u-boot.git/include/efi_api.h, branch v2023.01-rc2 Unnamed repository; edit this file 'description' to name the repository. efi: ECPT add EBBRv2.0 conformance profile 2022-09-03T08:13:26+00:00 Jose Marinho jose.marinho@arm.com 2021-12-17T12:55:05+00:00 648a8dcb39306ebd32353d6c503ac3b69e064190 Display the EBBRv2.0 conformance in the ECPT table. The EBBRv2.0 conformance profile is set in the ECPT if CONFIG_EFI_EBBR_2_0_CONFORMANCE=y. Signed-off-by: Jose Marinho <jose.marinho@arm.com> Add dependencies for CONFIG_EFI_EBBR_2_0_CONFORMANCE. Enable the setting by default. Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
Display the EBBRv2.0 conformance in the ECPT table.

The EBBRv2.0 conformance profile is set in the ECPT if
CONFIG_EFI_EBBR_2_0_CONFORMANCE=y.

Signed-off-by: Jose Marinho <jose.marinho@arm.com>

Add dependencies for CONFIG_EFI_EBBR_2_0_CONFORMANCE.
Enable the setting by default.
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi: Create ECPT table 2022-09-03T07:35:48+00:00 Jose Marinho jose.marinho@arm.com 2021-12-23T14:51:07+00:00 6b92c1735205eef308a9e33ec90330a3e6d27fc3 The ECPT table will be included in the UEFI specification 2.9+. The ECPT table was introduced in UEFI following the code-first path. The acceptance ticket can be viewed at: https://bugzilla.tianocore.org/show_bug.cgi?id=3591 The Conformance Profiles table is a UEFI configuration table that contains GUID of the UEFI profiles that the UEFI implementation conforms with. The ECPT table is created when CONFIG_EFI_ECPT=y. The config is set by default. Signed-off-by: Jose Marinho <jose.marinho@arm.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
The ECPT table will be included in the UEFI specification 2.9+.
The ECPT table was introduced in UEFI following the code-first path. The
acceptance ticket can be viewed at:
	https://bugzilla.tianocore.org/show_bug.cgi?id=3591

The Conformance Profiles table is a UEFI configuration table that contains
GUID of the UEFI profiles that the UEFI implementation conforms with.

The ECPT table is created when CONFIG_EFI_ECPT=y.
The config is set by default.

Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: add sha384/512 on certificate revocation 2022-05-07T21:17:26+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-05-06T12:36:00+00:00 b436cc6a57cae017343a549f4b701e748d7e6448 Currently we don't support sha384/512 for the X.509 certificate in dbx. Moreover if we come across such a hash we skip the check and approve the image, although the image might needs to be rejected. Rework the code a bit and fix it by adding an array of structs with the supported GUIDs, len and literal used in the U-Boot crypto APIs instead of hardcoding the GUID types. It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest() and add sha348/512 support there as well Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Currently we don't support sha384/512 for the X.509 certificate
in dbx.  Moreover if we come across such a hash we skip the check
and approve the image,  although the image might needs to be rejected.

Rework the code a bit and fix it by adding an array of structs with the
supported GUIDs, len and literal used in the U-Boot crypto APIs instead
of hardcoding the GUID types.

It's worth noting here that efi_hash_regions() can now be reused from
efi_signature_lookup_digest() and add sha348/512 support there as well

