Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Ensure '.' is used to separate octets. If another character is seen
reject the string outright and return 0.0.0.0.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Previously values greater than 255 were implicitly truncated. Add some
stricter checking to reject addresses with components >255.
With the input "1234192.168.1.1" the old behaviour would truncate the
address to 192.168.1.1. New behaviour rejects the string outright and
returns 0.0.0.0, which for the purposes of IP addresses can be
considered an error.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Currently, mdelay() and udelay() are declared in include/common.h,
while ndelay() in include/linux/compat.h. It would be nice to
collect them into include/linux/delay.h like Linux.
While we are here, fix the ndelay() implementation; I used the
DIV_ROUND_UP() instead of (x)/1000 because it must wait *longer*
than the given period of time.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The fdt_overlay_apply() function purports to support the edge cases where
an overlay has no fixups to be applied, or a base tree which has no
symbols (the latter can only work if the former is also true). However it
gets it wrong in a couple of small ways:
* In the no fixups case, it doesn't fail immediately, but will attempt
fdt_for_each_property_offset() giving -FDT_ERR_NOTFOUND as the node
offset, which will fail. Instead it should succeed immediately, since
there's nothing to do.
* In the case of no symbols, it again doesn't fail immediately. However
if there is an actual fixup it will fail with an unexpected error,
because -FDT_ERR_NOTFOUND is passed to fdt_getprop() when attempting to
look up the symbols. We should instead return -FDT_ERR_NOTFOUND
directly.
Both of these errors lead to the code returning misleading error codes in
failing cases.
[ DTC commit: 7d8ef6e1db9794f72805a0855f4f7f12fadd03d3 ]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Simon Glass <sjg@chromium.org>
tiny-printf does not know about the "-" modifier, which aligns numbers.
This is used by some SPL code, but as it's purely cosmetical, we just
ignore this modifier here to avoid changing correct printf strings.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jagan Teki <jagan@openedev.com>
tiny-printf does not know about the "l" modifier so far, which breaks
the crash dump on AArch64, because it uses %lx to print the registers.
Add an easy way of handling longs correctly.
Using a relatively decent compiler (GCC 5.3.0) this does _not_ increase
the code size of tiny-printf.o for 32-bit builds (where long and int
are actually the same), actually it looses three (ARM Thumb2) instructions
from the actual SPL (numbers for orangepi_plus_defconfig):
text data bss dec hex filename
758 0 0 758 2f6 spl/lib/tiny-printf.o before
18839 488 232 19559 4c67 spl/u-boot-spl before
758 0 0 758 2f6 spl/lib/tiny-printf.o after
18833 488 232 19553 4c61 spl/u-boot-spl after
This adds some substantial amount of code to a 64-bit build, though:
(taken after a later commit, which enables the ARM64 SPL build for sunxi)
text data bss dec hex filename
1542 0 0 1542 606 spl/lib/tiny-printf.o before
25830 392 360 26582 67d6 spl/u-boot-spl before
1758 0 0 1758 6de spl/lib/tiny-printf.o after
26040 392 360 26792 68a8 spl/u-boot-spl after
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jagan Teki <jagan@openedev.com>
Add two functions for use by board implementations to decode the memory
banks of the /memory node so as to populate the global data with
ram_size and board info for memory banks.
The fdtdec_setup_memory_size() function decodes the first memory bank
and sets up the gd->ram_size with the size of the memory bank. This
function should be called from the boards dram_init().
The fdtdec_setup_memory_banksize() function decode the memory banks
(up to the CONFIG_NR_DRAM_BANKS) and populates the base address and size
into the gd->bd->bi_dram array of banks. This function should be called
from the boards dram_init_banksize().
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Michal Simek <monstr@monstr.eu>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Today we can compile a self-contained hello world efi test binary that
allows us to quickly verify whether the EFI loader framwork works.
We can use that binary outside of the self-contained test case though,
by providing it to a to-be-tested system via tftp.
This patch separates compilation of the helloworld.efi file from
including it in the u-boot binary for "bootefi hello". It also modifies
the efi_loader test case to enable travis to pick up the compiled file.
Because we're now no longer bloating the resulting u-boot binary, we
can enable compilation always, giving us good travis test coverage.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.
Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.
Indirectly adds support for "sha1,rsa4096" signing/verification.
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checksum and crypto algos.
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Padding verification was done against static SHA/RSA pair arrays which
take up a lot of static memory, are mostly 0xff, and cannot be reused
for additional SHA/RSA pairings. The padding can be easily computed
according to PKCS#1v2.1 as:
EM = 0x00 || 0x01 || PS || 0x00 || T
where PS is (emLen - tLen - 3) octets of 0xff and T is DER encoding
of the hash.
Store DER prefix in checksum_algo and create rsa_verify_padding
function to handle verification of a message for any SHA/RSA pairing.
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
checksum_algo's pad_len field isn't actually used to store the length of
the padding but the total length of the RSA key (msg_len + pad_len)
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
On ls2080 we have a separate network fabric component which we need to
shut down before we enter Linux (or any other OS). Along with that also
comes configuration of the fabric using a description file.
