u-boot.git/lib/efi_loader/Kconfig, branch v2020.10 Unnamed repository; edit this file 'description' to name the repository. efi_loader: signature: rework for intermediate certificates support 2020-08-13T20:37:36+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-21T10:35:22+00:00 1115edd8462b047f83fcca4abcf89b68f2d87041 In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.

What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.

pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: pre-seed UEFI variables 2020-07-16T10:37:02+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-07-14T19:25:28+00:00 7dda16343d2577a52116148540ad7d17c6f19e55 Include a file with the initial values for non-volatile UEFI variables into the U-Boot binary. If this variable is set, changes to variable PK will not be allowed. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Include a file with the initial values for non-volatile UEFI variables
into the U-Boot binary. If this variable is set, changes to variable PK
will not be allowed.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: configuration of variables store 2020-07-16T10:37:02+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-07-14T17:18:33+00:00 be66b89da30670a6a90d07742305d89ed3ccd46e The file based and the OP-TEE based UEFI variable store are mutually exclusive. Define them as choice options in Kconfig. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
The file based and the OP-TEE based UEFI variable store are mutually
exclusive. Define them as choice options in Kconfig.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: UEFI variable persistence 2020-07-11T21:14:17+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-03-19T18:21:58+00:00 5f7dcf079de8caa5ef9c332c928bd6a3c3d12335 Persist non-volatile UEFI variables in a file on the EFI system partition. The file is written whenever a non-volatile UEFI variable is changed after initialization of the UEFI sub-system. The file is read during the UEFI sub-system initialization to restore non-volatile UEFI variables. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Persist non-volatile UEFI variables in a file on the EFI system partition.

The file is written whenever a non-volatile UEFI variable is changed after
initialization of the UEFI sub-system.

The file is read during the UEFI sub-system initialization to restore
non-volatile UEFI variables.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: imply FAT, FAT_WRITE 2020-07-03T16:03:56+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-03-21T19:45:50+00:00 93f6201af71d9a0a521c99212e6066778270a357 The UEFI spec requires support for the FAT file system. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
The UEFI spec requires support for the FAT file system.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: Implement EFI variable handling via OP-TEE 2020-05-17T19:59:53+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2020-05-17T19:25:44+00:00 f042e47e8fb433a7a1f8a25d997ba0fe74e2db53 In OP-TEE we can run EDK2's StandAloneMM on a secure partition. StandAloneMM is responsible for the UEFI variable support. In combination with OP-TEE and it's U-Boot supplicant, variables are authenticated/validated in secure world and stored on an RPMB partition. So let's add a new config option in U-Boot implementing the necessary calls to OP-TEE for the variable management. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
In OP-TEE we can run EDK2's StandAloneMM on a secure partition.
StandAloneMM is responsible for the UEFI variable support. In
combination with OP-TEE and it's U-Boot supplicant, variables are
authenticated/validated in secure world and stored on an RPMB partition.

So let's add a new config option in U-Boot implementing the necessary
calls to OP-TEE for the variable management.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: add CONFIG_EFI_SECURE_BOOT config option 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:38+00:00 9bf09b5120da6d21d9e7774d958b98116828f907 Under this configuration, UEFI secure boot support will be added in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: enable RNG if DM_RNG is enabled 2020-04-16T06:10:01+00:00 Peter Robinson pbrobinson@gmail.com 2020-04-01T10:15:01+00:00 bdf329e4a3ea1209a50d4cbe267ada41384eb750 Enable EFI_RNG_PROTOCOL by default if DM_RNG is set. Signed-off-by: Peter Robinson <pbrobinson@gmail.com> Acked-by: Sughosh Ganu <sughosh.ganu@linaro.org> Remove superfluous 'if DM_RNG' Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Enable EFI_RNG_PROTOCOL by default if DM_RNG is set.

Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Acked-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Remove superfluous 'if DM_RNG'
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: Implement FileLoad2 for initramfs loading 2020-02-28T18:37:14+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2020-02-21T07:55:45+00:00 ec80b4735a593961fe701cc3a5d717d4739b0fd0 Following kernel's proposal for an arch-agnostic initrd loading mechanism [1] let's implement the U-boot counterpart. This new approach has a number of advantages compared to what we did up to now. The file is loaded into memory only when requested limiting the area of TOCTOU attacks. Users will be allowed to place the initramfs file on any u-boot accessible partition instead of just the ESP one. Finally this is an attempt of a generic interface across architectures in the linux kernel so it makes sense to support that. The file location is intentionally only supported as a config option argument(CONFIG_EFI_INITRD_FILESPEC), in an effort to enhance security. Although U-boot is not responsible for verifying the integrity of the initramfs, we can enhance the offered security by only accepting a built-in option, which will be naturally verified by UEFI Secure Boot. This can easily change in the future if needed and configure that via ENV or UEFI variable. [1] https://lore.kernel.org/linux-efi/20200207202637.GA3464906@rani.riverdale.lan/T/#m4a25eb33112fab7a22faa0fd65d4d663209af32f Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Following kernel's proposal for an arch-agnostic initrd loading
mechanism [1] let's implement the U-boot counterpart.
This new approach has a number of advantages compared to what we did up
to now. The file is loaded into memory only when requested limiting the
area of TOCTOU attacks. Users will be allowed to place the initramfs
file on any u-boot accessible partition instead of just the ESP one.
Finally this is an attempt of a generic interface across architectures
in the linux kernel so it makes sense to support that.

The file location is intentionally only supported as a config option
argument(CONFIG_EFI_INITRD_FILESPEC), in an effort to enhance security.
Although U-boot is not responsible for verifying the integrity of the
initramfs, we can enhance the offered security by only accepting a
built-in option, which will be naturally verified by UEFI Secure Boot.
This can easily change in the future if needed and configure that via ENV
or UEFI variable.

[1] https://lore.kernel.org/linux-efi/20200207202637.GA3464906@rani.riverdale.lan/T/#m4a25eb33112fab7a22faa0fd65d4d663209af32f

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: EFI_RNG_PROTOCOL 2020-02-19T11:53:36+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-02-14T22:28:58+00:00 0e228853b520611a0ee6fe2b9bd7a0bc3f8c30fc Do not use quotation marks for Kconfig help text. Replace rng abbreviation by full words. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Do not use quotation marks for Kconfig help text.
Replace rng abbreviation by full words.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>