServicesData
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmEf+AgACgkQhO4vgnE3
U0skxhAAjjv6yMYLYlj2YNTtYDS2zVsnsY8i/vmWNmGYvwfrlcUC/e3J00ftBIjI
DEwImrzefvQwr4NOZgIlyxR81NwboWULxvHSF5avwctxQVoTElkSfE2Ji+nFYa23
P/L7E/Zf+NwTHBlE1wfkNJPZ/zya73DTOe+MGWvLnvOX56JZqEJOgmTtcQntRUll
9zkB76j6sCk8B3ydFZmzGqhB4aslJBypG+bQB72XXGVBZoHb9pEPv90hBl616AN/
5H8WewxTE2s6z3IfexxPAc7ssMQuW3RWw0WsJvBVviw8tSPj4SZjg5HNHAM3mz/i
EXHUqAEySP1oT6P4hVef7Xc9gC67N+dVZGAA1QcZBkAnH+BQQ2GmIWX5+3mZJflq
3eHWhMUHWc4q76MbN9QqReAo3wJ3GsBqdA1oORR5FgIPwEVl0jwQMYv6frC/vB6/
6VX8WcbAWsixjf8QeQlibfMqBO9xZI1Iue5rN6DcwMey6dZrDnXGMdk7Woj6F4ga
tERYBt+UBawTf2ww24wMXc7Hw2dZ6kj44ls2doRFKqHOpaY9Mk2QPTaVPrFkj33J
3xlH2BYdB3ALriS1jN6Qcq6xEwyaMdkj5MzVyitunaCLiAKKORwGf0chkqiRiA+k
zEET0uDBtO7beraiUJU9jeMPcVj3mYpiFR/CZBD/HWOVB/KwhGU=
=gMKg
-----END PGP SIGNATURE-----
Merge tag 'efi-2021-10-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2021-10-rc3
Documentation:
* Rename Freescale to NXP
* Document structures used for the UEFI TCG2 protocol
UEFI:
* Device paths must use EfiBootServicesData
tiny-printf variant doesn't know how to handle %llu format string, but both
tiny-printf and print_size can meet in SPL when TFTP is used to obtain main
u-boot image. This is known to lead to critical boot issue at AM335x platform
when printf is catched in infinite loop.
To avoid such issues and make print_size function tiny-printf friendly, use %u
instead of %luu. Note, that the size value is guaranteed to be less than 1024
in this conditional branch, so the cast to unsigned int is safe.
Signed-off-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
%pM format string is used to print MAC-address and this is required while SPL
network boot.
This patch fixes the SPL boot issues like the following:
Trying to boot from USB eth
## Error: flags type check failure for "ethaddr" <= "40309614M" (type: m)
## Error inserting "ethaddr" variable, errno=1
eth0: eth_cpsw## Error: flags type check failure for "eth1addr" <=
"81f01114M" (type: m)
## Error inserting "eth1addr" variable, errno=1
, eth1: usb_ether
eth_cpsw Waiting for PHY auto negotiation to complete......... TIMEOUT !
Problem booting with BOOTP
SPL: failed to boot from all boot devices
### ERROR ### Please RESET the board ###
Signed-off-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Memory allocated in the implementation of the
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL must be of type EfiBootServicesData.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
dp_alloc() was using a constant from the wrong enum resulting in creating
device paths in EfiReservedMemory.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Use enum efi_memory_type and enum_allocate_type in the definitions of the
efi_allocate_pages(), efi_allocate_pool().
In the external UEFI API leave the type as int as the UEFI specification
explicitely requires that enums use a 32bit type.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Implement the crypto_algo .verify() function for ecdsa256. Because
it backends on UCLASS_ECDSA, this change is focused on parsing the
keys from devicetree and passing this information to the specific
UCLASS driver.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Refactor efi_append_scrtm_version() to use common
function for adding eventlog and extending PCR.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
TCG PC Client PFP spec requires to measure
"Exit Boot Services Invocation" if ExitBootServices() is invoked.
Depending upon the return code from the ExitBootServices() call,
"Exit Boot Services Returned with Success" or "Exit Boot Services
Returned with Failure" is also measured.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Swap two ifs in efi_exit_boot_services().
efi_tcg2_notify_exit_boot_services must have EFIAPI signature.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
TCG PC Client PFP spec requires to measure "Boot####"
and "BootOrder" variables, EV_SEPARATOR event prior
to the Ready to Boot invocation.
Since u-boot does not implement Ready to Boot event,
these measurements are performed when efi_start_image() is called.
TCG spec also requires to measure "Calling EFI Application from
Boot Option" for each boot attempt, and "Returning from EFI
Application from Boot Option" if a boot device returns control
back to the Boot Manager.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
TCG PC Client PFP spec requires to measure the secure
boot policy before validating the UEFI image.
This commit adds the secure boot variable measurement
of "SecureBoot", "PK", "KEK", "db", "dbx", "dbt", and "dbr".
Note that this implementation assumes that secure boot
variables are pre-configured and not be set/updated in runtime.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
iPXE used Uri() device path nodes. So we should support them in the
device path to text protocol.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
U-Boot mostly uses hex for value input, largely because addresses are much
easier to understand in hex.
But in some cases a decimal value is requested, such as where the value is
small or hex does not make sense in the context. In these cases it is
sometimes useful to be able to provide a hex value in any case, if only to
resolve any ambiguity.
