| Age | Commit message (Collapse) | Author |
|---|
|
Persist non-volatile UEFI variables in a file on the EFI system partition.
The file is written whenever a non-volatile UEFI variable is changed after
initialization of the UEFI sub-system.
The file is read during the UEFI sub-system initialization to restore
non-volatile UEFI variables.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
In audit mode the UEFI variable SecureBoot is set to zero but the
efi_secure_boot flag is set to true.
The efi_secure_boot flag should match the UEFIvariable SecureBoot.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Set the read only property of the UEFI variables AuditMode and DeployedMode
conforming to the UEFI specification.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
According to the UEFI specification the variable VendorKeys is 1 if the
"system is configured to use only vendor-provided keys".
As we do not supply any vendor keys yet the variable VendorKeys must be
zero.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Do not change the value of parameter attributes in function
efi_set_variable_int(). This allows to use it later.
Do not use variable attr for different purposes but declare separate
variables (attr and old_attr).
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Simplify the implementation of the UEFI boot manager:
* avoid EFI_CALL for SetVariable() and GetVariable()
* remove unnecessary type conversions
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
UEFI variables OsIndicationsSupported, PlatformLangCodes should be read
only.
Avoid EFI_CALL() for SetVariable().
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Separate the remaining UEFI variable API functions GetNextVariableName and
QueryVariableInfo() from internal functions implementing them.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
We currently have two implementations of UEFI variables:
* variables provided via an OP-TEE module
* variables stored in the U-Boot environment
Read only variables are up to now only implemented in the U-Boot
environment implementation.
Provide a common interface for both implementations that allows handling
read-only variables.
As variable access is limited to very few source files put variable
related definitions into new include efi_variable.h instead of efi_loader.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Avoid a possible NULL pointer dereference in efi_convert_pointer().
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Don't call calloc(0, ..).
Consider return value of efi_get_child_controllers().
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Commit 1b6c08548c85 ("efi_loader: image_loader: replace debug to
EFI_PRINT") leads to a build warning on 32bit systems:
lib/efi_loader/efi_image_loader.c: In function ‘efi_image_parse’:
include/efi_loader.h:123:8: warning: format ‘%lu’ expects argument
of type ‘long unsigned int’, but argument 8 has
type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
Use %zu for printing size_t.
Fixes: 1b6c08548c85 ("efi_loader: image_loader: replace debug to
EFI_PRINT")
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
There's 2 variables in efi_get_next_variable_name() checking the size of
the variable name. Let's get rid of the reduntant definition and
simplitfy the code a bit.
Signed-off-by: Ilias Apalodimas <[email protected]>
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
This function will be used to implement public_key_verify_signature()
in a later patch. rsa_verify() is not suitable here because calculation
of message digest is not necessary.
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
In case that a type of certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of image to be loaded.
If the value matches to a value calculated from a given binary image, it is
granted for loading.
With this patch, common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
extra step for digest check will be added to efi_image_authenticate().
Signed-off-by: AKASHI Takahiro <[email protected]>
|
|
A signed image may have multiple signatures in
- each WIN_CERTIFICATE in authenticode, and/or
- each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE)
In the initial implementation of efi_image_authenticate(), the criteria
of verification check for multiple signatures case is a bit ambiguous
and it may cause inconsistent result.
With this patch, we will make sure that verification check in
efi_image_authenticate() should pass against all the signatures.
The only exception would be
- the case where a digest algorithm used in signature is not supported by
U-Boot, or
- the case where parsing some portion of authenticode has failed
In those cases, we don't know how the signature be handled and should
just ignore them.
Please note that, due to this change, efi_signature_verify_with_sigdb()'s
function prototype will be modified, taking "dbx" as well as "db"
instead of outputing a "certificate." If "dbx" is null, the behavior would
be the exact same as before.
The function's name will be changed to efi_signature_verify() once
current efi_signature_verify() has gone due to further improvement
in intermediate certificates support.
Signed-off-by: AKASHI Takahiro <[email protected]>
|
|
There are a couple of occurrences of hash calculations in which a new
efi_hash_regions will be commonly used.
Signed-off-by: AKASHI Takahiro <[email protected]>
|
|
Since the size check against an entry in efi_search_siglist() is
incorrect, this function will never find out a to-be-matched certificate
and its associated revocation time in the signature list.
