Commit graph

47 commits

Author SHA1 Message Date
Heinrich Schuchardt
39a75f5af1 efi_loader: wrong printf format in efi_image_parse
Commit 1b6c08548c ("efi_loader: image_loader: replace debug to
EFI_PRINT") leads to a build warning on 32bit systems:

lib/efi_loader/efi_image_loader.c: In function ‘efi_image_parse’:
include/efi_loader.h:123:8: warning: format ‘%lu’ expects argument
of type ‘long unsigned int’, but argument 8 has
type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]

Use %zu for printing size_t.

Fixes: 1b6c08548c ("efi_loader: image_loader: replace debug to
EFI_PRINT")

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11 23:14:16 +02:00
AKASHI Takahiro
7926dfb579 efi_loader: image_loader: add digest-based verification for signed image
In case that a type of certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of image to be loaded.
If the value matches to a value calculated from a given binary image, it is
granted for loading.

With this patch, common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
extra step for digest check will be added to efi_image_authenticate().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
11bafb2596 efi_loader: image_loader: verification for all signatures should pass
A signed image may have multiple signatures in
  - each WIN_CERTIFICATE in authenticode, and/or
  - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE)

In the initial implementation of efi_image_authenticate(), the criteria
of verification check for multiple signatures case is a bit ambiguous
and it may cause inconsistent result.

With this patch, we will make sure that verification check in
efi_image_authenticate() should pass against all the signatures.
The only exception would be
  - the case where a digest algorithm used in signature is not supported by
    U-Boot, or
  - the case where parsing some portion of authenticode has failed
In those cases, we don't know how the signature should be handled and should
just ignore them.

Please note that, due to this change, efi_signature_verify_with_sigdb()'s
function prototype will be modified, taking "dbx" as well as "db"
instead of outputting a "certificate." If "dbx" is null, the behavior would
be the exact same as before.
The function's name will be changed to efi_signature_verify() once
current efi_signature_verify() has gone due to further improvement
in intermediate certificates support.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
eb537fd7eb efi_loader: image_loader: retrieve authenticode only if it exists
Since the certificate table, which is indexed by
IMAGE_DIRECTORY_ENTRY_SECURITY and contains authenticode in PE image,
doesn't always exist, we should make sure that we will retrieve its pointer
only if it exists.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
1a44b7059c efi_loader: image_loader: add a check against certificate type of authenticode
UEFI specification requires that we shall support three types of
certificates of authenticode in PE image:
  WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PKCS7_GUID
  WIN_CERT_TYPE_PKCS_SIGNED_DATA
  WIN_CERT_TYPE_EFI_PKCS1_15

As EDK2 does, we will support the first two that are pkcs7 SignedData.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11 23:14:15 +02:00
AKASHI Takahiro
1b6c08548c efi_loader: image_loader: replace debug to EFI_PRINT
Just for style consistency, replace all the uses of debug() to
EFI_PRINT() in efi_image_loader.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-03 18:00:27 +02:00
Heinrich Schuchardt
4bb4249b39 efi_loader: printf code in efi_image_parse()
For size_t we have to use %zu for printing not %lu.

Fixes: 4540dabdca ("efi_loader: image_loader: support image
authentication")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-14 21:07:20 +02:00
Heinrich Schuchardt
55af40a578 efi_loader: simplify PE consistency check
Knowing that at least one section header follows the optional header we
only need to check for the length of the 64bit header which is longer than
the 32bit header.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:18 +02:00
Heinrich Schuchardt
13f62d9f7e efi_loader: function description cmp_pe_section()
Rework the description of function cmp_pe_section().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:17 +02:00
Heinrich Schuchardt
4afceb4d17 efi_loader: function descriptions efi_image_loader.c
We want to follow the Linux kernel style for function descriptions.

Add missing parentheses after function names.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03 17:19:17 +02:00
AKASHI Takahiro
52d7bfe787 efi_loader: image_loader: fix a Coverity check against array access
Coverity detected:
  Using "&opt->CheckSum" as an array.  This might corrupt or misinterpret
  adjacent memory locations.

The code should work as far as a structure, IMAGE_OPTIONAL_HEADER(64) is
packed, but modify it in more logical form. Subsystem is a member next to
CheckSum.

Reported-by: Coverity (CID 300339)
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-09 09:30:27 +02:00
Heinrich Schuchardt
d7ca3ce3d3 efi_loader: crypto/pkcs7_parser.h is not a local include
Use <> and not "" for referencing a global include.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:18 +02:00
Patrick Wildt
6f146155f8 efi_loader: pkcs7_parse_message() returns error pointer
Since pkcs7_parse_message() returns an error pointer, we must not
check for NULL.  We have to explicitly set msg to NULL in the error
case, otherwise the call to pkcs7_free_message() on the goto err
path will assume it's a valid object.

Signed-off-by: Patrick Wildt <patrick@blueri.se>
Add missing include linux/err.h
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-07 18:23:17 +02:00
AKASHI Takahiro
e3f5c9cb0f lib/crypto, efi_loader: move some headers to include/crypto
Pkcs7_parse.h and x509_parser.h are used in UEFI subsystem, in particular,
secure boot. So move them to include/crypto to avoid relative paths.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Don't include x509_parser.h twice.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04 12:26:11 +02:00
AKASHI Takahiro
4540dabdca efi_loader: image_loader: support image authentication
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.

Currently we support
* authentication based on db and dbx,
  so dbx-validated image will always be rejected.
* following signature types:
    EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
    EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.

Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate() before loading a given image.

It seems that UEFI specification defines the verification process
in a bit ambiguous way. I tried to implement it as closely as
EDK2 does.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16 08:12:46 +02:00
Simon Glass
1eb69ae498 common: Move ARM cache operations out of common.h
These functions are CPU-related and do not use driver model. Move them to
cpu_func.h

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2019-12-02 18:24:58 -05:00
Heinrich Schuchardt
126a43f15b efi_loader: unload applications upon Exit()
Implement unloading of images in the Exit() boot services:

* unload images that are not yet started,
* unload started applications,
* unload drivers returning an error.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-07 21:10:03 +02:00
Heinrich Schuchardt
dec88e41e0 efi_loader: consistent naming of protocol GUIDs
We should consistently use the same name for protocol GUIDs as defined in
the UEFI specification. Not adhering to this rule has led to duplicate
definitions for the EFI_LOADED_IMAGE_PROTOCOL_GUID.

Adjust misnamed protocol GUIDs.

Adjust the text for the graphics output protocol in the output of the
`efidebug dh` command.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-04-23 00:37:27 +02:00
AKASHI Takahiro
bc8fc32855 efi_loader: boottime: add loaded image device path protocol to image handle
To meet UEFI spec v2.7a section 9.2, we should add
EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL to image handle,
instead of EFI_DEVICE_PATH_PROTOCOL.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-04-07 14:17:06 +02:00
AKASHI Takahiro
8458bf648f efi_loader: set image_base and image_size to correct values
Currently, image's image_base points to an address where the image was
temporarily uploaded for further loading. Since efi_loader relocates
the image to final destination, image_base and image_size should reflect
that.

This bug was detected in UEFI SCT, "Loaded Image Protocol Test - test 2,"
which shows that 'Unload' function doesn't fit into a range suggested by
image_base and image_size.

	TestCase/UEFI/EFI/Protocol/LoadedImage/BlackBoxTest/
	LoadedImageBBTestMain.c:1002

Changes in this patch also include:
* reverts a patch, "efi_loader: save image relocation address
  and size" since newly added fields are no longer needed.
* copy PE headers as well since those information will be needed
  for module loading, in particular, at grub.
  (This bug was reported by Heinrich.)

Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Rebase patch.
Remove unused fields from struct efi_loaded_image_obj.

Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-04-07 14:17:06 +02:00
Heinrich Schuchardt
997fc12ec9 efi_loader: do not miss last relocation block
If the last block in the relocation table contains only a single
relocation, the current coding ignores it.

Fix the determination of the end of the relocation table.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-02-16 15:51:14 +01:00
Heinrich Schuchardt
1db561e11f efi_loader: documentation of image loader
- Add missing function descriptions.
- Update existing function descriptions to match Sphinx style.
- Add lib/efi_loader/efi_image_loader.c to the input files for Sphinx
  generated documentation.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-02-16 15:48:58 +01:00
Heinrich Schuchardt
8f7e2b2980 efi_loader: set entry point in efi_load_pe()
Up to now efi_load_pe() returns the entry point or NULL in case of an
error. This does not allow to return correct error codes from LoadImage().

Let efi_load_pe() return a status code and fill in the entry point in the
corresponding field of the image object.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-02-16 15:42:20 +01:00
Heinrich Schuchardt
c982874e93 efi_loader: refactor efi_setup_loaded_image()
Create the handle of loaded images and the EFI_LOADED_IMAGE_PROTOCOL
inside efi_setup_loaded_image(). Do not use local variables.

Currently we expect the loaded image handle to point to the loaded image
protocol. Additionally we have appended private fields to the protocol.

With the patch the handle points to a loaded image object and the private
fields are added here. This matches how we handle the net and the gop
object.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-09-23 21:55:31 +02:00
Alexander Graf
b59f69712b efi_loader: Use compiler constants for image loader
The EFI image loader tries to determine which target architecture we're
working with to only load PE binaries that match.

So far this has worked based on CONFIG defines, because the target CPU
was always indicated by a config define. With sandbox however, this is
no longer true as all sandbox targets only encompass a single CONFIG
option and so we need to use compiler defines to determine the CPU
architecture.

Signed-off-by: Alexander Graf <agraf@suse.de>
2018-07-25 14:57:43 +02:00
Alexander Graf
de452c04c3 riscv: Add support for HI20 PE relocations
The PE standard allows for HI20/LOW12 relocations. Within the efi_loader
target we always know that our relocation target is 4k aligned, so we
don't need to worry about the LOW12 part.

This patch adds support for the respective relocations. With this and a
few grub patches I have cooking in parallel I'm able to run grub on RISC-V.

Signed-off-by: Alexander Graf <agraf@suse.de>
2018-06-14 10:52:14 +02:00
Heinrich Schuchardt
1f0532ca15 efi_loader: remove unnecessary include
asm/global_data.h is already included via common.h.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-06-03 15:27:20 +02:00
Ivan Gorinov
e2dc4229ad efi_loader: correctly apply relocations from the .reloc section
Instead of difference between preferred and actual image base, the
actual base is added to the fields specified in the .reloc section.

Use ImageBase from PE optional header to compute the delta,
exit early if the image is loaded at the preferred address.

Signed-off-by: Ivan Gorinov <ivan.gorinov@intel.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-06-03 15:27:20 +02:00
Alexander Graf
89aea43642 efi_loader: Use EFI_CACHELINE_SIZE in the image loader too
We were using our EFI_CACHELINE_SIZE define only in the runtime service
code, but left the image loader to use plain CONFIG_SYS_CACHELINE_SIZE.

This patch moves EFI_CACHELINE_SIZE into efi_loader.h and converts
the image loader to use it.

Signed-off-by: Alexander Graf <agraf@suse.de>
2018-05-29 14:43:12 +08:00
Tom Rini
f739fcd831 SPDX: Convert a few files that were missed before
As part of the main conversion a few files were missed.  These files had
additional whitespace after the '*' and before the SPDX tag and my
previous regex was too strict.  This time I did a grep for all SPDX tags
and then filtered out anything that matched the correct styles.

Fixes: 83d290c56f ("SPDX: Convert all of our single license tags to Linux Kernel style")
Reported-by: Heinrich Schuchardt <xypron.debian@gmx.de>
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-10 20:38:35 -04:00
Tom Rini
d024236e5a Remove unnecessary instances of DECLARE_GLOBAL_DATA_PTR
We have a large number of places where while we historically referenced
gd in the code we no longer do, as well as cases where the code added
that line "just in case" during development and never dropped it.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-04-27 14:54:48 -04:00
Ivan Gorinov
61a5ced6ad efi_loader: Check machine type in the image header
Check FileHeader.Machine to make sure the EFI executable image is built
for the same architecture. For example, 32-bit U-Boot on x86 will print
an error message instead of loading an x86_64 image and crashing.

Signed-off-by: Ivan Gorinov <ivan.gorinov@intel.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-04-06 09:28:01 +02:00
Heinrich Schuchardt
c9a63f44b5 efi_loader: new functions to print loaded image information
Introduce functions to print information about loaded images.

If we want to analyze an exception in an EFI image we need the offset
between the PC and the start of the loaded image.

With efi_print_image_info() we can print the necessary information for a
single image, e.g.

UEFI image [0xbffe6000:0xbffe631f] pc=0x138 '/\snp.efi'

efi_print_image_infos() provides output for all loaded images.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-04-05 15:23:55 +02:00
Heinrich Schuchardt
82786754b9 efi_loader: ImageSize must be multiple of SectionAlignment
According to the Portable Executable and Common Object File Format
Specification the image size must be a multiple of the alignment
of sections.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-04-04 11:37:40 +02:00
Heinrich Schuchardt
84b40b40ad efi_loader: save image relocation address and size
For analyzing crash output the relocation address and size are needed.
Save them in the loaded image info.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-04-04 11:37:34 +02:00
Heinrich Schuchardt
268ec6e00e efi_loader: fix building crt0 on arm
Before the patch an undefined constant EFI_SUBSYSTEM was used in the
crt0 code. The current version of binutils does not swallow the error.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888403

The necessary constant IMAGE_SUBSYSTEM_EFI_APPLICATION is already
defined in pe.h. So let's factor out asm-generic/pe.h for the
image subsystem constants and use it in our assembler code.

IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER does not exist in the specification;
let's use IMAGE_SUBSYSTEM_EFI_ROM instead.

The include pe.h is only used in code maintained by Alex so let him be the
maintainer here too.

Reported-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Vagrant Cascadian <vagrant@debian.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-02-10 00:24:00 +01:00
Heinrich Schuchardt
36b41a3ced efi_loader: allocate correct memory type for EFI image
The category of memory allocated for an EFI image should depend on
its type (application, boottime service driver, runtime service driver).

Our helloworld.efi built on arm64 has an illegal image type. Treat it
like an EFI application.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-01-22 23:09:13 +01:00
Heinrich Schuchardt
e540c48636 efi_loader: use correct format string for unsigned long
virt_size is of type unsigned long.
So it should be printed with %ul.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
2018-01-22 23:09:12 +01:00
Rob Clark
4657a3f1ac efi_loader: set loaded image code/data type properly
These should be set according to the image type.  Shell.efi and SCT.efi
use these fields to determine what sort of image they are loading.

Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
2017-09-20 11:10:24 +02:00
Rob Clark
9975fe96b6 efi_loader: add bootmgr
Similar to a "real" UEFI implementation, the bootmgr looks at the
BootOrder and BootXXXX variables to try to find an EFI payload to load
and boot.  This is added as a sub-command of bootefi.

The idea is that the distro bootcmd would first try loading a payload
via the bootmgr, and then if that fails (ie. first boot or corrupted
EFI variables) it would fallback to loading bootaa64.efi.  (Which
would then load fallback.efi which would look for \EFI\*\boot.csv and
populate BootOrder and BootXXXX based on what it found.)

Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
2017-09-20 11:08:01 +02:00
Rob Clark
2a92080d8c efi_loader: add file/filesys support
fallback.efi (and probably other things) use UEFI's simple-file-system
protocol and file support to search for OS's to boot.

Signed-off-by: Rob Clark <robdclark@gmail.com>
[agraf: whitespace fixes, unsigned fixes]
Signed-off-by: Alexander Graf <agraf@suse.de>
2017-09-20 10:43:54 +02:00
xypron.glpk@gmx.de
b5349f742a efi_loader: refactor efi_open_protocol
efi_open_protocol was implemented to call a protocol specific open
function to retrieve the protocol interface.

The UEFI specification does not know of such a function.

It is not possible to implement InstallProtocolInterface with the
current design.

With the patch the protocol interface itself is stored in the list
of installed protocols of an efi_object instead of an open function.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
[agraf: fix efi gop support]
Signed-off-by: Alexander Graf <agraf@suse.de>
2017-07-19 14:14:23 +02:00
xypron.glpk@gmx.de
da684a646d efi_loader: abort on unsupported relocation type
If a relocation type is not supported loading the EFI binary
should be aborted.

Writing a message only is insufficient.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
[agraf: use a() != b coding style]
Signed-off-by: Alexander Graf <agraf@suse.de>
2017-07-04 09:03:00 +02:00
Simon Glass
d0d9099365 efi: Correct cache flush alignment
Make sure that the cache flushes correctly by ensuring that the end
address is correctly aligned.

Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
2016-11-14 23:24:03 +01:00
Alexander Graf
b1237c6e8a efi_loader: Fix relocations above 64kb image size
We were truncating the image offset within the target image to 16 bits
which again meant that we were potentially overwriting random memory
in the lower 16 bits of the image.

This patch casts the offset to a more reasonable 32bits.

With this applied, I can successfully see Shell.efi assert because it
can't find a protocol it expects to be available.

Signed-off-by: Alexander Graf <agraf@suse.de>
2016-08-20 14:03:27 -04:00
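
The relocation fixes described in e2dc4229ad, 997fc12ec9, da684a646d and b1237c6e8a, combined in one added C example; it is not code from U-Boot or from these commits. `apply_relocs()`, `demo()`, the `REL_*` names and the sample image are assumptions made for illustration; the block layout and type values follow the PE/COFF specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REL_ABSOLUTE 0	/* padding entry, nothing to patch */
#define REL_HIGHLOW  3	/* add delta to a 32-bit field */
#define REL_DIR64    10	/* add delta to a 64-bit field */

/*
 * Hypothetical helper, not U-Boot's function; assumes a little-endian host.
 * Returns 0 on success, -1 on a malformed table or an unsupported type.
 */
int apply_relocs(uint8_t *img, size_t img_size, const uint8_t *rel,
		 size_t rel_size, uint64_t pref_base, uint64_t load_base)
{
	uint64_t delta = load_base - pref_base;	/* not the load base itself */
	size_t pos = 0;

	if (!delta)
		return 0;	/* loaded at the preferred address */
	/* Walk to the real end of the table so the last block is not lost */
	while (rel_size - pos >= 8) {
		uint32_t hdr[2];	/* VirtualAddress, SizeOfBlock */
		size_t i, n;

		memcpy(hdr, rel + pos, 8);
		if (hdr[1] < 8 || hdr[1] > rel_size - pos)
			return -1;	/* block shorter than its header or overrunning */
		n = (hdr[1] - 8) / 2;
		for (i = 0; i < n; i++) {
			uint16_t e;
			uint64_t v = 0, off;
			unsigned int type, w;

			memcpy(&e, rel + pos + 8 + 2 * i, 2);
			/* full-width offset: a 16-bit one wraps above 64 KiB */
			off = (uint64_t)hdr[0] + (e & 0xfff);
			type = e >> 12;
			if (type == REL_ABSOLUTE)
				continue;
			if (type != REL_HIGHLOW && type != REL_DIR64)
				return -1;	/* unsupported type: abort the load */
			w = type == REL_DIR64 ? 8 : 4;
			if (off + w > img_size)
				return -1;	/* target outside the image */
			memcpy(&v, img + off, w);
			v += delta;
			memcpy(img + off, &v, w);	/* low w bytes only */
		}
		pos += hdr[1];
	}
	return 0;
}

/* Constructed sample: the only (last) block holds a single DIR64 entry */
uint64_t demo(void)
{
	static uint8_t img[0x11000];
	uint32_t hdr[2] = { 0x10000, 10 };	/* page RVA above 64 KiB, size */
	uint16_t e = (REL_DIR64 << 12) | 0x008;
	uint64_t v = 0x400000 + 0x1234;	/* pointer linked for base 0x400000 */
	uint8_t rel[10];

	memcpy(rel, hdr, 8);
	memcpy(rel + 8, &e, 2);
	memcpy(img + 0x10008, &v, 8);
	if (apply_relocs(img, sizeof(img), rel, sizeof(rel), 0x400000, 0x7f000000))
		return 0;
	memcpy(&v, img + 0x10008, 8);
	return v;
}

int main(void) { return demo() == 0x7f001234ULL ? 0 : 1; }
```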
Alexander Graf
1cd29f0abd efi_loader: Fix some entry/exit points
When switching between EFI context and U-Boot context we need to swap
the register that "gd" resides in.

Some functions slipped through here, with efi_allocate_pool / efi_free_pool
not doing the switch correctly and efi_return_handle switching too often.

Fix them all up to make sure we always have consistent register state.

Signed-off-by: Alexander Graf <agraf@suse.de>
2016-03-27 09:13:02 -04:00
Alexander Graf
cb149c6634 efi_loader: Add PE image loader
EFI uses the PE binary format for its application images. Add support to EFI PE
binaries as well as all necessary bits for the "EFI image loader" interfaces.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
2016-03-15 15:19:23 -04:00