Add this functionality, for increased flexibility.
Signed-off-by: Simon Glass <sjg@chromium.org>
The code to convert a character into a digit is repeated twice in this
file. Factor it out into a separate function. This also makes the code a
little easier to read.
Signed-off-by: Simon Glass <sjg@chromium.org>
If we see 0x then we can assume this is the start of a hex value. It
does not seem necessary to check for a hex digit after that since it will
happen when parsing the value anyway.
Drop this check to simplify the code and reduce size. Add a few more test
cases for when a 0x prefix is used.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.
Add a proper comment to simple_strtoul() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
CONFIG_HEXDUMP is needed to display UEFI variables using 'printenv -e'.
Enabling CONFIG_SPL_HEXDUMP only makes sense for debugging purposes.
Hence CONFIG_SPL_HEXDUMP should not be enabled by default.
The following boards currently have CONFIG_SPL_HEXDUMP=y. This includes
boards that don't use SPL at all.
axm_defconfig
imx8mm-cl-iot-gate_defconfig
imx8mm_venice_defconfig
imxrt1020-evk_defconfig
imxrt1050-evk_defconfig
kontron_sl28_defconfig
kp_imx53_defconfig
lx2160ardb_tfa_stmm_defconfig
mt7622_rfb_defconfig
octeon_ebb7304_defconfig
octeon_nic23_defconfig
qemu_arm64_defconfig
qemu_arm_defconfig
qemu-riscv32_defconfig
qemu-riscv32_smode_defconfig
qemu-riscv64_defconfig
qemu-riscv64_smode_defconfig
qemu-x86_64_defconfig
qemu-x86_defconfig
sandbox64_defconfig
sandbox_defconfig
stm32mp15_basic_defconfig
stm32mp15_trusted_defconfig
synquacer_developerbox_defconfig
taurus_defconfig
xilinx_versal_virt_defconfig
The patch only keeps it enabled on
sandbox_spl_defconfig
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This patch adds the possibility to pass the PIN the OpenSSL Engine
used during signing via the environment variable MKIMAGE_SIGN_PIN.
This follows the approach used during kernel module
signing ("KBUILD_SIGN_PIN") or UBIFS image
signing ("MKIMAGE_SIGN_PIN").
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
*sig_size isn't set until later so use the correct variables.
Signed-off-by: Donald Chan <hoiho@lab126.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rather than looking at two KConfig options in the Makefile, create a new
Kconfig option for compiling lib/charset.c
Enable it for UFS also, which needs this support.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add simple_strtoll function for converting a string containing digits
into a long long int value.
Signed-off-by: Roland Gaudig <roland.gaudig@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a bus driver for this and use it to configure the bus parameters for
the Ethernet interface. Drop the old pre-driver-model code.
Switch over to use driver model for Ethernet.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
In the commit c982874e93 ("efi_loader: refactor
efi_setup_loaded_image()"), setjmp-related definitions were moved to
efi_loaded_image_obj in efi_loader.h. So setjmp.h is no longer
refererenced in efi_api.h.
This also fixes some error when efi_api.h will be included in
mkeficapsule.c.
Fixes: c982874e93 ("efi_loader: refactor efi_setup_loaded_image()")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If capsule authentication is disabled and yet a capsule file is signed,
its signature must be removed from image data to flush.
Otherwise, the firmware will be corrupted after update.
Fixes: 04be98bd6b ("efi: capsule: Add support for uefi capsule
authentication")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_guid_capsule_root_cert_guid is never used.
Just remove it.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SMBIOS tables only support 32bit addresses. If we don't have memory here
handle the error gracefully:
* on x86_64 fail to start U-Boot
* during UEFI booting ignore the missing table
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
BIOS Release Date must be in format mm/dd/yyyy and must be release date.
U-Boot currently sets BIOS Release Date from U_BOOT_DMI_DATE macro which is
generated from current build timestamp.
Fix this issue by setting U_BOOT_DMI_DATE macro to U-Boot version which is
better approximation of U-Boot release date than current build timestamp.
Current U-Boot versioning is in format yyyy.mm so as a day choose 01.
Some operating systems are using BIOS Release Date for detecting when was
SMBIOS table filled or if it could support some feature (e.g. BIOS from
1990 cannot support features invented in 2000). So this change also ensures
that recompiling U-Boot from same sources but in different year does not
change behavior of some operating systems.
Macro U_BOOT_DMI_DATE is not used in other file than lib/smbios.c
so remove it from global autogenerated files and also from Makefile.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
In order to prevent using the global errno, replace it with a static
version and create a wrapper function which returns the error value.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
Add the basic functionality required to support the standard crypt
format.
The files crypt-sha256.c and crypt-sha512.c originate from libxcrypt and
their formatting is therefor retained.
The integration is done via a crypt_compare() function in crypt.c.
```
libxcrypt $ git describe --long --always --all
tags/v4.4.17-0-g6b110bc
```
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
The capsule signature is now part of our DTB. This is problematic when a
user is allowed to change/fixup that DTB from U-Boots command line since he
can overwrite the signature as well.
So Instead of adding the key on the DTB, embed it in the u-boot binary it
self as part of it's .rodata. This assumes that the U-Boot binary we load
is authenticated by a previous boot stage loader.
Reviewed-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Tested-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
TCG PC Client PFP spec says "The Log Area Minimum Length
for the TCG event log MUST be at least 64KB." in ACPI chapter.
