The following variable is exported as UEFI specification defines:
SignatureSupport: array of GUIDs representing the type of signatures
supported by the platform firmware
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
Currently we support
* authentication based on db and dbx,
so dbx-validated image will always be rejected.
* following signature types:
EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.
Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate() before loading a given image.
It seems that UEFI specification defines the verification process
in a bit ambiguous way. I tried to implement it as closely to as
EDK2 does.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
The following variable is exported as UEFI specification defines:
VendorKeys: whether the system is configured to use only vendor-provided
keys or not
The value will have to be modified if a platform has its own way of
initializing signature database, in particular, PK.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
UEFI specification defines several global variables which are related to
the current secure boot state. In this commit, those values will be
maintained according to operations. Currently, AuditMode and DeployedMode
are defined but not implemented.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
is supported for authenticated variables and the system secure state
will transfer between setup mode and user mode as UEFI specification
section 32.3 describes.
Internally, authentication data is stored as part of authenticated
variable's value. It is nothing but a pkcs7 message (but we need some
wrapper, see efi_variable_parse_signature()) and will be validated by
efi_variable_authenticate(), hence efi_signature_verify_with_db().
Associated time value will be encoded in "{...,time=...}" along with
other UEFI variable's attributes.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_signature_parse_sigdb() is a helper function will be used to parse
signature database variable and instantiate a signature store structure
in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
In this commit, implemented are a couple of helper functions which will be
used to materialize variable authentication as well as image authentication
in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Correct function descriptions in efi_watchdog.c.
Add the descriptions to the generated HTML documentation.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Correct function descriptions in efi_unicode_collation.c
Add the Unicode collation protocol to the generated HTML documentation.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Enable EFI_RNG_PROTOCOL by default if DM_RNG is set.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Acked-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Remove superfluous 'if DM_RNG'
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Base autodetection is failing for this case:
if test 257 -gt 3ae; then echo first; else echo second; fi
It is because base for 3ae is recognized by _parse_integer_fixup_radix() as
10. The code detects the first char which is not between 'a'/'A' or 'f'/'F'
to change base from dec to hex.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Shiril Tichkule <shirilt@xlinx.com>
These are used in multiple places so update them to use a shared #define.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Philippe Reynes <philippe.reynes@softathome.com>
'vendor' is both an input and an output parameter. So it cannot be
constant.
Fixes: 0bda81bfdc ("efi_loader: use const efi_guid_t * for variable services")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
For EFI binaries we have to provide an implementation of memmove() in
efi_freestanding.c.
Before this patch the memmove() function was copying in the wrong
direction.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
GetNextVariableName should report the length of the variable including the
final 0x0000 in bytes.
Check this in the unit test.
Increase the buffer size for variable names. 40 bytes is too short.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The runtime service GetNextVariable() returns the length of the next
variable including the closing 0x0000. This length should be in bytes.
Comparing the output of EDK2 and U-Boot shows that this is currently not
correctly implemented:
EDK2:
OsIndicationsSupported: 46
PlatformLang: 26
PlatformLangCodes: 36
U-Boot:
OsIndicationsSupported: 23
PlatformLang: 13
PlatformLangCodes: 18
Provide correct length in GetNextVariable().
Fixes: d99a87f84b ("efi_loader: implement GetNextVariableName()")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
K3 J721E:
* OSPI boot support
* Support for loading remote cores in R5 SPL
* PMIC ESM Support
* Minor fixes for R5F and C7x remoteproc drivers
K3 AM654:
* Update AVS class 0 voltages.
* Add I2C nodes
DRA7xx/AM57xx:
* Fixed Android boot on AM57xx
AM33/AM43/Davinci:
* switch to driver model for the net and mdio driver for baltos
* Add DM/DTS support for omap video driver
* Enable fastboot on am335x-evm
This is a preparatory patch.
Those functions will be used in an implementation of UEFI firmware
management protocol as part of my capsule update patch.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This function, and hence rsa_verify(), will perform RSA verification
with two essential parameters for a RSA public key in contract of
rsa_verify_with_keynode(), which requires additional three parameters
stored in FIT image.
It will be used in implementing UEFI secure boot, i.e. image authentication
and variable authentication.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
In the current implementation of FIT_SIGNATURE, five parameters for
a RSA public key are required while only two of them are essential.
(See rsa-mod-exp.h and uImage.FIT/signature.txt)
This is a result of considering relatively limited computer power
and resources on embedded systems, while such a assumption may not
be quite practical for other use cases.
In this patch, added is a function, rsa_gen_key_prop(), which will
generate additional parameters for other uses, in particular
UEFI secure boot, on the fly.
Note: the current code uses some "big number" routines from BearSSL
for the calculation.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
rsa_verify() will be extended to be able to perform RSA decryption without
additional RSA key properties from FIT image, i.e. rr and n0inv.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
RSA functions from FIT verification and allow for adding a RSA-based
signature verification for other file formats, in particular PE file
for UEFI secure boot.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Currently, if GetMemoryMap API returns EFI_BUFFER_TOO_SMALL, it doesn't
set valid values to other parameters, descriptor_size and
descriptor_version, except memory_map_size.
Some efi applications, however, may use those value; in particular,
xen uses descriptor_size to calculate a size of buffer to be allocated.
