u-boot.git/lib/efi_loader, branch v2020.10-rc4 Unnamed repository; edit this file 'description' to name the repository. efi_loader: remove duplicate image size check 2020-09-06T19:21:41+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-27T15:54:53+00:00 578d7cc8fa11f938a110bfea769c1dd311af0d75 The image size is checked in efi_load_pe(). Avoid checking it twice. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
The image size is checked in efi_load_pe(). Avoid checking it twice.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: error message if image not authenticated 2020-09-06T19:21:41+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-27T15:51:32+00:00 0f7878b853bdc363a930381c42b709b7d24066b5 Currently if the bootefi command fails due to missing authentication, the user gets no feedback. Write a log message 'Image not authenticated' if LoadImage() fails due to missing authentication. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Currently if the bootefi command fails due to missing authentication, the
user gets no feedback.

Write a log message 'Image not authenticated' if LoadImage() fails due to
missing authentication.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: log function in image loader 2020-09-06T19:21:41+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-25T17:51:20+00:00 24586059d3818d812300c77257c5134ddd7e2935 Use log_err() for error messages. Replace debug() by EFI_PRINT(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Use log_err() for error messages.
Replace debug() by EFI_PRINT().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: validate device path length in boot manager 2020-08-24T14:37:53+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-23T08:59:17+00:00 15d8f008dc577bbef6ad98494c28553558941420 Bootxxxx variables are provided by the user and therefore cannot be trusted. We have to validate them before usage. A device path provided by a Bootxxxx variable must have an end node within the indicated device path length. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Bootxxxx variables are provided by the user and therefore cannot be
trusted. We have to validate them before usage.

A device path provided by a Bootxxxx variable must have an end node within
the indicated device path length.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: efi_dp_check_length() 2020-08-24T14:37:53+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-23T08:49:46+00:00 5cad4a30932a31f1646510d35af7e9e36f71708a We need to check that device paths provided via UEFI variables are not malformed. Provide function efi_dp_check_length() to check if a device path has an end node within a given number of bytes. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
We need to check that device paths provided via UEFI variables are not
malformed.

Provide function efi_dp_check_length() to check if a device path has an
end node within a given number of bytes.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: ResetSystem() should not hang 2020-08-24T14:37:53+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-22T06:29:53+00:00 f03a879d67261b587a88e8e475596c1bbe7e6111 If ResetSystem() is not implemented at runtime, it should return instead of hanging in an endless loop. This allows the operating system to reset the system by other means as Linux does. It also matches what EDK II suggests in comments for functions ResetShutdown() and ResetWarm() in OvmfPkg/Library/ResetSystemLib/ResetSystemLib.c. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
If ResetSystem() is not implemented at runtime, it should return instead
of hanging in an endless loop. This allows the operating system to reset
the system by other means as Linux does. It also matches what EDK II
suggests in comments for functions ResetShutdown() and ResetWarm() in
OvmfPkg/Library/ResetSystemLib/ResetSystemLib.c.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: signature: correct a behavior against multiple signatures 2020-08-14T10:28:25+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-08-14T05:39:23+00:00 52956e535e65c852b1f95d2ca5044cb7c4fc6bbe Under the current implementation, all the signatures, if any, in a signed image must be verified before loading it. Meanwhile, UEFI specification v2.8b section 32.5.3.3 says, Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”). Only one hash or signature is required to be present in db in order to pass validation, so long as neither the SHA-256 hash of the binary nor any present signature is reflected in dbx. This patch makes the semantics of signature verification compliant with the specification mentioned above. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Under the current implementation, all the signatures, if any, in
a signed image must be verified before loading it.

Meanwhile, UEFI specification v2.8b section 32.5.3.3 says,
    Multiple signatures are allowed to exist in the binary’s certificate
    table (as per PE/COFF Section “Attribute Certificate Table”). Only
    one hash or signature is required to be present in db in order to pass
    validation, so long as neither the SHA-256 hash of the binary nor any
    present signature is reflected in dbx.

This patch makes the semantics of signature verification compliant with
the specification mentioned above.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: variable: fix secure state initialization 2020-08-13T20:37:42+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-08-13T08:05:29+00:00 f68a6d583578799ec2011476ebd1e10590c6eb3c Under the new file-based variable implementation, the secure state is always and falsely set to 0 (hence, the secure boot gets disabled) after the reboot even if PK (and other signature database) has already been enrolled in the previous boot. This is because the secure state is set up *before* loading non-volatile variables' values from saved data. This patch fixes the order of variable initialization and secure state initialization. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Fixes: 5f7dcf079de8 ("efi_loader: UEFI variable persistence") 
Under the new file-based variable implementation, the secure state
is always and falsely set to 0 (hence, the secure boot gets disabled)
after the reboot even if PK (and other signature database) has already
been enrolled in the previous boot.

This is because the secure state is set up *before* loading non-volatile
variables' values from saved data.

This patch fixes the order of variable initialization and secure state
initialization.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Fixes: 5f7dcf079de8 ("efi_loader: UEFI variable persistence")
efi_loader: signature: rework for intermediate certificates support 2020-08-13T20:37:36+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-21T10:35:22+00:00 1115edd8462b047f83fcca4abcf89b68f2d87041 In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.

What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.

pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: variable: keep temporary buffer during the authentication 2020-08-13T20:37:36+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-08-12T00:37:50+00:00 0658bb29b026a6af434b9e0cdeced5d25bdd206f This is a bug fix; Setting an authenticated variable may fail due to a memory corruption in the authentication. A temporary buffer will, if needed, be allocated to parse a variable's authentication data, and some portion of buffer, specifically signer's certificates, will be referenced by efi_signature_verify(). So the buffer should be kept valid until the authentication process is finished. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
This is a bug fix; Setting an authenticated variable may fail due to
a memory corruption in the authentication.

A temporary buffer will, if needed, be allocated to parse a variable's
authentication data, and some portion of buffer, specifically signer's
certificates, will be referenced by efi_signature_verify().

So the buffer should be kept valid until the authentication process
is finished.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>