From 73c9a352705a29e3af6ea08c7075efeb12980f1d Mon Sep 17 00:00:00 2001 From: Adriano Cordova Date: Wed, 19 Mar 2025 11:44:59 -0300 Subject: efi_loader: efi_load_initrd: provide a memory mapped initrd U-Boot can pass an initrd to subsequent boot stages via the EFI_LOAD_FILE2_PROTOCOL. The current implementation only supports this functionality via the efi boot manager: the initrd is taken from the load options of the BootCurrent variable. This commit adds support for registering a memory mapped initrd, e.g. loaded from a FIT image. For now this new method takes precedence over loading the initrd from the BootCurrent variable (if both are present) because the BootCurrent variable is not cleared on exiting the boot manager. Signed-off-by: Adriano Cordova Reviewed-by: Ilias Apalodimas --- include/efi_loader.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/efi_loader.h b/include/efi_loader.h index 5f769786786..72bee60abaf 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -667,7 +667,7 @@ efi_status_t efi_http_register(const efi_handle_t handle, struct efi_service_binding_protocol *http_service_binding); /* Called by bootefi to make the watchdog available */ efi_status_t efi_watchdog_register(void); -efi_status_t efi_initrd_register(void); +efi_status_t efi_initrd_register(struct efi_device_path *dp_initrd); efi_status_t efi_initrd_deregister(void); /* Called by bootefi to make SMBIOS tables available */ /** -- cgit v1.3.1 From 36835a9105cf14a72556731e54300f8225190b17 Mon Sep 17 00:00:00 2001 From: Adriano Cordova Date: Wed, 19 Mar 2025 11:45:00 -0300 Subject: efi_loader: binary_run: register an initrd Add support to install an initrd when running an EFI binary with efi_binary_run Signed-off-by: Adriano Cordova Acked-by: Ilias Apalodimas --- boot/bootm_os.c | 3 ++- cmd/bootefi.c | 2 +- include/efi_loader.h | 2 +- lib/efi_loader/efi_bootbin.c | 20 +++++++++++++++++--- 4 files changed, 21 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/boot/bootm_os.c b/boot/bootm_os.c index e9522cd3299..f403f352be1 100644 --- a/boot/bootm_os.c +++ b/boot/bootm_os.c @@ -507,7 +507,8 @@ static int do_bootm_efi(int flag, struct bootm_info *bmi) ret = efi_binary_run(image_buf, images->os.image_len, images->ft_len - ? images->ft_addr : EFI_FDT_USE_INTERNAL); + ? images->ft_addr : EFI_FDT_USE_INTERNAL, + NULL, 0); return ret; } diff --git a/cmd/bootefi.c b/cmd/bootefi.c index c1454ffb948..dce8285b047 100644 --- a/cmd/bootefi.c +++ b/cmd/bootefi.c @@ -211,7 +211,7 @@ static int do_bootefi(struct cmd_tbl *cmdtp, int flag, int argc, } } - ret = efi_binary_run(image_buf, size, fdt); + ret = efi_binary_run(image_buf, size, fdt, NULL, 0); if (ret != EFI_SUCCESS) return CMD_RET_FAILURE; diff --git a/include/efi_loader.h b/include/efi_loader.h index 72bee60abaf..144b749278a 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -600,7 +600,7 @@ efi_status_t efi_install_fdt(void *fdt); /* Execute loaded UEFI image */ efi_status_t do_bootefi_exec(efi_handle_t handle, void *load_options); /* Run loaded UEFI image with given fdt */ -efi_status_t efi_binary_run(void *image, size_t size, void *fdt); +efi_status_t efi_binary_run(void *image, size_t size, void *fdt, void *initrd, size_t initrd_sz); /** * efi_bootflow_run() - Run a bootflow containing an EFI application diff --git a/lib/efi_loader/efi_bootbin.c b/lib/efi_loader/efi_bootbin.c index deafb2ce1c2..2cf972343a4 100644 --- a/lib/efi_loader/efi_bootbin.c +++ b/lib/efi_loader/efi_bootbin.c @@ -204,6 +204,8 @@ out: * @image: memory address of the UEFI image * @size: size of the UEFI image * @fdt: device-tree + * @initrd: initrd + * @initrd_sz: initrd size * @dp_dev: EFI device-path * @dp_img: EFI image-path * @@ -213,10 +215,12 @@ out: * Return: status code */ static efi_status_t efi_binary_run_dp(void *image, size_t size, void *fdt, + void *initrd, size_t initd_sz, struct efi_device_path *dp_dev, struct efi_device_path *dp_img) { efi_status_t ret; + struct efi_device_path *dp_initrd; /* Initialize EFI drivers */ ret = efi_init_obj_list(); @@ -230,6 +234,14 @@ static efi_status_t efi_binary_run_dp(void *image, size_t size, void *fdt, if (ret != EFI_SUCCESS) return ret; + dp_initrd = efi_dp_from_mem(EFI_LOADER_DATA, (uintptr_t)initrd, initd_sz); + if (!dp_initrd) + return EFI_OUT_OF_RESOURCES; + + ret = efi_initrd_register(dp_initrd); + if (ret != EFI_SUCCESS) + return ret; + return efi_run_image(image, size, dp_dev, dp_img); } @@ -239,13 +251,15 @@ static efi_status_t efi_binary_run_dp(void *image, size_t size, void *fdt, * @image: memory address of the UEFI image * @size: size of the UEFI image * @fdt: device-tree + * @initrd: initrd + * @initrd_sz: initrd size * * Execute an EFI binary image loaded at @image. * @size may be zero if the binary is loaded with U-Boot load command. * * Return: status code */ -efi_status_t efi_binary_run(void *image, size_t size, void *fdt) +efi_status_t efi_binary_run(void *image, size_t size, void *fdt, void *initrd, size_t initrd_sz) { efi_handle_t mem_handle = NULL; struct efi_device_path *file_path = NULL; @@ -273,7 +287,7 @@ efi_status_t efi_binary_run(void *image, size_t size, void *fdt) log_debug("Loaded from disk\n"); } - ret = efi_binary_run_dp(image, size, fdt, bootefi_device_path, + ret = efi_binary_run_dp(image, size, fdt, initrd, initrd_sz, bootefi_device_path, bootefi_image_path); out: if (mem_handle) { @@ -355,7 +369,7 @@ efi_status_t efi_bootflow_run(struct bootflow *bflow) log_debug("Booting with external fdt\n"); fdt = map_sysmem(bflow->fdt_addr, 0); } - ret = efi_binary_run_dp(bflow->buf, bflow->size, fdt, device, image); + ret = efi_binary_run_dp(bflow->buf, bflow->size, fdt, NULL, 0, device, image); return ret; } -- cgit v1.3.1 From fd58c275f6ba524101ba0990e53f5a11ac390bd0 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Tue, 1 Apr 2025 14:27:25 +0300 Subject: efi_loader: Move public cert for capsules to .rodata commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata") was reverted in commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") because that's what U-Boot was usually doing -- using the DT to store configuration and data. Some of the discussions can be found here [0]. (Ab)using the device tree to store random data isn't ideal though. On top of that with new features introduced over the years, keeping the certificates in the DT has proven to be problematic. One of the reasons is that platforms might send U-Boot a DTB from the previous stage loader using a transfer list which won't contain the signatures since other loaders are not aware of internal U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding the capsule certificate there does not work and requires users to dump it and re-create it injecting the public keys. Now that we have proper memory permissions for arm64, move the certificate to .rodata and read it from there. [0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/ Signed-off-by: Ilias Apalodimas Tested-by: Jonathan Humphreys # on TI sk-am62p-lp Tested-by: Neil Armstrong # on AML-A311D-CC Tested-by: Raymond Mao --- Makefile | 2 +- include/asm-generic/sections.h | 2 ++ lib/efi_loader/Makefile | 18 ++++++++++++++++++ lib/efi_loader/capsule_esl.dtsi.in | 11 ----------- lib/efi_loader/efi_capsule.c | 37 +++++++++---------------------------- lib/efi_loader/efi_capsule_key.S | 17 +++++++++++++++++ scripts/Makefile.lib | 27 --------------------------- 7 files changed, 47 insertions(+), 67 deletions(-) delete mode 100644 lib/efi_loader/capsule_esl.dtsi.in create mode 100644 lib/efi_loader/efi_capsule_key.S (limited to 'include') diff --git a/Makefile b/Makefile index e83672b1823..bb9ef67ddc8 100644 --- a/Makefile +++ b/Makefile @@ -2231,7 +2231,7 @@ CLEAN_FILES += include/autoconf.mk* include/bmp_logo.h include/bmp_logo_data.h \ itb.fit.fit itb.fit.itb itb.map spl.map mkimage-out.rom.mkimage \ mkimage.rom.mkimage mkimage-in-simple-bin* rom.map simple-bin* \ idbloader-spi.img lib/efi_loader/helloworld_efi.S *.itb \ - Test* capsule*.*.efi-capsule capsule*.map + Test* capsule*.