This commit increase the buffer size to 64KB.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Use %pD to log device-path instead of using efi_dp_str() and
efi_free_pool() locally in find_boot_device().
This is a cleanup patch, no feature update nor fix.
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Previously, the GPT device GUID was being used instead of the partition,
which was incorrect.
Signed-off-by: Alfonso Sánchez-Beato <alfonso.sanchez-beato@canonical.com>
Let EFI_LOADER select CONFIG_PARTITION_UUIDS.
Use log_warning() instead of printf() for warning.
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Move the RSA verification crytpo_algo structure out of the
crypto_algos array, and into a linker list.
Although it appears we are adding an #ifdef to rsa-verify.c, the gains
outweigh this small inconvenience. This is because rsa_verify() is
defined differently based on #ifdefs. This change allows us to have
a single definition of rsa_verify().
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Drop the ENABLE and SUPPORT parts of this, which are redundant.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
There's currently no user of %p[iI]6, so including ip6_addr_string()
in the image is a waste of bytes. It's easy enough to have the
compiler elide it without removing the code completely.
The closest I can find to anybody "handling" ipv6 in U-Boot currently
is in efi_net.c which does
if (ipv6) {
ret = EFI_UNSUPPORTED;
As indicated in the comment, it can easily be put back, but preferably
under a config knob.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
U-Boot doesn't support %pS/%pF or any other kind of kallsyms-like
lookups. Remove the comment.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
This saves some code, both in terms of #LOC and .text size, and it is
also the normal convention that foo(...) is implemented in terms of
vfoo().
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
In tpm_sendrecv_command() the command buffer is passed in. If a mistake is
somehow made in setting this up, the size could be out of range. Add a
sanity check for this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Coverity (CID: 331152)
Function rtc_to_tm() is needed for FAT file system support even if we don't
have a real time clock. So move it from drivers/ to lib/.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Fix find_boot_device() to set bootdev_root if it finds the
bootdev from BootNext. Currently it sets the bootdev_root only
when it finds bootdev from BootOrder.
Fixes: c74cd8bd08 ("efi_loader: capsule: add capsule_on_disk support")
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Accked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If multiple capsules are applied, the FMP drivers for the individual
capsules can expect the value of CapsuleLast to be accurate. Hence
CapsuleLast must be updated after each capsule.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
* Use log category LOGC_EFI. This allows to remove 'EFI:' prefixes in
messages.
* Rephrase some of the messages.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When reading a directory using EFI_FILE_PROTOCOL.Read() provide file
attributes and timestamps.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Although U-Boot supports capsule update on-disk, it's lack of support for
SetVariable at runtime prevents applications like fwupd from using it.
In order to perform the capsule update on-disk the spec says that the OS
must copy the capsule to the \EFI\UpdateCapsule directory and set a bit in
the OsIndications variable. The firmware then checks for the
EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED bit in OsIndications
variable, which is set by the submitter to trigger processing of the
capsule on the next reboot.
Let's add a config option which ignores the bit and just relies on the
capsule being present. Since U-Boot deletes the capsule while processing
it, we won't end up applying it multiple times.
Note that this is allowed for all capsules. In the future, once
authenticated capsules are fully supported, we can limit the functionality
to those only.
Signed-off-by: apalos <ilias.apalodimas@linaro.org>
Reword Kconfig description.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
After each reboot we must clear flag
EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED in variable
OsIndications.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Improve efi_query_variable_info() to check the parameter settings and
return correct error code according to the UEFI Specification 2.9,
and the Self Certification Test (SCT) II Case Specification, June
2017, chapter 4.1.4 QueryVariableInfo().
Reported-by: Kazuhiko Sakamoto <sakamoto.kazuhiko@socionext.com>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
After if we should use parentheses to keep the code readable.
Fixes: a95f4c8859 ("efi_loader: NULL dereference in EFI console")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We only install FMPs if a CapsuleUpdate is requested. Since we now have an
ESRT table which relies on FMPs to build the required information, it
makes more sense to unconditionally install them. This will allow userspace
applications (e.g fwupd) to make use of the ERST and provide us with files
we can use to run CapsuleUpdate on-disk
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Chapter 23 of the EFI spec (rev 2.9) says:
"A specific updatable hardware firmware store must be represented by
exactly one FMP instance".
This is not the case for us, since both of our FMP protocols can be
installed at the same time because they are controlled by a single
'dfu_alt_info' env variable.
So make the config options depend on each other and allow the user to
install one of them at any given time. If we fix the meta-data provided
by the 'dfu_alt_info' in the future, to hint about the capsule type
(fit or raw) we can revise this and enable both FMPs to be installed, as
long as they target different firmware hardware stores
Note that we are not using a Kconfig 'choice' on purpose, since we
want to allow both of those to be installed and tested in sandbox
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When running the efidebug capsule disk-update command, the efi_fmp_raw
protocol installation fails with 2 (EFI_INVALID_PARAMETER) as below.
This is because the code passes efi_root instead of the handle local var.
