| Age | Commit message (Collapse) | Author |
|
Update the LZ4 compression module based on LZ4 v1.8.3 in order to
use the newest LZ4_decompress_safe_partial() which can now decode
exactly the nb of bytes requested.
Signed-off-by: Huang Jianan <[email protected]>
|
|
InstallProtocolInterface() is called with a pointer to the protocol GUID.
There is not guarantee that the memory used by the caller for the protocol
GUID stays allocated. To play it safe the GUID should be copied to U-Boot's
internal structures.
Reported-by: Joerie de Gram <[email protected]>
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new()
EVP_MD_CTX_destroy() is EVP_MD_CTX_free()
EVP_MD_CTX_init() is EVP_MD_CTX_reset()
As there's no need to reset a newly created EVP_MD_CTX, moreover
EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init()
can be dropped.
As there's no need to reset an EVP_MD_CTX before it's destroyed,
as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset()
is not needed and can be dropped.
Signed-off-by: Yann Droneaud <[email protected]>
|
|
UEFI specification requires that 5 minutes watchdog timer is
armed before the firmware's boot manager invokes an EFI boot option.
This watchdog timer is updated as follows, according to the
UEFI specification.
1) The EFI Image may reset or disable the watchdog timer as needed.
2) If control is returned to the firmware's boot manager,
the watchdog timer must be disabled.
3) On successful completion of EFI_BOOT_SERVICES.ExitBootServices()
the watchdog timer is disabled.
1) is up to the EFI image, and 3) is already implemented in U-Boot.
This patch implements 2), the watchdog is disabled when control is
returned to U-Boot.
In addition, current implementation arms the EFI watchdog at only
the first "bootefi" invocation. The EFI watchdog must be armed
in every EFI boot option invocation.
Signed-off-by: Masahisa Kojima <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
Add a cold reset soon after processing capsule update on disk.
This is required in UEFI specification 2.9 Section 8.5.5
"Delivery of Capsules via file on Mass Storage device" as;
In all cases that a capsule is identified for processing the system is
restarted after capsule processing is completed.
This also reports the result of each capsule update so that the user can
notice that the capsule update has been succeeded or not from console log.
Signed-off-by: Masami Hiramatsu <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
Since the efi_update_capsule() represents the UpdateCapsule() runtime
service, it has to handle the capsule flags and update ESRT. However
the capsule-on-disk doesn't need to care about such things.
Thus, the capsule-on-disk should use the efi_capsule_update_firmware()
directly instead of calling efi_update_capsule().
This means the roles of the efi_update_capsule() and capsule-on-disk
are different. We have to keep the efi_update_capsule() for providing
runtime service API at boot time.
Suggested-by: AKASHI Takahiro <[email protected]>
Signed-off-by: Masami Hiramatsu <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
The general rule of accepting or rejecting an image is
1. Is the sha256 of the image in dbx
2. Is the image signed with a certificate that's found in db and
not in dbx
3. The image carries a cert which is signed by a cert in db (and
not in dbx) and the image can be verified against the former
4. Is the sha256 of the image in db
For example SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher",
which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in it's
turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root".
The latter is a self-signed CA certificate and with our current implementation
allows shim to execute if we insert it in db.
However it's the CA cert in the middle of the chain which usually ends up
in the system's db. pkcs7_verify_one() might or might not return the root
certificate for a given chain. But when verifying executables in UEFI, the
trust anchor can be in the middle of the chain, as long as that certificate
is present in db. Currently we only allow this check on self-signed
certificates, so let's remove that check and allow all certs to try a
match an entry in db.
Open questions:
- Does this break any aspect of variable authentication since
efi_signature_verify() is used on those as well?
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
The EFI spec allows for images to carry multiple signatures. Currently
we don't adhere to the verification process for such images.
The spec says:
"Multiple signatures are allowed to exist in the binary's certificate
table (as per PE/COFF Section "Attribute Certificate Table"). Only one
hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx."
With our current implementation signing the image with two certificates
and inserting both of them in db and one of them dbx doesn't always reject
the image. The rejection depends on the order that the image was signed
and the order the certificates are read (and checked) in db.
