From 75fe571a4194ac26de7deffb2aa6db494596f58f Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 26 Nov 2019 09:51:05 +0900 Subject: include: pe.h: add signature-related definitions The index (IMAGE_DIRECTORY_ENTRY_SECURITY) in a table points to a region containing authentication information (image's signature) in PE format. WIN_CERTIFICATE structure defines an embedded signature format. Those definitions will be used in my UEFI secure boot patch. Signed-off-by: AKASHI Takahiro Reviewed-by: Heinrich Schuchardt --- include/pe.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'include') diff --git a/include/pe.h b/include/pe.h index bff3b0aa7a6..086f2b860e9 100644 --- a/include/pe.h +++ b/include/pe.h @@ -155,6 +155,8 @@ typedef struct _IMAGE_SECTION_HEADER { uint32_t Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; +/* Indices for Optional Header Data Directories */ +#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 typedef struct _IMAGE_BASE_RELOCATION @@ -252,4 +254,20 @@ typedef struct _IMAGE_RELOCATION #define IMAGE_REL_AMD64_PAIR 0x000F #define IMAGE_REL_AMD64_SSPAN32 0x0010 +/* certificate appended to PE image */ +typedef struct _WIN_CERTIFICATE { + uint32_t dwLength; + uint16_t wRevision; + uint16_t wCertificateType; + uint8_t bCertificate[]; +} WIN_CERTIFICATE, *LPWIN_CERTIFICATE; + +/* Definitions for the contents of the certs data block */ +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 +#define WIN_CERT_TYPE_EFI_OKCS115 0x0EF0 +#define WIN_CERT_TYPE_EFI_GUID 0x0EF1 + +#define WIN_CERT_REVISION_1_0 0x0100 +#define WIN_CERT_REVISION_2_0 0x0200 + #endif /* _PE_H */ -- cgit v1.2.3 From 7a597259d26f84a63350b6a1af5b29445e9d451b Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Thu, 28 Nov 2019 06:46:09 +0100 Subject: efi_loader: pass address to efi_install_fdt() As part of moving the parsing of command line arguments to do_bootefi() call efi_install_fdt() with the address of the device tree instead of a string. If the address is EFI_FDT_USE_INTERNAL (= 0), the internal device tree is used. Signed-off-by: Heinrich Schuchardt --- include/efi_loader.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include') diff --git a/include/efi_loader.h b/include/efi_loader.h index 16a1b258b17..3a220893298 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -34,6 +34,9 @@ static inline int guidcmp(const void *g1, const void *g2) EFI_GUID(0xbbe4e671, 0x5773, 0x4ea1, \ 0x9a, 0xab, 0x3a, 0x7d, 0xbf, 0x40, 0xc4, 0x82) +/* Use internal device tree when starting UEFI application */ +#define EFI_FDT_USE_INTERNAL 0UL + /* Root node */ extern efi_handle_t efi_root; -- cgit v1.2.3 From f9ceb6ac1443b824e94a9df9ec1dfb2bc742e451 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sat, 7 Dec 2019 20:51:06 +0100 Subject: efi_loader: carve out efi_run_image() Provide public function efi_run_imager() which can be used to run an UEFI image from memory. Signed-off-by: Heinrich Schuchardt --- include/efi_loader.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') diff --git a/include/efi_loader.h b/include/efi_loader.h index 3a220893298..1e1fe52bc0f 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -341,6 +341,8 @@ extern struct list_head efi_register_notify_events; /* Initialize efi execution environment */ efi_status_t efi_init_obj_list(void); +/* Run loaded UEFI image */ +efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); /* Initialize variable services */ efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ -- cgit v1.2.3 From f64f223256f32e86d97ec32eea7dc36d5e9c5fd9 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sun, 8 Dec 2019 01:07:01 +0100 Subject: efi_loader: export efi_install_fdt() Use a pointer to addressable memory instead of a "physical" address in the virtual address space of the sandbox to efi_install_fdt(). Export the efi_install_fdt() function. Signed-off-by: Heinrich Schuchardt --- include/efi_loader.