=> efidebug capsule disk-update
EFI: Call: efi_install_multiple_protocol_interfaces( &handle, &efi_guid_firmware_management_protocol, &efi_fmp_fit, NULL)
EFI: Entry efi_install_multiple_protocol_interfaces(00000000fbaf5988)
EFI: Call: efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
EFI: Entry efi_install_protocol_interface(00000000fbaf5988, 86c77a67-0b97-4633-a187-49104d0685c7, 0, 00000000fbfa6ee8)
EFI: new handle 00000000fbb37520
EFI: Exit: efi_install_protocol_interface: 0
EFI: 0 returned by efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
EFI: Exit: efi_install_multiple_protocol_interfaces: 0
EFI: 0 returned by efi_install_multiple_protocol_interfaces( &handle, &efi_guid_firmware_management_protocol, &efi_fmp_fit, NULL)
EFI: Call: efi_install_multiple_protocol_interfaces( &efi_root, &efi_guid_firmware_management_protocol, &efi_fmp_raw, NULL)
EFI: Entry efi_install_multiple_protocol_interfaces(00000000fbfec648)
EFI: Call: efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
EFI: Entry efi_install_protocol_interface(00000000fbfec648, 86c77a67-0b97-4633-a187-49104d0685c7, 0, 00000000fbfa6f18)
EFI: handle 00000000fbaf8520
EFI: Exit: efi_install_protocol_interface: 2
EFI: 2 returned by efi_install_protocol_interface( handle, protocol, EFI_NATIVE_INTERFACE, protocol_interface)
EFI: Exit: efi_install_multiple_protocol_interfaces: 2
EFI: 2 returned by efi_install_multiple_protocol_interfaces( &efi_root, &efi_guid_firmware_management_protocol, &efi_fmp_raw, NULL)
Command failed, result=1
To fix this issue, pass the handle local var which is set NULL right
before installing efi_fmp_raw as same as the installing efi_fmp_fit.
(In both cases, the local reference to the handle will be just discarded)
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Documentation:
* man-page for askenv
bug fixes
* correct display of BootOrder in efidebug command
* do not allow TPL_HIGH_LEVEL for CreateEvent(Ex)
* correct handling of unknown properties in SMBIOS tables
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmDaDcEACgkQxIHbvCwF
GsTjZQ//elKP0sKZYEMePzOZKZfzD0MnjnzTwsWALqA9h8kv1sAvQLtf5ZDXWIci
bo4PNhgRD+FHQuprdoLUrQ2+fSNKTUZugmz8lW1Yudiyh+W4oyjYfINRx+gLTH8L
h5W8w5QkV0R+3Ti8U42YYj+SqsUs0htGW5b2k55kZhH0uUFB63GG2ic0KkHr9cHl
QQ3Y3tnW+PMxNaer5Q6q3DQjnPTnTO6vfwD9VAoesTd4aunlaPEvK7xAObJzxjpQ
ySrj0+Yw4S+y0+02eZRnHXgAIZgI73aN2LiiSuT+FrgGN6JPmVlT6ey3LqLCxPDP
VcEF8S25ULoIu7G7ZgIzzVgbvDjWU9WZNduPU3onVfqT2RaSsRPZoVdyGty+EKRi
At40vUsAjC3TkttuhDZhfOOoM3ot9vEeeTIQ5Po7bnwwJyMT+PfUTi7PJT/vkfqy
iN3KHCi0vuzxS/TbpV9ivrFnMdBP6g6v602VgeMeUTEvHFO9xAA3rHYqFQT7qNxH
4IrRAma6t0R//oeQ5DKD3iqFdkoireHkobEJh0o3hRK7nDAenZiRmvec+o/iogKV
YO+lZMboz5igAITBlJI5QoifGDs9B1DwoKxUe9dW61jA1CE7qqGg9Qvo251DZ8Ce
6f8RLkglAkJUbgotyq/YGRRfad28KISEMewj8ATxbQWRCK2vSNQ=
=ZMB2
-----END PGP SIGNATURE-----
Merge tag 'efi-2021-07-rc5-2' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2021-07-rc5-2
Documentation:
* man-page for askenv
bug fixes
* correct display of BootOrder in efidebug command
* do not allow TPL_HIGH_LEVEL for CreateEvent(Ex)
* correct handling of unknown properties in SMBIOS tables
If both POSITION_INDEPENDENT and SYS_RELOC_GD_ENV_ADDR are enabled,
wherever original env is placed anywhere, it should be relocated to
the right address.
Relocation offset gd->reloc_off is calculated with SYS_TEXT_BASE in
setup_reloc() and env address gd->env_addr is relocated by the offset in
initr_reloc_global_data().
gd->env_addr
= (orig env) + gd->reloc_off
= (orig env) + (gd->relocaddr - SYS_TEXT_BASE)
However, SYS_TEXT_BASE isn't always runtime base address when
POSITION_INDEPENDENT is enabled. So the relocated env_addr might point to
wrong address. For example, if SYS_TEXT_BASE is zero, gd->env_addr is
out of memory location and memory exception will occur.
There is a difference between linked address such as SYS_TEXT_BASE and
runtime base address. In _main, the difference is calculated as
"run-vs-link" offset. The env_addr should also be added to the offset
to fix the address.
gd->env_addr
= (orig env) + ("run-vs-link" offset) + gd->reloc_off
= (orig env) + (SYS_TEXT_BASE - _start) + (gd->relocaddr - SYS_TEXT_BASE)
= (orig env) + (gd->relocaddr - _start)
Cc: Marek Vasut <marex@denx.de>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Acked-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>
Commit e4f8e543f1a9("smbios: Drop the unused Kconfig options")
break SMBIOS tables. The reason is that the patch drops the Kconfig
options *after* removing the code using them, but that changes the semantics
of the code completely. Prior to the change a non NULL value was used in
the 'product' and 'manufacturer ' fields.
