u-boot.git/lib/efi_loader, branch v2020.07-rc1 Unnamed repository; edit this file 'description' to name the repository. Merge tag 'efi-2020-07-rc1' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi 2020-04-16T20:41:40+00:00 Tom Rini trini@konsulko.com 2020-04-16T20:41:40+00:00 cf87f7cd8cdb35761103720a102df9bf5b88c1b2 Pull request for UEFI sub-system for efi-2020-07-rc1 This pull request * provides an implementation of UEFI secure booting * fixes a problem with the rsa_mod_exp driver which stops some boards from booting when CONFIG_RSA is enabled which is needed for UEFI secure booting * enables the EFI_RNG_PROTOCOL if DM_RNG is enabled * fixes some function comments 
Pull request for UEFI sub-system for efi-2020-07-rc1

This pull request

* provides an implementation of UEFI secure booting
* fixes a problem with the rsa_mod_exp driver which stops some boards
  from booting when CONFIG_RSA is enabled which is needed for UEFI
  secure booting
* enables the EFI_RNG_PROTOCOL if DM_RNG is enabled
* fixes some function comments
x86: Move acpi_table header to main include/ directory 2020-04-16T06:36:28+00:00 Simon Glass sjg@chromium.org 2020-04-08T22:57:36+00:00 776cc2019467567b9a834f80cc5b03128efa372a This file is potentially useful to other architectures saddled with ACPI so move most of its contents to a common location. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com> 
This file is potentially useful to other architectures saddled with ACPI
so move most of its contents to a common location.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
efi_loader: set up secure boot 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:45+00:00 d0f07949cc390b06e6ee36a0b5e5a9f70ea3dae1 The following variable is exported as UEFI specification defines: SignatureSupport: array of GUIDs representing the type of signatures supported by the platform firmware Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
The following variable is exported as UEFI specification defines:
SignatureSupport: array of GUIDs representing the type of signatures
                      supported by the platform firmware

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: image_loader: support image authentication 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:44+00:00 4540dabdcacaea50bf874115f28adc103966d25a With this commit, image validation can be enforced, as UEFI specification section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled. Currently we support * authentication based on db and dbx, so dbx-validated image will always be rejected. * following signature types: EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images) EFI_CERT_X509_GUID (x509 certificate for signed images) Timestamp-based certificate revocation is not supported here. Internally, authentication data is stored in one of certificates tables of PE image (See efi_image_parse()) and will be verified by efi_image_authenticate() before loading a given image. It seems that UEFI specification defines the verification process in a bit ambiguous way. I tried to implement it as closely to as EDK2 does. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.

Currently we support
* authentication based on db and dbx,
  so dbx-validated image will always be rejected.
* following signature types:
    EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
    EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.

Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate() before loading a given image.

It seems that UEFI specification defines the verification process
in a bit ambiguous way. I tried to implement it as closely to as
EDK2 does.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: variable: add VendorKeys variable 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:43+00:00 8353516f4a7e31ee655050033b65218c9733c65a The following variable is exported as UEFI specification defines: VendorKeys: whether the system is configured to use only vendor-provided keys or not The value will have to be modified if a platform has its own way of initializing signature database, in particular, PK. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
The following variable is exported as UEFI specification defines:
VendorKeys: whether the system is configured to use only vendor-provided
	    keys or not
The value will have to be modified if a platform has its own way of
initializing signature database, in particular, PK.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: variable: add secure boot state transition 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:42+00:00 434ffb642240132ab6ecc04c3e8804b8693ace75 UEFI specification defines several global variables which are related to the current secure boot state. In this commit, those values will be maintained according to operations. Currently, AuditMode and DeployedMode are defined but not implemented. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
UEFI specification defines several global variables which are related to
the current secure boot state. In this commit, those values will be
maintained according to operations. Currently, AuditMode and DeployedMode
are defined but not implemented.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: variable: support variable authentication 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:41+00:00 767f6eeb01d331a7570a1a5e89010b09e5499bfb With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is supported for authenticated variables and the system secure state will transfer between setup mode and user mode as UEFI specification section 32.3 describes. Internally, authentication data is stored as part of authenticated variable's value. It is nothing but a pkcs7 message (but we need some wrapper, see efi_variable_parse_signature()) and will be validated by efi_variable_authenticate(), hence efi_signature_verify_with_db(). Associated time value will be encoded in "{...,time=...}" along with other UEFI variable's attributes. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
is supported for authenticated variables and the system secure state
will transfer between setup mode and user mode as UEFI specification
section 32.3 describes.

Internally, authentication data is stored as part of authenticated
variable's value. It is nothing but a pkcs7 message (but we need some
wrapper, see efi_variable_parse_signature()) and will be validated by
efi_variable_authenticate(), hence efi_signature_verify_with_db().

Associated time value will be encoded in "{...,time=...}" along with
other UEFI variable's attributes.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: add signature database parser 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:40+00:00 be6296d05b072f312a20587cf2de8e4456bcb8ff efi_signature_parse_sigdb() is a helper function will be used to parse signature database variable and instantiate a signature store structure in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
efi_signature_parse_sigdb() is a helper function will be used to parse
signature database variable and instantiate a signature store structure
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: add signature verification functions 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:39+00:00 593e17d673abe8e903412e6d55b2eb54b159b096 In this commit, implemented are a couple of helper functions which will be used to materialize variable authentication as well as image authentication in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In this commit, implemented are a couple of helper functions which will be
used to materialize variable authentication as well as image authentication
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: add CONFIG_EFI_SECURE_BOOT config option 2020-04-16T06:12:46+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-04-14T02:51:38+00:00 9bf09b5120da6d21d9e7774d958b98116828f907 Under this configuration, UEFI secure boot support will be added in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
Under this configuration, UEFI secure boot support will be added
in later patches.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>