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/efi_loader.h b/include/efi_loader.h index 1e1fe52bc0f..4d401f69d75 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -35,7 +35,7 @@ static inline int guidcmp(const void *g1, const void *g2) 0x9a, 0xab, 0x3a, 0x7d, 0xbf, 0x40, 0xc4, 0x82) /* Use internal device tree when starting UEFI application */ -#define EFI_FDT_USE_INTERNAL 0UL +#define EFI_FDT_USE_INTERNAL NULL /* Root node */ extern efi_handle_t efi_root; @@ -341,6 +341,8 @@ extern struct list_head efi_register_notify_events; /* Initialize efi execution environment */ efi_status_t efi_init_obj_list(void); +/* Install device tree */ +efi_status_t efi_install_fdt(void *fdt); /* Run loaded UEFI image */ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); /* Initialize variable services */ -- cgit v1.2.3 From 9b8d264b5af801a56e06aceab34dc74cb66121b1 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Tue, 24 Dec 2019 08:11:01 +0100 Subject: part: efi: comment for GPT_HEADER_SIGNATURE_UBOOT Add a comment indicating that the value of GPT_HEADER_SIGNATURE_UBOOT equals the ASCII string 'EFI PART'. Signed-off-by: Heinrich Schuchardt --- include/part_efi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/part_efi.h b/include/part_efi.h index eb5797af745..1929e4400f1 100644 --- a/include/part_efi.h +++ b/include/part_efi.h @@ -24,7 +24,7 @@ #define EFI_PMBR_OSTYPE_EFI 0xEF #define EFI_PMBR_OSTYPE_EFI_GPT 0xEE -#define GPT_HEADER_SIGNATURE_UBOOT 0x5452415020494645ULL +#define GPT_HEADER_SIGNATURE_UBOOT 0x5452415020494645ULL // 'EFI PART' #define GPT_HEADER_CHROMEOS_IGNORE 0x454d45524f4e4749ULL // 'IGNOREME' #define GPT_HEADER_REVISION_V1 0x00010000 -- cgit v1.2.3 From 61e42d9465ef36857693cc3db615438241a06bf6 Mon Sep 17 00:00:00 2001 From: Sughosh Ganu Date: Sun, 29 Dec 2019 00:01:04 +0530 Subject: efi_loader: Add guidcpy function Add guidcpy function to copy the source guid to the destination guid. Use this function instead of memcpy for copying to the destination guid. Signed-off-by: Sughosh Ganu Use void * instead of efi_guid_t * for arguments to allow copying unaligned GUIDs. The GUIDs of configuration tables are __packed. Signed-off-by: Heinrich Schuchardt --- include/efi_loader.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'include') diff --git a/include/efi_loader.h b/include/efi_loader.h index 4d401f69d75..e1c9b1fd6a9 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -17,6 +17,11 @@ static inline int guidcmp(const void *g1, const void *g2) return memcmp(g1, g2, sizeof(efi_guid_t)); } +static inline void *guidcpy(void *dst, const void *src) +{ + return memcpy(dst, src, sizeof(efi_guid_t)); +} + /* No need for efi loader support in SPL */ #if CONFIG_IS_ENABLED(EFI_LOADER) -- cgit v1.2.3 From 7b31efc54c3fba33d1305a0f9b730472bb0f63eb Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 3 Jan 2020 22:47:19 +0100 Subject: efi_loader: define all known warning status codes Of all warning status codes up to now only EFI_WARN_DELETE_FAILURE is defined. The patch adds the missing definitions for later usage. Signed-off-by: Heinrich Schuchardt --- include/efi.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/efi.h b/include/efi.h index 5f415a99cc9..e12697a5d5b 100644 --- a/include/efi.h +++ b/include/efi.h @@ -91,7 +91,13 @@ typedef struct { #define EFI_IP_ADDRESS_CONFLICT (EFI_ERROR_MASK | 34) #define EFI_HTTP_ERROR (EFI_ERROR_MASK | 35) -#define EFI_WARN_DELETE_FAILURE 2 +#define EFI_WARN_UNKNOWN_GLYPH 1 +#define EFI_WARN_DELETE_FAILURE 2 +#define EFI_WARN_WRITE_FAILURE 3 +#define EFI_WARN_BUFFER_TOO_SMALL 4 +#define EFI_WARN_STALE_DATA 5 +#define EFI_WARN_FILE_SYSTEM 6 +#define EFI_WARN_RESET_REQUIRED 7 typedef unsigned long efi_status_t; typedef u64 efi_physical_addr_t; -- cgit v1.2.3 