Chapter 6.2 of the DMTF spec requires Manufacturer and Product Name to be
non-null on some of the tables. So let's add sane defaults for Type1/2/3.
* Before the patchset:
<snip>
Handle 0x0002, DMI type 2, 14 bytes
Base Board Information
Manufacturer: Not Specified
Product Name: Not Specified
Version: Not Specified
Serial Number: Not Specified
Asset Tag: Not Specified
Features:
Board is a hosting board
Location In Chassis: Not Specified
Chassis Handle: 0x0000
Type: Motherboard
Invalid entry length (0). DMI table is broken! Stop.
* After the patchset:
<snip>
Handle 0x0005, DMI type 32, 11 bytes
System Boot Information
Status: No errors detected
Handle 0x0006, DMI type 127, 4 bytes
End Of Table
Fixes: e4f8e543f1 ("smbios: Drop the unused Kconfig options")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
We currently define the EFI support of an SMBIOS table as the third bit of
"BIOS Characteristics Extension Byte 1". The latest DMTF spec defines it
on "BIOS Characteristics Extension Byte 2".
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Remove superfluous assignment.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
According to chapter 7.1 "Event, Timer, and Task Priority Services"
TPL_HIGH_LEVEL should not be exposed to applications and drivers.
According to the discussion with EDK II contributors this implies that
CreateEvent() shall not allow to create events with TPL_HIGH_LEVEL.
Cc: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
Copy the best rational approximation calculation routines from Linux.
Typical usecase for these routines is to calculate the M/N divider
values for PLLs to reach a specific clock rate.
This is based on linux kernel commit:
"lib/math/rational.c: fix possible incorrect result from rational
fractions helper"
(sha1: 323dd2c3ed0641f49e89b4e420f9eef5d3d5a881)
Signed-off-by: Tero Kristo <t-kristo@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Tero Kristo <kristo@kernel.org>
Brackets '[' need to be escaped to avoid a build warning
lib/efi_loader/efi_image_loader.c:223:
WARNING: Inline strong start-string without end-string.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Masahisa Kojima <masahisa.kojima@linaro.org>
If we want to address partition 15 of virtio block device 11, we have to
write:
virtio b:f
When calling sprintf() we must use %x for the device and partition numbers.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
At present print_buffer() outputs a hex dump but it is not possible to
place this dump in a string. Refactor it into a top-level function which
does the printing and a utility function that dumps a line into a string.
This makes the code more generally useful.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present print_hex_dump() only supports either 16- or 32-byte lines.
With U-Boot we want to support any line length up to a maximum of 64.
Update the function to support this, with 0 defaulting to 16, as with
print_buffer().
Signed-off-by: Simon Glass <sjg@chromium.org>
The current implementation outputs an address as a pointer. Update the
code to use an address instead, respecting the 32/64 nature of the CPU.
Add some initial tests copied from print_test_display_buffer(), just the
ones that can pass with the current implementation.
Note that for this case print_hex_dump() and print_bufffer() produce the
same result. For now the tests are duplicated sine we have separate
functions.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move the comments to the header file so people can find the function info
without digging in the implementation. Fix up the code style and add an
enum for the first arg.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present with print_buffer() U-Boot shows four spaces between the hex
and ASCII data. Two seems enough and matches print_hex_dump(). Change it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a new function lmb_is_reserved_flags to check if
an address is reserved with a specific flags.
This function can be used to check if an address was
reserved with no-map flags with:
lmb_is_reserved_flags(lmb, addr, LMB_NOMAP);
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add "flags" in lmb_property to save the "no-map" property of
reserved region and a new function lmb_reserve_flags() to check
this flag.
The default allocation use flags = LMB_NONE.
The adjacent reserved memory region are merged only when they have
the same flags value.
This patch is partially based on flags support done in Linux kernel
mm/memblock .c (previously lmb.c); it is why LMB_NOMAP = 0x4, it is
aligned with MEMBLOCK_NOMAP value.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
If a chunk was larger than 4GiB, then chunk_data_sz would overflow and
blkcnt would not be calculated correctly. Upgrade it to a u64 and cast
its multiplicands as well. Also fix bytes_written while we're at it.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
"TCG PC Client Platform Firmware Profile Specification"
requires to measure every attempt to load and execute
a OS Loader(a UEFI application) into PCR[4].
This commit adds the PE/COFF image measurement, extends PCR,
and appends measurement into Event Log.
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Replace CONFIG_HASH_CALCULATE by CONFIG_HASH
Fix conversions between pointers and u64.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The hash_calculate() symbol is provided by hash-checksum.c. It depends
on hash_progressive_lookup_algo(), provided when CONFIG_HASH=y.
The issue is that hash_calculate() is used by the efi_loader,
irregardless of CONFIG_FIT_SIGNATURE. As pointed out in
commit 87316da05f ("lib: introduce HASH_CALCULATE option"),
enabling hash_calculate() based on CONFIG_FIT_SIGNATURE is incorrect.
To resolve this, use CONFIG_HASH as the compile switch for
hash-checksum.c. This ensures that all dependencies are compiled, and
is the most natural Kconfig to use.