Today we always stop and configure the fabric in the boot script and
(again) exit it on device tree generation. This works ok for the normal
booti case, but with bootefi the payload we're running may still want to
access the network.
So let's add a new fsl_mc command that defers configuration and stopping
the hardware to when we actually exit U-Boot, so that we can still use
the fabric from an EFI payload.
For existing boot scripts, nothing should change with this patch.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: York Sun <york.sun@nxp.com>
[agraf: Fix x86 build]
Enable this so that EFI applications (notably grub) can be run under U-Boot
on x86 platforms.
At present the 'hello world' EFI application is not supported for the
qemu-x86_efi_payload64 board. That board builds a payload consisting of a
64-bit header and a 32-bit U-Boot, which is incompatible with the way the
EFI loader builds its EFI application. The following error is obtained:
x86_64-linux-ld.bfd: i386 architecture of input file
`lib/efi_loader/helloworld.o' is incompatible with i386:x86-64 output
This could be corrected with additional Makefile rules. For now, this
feature is disabled for that board.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[agraf: drop hello kconfig bits]
Signed-off-by: Alexander Graf <agraf@suse.de>
It is useful to have a basic sanity check for EFI loader support. Add a
'bootefi hello' command which loads HelloWord.efi and runs it under U-Boot.
Signed-off-by: Simon Glass <sjg@chromium.org>
[agraf: Fix documentation, add unfulfilled kconfig dep]
Signed-off-by: Alexander Graf <agraf@suse.de>
At present we use a CONFIG option in efi.h to determine whether we are
building the EFI stub or not. This means that the same header cannot be
used for EFI_LOADER support. The CONFIG option will be enabled for the
whole build, even when not building the stub.
Use a different define instead, set up just for the files that make up the
stub.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Make sure that the cache flushes correctly by ensuring that the end
address is correctly aligned.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
Add support for EFI console modes.
Mode 0 is always 80x25 and present by EFI specification.
Mode 1 is always 80x50 and not mandatory.
Mode 2 and above is freely usable.
If the terminal can handle mode 1, we mark it as supported.
If the terminal size is greater than mode 0 and different than mode 1,
we install it as mode 2.
Modes can be switch with cout_set_mode.
Changes in V5:
Correctly detect mode before enabling mode 2.
Changes in V4:
Reset cursor positon on mode switch
Use local variables in console query code
Changes in V3:
Valid mode are 0 to EFIMode-1
Fix style
Changes in V2:
Add mode switch
Report only the modes that we support
Signed-off-by: Emmanuel Vadot <manu@bidouilliste.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
When adding network interface node use Messaging device path with
subtype MAC Address and device's MAC address as a value instead
of Media Device path type with subtype File Path and path "Net"
Signed-off-by: Oleksandr Tymoshenko <gonzo@bluezbox.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
This line is shown as
depends on (ARM64 ||\302\240ARM) && OF_LIBFDT
on my Emacs. Use ASCII characters only.
Assuming it is (ARM64 || ARM), remove the redundancy.
Unlike Linux, CONFIG_ARM includes CONFIG_ARM64 in U-Boot.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Now that the overlay code has been merge upstream, update our copy to
what's been merged, since a significant number of issues have been fixed
during the merge process.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Acked-by: Simon Glass <sjg@chromium.org>
Compiler attributes are more commonly __foo style tags rather than big
upper case eye sores like EFI_RUNTIME_TEXT.
Simon Glass felt quite strongly about this, so this patch converts our
existing defines over to more eye friendly ones.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add the required pieces to support the EFI loader on x86.
Since U-Boot only builds for 32-bit on x86, only a 32-bit EFI application
is supported. If a 64-bit kernel must be booted, U-Boot supports this
directly using FIT (see doc/uImage.FIT/kernel.its). U-Boot can act as a
payload for both 32-bit and 64-bit EFI.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
These are missing in some functions. Add them to keep things consistent.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
If the system has a valid "serial#" environment variable set (which boards that
can find it out programatically set automatically), use that as input for the
serial number and UUID fields in the SMBIOS tables.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
So far we were only installing the FDT table and didn't have space
to store any other. Hence nobody realized that our efi table allocation
was broken in that it didn't set the indicator for the number of tables
plus one.
This patch fixes it, allowing code to allocate new efi tables.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
We can pass SMBIOS easily as EFI configuration table to an EFI payload. This
patch adds enablement for that case.
While at it, we also enable SMBIOS generation for ARM systems, since they support
EFI_LOADER.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The type 4 table generation code is very x86 centric today. Refactor things
out into the device model cpu class to allow the tables to get generated for
other architectures as well.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The SMBIOS generation code passes pointers as u32. That causes the compiler
to warn on casts to pointers. This patch moves all address pointers to
uintptr_t instead.