From a031b03f6448fafba46d08f7a88fa33690d50858 Mon Sep 17 00:00:00 2001 From: Cristian Ciocaltea Date: Tue, 24 Dec 2019 18:05:38 +0200 Subject: image: Add IH_OS_EFI for EFI chain-load boot Add a new OS type to be used for chain-loading an EFI compatible firmware or boot loader like GRUB2, possibly in a verified boot scenario. Bellow is sample ITS file that generates a FIT image supporting secure boot. Please note the presence of 'os = "efi";' line, which identifies the currently introduced OS type: / { #address-cells = <1>; images { efi-grub { description = "GRUB EFI"; data = /incbin/("bootarm.efi"); type = "kernel_noload"; arch = "arm"; os = "efi"; compression = "none"; load = <0x0>; entry = <0x0>; hash-1 { algo = "sha256"; }; }; }; configurations { default = "config-grub"; config-grub { kernel = "efi-grub"; signature-1 { algo = "sha256,rsa2048"; sign-images = "kernel"; }; }; }; }; Signed-off-by: Cristian Ciocaltea Reviewed-by: Heinrich Schuchardt --- include/image.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/image.h b/include/image.h index f4d2aaf53e8..4a280b78e74 100644 --- a/include/image.h +++ b/include/image.h @@ -157,6 +157,7 @@ enum { IH_OS_ARM_TRUSTED_FIRMWARE, /* ARM Trusted Firmware */ IH_OS_TEE, /* Trusted Execution Environment */ IH_OS_OPENSBI, /* RISC-V OpenSBI */ + IH_OS_EFI, /* EFI Firmware (e.g. GRUB2) */ IH_OS_COUNT, }; -- cgit v1.2.3 From a2487684003b0bc380955e1a38cdd71da3ca4366 Mon Sep 17 00:00:00 2001 From: Sughosh Ganu Date: Sat, 28 Dec 2019 23:58:27 +0530 Subject: dm: rng: Add random number generator(rng) uclass Add a uclass for reading a random number seed from a random number generator device. Signed-off-by: Sughosh Ganu Reviewed-by: Patrice Chotard Reviewed-by: Heinrich Schuchardt Reviewed-by: Simon Glass --- include/dm/uclass-id.h | 1 + include/rng.h | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 include/rng.h (limited to 'include') diff --git a/include/dm/uclass-id.h b/include/dm/uclass-id.h index c1bab17ad11..67f5d673cb8 100644 --- a/include/dm/uclass-id.h +++ b/include/dm/uclass-id.h @@ -88,6 +88,7 @@ enum uclass_id { UCLASS_REGULATOR, /* Regulator device */ UCLASS_REMOTEPROC, /* Remote Processor device */ UCLASS_RESET, /* Reset controller device */ + UCLASS_RNG, /* Random Number Generator */ UCLASS_RTC, /* Real time clock device */ UCLASS_SCSI, /* SCSI device */ UCLASS_SERIAL, /* Serial UART */ diff --git a/include/rng.h b/include/rng.h new file mode 100644 index 00000000000..d2c0f9af62c --- /dev/null +++ b/include/rng.h @@ -0,0 +1,33 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2019, Linaro Limited + */ + +#if !defined _RNG_H_ +#define _RNG_H_ + +struct udevice; + +/** + * dm_rng_read() - read a random number seed from the rng device + * @buffer: input buffer to put the read random seed into + * @size: number of bytes of random seed read + * + * Return: 0 if OK, -ve on error + */ +int dm_rng_read(struct udevice *dev, void *buffer, size_t size); + +/* struct dm_rng_ops - Operations for the hwrng uclass */ +struct dm_rng_ops { + /** + * @read() - read a random number seed + * + * @data: input buffer to read the random seed + * @max: total number of bytes to read + * + * Return: 0 if OK, -ve on error + */ + int (*read)(struct udevice *dev, void *data, size_t max); +}; + +#endif /* _RNG_H_ */ -- cgit v1.2.3 From 03018ea8fd09b3dffb63830e5c0e445de42f572a Mon Sep 17 00:00:00 2001 From: Sughosh Ganu Date: Sun, 29 Dec 2019 15:30:14 +0530 Subject: virtio: rng: Add a random number generator(rng) driver Add a driver for the virtio-rng device on the qemu platform. The device uses pci as a transport medium. The driver can be enabled with the following configs CONFIG_VIRTIO CONFIG_DM_RNG CONFIG_VIRTIO_PCI CONFIG_VIRTIO_RNG Signed-off-by: Sughosh Ganu --- include/virtio.