Signed-off-by: AKASHI Takahiro <[email protected]>
|
|
Since the certificate table, which is indexed by
IMAGE_DIRECTORY_ENTRY_SECURITY and contains authenticode in PE image,
doesn't always exist, we should make sure that we will retrieve its pointer
only if it exists.
Signed-off-by: AKASHI Takahiro <[email protected]>
|
|
UEFI specification requires that we shall support three type of
certificates of authenticode in PE image:
WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID
WIN_CERT_TYPE_PKCS_SIGNED_DATA
WIN_CERT_TYPE_EFI_PKCS1_15
As EDK2 does, we will support the first two that are pkcs7 SignedData.
Signed-off-by: AKASHI Takahiro <[email protected]>
|
|
Move ADDR_MAP related config options from include/configs/*.h to the
proper place in lib/Kconfig. This has been done using
./tools/moveconfig.py and manual inspection of the generated changes.
This is a preparation to use ADDR_MAP helper on ARM 32bit Raspberry Pi4
board for mapping the PCIe XHCI MMIO, which is above the 4GiB identity
mapping limit.
Signed-off-by: Marek Szyprowski <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
rsa_verify() expects a memory region and wants to do the hashing itself,
but there may be cases where the hashing is done via other means,
like hashing a squashfs rootfs.
So add rsa_verify_hash() to allow verifiying a signature against
an existing hash. As this entails the same verification routines
we can just move the relevant code over from rsa_verify() and also
call rsa_verify_hash() from there.
Signed-off-by: Heiko Stuebner <[email protected]>
|
|
This is defined only when __lp64__ is defined. That means that ulong is
64 bits long. Therefore we don't need to use a separate u64 type on those
architectures.
Fix up the code to take advantage of that, removing the preprocessor
conditions.
Also include the missing header file that defines MEM_SUPPORT_64BIT_DATA
Fixes: 09140113108 ("command: Remove the cmd_tbl_t typedef")
Signed-off-by: Simon Glass <[email protected]>
|
|
Define this macro always so we don't need the preprocessor to check it.
Convert the users to #if instead of #ifdef.
Note that '#if MEM_SUPPORT_64BIT_DATA' does not give an error if the
macro is not define. It just assumes zero.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Stefan Roese <[email protected]>
|
|
padding_pss_verify only works with the default pss salt setting of -2
(length to be automatically determined based on the PSS block structure)
not -1 (salt length set to the maximum permissible value), which makes
verifications of signatures with that saltlen fail.
Until this gets implemented at least document this behaviour.
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
n, rr and rrtmp are used for internal calculations, but in the end
the results are copied into separately allocated elements of the
actual key_prop, so the n, rr and rrtmp elements are not used anymore
when returning from the function and should of course be freed.
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
When calculating rrtmp/rr rsa_gen_key_prop() tries to make
(((rlen + 31) >> 5) + 1) steps in the rr uint32_t array and
(((rlen + 7) >> 3) + 1) / 4 steps in uint32_t rrtmp[]
with rlen being num_bits * 2
On a 4096bit key this comes down to to 257 uint32_t elements
in rr and 256 elements in rrtmp but with the current allocation
rr and rrtmp only have 129 uint32_t elements.
On 2048bit keys this works by chance as the defined max_rsa_size=4096
allocates a suitable number of elements, but with an actual 4096bit key
this results in other memory parts getting overwritten.
So as suggested by Heinrich Schuchardt just use the actual bit-size
of the key as base for the size calculation, in turn making the code
compatible to any future keysizes.
Suggested-by: Heinrich Schuchardt <[email protected]>
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
rrtmp needs 2 + (((*prop)->num_bits * 2) >> 5) array elements.
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
The exponent field of struct key_prop gets allocated an uint64_t,
and the contents are positioned from the back, so an exponent of
"0x01 0x00 0x01" becomes 0x0 0x0 0x0 0x0 0x0 0x1 0x0 0x1"
Right now rsa_gen_key_prop() allocates a uint64_t but sets exp_len
to the size returned from the parser, while on the other hand the
when getting the key from the devicetree exp_len always gets set to
sizeof(uint64_t).
So bring that in line with the established code.
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Right now in multiple places there are only checks for the full
CONFIG_RSA_VERIFY_WITH_PKEY option, not split into main,spl,tpl variants.
This breaks when the rsa functions get enabled for SPL, for example to
verify u-boot proper from spl.
So fix this by using the existing helpers to distinguis between
build-steps.
