u-boot.git/include/efi_loader.h, branch v2020.10 Unnamed repository; edit this file 'description' to name the repository. efi_loader: installation of EFI_RNG_PROTOCOL 2020-09-27T14:10:45+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-09-25T10:50:19+00:00 b59c13d42f42811912fd08f32f11e68a8e708c00 Having an EFI_RNG_PROTOCOL without a backing RNG device leads to failure to boot Linux 5.8. Only install the EFI_RNG_PROTOCOL if we have a RNG device. Reported-by: Scott K Logan <logans@cottsay.net> Cc: Neil Armstrong <narmstrong@baylibre.com> Cc: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Having an EFI_RNG_PROTOCOL without a backing RNG device leads to failure
to boot Linux 5.8.

Only install the EFI_RNG_PROTOCOL if we have a RNG device.

Reported-by: Scott K Logan <logans@cottsay.net>
Cc: Neil Armstrong <narmstrong@baylibre.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: efi_dp_check_length() 2020-08-24T14:37:53+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-23T08:49:46+00:00 5cad4a30932a31f1646510d35af7e9e36f71708a We need to check that device paths provided via UEFI variables are not malformed. Provide function efi_dp_check_length() to check if a device path has an end node within a given number of bytes. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
We need to check that device paths provided via UEFI variables are not
malformed.

Provide function efi_dp_check_length() to check if a device path has an
end node within a given number of bytes.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: signature: correct a behavior against multiple signatures 2020-08-14T10:28:25+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-08-14T05:39:23+00:00 52956e535e65c852b1f95d2ca5044cb7c4fc6bbe Under the current implementation, all the signatures, if any, in a signed image must be verified before loading it. Meanwhile, UEFI specification v2.8b section 32.5.3.3 says, Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”). Only one hash or signature is required to be present in db in order to pass validation, so long as neither the SHA-256 hash of the binary nor any present signature is reflected in dbx. This patch makes the semantics of signature verification compliant with the specification mentioned above. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Under the current implementation, all the signatures, if any, in
a signed image must be verified before loading it.

Meanwhile, UEFI specification v2.8b section 32.5.3.3 says,
    Multiple signatures are allowed to exist in the binary’s certificate
    table (as per PE/COFF Section “Attribute Certificate Table”). Only
    one hash or signature is required to be present in db in order to pass
    validation, so long as neither the SHA-256 hash of the binary nor any
    present signature is reflected in dbx.

This patch makes the semantics of signature verification compliant with
the specification mentioned above.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: signature: rework for intermediate certificates support 2020-08-13T20:37:36+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-21T10:35:22+00:00 1115edd8462b047f83fcca4abcf89b68f2d87041 In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.

What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.

pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: set load options in boot manager 2020-08-08T17:03:24+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-07T15:49:39+00:00 0ad64007feb93dced461647c75f782160b1c8ede Up to now we used the value of the bootargs environment variable as load options in the boot manager. This is not correct. The data has to be taken from the Boot#### variable. Let the boot manager copy the optional data of the EFI_LOAD_OPTION as load options to the loaded image protocol. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Up to now we used the value of the bootargs environment variable as load
options in the boot manager. This is not correct. The data has to be taken
from the Boot#### variable.

Let the boot manager copy the optional data of the EFI_LOAD_OPTION as load
options to the loaded image protocol.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: factor out efi_set_load_options() 2020-08-08T17:03:24+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-07T15:47:13+00:00 1064d04920beba5564c84fde1993dd39c809ed49 The bootefi bootmgr command has to set the load options for a loaded image from the value of BootXXXX variable. If the boot manager is not used, the value is set from the environment variable bootargs (or efi_selftest). Factor out a common function efi_set_load_options(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
The bootefi bootmgr command has to set the load options for a loaded image
from the value of BootXXXX variable. If the boot manager is not used, the
value is set from the environment variable bootargs (or efi_selftest).

Factor out a common function efi_set_load_options().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: new function efi_memcpy_runtime() 2020-07-11T21:14:17+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-06-28T14:30:29+00:00 b0dd8cb4076ea178df93ad56be6636dcdb444c33 Provide a memcpy() function that we can use at UEFI runtime. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Provide a memcpy() function that we can use at UEFI runtime.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: export efi_convert_pointer() 2020-07-11T21:14:17+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-03-24T17:05:22+00:00 a44d2a23992ba70dfeefbad9c55249bfc6be9fbc We need ConvertPointer() to adjust pointers when implementing runtime services within U-Boot. After ExitBootServices() gd is not available anymore. So we should not use EFI_ENTRY() and EFI_EXIT(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
We need ConvertPointer() to adjust pointers when implementing  runtime
services within U-Boot.

After ExitBootServices() gd is not available anymore. So we should not use
EFI_ENTRY() and EFI_EXIT().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: image_loader: add digest-based verification for signed image 2020-07-11T21:14:15+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-08T05:01:57+00:00 7926dfb579cb17efc62ede2ce6d5c0a6f7e2f855 In case that a type of certificate in "db" or "dbx" is EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains a public key for RSA decryption, but a digest of image to be loaded. If the value matches to a value calculated from a given binary image, it is granted for loading. With this patch, common digest check code, which used to be used for unsigned image verification, will be extracted from efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and extra step for digest check will be added to efi_image_authenticate(). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In case that a type of certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of image to be loaded.
If the value matches to a value calculated from a given binary image, it is
granted for loading.

With this patch, common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
extra step for digest check will be added to efi_image_authenticate().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: image_loader: verification for all signatures should pass 2020-07-11T21:14:15+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-08T05:01:56+00:00 11bafb259648dea054e07dc5c8003eb8c736f36c A signed image may have multiple signatures in - each WIN_CERTIFICATE in authenticode, and/or - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE) In the initial implementation of efi_image_authenticate(), the criteria of verification check for multiple signatures case is a bit ambiguous and it may cause inconsistent result. With this patch, we will make sure that verification check in efi_image_authenticate() should pass against all the signatures. The only exception would be - the case where a digest algorithm used in signature is not supported by U-Boot, or - the case where parsing some portion of authenticode has failed In those cases, we don't know how the signature be handled and should just ignore them. Please note that, due to this change, efi_signature_verify_with_sigdb()'s function prototype will be modified, taking "dbx" as well as "db" instead of outputing a "certificate." If "dbx" is null, the behavior would be the exact same as before. The function's name will be changed to efi_signature_verify() once current efi_signature_verify() has gone due to further improvement in intermediate certificates support. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
A signed image may have multiple signatures in
  - each WIN_CERTIFICATE in authenticode, and/or
  - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE)

In the initial implementation of efi_image_authenticate(), the criteria
of verification check for multiple signatures case is a bit ambiguous
and it may cause inconsistent result.

With this patch, we will make sure that verification check in
efi_image_authenticate() should pass against all the signatures.
The only exception would be
  - the case where a digest algorithm used in signature is not supported by
    U-Boot, or
  - the case where parsing some portion of authenticode has failed
In those cases, we don't know how the signature be handled and should
just ignore them.

Please note that, due to this change, efi_signature_verify_with_sigdb()'s
function prototype will be modified, taking "dbx" as well as "db"
instead of outputing a "certificate." If "dbx" is null, the behavior would
be the exact same as before.
The function's name will be changed to efi_signature_verify() once
current efi_signature_verify() has gone due to further improvement
in intermediate certificates support.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>