There is the issue of having to 'select HASH' in a couple of places
that already 'select SHA256'. This is a deeper problem with how hashes
are organized, and fixing it is beyonf the scope of this change.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Acked-by: Masahisa Kojima <masahisa.kojima@linaro.org>
When we think of Kconfig, we usually think of features that we like
to enable or not. Ideally, we wouldn't use Kconfig to fix a build
issue, although sometimes it might make sense. With Kconfig it's hard
to guarantee that the fix is universal. We can only say that it works
for the set of tested configurations. In the majority of cases, it's
preferable to let the linker figure things out for us.
The reverted commit attempted to fix a build issue by adding an
invisible Kconfig option. This is wrong in several ways:
It invents a new Kconfig variable when CONFIG_HASH already
exists for the same purpose.
Second, hash-checksum.c makes use of the hash_progressive_lookup_algo()
symbol, which is only provided with CONFIG_HASH, but this dependency
was not expressed in the reverted patch.
It feels like Kconfig is turning into a listing of all available
source files, and a buffet to 'select' which ones to compile. The
purpose of this revert is to enable the next change to make use of
CONFIG_HASH instead of adding to Kconfig.
This reverts commit 87316da05f.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Acked-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Coverity reported 3 warnings on the current code.
CID 331856, 331855, 331854 on the latest scan.
Fix the rest of the warnings by initializing the variables before
passing them to tpm2_get_pcr_info().
In order to avoid future warnings and errors initialize them to 0 within
the function as well, since the values are always OR'ed after querying the
hardware.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Compiling with -Wextra produces a number of (harmless) warnings for the EFI
TCG2 protocol. Let's fix those in case we ever enable the flag on the EFI
subsystem
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Before this patch efi_dp_from_name() only accommodated a maximum file path
length of 31 characters. This leads to boot failures due to file name
truncation.
Allow arbitrary path lengths.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This is preparation for PE/COFF measurement support.
PE/COFF image hash calculation is same in both
UEFI Secure Boot image verification and measurement in
measured boot. PE/COFF image parsing functions are
gathered into efi_image_loader.c, and exposed even if
UEFI Secure Boot is not enabled.
This commit also adds the EFI_SIGNATURE_SUPPORT option
to decide if efi_signature.c shall be compiled.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Configuring a system with CONFIG_EFI_CAPSULE_AUTHENTICATE=y but without a
method to retrieve the public key data is a misconfiguration. We should get
a build failure for it. Therefore remove the weak efi_get_public_key_data()
implementation.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When building with LTO, the system libc's `errno` variable used in
arch/sandbox/cpu/os.c conflicts with U-Boot's `errno` (defined in
lib/errno.c) with the following error:
.../ld: errno@@GLIBC_PRIVATE: TLS definition in /lib64/libc.so.6
section .tbss mismatches non-TLS reference in
/tmp/u-boot.EQlEXz.ltrans0.ltrans.o
To avoid this conflict use different asm label for this variable when
CONFIG_SANDBOX is enabled.
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When compiling with LTO, the compiler fails with an error saying that
`crc_table` causes a section type conflict with `efi_var_buf`.
This is because both are declared to be in the same section (via macro
`__efi_runtime_data`), but one is const while the other is not.
Put this variable into the section .rodata.efi_runtime, instead of
.data.efi_runtime, via macro __efi_runtime_rodata.
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Marek Vasut <marex@denx.de>
Reviewed-by: Heinrich Schuchardt <xypron.gpk@gmx.de>
Add $(CFLAGS_EFI) and remove $(CFLAGS_NON_EFI) for
efi_selftest_miniapp_exception.o.
The removal is needed when compiling with LTO - this object file needs
to be compiled without -flto.
The adding is for consistency with other miniapps.
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
It seems that sometimes (happening on ARM64, for example with
turris_mox_defconfig) GCC, when linking with LTO, changes the symbol
names of some functions, for example lib/string.c's memcpy() function to
memcpy.isra.0.
This is a problem however when GCC for a code such as this:
struct some_struct *info = get_some_struct();
struct some struct tmpinfo;
tmpinfo = *info;
emits a call to memcpy() by builtin behaviour, to copy *info to tmpinfo.
This then results in the following linking error:
.../lz4.c:93: undefined reference to `memcpy'
.../uuid.c:206: more undefined references to `memcpy' follow
GCC's documentation says this about -nodefaultlibs option:
The compiler may generate calls to "memcmp", "memset", "memcpy" and
"memmove". These entries are usually resolved by entries in libc.
These entry points should be supplied through some other mechanism
when this option is specified.
Make these functions visible by using the __used macro to avoid this
error.
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit does the same thing as Linux commit 33def8498fdd.
Use a more generic form for __section that requires quotes to avoid
complications with clang and gcc differences.
Remove the quote operator # from compiler_attributes.h __section macro.
Convert all unquoted __section(foo) uses to quoted __section("foo").
Also convert __attribute__((section("foo"))) uses to __section("foo")
even if the __attribute__ has multiple list entry forms.
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Generally speaking BINMAN_FDT makes sense for OF_SEPARATE or OF_EMBED.
For the other OF_CONTROL methods, it's quite possible binman node is
not available as binman is invoked during the build phase instead of
runtime. Let's only turn it on for OF_SEPARATE or OF_EMBED by default.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Build error occurs when CONFIG_EFI_SECURE_BOOT or
CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled,
because hash-checksum.c is not compiled.