While at it move the sha256 hash verification outside the signature
checking loop, since it only needs to run once per image and get simplify
the logic for authenticating an unsigned imahe using sha256 hashes.
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
MCFG tables are used on multiple arches. Move to common ACPI lib.
Cc: Simon Glass <[email protected]>
Signed-off-by: Moritz Fischer <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Use sizeof(*mcfg) instead of sizeof(*header)
Signed-off-by: Simon Glass <[email protected]>
|
|
When we have the block descriptor we can simply access the device. Drop
the unnecessary function call.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
Use this function rather than following the pointers, since it is there
for this purpose.
Add the uclass name to the debug call at the end of dp_fill() since it is
quite useful.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
When loading an EFI binary via the UART we assign a UART device path to it.
But we lack a handle with that device path.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
The UEFI specification concerning Uart() device path nodes has been
clarified:
Parity and stop bits can either both use keywords or both use
numbers but numbers and keywords should not be mixed.
Let's go for keywords as this is what EDK II does. For illegal
values fall back to numbers.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
For printing an unsigned value we should use %u and not %d.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
efi_uintnt_t is an unsigned type. We should avoid showing negative numbers.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
The printing of a file path node must properly handle:
* odd length of the device path node
* UTF-16 character only partially contained in device path node
* buffer overflow due to very long file path
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
snprintf() must return the required buffer length.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
The test for the RISCV_EFI_BOOT_PROTOCOL retrieves the boot hart id via the
protocol and compares it to the value of the boot hart id in the device
tree. The boot hart id is already retrieved from the device tree in the FDT
test.
Merge the two tests to avoid code duplication.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Add a test for the RISCV_EFI_BOOT_PROTOCOL.
Signed-off-by: Sunil V L <[email protected]>
|
|
At present we use wide characters for Unicode but this is not necessary.
Change the code to use the 'u' literal instead. This helps to fix build
warnings for sandbox on the Raspberry Pi.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
At present we use wide characters for unicode but this is not necessary.
Change the code to use the 'u' literal instead. This helps to fix build
warnings for sandbox on rpi.
Signed-off-by: Simon Glass <[email protected]>
Suggested-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2022-04-rc1-3
Documentation:
* update Nokia RX-51 documentation and move it to rst
* describe boot switch settings for HiFive Unmatched board
UEFI:
* fix the checking of images hashes and signatures
* provide the RISCV_EFI_BOOT_PROTOCOL
|
|
We don't have to recalculate the image hash every time we check against a
new db/dbx entry. So let's add a flag forcing it to run once since we only
support sha256 hashes
Suggested-by: Heinrich Schuchardt <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
A mix of signatures and hashes in db doesn't always work as intended.
Currently if the digest algorithm is not explicitly set to sha256 we
stop walking the security database and reject the image.
That's problematic in case we find and try to check a signature before
inspecting the sha256 hash. If the image is unsigned we will reject it
even if the digest matches.
Since we no longer reject the image on unknown algorithms add an explicit
check and reject the image if any other hash algorithm apart from sha256
is detected on dbx.
Suggested-by: Heinrich Schuchardt <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
On RISC-V a new UEFI protocol has been introduced. Support printing
its GUID using %pUs.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
This adds support for new RISCV_EFI_BOOT_PROTOCOL to
communicate the boot hart ID to bootloader/kernel on RISC-V
UEFI platforms.
The specification of the protocol is hosted at:
https://github.com/riscv-non-isa/riscv-uefi
Signed-off-by: Sunil V L <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
Replace @return and @param.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.
Add test case in vboot for sha384 with rsa3072 algorithm testing.
Signed-off-by: Jamin Lin <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
https://source.denx.de/u-boot/custodians/u-boot-dm
acpi refactoring to allow non-x86 use
binman support for bintools (binary tools)
minor tools improvements in preparation for FDT signing
various minor fixes and improvements
|
|
It is currenly only used from usbtty driver but make it properly
selectable via Kconfig symbol, for future usage.
Signed-off-by: Loic Poulain <[email protected]>
|
|
It is useful to know where the verification data was written. Update the
API to return this.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add some more debugging to make it easier to see what is being tried and
what fails. Fix a few comment styles while here.