While UEFI specification is ambiguous in this point, it would be better
to address this issue proactively to maximize the compatibility with
existing efi applications.
With this patch, for example, xen.efi (and hence linux kernel) can be
started via bootefi without modification.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Move the generic elf loading/validating functions to lib/
so that they can be re-used and accessed by code existing
outside cmd.
While at it remove the duplicate static version of load_elf_image_phdr
under arch/arm/mach-imx/imx_bootaux.c.
Signed-off-by: Keerthy <j-keerthy@ti.com>
Suggested-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Provide a unit test loading an initial ramdisk using the
EFI_LOAD_FILE2_PROTOCOL. The test is only executed on request.
An example usage - given a file image with a file system in partition 1
holding file initrd - is:
* Configure the sandbox with
CONFIG_EFI_SELFTEST=y
CONFIG_EFI_LOAD_FILE2_INITRD=y
CONFIG_EFI_INITRD_FILESPEC="host 0:1 initrd"
* Run ./u-boot and execute
host bind 0 image
setenv efi_selftest load initrd
bootefi selftest
This would provide a test output like:
Testing EFI API implementation
Selected test: 'load initrd'
Setting up 'load initrd'
Setting up 'load initrd' succeeded
Executing 'load initrd'
Loaded 12378613 bytes
CRC32 2997478465
Executing 'load initrd' succeeded
Now the size and CRC32 can be compared to the provided file.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Following kernel's proposal for an arch-agnostic initrd loading
mechanism [1] let's implement the U-boot counterpart.
This new approach has a number of advantages compared to what we did up
to now. The file is loaded into memory only when requested limiting the
area of TOCTOU attacks. Users will be allowed to place the initramfs
file on any u-boot accessible partition instead of just the ESP one.
Finally this is an attempt of a generic interface across architectures
in the linux kernel so it makes sense to support that.
The file location is intentionally only supported as a config option
argument(CONFIG_EFI_INITRD_FILESPEC), in an effort to enhance security.
Although U-boot is not responsible for verifying the integrity of the
initramfs, we can enhance the offered security by only accepting a
built-in option, which will be naturally verified by UEFI Secure Boot.
This can easily change in the future if needed and configure that via ENV
or UEFI variable.
[1] https://lore.kernel.org/linux-efi/20200207202637.GA3464906@rani.riverdale.lan/T/#m4a25eb33112fab7a22faa0fd65d4d663209af32f
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
UEFI spec 2.8 errata A replaces the RuntimeServicesSupported variable
defined in UEFI spec 2.8 by the configuration table
EFI_RT_PROPERTIES_TABLE. So let's follow suit.
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.
Move the compatibility features into a separate header file.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present devres.h is included in all files that include dm.h but few
make use of it. Also this pulls in linux/compat which adds several more
headers. Drop the automatic inclusion and require files to include devres
themselves. This provides a good indication of which files use devres.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Anatolij Gustschin <agust@denx.de>
In upstream libfdt, 6dcb8ba4 "libfdt: Add helpers for accessing
unaligned words" introduced changes to support unaligned reads for ARM
platforms and 11738cf01f15 "libfdt: Don't use memcpy to handle unaligned
reads on ARM" improved the performance of these helpers.
In practice however, this only occurs when the user has forced the
device tree to be placed in memory in a non-aligned way, which in turn
violates both our rules and the Linux Kernel rules for how things must
reside in memory to function.
This "in practice" part is important as handling these other cases adds
visible (1 second or more) delay to boot in what would be considered the
fast path of the code.
Cc: Patrice CHOTARD <patrice.chotard@st.com>
Cc: Patrick DELAUNAY <patrick.delaunay@st.com>
Link: https://www.spinics.net/lists/devicetree-compiler/msg02972.html
Signed-off-by: Tom Rini <trini@konsulko.com>
Tested-by: Patrice Chotard <patrice.chotard@st.com>
As hinted by GCC 9, there is a return statement that returns
an uninitialized variable in optee_copy_firmware_node().
This patch addresses this.
Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>
Reviewed-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
drivers/rng/sandbox_rng.c requires rand() to be defined but configuration
option CONFIG_CONFIG_LIB_RAND selected in drivers/rng/Kconfig does not
exist.
test/lib/test_aes.c requires rand() to be defined.
Fix the selection criteria for choice "Pseudo-random library support type".
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
CONFIG_SPL_RSA is meant to control if lib/rsa/* is used for SPL. Adjust
lib/Makefile to consider this setting.
This was correctly setup with commit 51c14cd128 ("verified-boot: Minimal
support for booting U-Boot proper from SPL") and got lost with commit
089df18bfe ("lib: move hash CONFIG options to Kconfig").
Fixes: 089df18bfe ("lib: move hash CONFIG options to Kconfig")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Correct some function comments. Convert to Sphinx style.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
This is not really a CONFIG since it is not intended to be set by boards.
Move it into the compiler header with other similar defines, and rename
it.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present panic() is in the vsprintf.h header file. That does not seem
like an obvious choice for hang(), even though it relates to panic(). So
let's put hang() in its own header.
Signed-off-by: Simon Glass <sjg@chromium.org>
[trini: Migrate a few more files]
Signed-off-by: Tom Rini <trini@konsulko.com>