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/virtio.h b/include/virtio.h index 654fdf154b6..561dcc34baf 100644 --- a/include/virtio.h +++ b/include/virtio.h @@ -22,10 +22,12 @@ #define VIRTIO_ID_NET 1 /* virtio net */ #define VIRTIO_ID_BLOCK 2 /* virtio block */ -#define VIRTIO_ID_MAX_NUM 3 +#define VIRTIO_ID_RNG 4 /* virtio rng */ +#define VIRTIO_ID_MAX_NUM 5 #define VIRTIO_NET_DRV_NAME "virtio-net" #define VIRTIO_BLK_DRV_NAME "virtio-blk" +#define VIRTIO_RNG_DRV_NAME "virtio-rng" /* Status byte for guest to report progress, and synchronize features */ -- cgit v1.2.3 From f552fa496c9e738afa069dd33578558fe4eb41ee Mon Sep 17 00:00:00 2001 From: Sughosh Ganu Date: Sun, 29 Dec 2019 00:01:05 +0530 Subject: efi: qemu: arm64: Add efi_rng_protocol implementation for the platform Add support for the EFI_RNG_PROTOCOL routines for the qemu arm64 platform. EFI_RNG_PROTOCOL is an uefi boottime service which is invoked by the efi stub in the kernel for getting random seed for kaslr. The routines are platform specific, and use the virtio-rng device on the platform to get random data. The feature can be enabled through the following config CONFIG_EFI_RNG_PROTOCOL Signed-off-by: Sughosh Ganu Changed SPDX header to use /* instead of //. Reviewed-by: Heinrich Schuchardt --- include/efi_rng.h | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 include/efi_rng.h (limited to 'include') diff --git a/include/efi_rng.h b/include/efi_rng.h new file mode 100644 index 00000000000..35f59678c7a --- /dev/null +++ b/include/efi_rng.h @@ -0,0 +1,32 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2019, Linaro Limited + */ + +#if !defined _EFI_RNG_H_ +#define _EFI_RNG_H_ + +#include +#include + +/* EFI random number generation protocol related GUID definitions */ +#define EFI_RNG_PROTOCOL_GUID \ + EFI_GUID(0x3152bca5, 0xeade, 0x433d, 0x86, 0x2e, \ + 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44) + +#define EFI_RNG_ALGORITHM_RAW \ + EFI_GUID(0xe43176d7, 0xb6e8, 0x4827, 0xb7, 0x84, \ + 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61) + +struct efi_rng_protocol { + efi_status_t (EFIAPI *get_info)(struct efi_rng_protocol *protocol, + efi_uintn_t *rng_algorithm_list_size, + efi_guid_t *rng_algorithm_list); + efi_status_t (EFIAPI *get_rng)(struct efi_rng_protocol *protocol, + efi_guid_t *rng_algorithm, + efi_uintn_t rng_value_length, uint8_t *rng_value); +}; + +efi_status_t platform_get_rng_device(struct udevice **dev); + +#endif /* _EFI_RNG_H_ */ -- cgit v1.2.3 From 33c37d9784168ac75be91e890329712d9a849539 Mon Sep 17 00:00:00 2001 From: Sughosh Ganu Date: Sun, 29 Dec 2019 00:01:06 +0530 Subject: efi_rng_protocol: Install the efi_rng_protocol on the root node Install the EFI_RNG_PROTOCOL implementation for it's subsequent use by the kernel for features like kaslr. Signed-off-by: Sughosh Ganu Reviewed-by: Heinrich Schuchardt --- include/efi_loader.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'include') diff --git a/include/efi_loader.h b/include/efi_loader.h index e1c9b1fd6a9..d4c59b54c48 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -133,6 +133,7 @@ extern const struct efi_hii_config_routing_protocol efi_hii_config_routing; extern const struct efi_hii_config_access_protocol efi_hii_config_access; extern const struct efi_hii_database_protocol efi_hii_database; extern const struct efi_hii_string_protocol efi_hii_string; +extern const struct efi_rng_protocol efi_rng_protocol; uint16_t *efi_dp_str(struct efi_device_path *dp); @@ -178,6 +179,9 @@ extern const efi_guid_t efi_guid_hii_config_access_protocol; extern const efi_guid_t efi_guid_hii_database_protocol; extern const efi_guid_t efi_guid_hii_string_protocol; +/* GUID of RNG protocol */ +extern const efi_guid_t efi_guid_rng_protocol; + extern unsigned int __efi_runtime_start, __efi_runtime_stop; extern unsigned int __efi_runtime_rel_start, __efi_runtime_rel_stop; -- cgit v1.2.3