Since hash_calculate() implemented in hash-checksum.c can be
commonly used aside from FIT image signature verification,
this commit itroduces HASH_CALCULATE option to decide
if hash-checksum.c shall be compiled.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
So select the missing SHA1, SHA256, SHA384 and SHA512 we currently support
Reported-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add 'default y'.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Up to now we are stopping the EFI subsystem if a TPMv2 exists but the
protocol fails to install. Now that we've switched the config to 'default
y' the sandbox TPM fails, since it doesn't support all the required
capabilities of the protocol.
Not installing the protocol is not catastrophic. If the protocol fails
to install the PCRs will never be extended to the expected values, so
some other entity later in the boot flow will eventually figure it out
and take the necessary actions.
While at it fix a corner case were the user can see an invalid error
message when the protocol failed to install. We do have a tcg2_uninit()
which we call when the protocol installation fails. There are cases though
that this might be called before the configuration table is installed (e.g
probing the TPM for capabilities failed). In that case the user will see
"Failed to delete final events config table". So stop printing it since it's
not an actual failure , simply because the config table was never installed
in the first place.
In order to stop printing it make efi_init_event_log() and create_final_event()
cleanup themselves and only call tcg2_uninit() when the protocol installation
fails.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Instead of just failing, clean up the installed config table and
EventLog memory if logging an s-crtm event fails during the protocol
installation
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Eliminate label 'out:' by using return.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_init_event_log() calls tcg2_uninit() in case of failure.
We can skip that since the function is called on efi_tcg2_register()
which also cleans up if an error occurs
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This is same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1733817,
but that fix was wrongly partial reverted.
When reading a directory, EFI_BUFFER_TOO_SMALL should be returned when
the supplied buffer is too small, so a use-case is to call
EFI_FILE_PROTOCOL.Read() with *buffer_size=0 and buffer=NULL to
obtain the needed size before doing the actual read.
So remove the check only for directory reading, file reading already
do the check by itself.
Fixes: db12f518edb0("efi_loader: implement non-blocking file services")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefan Sørensen <stefan.sorensen@spectralink.com>
Tested-by: Peter Robinson <pbrobinson@gmail.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The current capsule authentication code checks if the environment
variable capsule_authentication_enabled is set, for authenticating the
capsule. This is in addition to the check for the config symbol
CONFIG_EFI_CAPSULE_AUTHENTICATE. Remove the check for the environment
variable. The capsule will now be authenticated if the config symbol
is set.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviwed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Commit a479f103dc ("hash: Allow for SHA512 hardware implementations")
defined function definitions for hardware accelerated SHA384 and SHA512.
If CONFIG_SHA_HW_ACCEL=y, these functions are used.
We already have boards using CONFIG_SHA_HW_ACCEL=y but none implements the
new functions hw_sha384() and hw_sha512().
For implementing the EFI TCG2 protocol we need SHA384 and SHA512. The
missing hardware acceleration functions lead to build errors on boards like
peach-pi_defconfig.
Introduce a new Kconfig symbol CONFIG_SHA512_HW_ACCEL to control if the
functions hw_sha384() and hw_sha512() shall be used to implement the SHA384
and SHA512 algorithms.
Fixes: a479f103dc ("hash: Allow for SHA512 hardware implementations")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Building 32bit boards with the TCG2 protocol enabled leads to a build
warning due to a missing conversion.
lib/efi_loader/efi_tcg2.c:774:27:
error: cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
774 | ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
| ^
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Today of_address_to_resource() is called only in
ofnode_read_resource() for livetree support and
fdt_get_resource() is called when livetree is not supported.
The fdt_get_resource() doesn't do the address translation
so when it is required, but the address translation is done
by ofnode_read_resource() caller, for example in
drivers/firmware/scmi/smt.c::scmi_dt_get_smt_buffer() {
...
ret = ofnode_read_resource(args.node, 0, &resource);
if (ret)
return ret;
faddr = cpu_to_fdt32(resource.start);
paddr = ofnode_translate_address(args.node, &faddr);
...
The both behavior should be aligned and the address translation
must be called in fdt_get_resource() and removed for each caller.
Fixes: a44810123f ("dm: core: Add dev_read_resource() to read device resources")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
In case of failure at efi_get_variable_int("BootOrder"), we should
skip examining boot option variables and return an appropriate error
code which is the one the function returned.
Fixes: CID 331153 Code maintainability issues (UNUSED_VALUE)
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Indicated by Coverity Scan CID 331147
The ESRT was being refreshed in situations where the UpdateCapsule
procedure failed. In that scenario:
1) the ESRT refresh was superfluous.
2) a failed ESRT refresh return code overwrites the UpdateCapsule error
return code.
This commit ensures that the ESRT is only refreshed when the
UpdateCapsule performs successfully.
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
CC: Sughosh Ganu <sughosh.ganu@linaro.org>
CC: AKASHI Takahiro <takahiro.akashi@linaro.org>
CC: Tom Rini <trini@konsulko.com>
CC: Andre Przywara <andre.przywara@arm.com>
CC: nd@arm.com
Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Bumping the digest list count, for all supported algorithms, can be
calculated outside of the individual switch statements. So let's do that
for every loop iteration instead and simplify the code a bit.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
To avoid diverging function definitions we need to include efi_loader.h.
Fixes: fe179d7fb5 ("efi_loader: Add size checks to efi_create_indexed_name()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add 2 configs CONFIG_LMB_MEMORY_REGIONS and CONFIG_LMB_RESERVED_REGIONS
to change independently the max number of the regions in lmb
library.