Technically u32 would be enough for the current SMBIOS2 style tables, but
we may want to extend the code to SMBIOS3 in the future which is 64bit
address capable.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We want to be able to add configuration table entries from our own code as
well as from EFI payload code. Export the boot service function internally
too, so that we can reuse it.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
We will need the SMBIOS generation function on ARM as well going forward,
so let's move it into a non arch specific location.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We need the checksum function without all the other table functionality
soon, so let's split it out into its own C file.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
When we're running in 32bpp mode, expose the frame buffer address
to our payloads so that Linux efifb can pick it up.
Signed-off-by: Alexander Graf <agraf@suse.de>
So far bounce buffers were only used for disk I/O, but network I/O
may suffer from the same problem.
On platforms that have problems doing DMA on high addresses, let's
also bounce outgoing network packets. Incoming ones always already
get bounced.
This patch fixes EFI PXE boot on ZynqMP for me.
Signed-off-by: Alexander Graf <agraf@suse.de>
EFI allows an OS to leverage firmware drivers while the OS is running. In the
generic code we so far had to stub those implementations out, because we would
need board specific knowledge about MMIO setups for it.
However, boards can easily implement those themselves. This patch provides the
framework so that a board can implement its own versions of get_time and
reset_system which would actually do something useful.
While at it we also introduce a simple way for code to reserve MMIO pointers
as runtime available.
Signed-off-by: Alexander Graf <agraf@suse.de>
As soon as a mapping is unlinked from the list, there are no further
references to it, so it should be freed. If it not unlinked,
update the start address and length.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The code assumes sorted mappings in descending address order. When
splitting a mapping, insert the new part next to the current mapping.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Currently each allocation creates a new mapping. Readding the mapping
as free memory (EFI_CONVENTIONAL_MEMORY) potentially allows to hand out
an existing mapping, thus limiting the number of mapping descriptors in
the memory map.
Mitigates a problem with current (4.8rc7) linux kernels when doing an
efi_get_memory map, resulting in an infinite loop. Space for the memory
map is reserved with allocate_pool (implicitly creating a new mapping) and
filled. If there is insufficient slack space (8 entries) in the map, the
space is freed and a new round is started, with space for one more entry.
As each round increases requirement and allocation by exactly one, there
is never enough slack space. (At least 32 entries are allocated, so as
long as there are less than 24 entries, there is enough slack).
Earlier kernels reserved no slack, and did less allocations, so this
problem was not visible.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
We need a functional free_pool implementation, as otherwise each
allocate_pool causes growth of the memory descriptor table.
Different to free_pages, free_pool does not provide the size for the
to be freed allocation, thus we have to track the size ourselves.
As the only EFI requirement for pool allocation is an alignment of
8 bytes, we can keep allocating a range using the page allocator,
reserve the first 8 bytes for our bookkeeping and hand out the
remainder to the caller. This saves us from having to use any
independent data structures for tracking.
To simplify the conversion between pool allocations and the corresponding
page allocation, we create an auxiliary struct efi_pool_allocation.
Given the allocation size free_pool size can handoff freeing the page
range, which was indirectly allocated by a call to allocate_pool,
to free_pages.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
We currently handle efi_allocate_pool() in our boot time service
file. In the following patch, pool allocation will receive additional
internal semantics that we should preserve inside efi_memory.c instead.
As foundation for those changes, split the function into an externally
facing efi_allocate_pool_ext() for use by payloads and an internal helper
efi_allocate_pool() in efi_memory.c that handles the actual allocation.
While at it, change the magic 0xfff / 12 constants to the more obvious
EFI_PAGE_MASK/SHIFT defines.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
A type mismatch in the efi_allocate_pool boot service flow causes
hazardous memory scribbling on 32-bit systems.
This is efi_allocate_pool's prototype:
static efi_status_t EFIAPI efi_allocate_pool(int pool_type,
unsigned long size,
void **buffer);
Internally, it invokes efi_allocate_pages as follows:
efi_allocate_pages(0, pool_type, (size + 0xfff) >> 12,
(void*)buffer);
This is efi_allocate_pages' prototype:
efi_status_t efi_allocate_pages(int type, int memory_type,
unsigned long pages,
uint64_t *memory);
The problem: efi_allocate_pages does this internally:
*memory = addr;
This fix in efi_allocate_pool uses a transitional uintptr_t cast to
ensure the correct outcome, irrespective of the system's native word
size.
This was observed when bootefi'ing the EFI instance of FreeBSD's first
stage bootstrap (boot1.efi) on a 32-bit ARM platform (Qemu VExpress +
Cortex-a9).
Signed-off-by: Robin Randhawa <robin.randhawa@arm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
The current efi_get_memory_map() function overwrites the map_size
property before reading its value. That way the sanity check whether our
memory map fits into the given array always succeeds, potentially
overwriting arbitrary payload memory.
This patch moves the property update write after its sanity check, so
that the check actually verifies the correct value.
So far this has not triggered any known bugs, but we're better off safe
than sorry.
If the buffer is to small, the returned memory_map_size indicates the
required size to the caller.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
In 74c16acce3 the return values where
changed, but the description was kept.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>