u-boot.git/lib/efi_loader/efi_image_loader.c, branch v2021.07 Unnamed repository; edit this file 'description' to name the repository. efi_loader: fix Sphinx warning 2021-06-09T10:35:01+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2021-06-08T22:21:24+00:00 b95e5edc424a14c1d03848c03f92389a945d3e61 Brackets '[' need to be escaped to avoid a build warning lib/efi_loader/efi_image_loader.c:223: WARNING: Inline strong start-string without end-string. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Masahisa Kojima <masahisa.kojima@linaro.org> 
Brackets '[' need to be escaped to avoid a build warning

    lib/efi_loader/efi_image_loader.c:223:
    WARNING: Inline strong start-string without end-string.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Masahisa Kojima <masahisa.kojima@linaro.org>
efi_loader: add PE/COFF image measurement 2021-05-28T14:17:01+00:00 Masahisa Kojima masahisa.kojima@linaro.org 2021-05-26T03:09:58+00:00 163a0d7e2cbdbdf26d90ac8d30c0495b814f3245 "TCG PC Client Platform Firmware Profile Specification" requires to measure every attempt to load and execute a OS Loader(a UEFI application) into PCR[4]. This commit adds the PE/COFF image measurement, extends PCR, and appends measurement into Event Log. Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Replace CONFIG_HASH_CALCULATE by CONFIG_HASH Fix conversions between pointers and u64. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
"TCG PC Client Platform Firmware Profile Specification"
requires to measure every attempt to load and execute
a OS Loader(a UEFI application) into PCR[4].
This commit adds the PE/COFF image measurement, extends PCR,
and appends measurement into Event Log.

Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Replace CONFIG_HASH_CALCULATE by CONFIG_HASH
Fix conversions between pointers and u64.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled 2021-05-25T11:06:57+00:00 Masahisa Kojima masahisa.kojima@linaro.org 2021-05-14T00:53:36+00:00 f6081a8a1e45e4864e36d83ccc236eef62478b1f This is preparation for PE/COFF measurement support. PE/COFF image hash calculation is same in both UEFI Secure Boot image verification and measurement in measured boot. PE/COFF image parsing functions are gathered into efi_image_loader.c, and exposed even if UEFI Secure Boot is not enabled. This commit also adds the EFI_SIGNATURE_SUPPORT option to decide if efi_signature.c shall be compiled. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
This is preparation for PE/COFF measurement support.
PE/COFF image hash calculation is same in both
UEFI Secure Boot image verification and measurement in
measured boot. PE/COFF image parsing functions are
gathered into efi_image_loader.c, and exposed even if
UEFI Secure Boot is not enabled.

This commit also adds the EFI_SIGNATURE_SUPPORT option
to decide if efi_signature.c shall be compiled.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: don't load beyond VirtualSize 2021-02-14T09:34:15+00:00 Asherah Connor ashe@kivikakk.ee 2021-02-09T06:19:48+00:00 9d30a941cce5ed055da18398f4deba18830d00d6 PE section table entries' SizeOfRawData must be a multiple of FileAlignment, and thus may be rounded up and larger than their VirtualSize. We should not load beyond the VirtualSize, which is "the total size of the section when loaded into memory" -- we may clobber real data at the target in some other section, since we load sections in reverse order and sections are usually laid out sequentially. Signed-off-by: Asherah Connor <ashe@kivikakk.ee> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
PE section table entries' SizeOfRawData must be a multiple of
FileAlignment, and thus may be rounded up and larger than their
VirtualSize.

We should not load beyond the VirtualSize, which is "the total size of
the section when loaded into memory" -- we may clobber real data at the
target in some other section, since we load sections in reverse order
and sections are usually laid out sequentially.

Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: carve out efi_check_pe() 2021-01-13T01:38:00+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2021-01-12T11:40:32+00:00 5dad05a0e61d759af2df8cf900d044a8485bd747 Carve out a function to check that a buffer contains a PE-COFF image. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Carve out a function to check that a buffer contains a PE-COFF image.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: error message if image not authenticated 2020-09-06T19:21:41+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-27T15:51:32+00:00 0f7878b853bdc363a930381c42b709b7d24066b5 Currently if the bootefi command fails due to missing authentication, the user gets no feedback. Write a log message 'Image not authenticated' if LoadImage() fails due to missing authentication. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Currently if the bootefi command fails due to missing authentication, the
user gets no feedback.

Write a log message 'Image not authenticated' if LoadImage() fails due to
missing authentication.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: log function in image loader 2020-09-06T19:21:41+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-25T17:51:20+00:00 24586059d3818d812300c77257c5134ddd7e2935 Use log_err() for error messages. Replace debug() by EFI_PRINT(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Use log_err() for error messages.
Replace debug() by EFI_PRINT().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: signature: correct a behavior against multiple signatures 2020-08-14T10:28:25+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-08-14T05:39:23+00:00 52956e535e65c852b1f95d2ca5044cb7c4fc6bbe Under the current implementation, all the signatures, if any, in a signed image must be verified before loading it. Meanwhile, UEFI specification v2.8b section 32.5.3.3 says, Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”). Only one hash or signature is required to be present in db in order to pass validation, so long as neither the SHA-256 hash of the binary nor any present signature is reflected in dbx. This patch makes the semantics of signature verification compliant with the specification mentioned above. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Under the current implementation, all the signatures, if any, in
a signed image must be verified before loading it.

Meanwhile, UEFI specification v2.8b section 32.5.3.3 says,
    Multiple signatures are allowed to exist in the binary’s certificate
    table (as per PE/COFF Section “Attribute Certificate Table”). Only
    one hash or signature is required to be present in db in order to pass
    validation, so long as neither the SHA-256 hash of the binary nor any
    present signature is reflected in dbx.

This patch makes the semantics of signature verification compliant with
the specification mentioned above.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: signature: rework for intermediate certificates support 2020-08-13T20:37:36+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-21T10:35:22+00:00 1115edd8462b047f83fcca4abcf89b68f2d87041 In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.

What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.

pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: wrong printf format in efi_image_parse 2020-07-11T21:14:16+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-07-07T05:23:44+00:00 39a75f5af139eaa53758a8cb0e0788cfafdaf54c Commit 1b6c08548c85 ("efi_loader: image_loader: replace debug to EFI_PRINT") leads to a build warning on 32bit systems: lib/efi_loader/efi_image_loader.c: In function ‘efi_image_parse’: include/efi_loader.h:123:8: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 8 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=] Use %zu for printing size_t. Fixes: 1b6c08548c85 ("efi_loader: image_loader: replace debug to EFI_PRINT") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Commit 1b6c08548c85 ("efi_loader: image_loader: replace debug to
EFI_PRINT") leads to a build warning on 32bit systems:

lib/efi_loader/efi_image_loader.c: In function ‘efi_image_parse’:
include/efi_loader.h:123:8: warning: format ‘%lu’ expects argument
of type ‘long unsigned int’, but argument 8 has
type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]

Use %zu for printing size_t.

Fixes: 1b6c08548c85 ("efi_loader: image_loader: replace debug to
EFI_PRINT")

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>