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
FMP: Remove GUIDs for FIT and raw images 2022-04-15T08:43:18+00:00 Sughosh Ganu sughosh.ganu@linaro.org 2022-04-15T05:59:39+00:00 9736287173cfdbe42f968314ab325169e1444fd6 The capsule update code has been modified for getting the image GUID values from the platform code. With this, each image now has a unique GUID value. With this change, there is no longer a need for defining GUIDs for FIT and raw images. Remove these GUID values. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> 
The capsule update code has been modified for getting the image GUID
values from the platform code. With this, each image now has a unique
GUID value. With this change, there is no longer a need for defining
GUIDs for FIT and raw images. Remove these GUID values.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
efi_loader: correctly handle mixed hashes and signatures in db 2022-01-29T09:23:40+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-01-28T22:20:31+00:00 4b634313232ed4a17bbf66d228764fef639e1f65 A mix of signatures and hashes in db doesn't always work as intended. Currently if the digest algorithm is not explicitly set to sha256 we stop walking the security database and reject the image. That's problematic in case we find and try to check a signature before inspecting the sha256 hash. If the image is unsigned we will reject it even if the digest matches. Since we no longer reject the image on unknown algorithms add an explicit check and reject the image if any other hash algorithm apart from sha256 is detected on dbx. Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
A mix of signatures and hashes in db doesn't always work as intended.
Currently if the digest algorithm is not explicitly set to sha256 we
stop walking the security database and reject the image.

That's problematic in case we find and try to check a signature before
inspecting the sha256 hash.  If the image is unsigned we will reject it
even if the digest matches.

Since we no longer reject the image on unknown algorithms add an explicit
check and reject the image if any other hash algorithm apart from sha256
is detected on dbx.

Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: Enable RISCV_EFI_BOOT_PROTOCOL support 2022-01-29T09:23:40+00:00 Sunil V L sunilvl@ventanamicro.com 2022-01-28T15:18:44+00:00 1ccf87165e38cb32f2444d8fd4b3e4d8ea13928e This adds support for new RISCV_EFI_BOOT_PROTOCOL to communicate the boot hart ID to bootloader/kernel on RISC-V UEFI platforms. The specification of the protocol is hosted at: https://github.com/riscv-non-isa/riscv-uefi Signed-off-by: Sunil V L <sunilvl@ventanamicro.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
This adds support for new RISCV_EFI_BOOT_PROTOCOL to
communicate the boot hart ID to bootloader/kernel on RISC-V
UEFI platforms.

The specification of the protocol is hosted at:
https://github.com/riscv-non-isa/riscv-uefi

Signed-off-by: Sunil V L <sunilvl@ventanamicro.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: printing TCG2 protocol GUID 2022-01-19T15:16:33+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-01-16T16:46:38+00:00 38040a63a3e838a1eeb56c7d18875be485b14f5c We support the TCG2 protocol. Allow command efidebug to print it. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
We support the TCG2 protocol. Allow command efidebug to print it.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
cmd: efidebug: simplify printing GUIDs 2022-01-19T15:16:33+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-01-16T13:10:23+00:00 3adae64220be502cd6d522c96a3af7dd420a1a67 Use "%pS" to print text representations of GUIDs. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
Use "%pS" to print text representations of GUIDs.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi: Locate all block devices in the app 2021-12-31T05:45:01+00:00 Simon Glass sjg@chromium.org 2021-12-29T18:57:36+00:00 613cd0c46796cae340382679bc01ef220daf3768 When starting the app, locate all block devices and make them available to U-Boot. This allows listing partitions and accessing files in filesystems. EFI also has the concept of 'disks', meaning boot media. For now, this is not obviously useful in U-Boot, but add code to at least locate these. This can be expanded later as needed. We cannot use printf() in the early stub or app since it is not compiled in Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
When starting the app, locate all block devices and make them available
to U-Boot. This allows listing partitions and accessing files in
filesystems.

EFI also has the concept of 'disks', meaning boot media. For now, this
is not obviously useful in U-Boot, but add code to at least locate these.
This can be expanded later as needed.

We cannot use printf() in the early stub or app since it is not compiled
in

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: bump EFI_SPECIFICATION_VERSION to 2.9 2021-11-20T09:53:00+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2021-11-17T17:55:59+00:00 dc52578d7b48342c04484184199831893a983cbf We have implemented all what is new in UEFI specification 2.9 and relevant for U-Boot. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
We have implemented all what is new in UEFI specification 2.9 and relevant
for U-Boot.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>