Signed-off-by: Simon Glass <[email protected]>
|
|
At present this list is used to collect items within the DSDT and SSDT
tables. It is useful for it to collect the whole tables as well, so there
is a list of what was created and which write created each one.
Refactor the code accordingly.
Signed-off-by: Simon Glass <[email protected]>
|
|
Move this over to use a writer file, moving the code from the x86
implementation.
There is no need to store a separate variable since we can simply access
the ACPI context.
With this, the original monolithic x86 function for writing ACPI tables
is gone.
Note that QEMU has its own implementation.
Signed-off-by: Simon Glass <[email protected]>
|
|
Move this over to use a writer function, moving the code from the x86
implementation.
Signed-off-by: Simon Glass <[email protected]>
|
|
Update this function to the newer style, so we can avoid passing and
returning an address through this function.
Also move this function out of the x86 code so it can be used by other
archs.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
|
|
Move this table over to use a writer function, moving the code from the
x86 implementation.
Signed-off-by: Simon Glass <[email protected]>
|
|
Move this table over to use a writer function, moving the code from the
x86 implementation.
Signed-off-by: Simon Glass <[email protected]>
|
|
Move this table over to use a writer function, moving the code from the
x86 implementation.
Add a pointer to the DSDT in struct acpi_ctx so we can reference it later.
Disable this table for sandbox since we don't actually compile real ASL
code.
Signed-off-by: Simon Glass <[email protected]>
|
|
Move this table over to use a writer function, moving the code from the
x86 implementation.
Add a pointer to the DSDT in struct acpi_ctx so we can reference it later.
Signed-off-by: Simon Glass <[email protected]>
|
|
Use the new ACPI writer to write the base tables at the start of the area,
moving this code from the x86 implementation.
Signed-off-by: Simon Glass <[email protected]>
|
|
Use the new ACPI writer to write the ACPI tables. At present this is all
done in one monolithic function. Future work will split this out.
Unfortunately the QFW write_acpi_tables() function conflicts with the
'writer' version, so disable that for sandbox.
Signed-off-by: Simon Glass <[email protected]>
|
|
At present acpi_setup_base_tables() both sets up the ACPI context and
writes out the base tables.
We want to use an ACPI writer to write the base tables, so split this
function into two, with acpi_setup_ctx() doing the context set, and
acpi_setup_base_tables() just doing the base tables.
Disable the writer's write_acpi_tables() function for now, to avoid
build errors. It is enabled in a following patch.
Signed-off-by: Simon Glass <[email protected]>
|
|
At present we call lots of functions to generate the required ACPI tables.
It would be better to standardise these functions and allow them to be
automatically collected and used when needed.
Add a linker list to handle this.
Signed-off-by: Simon Glass <[email protected]>
|
|
Rather than keying everything off ACPIGEN, use the main
GENERATE_ACPI_TABLE option to determine whether the core ACPI code
is included. Make sure these option are not enabled in SPL/TPL since we
never generate tables there.
Signed-off-by: Simon Glass <[email protected]>
|
|
The current EFI implementation confuses pointers and addresses. Normally
we can get away with this but in the case of sandbox it causes failures.
Despite the fact that efi_allocate_pages() returns a u64, it is actually
a pointer, not an address. Add special handling to avoid a crash when
running 'bootefi hello'.
Signed-off-by: Simon Glass <[email protected]>
|
|
This must be passed a ulong, not a u64. Fix it to avoid LTO warnings on
sandbox.
Signed-off-by: Simon Glass <[email protected]>
|
|
Allow this to be used on any arch. Also convert to using macros so that
we can check the CONFIG option in C code.
Signed-off-by: Simon Glass <[email protected]>
|
|
These have sadly found their way to ARM now. Allow any arch to support
generating ACPI tables.
Disable this for the tools build.
Signed-off-by: Simon Glass <[email protected]>
|
|
https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2022-04-rc1-2
Documentation:
* describe printf() format codes
UEFI
* enable more algorithms for UEFI image verification, e.g. SHA256-RSA2048
General
* simplify printing short texts for GUIDs
* provide a unit test for printing GUIDs
|