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
While the SPL may want to do signature checking this won't be
the case for TPL in all cases, as TPL is mostly used when the
amount of initial memory is not enough for a full SPL.
So on a system where SPL uses DM but TPL does not we currently
end up with a TPL compile error of:
lib/rsa/rsa-verify.c:48:25: error: dereferencing pointer to incomplete type ‘struct checksum_algo’
To prevent that change the $(SPL_) to $(SPL_TPL_) to distinguish
between both. If someone really needs FIT signature checking in
TPL as well, a new TPL_RSA_VERIFY config symbol needs to be added.
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Philipp Tomsich <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add support for TPM2 GetRandom command
Signed-off-by: Dhananjay Phadke <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
On ARM systems gd is stored in register r9 or x18. When compiling with
clang gd is defined as a macro calling function gd_ptr(). So we can not
make assignments to gd.
Use function set_gd() for setting the register on ARM.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
https://gitlab.denx.de/u-boot/custodians/u-boot-efi into next
Pull request for UEFI sub-system for efi-2020-10-rc1
This series comprises error corrections for the UEFI subsystem:
* correct consideration of timestamps for variable authentication
* correct collection of data regions for code authentication
* correct unit tests to test loading dbx
* enable FAT_WRITE as required by the UEFI spec
The boot manager uses log functions instead of printf() and debug().
The UEFI intialization state is exported.
|
|
- Resync Kconfiglib with the v14.1.0 release.
- Re-sync our <linux/compiler*h> files with v5.7-rc5 from upstream.
- Fully resync checkpatch.pl with v5.7 release.
To safely to all of the above, we have a few bugfixes about functions
that need a 'static inline' but weren't. We also stop setting
CROSS_COMPILE in arch/*/config.mk. Finally, with the above changes
boards can now opt-in to optimizing inlining and we do this for the
socfpga stratix10 platform for space savings.
|
|
The UEFI spec requires support for the FAT file system.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Export the UEFI sub-system initialization state. This will allow to treat
the setting of UEFI variables during and after initialization differently.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Don't call rtc_mktime() twice with the same argument in
efi_variable_authenticate().
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
When booting via the boot manager use log function for user messages
instead of printf() and debug().
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
When overwriting an existing time base authenticated variable we should
compare to the preceding time value and not to the start of the epoch.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
The UEFI specification requires that when UEFI variables are set using time
based authentication we have to check that unused fields of the timestamp
are zero
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Use start and end address consistently as half-open interval.
Simplify the code.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Just for style consistency, replace all the uses of debug() to
EFI_PRINT() in efi_image_loader.c.
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
Just for style consistency, replace all the uses of debug() to
EFI_PRINT in efi_variable.c.
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
Just for style consistency, replace all the uses of debug to
EFI_PRINT in efi_signature.c
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
The simplest solution to revert the commit b32ac16f9a32 ("test/py: fix
test_efi_secboot/conftest.py") is to move efi_console_register()
forward before efi_disk_register().
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed by: Heinrich Schuchardt <[email protected]>
|
|
Copy these from Linux v5.7-rc5 tag.
This brings in some handy new attributes and is otherwise important to
keep in sync.
We drop the reference to smp_read_barrier_depends() as it is not
relevant on the architectures we support at this time, based on where
it's implemented in Linux today. We drop the call to kasan_check_read()
as that is not relevant to U-Boot as well.
Cc: Masahiro Yamada <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
|
|
This could give a confusing error message if it failed and didn't set
errno.
Signed-off-by: Sean Anderson <[email protected]>
Reviewed-by: Bin Meng <[email protected]>
|
|
https://gitlab.denx.de/u-boot/custodians/u-boot-mips into next
- net: pcnet: cleanup and add DM support
- Makefile: add rule to build an endian-swapped U-Boot image
used by MIPS Malta EL variants
- CI: add Qemu tests for MIPS Malta
|
|
efi_get_variable_common() does not use EFI_ENTRY(). So we should not use
EFI_EXIT() either.
Fixes: 767f6eeb01d3 ("efi_loader: variable: support variable authentication")
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
The variables SetupMode, AuditMode, DeployedMode are explicitly defined as
UINT8 in the UEFI specification. The type of SecureBoot is UINT8 in EDK2.
Use variable name secure_boot instead of sec_boot for the value of the
UEFI variable SecureBoot.
Avoid abbreviations in function descriptions.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