When CONFIG_LMB_USE_MAX_REGIONS=y, move the lmb property arrays to
struct lmb and manage the array size with the element 'max' of struct
lmb_region; their are still allocated in stack.
When CONFIG_LMB_USE_MAX_REGIONS=n, keep the current location in
struct lmb_region to allow compiler optimization.
Increase CONFIG_LMB_RESERVED_REGIONS is useful to avoid lmb errors in
bootm when the number of reserved regions (not adjacent) is reached:
+ 1 region for relocated U-Boot
+ 1 region for initrd
+ 1 region for relocated linux device tree
+ reserved memory regions present in Linux device tree.
The current limit of 8 regions is reached with only 5 reserved regions
in DT.
see Linux kernel commit bf23c51f1f49 ("memblock: Move memblock arrays
to static storage in memblock.c and make their size a variable")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add a max parameter in lmb_region struct to handle test
in lmb_add_region without using the MAX_LMB_REGIONS
define.
This patch allows to modify these size independently for
memory of reserved regions in the next patches.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Remove the unused field size of struct lmb_region as it is initialized to 0
and never used after in lmb library.
See Linux kernel commit 4734b594c6ca ("memblock: Remove memblock_type.size
and add memblock.memory_size instead")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Variable "final" will have SHA512 digest, but currently
the array size is not sufficient. Let's fix it.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If realloc() fails, we should free the old buffer.
Fixes: c74cd8bd08: ("efi_loader: capsule: add capsule_on_disk support")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Remove function invocations using the EFI_CALL macro for those
functions that do not have an EFI_ENTRY call in their definition. Such
functions can use u-boot api's which rely on u-boot global data(gd)
pointer. The Arm and RiscV architectures maintain a separate gd
pointer, one for u-boot, and a separate gd for the efi application.
Calling a function through the EFI_CALL macro changes the gd pointer
to that used for the efi application, with u-boot gd being
unavailable. Any function then trying to dereference u-boot's gd will
result in an abort.
Fix this issue by removing the EFI_CALL macro for all of such
functions which do not begin by an EFI_ENTRY function call.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Most modern OpenSSL engines have methods overridden at the EVP level rather
than at RSA level, to make these engines work properly with mkimage, the RSA
signing code needs to switch to using EVP_* APIs as much as possible.
Signed-off-by: Donald Chan <hoiho@lab126.com>
[trini: Rebase on top of keyfile changes]
Signed-off-by: Tom Rini <trini@konsulko.com>
Keys can be derived from keydir, and the "key-name-hint" property of
the FIT. They can also be specified ad-literam via 'keyfile'. Update
the ECDSA signing path to use the appropriate one.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Keys can be derived from keydir, and the "key-name-hint" property of
the FIT. They can also be specified ad-literam via 'keyfile'. Update
the RSA signing path to use the appropriate one.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
mkimage supports rsa2048, and rsa4096 signatures. With newer silicon
now supporting hardware-accelerated ECDSA, it makes sense to expand
signing support to elliptic curves.
Implement host-side ECDSA signing and verification with libcrypto.
Device-side implementation of signature verification is beyond the
scope of this patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_add_bignum() is useful for algorithms other than just RSA. To
allow its use for ECDSA, move it to a common file under lib/.
The new file is suffixed with '-libcrypto' because it has a direct
dependency on openssl. This is due to the use of the "BIGNUM *" type.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa-checksum.c sontains the hash_calculate() implementations. Despite
the "rsa-" file prefix, this function is useful for other algorithms.
To prevent confusion, move this file to lib/, and rename it to
hash-checksum.c, to give it a more "generic" feel.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This introduces strlcat, which provides a safer interface than strncat. It
never copies more than its size bytes, including the terminating nul. In
addition, it never reads past dest[size - 1], even if dest is not
nul-terminated.
This also removes the stub for dwc3 now that we have a proper
implementation.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
strlcpy should always return the number of bytes copied. We were
accidentally missing the nul-terminator. We also always used to return a
non-zero value, even if we did not actually copy anything.
Fixes: 23cd138503 ("Integrate USB gadget layer and USB CDC driver layer")
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Similar to support for SHA1 and SHA256, allow the use of hardware hashing
engine by enabling the algorithm and setting CONFIG_SHA_HW_ACCEL /
CONFIG_SHA_PROG_HW_ACCEL.
Signed-off-by: Joel Stanley <joel@jms.id.au>
The optee_copy_fdt_nodes is only used to copy op-tee nodes
of U-Boot device tree (from gd->fdt_blob when OF_LIVE is not activated)
to external device tree but it is not compatible with OF_LIVE.
This patch migrates all used function fdt_ functions to read node on
old_blob to ofnode functions, compatible with OF_LIVE and remove this
parameter "old_blob".
The generated "device tree" is checked on stm32mp platform with OF_LIVE
activated.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Although ptr arithmetics are allowed with extensions in gcc, they
are not allowed by the C spec. So switch to (void *)(uintptr_t) instead
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Fix the build warning when building for 32 bit systems by using the
length modifier for size_t.
lib/efi_loader/efi_esrt.c: In function ‘efi_esrt_populate’:
include/efi_loader.h:126:8: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 8 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Enable building of the crypto helper functions used during capsule
authentication by selecting IMAGE_SIGN_INFO.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