*.efi-capsule capsule*.map capsule_esl_file # Directories & files removed with 'make mrproper' MRPROPER_DIRS += include/config include/generated spl tpl vpl \ diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h index 024b1adde27..d59787948fd 100644 --- a/include/asm-generic/sections.h +++ b/include/asm-generic/sections.h @@ -28,6 +28,8 @@ extern char __efi_helloworld_begin[]; extern char __efi_helloworld_end[]; extern char __efi_var_file_begin[]; extern char __efi_var_file_end[]; +extern char __efi_capsule_sig_begin[]; +extern char __efi_capsule_sig_end[]; /* Private data used by of-platdata devices/uclasses */ extern char __priv_data_start[], __priv_data_end[]; diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile index 2a0b4172bd7..dc291214895 100644 --- a/lib/efi_loader/Makefile +++ b/lib/efi_loader/Makefile @@ -29,6 +29,7 @@ obj-y += efi_boottime.o obj-y += efi_helper.o obj-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += efi_capsule.o obj-$(CONFIG_EFI_CAPSULE_FIRMWARE) += efi_firmware.o +obj-$(CONFIG_EFI_CAPSULE_AUTHENTICATE) += efi_capsule_key.o obj-y += efi_console.o obj-y += efi_device_path.o obj-$(CONFIG_EFI_DEVICE_PATH_TO_TEXT) += efi_device_path_to_text.o @@ -73,6 +74,23 @@ obj-$(CONFIG_EFI_ECPT) += efi_conformance.o EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE)) $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE) +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y) +capsule_crt_path=($(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE))) +capsule_crt_full=$(srctree)/$(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE)) +quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ +cmd_capsule_esl_gen = cert-to-efi-sig-list $(capsule_crt_full) $@ +$(srctree)/capsule_esl_file: FORCE + @if [ ! -e "$(capsule_crt_full)" ]; then \ + echo "ERROR: path $(capsule_crt_full) is invalid." >&2; \ + echo "EFI CONFIG_EFI_CAPSULE_CRT_FILE must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled." >&2; \ + exit 1; \ + fi + $(call cmd,capsule_esl_gen) + +$(obj)/efi_capsule.o: $(srctree)/capsule_esl_file FORCE +asflags-y += -DCAPSULE_ESL_PATH=\"$(srctree)/capsule_esl_file\" +endif + # Set the C flags to add and remove for each app $(foreach f,$(apps-y),\ $(eval CFLAGS_$(f).o := $(CFLAGS_EFI) -Os -ffreestanding)\ diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in deleted file mode 100644 index bc7db836faa..00000000000 --- a/lib/efi_loader/capsule_esl.dtsi.in +++ /dev/null @@ -1,11 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0+ -/* - * Devicetree file with the public key EFI Signature List(ESL) - * node. This file is used to generate the dtsi file to be - * included into the DTB. - */ -/ { - signature { - capsule-key = /incbin/("ESL_BIN_FILE"); - }; -}; diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index f8a4a7c6ef4..1aa52ac7bb6 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -22,6 +22,7 @@ #include #include +#include #include #include #include @@ -284,33 +285,12 @@ out: } #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) -int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) +static int efi_get_public_key_data(const void **pkey, efi_uintn_t *pkey_len) { - const void *fdt_blob = gd->fdt_blob; - const void *blob; - const char *cnode_name = "capsule-key"; - const char *snode_name = "signature"; - int sig_node; - int len; - - sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name); - if (sig_node < 0) { - log_err("Unable to get signature node offset\n"); - - return -FDT_ERR_NOTFOUND; - } - - blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len); - - if (!blob || len < 0) { - log_err("Unable to get capsule-key value\n"); - *pkey = NULL; - *pkey_len = 0; - - return -FDT_ERR_NOTFOUND; - } + const void *blob = __efi_capsule_sig_begin; + const int len = __efi_capsule_sig_end - __efi_capsule_sig_begin; - *pkey = (void *)blob; + *pkey = blob; *pkey_len = len; return 0; @@ -321,7 +301,8 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s { u8 *buf; int ret; - void *fdt_pkey, *pkey; + void *pkey; + const void *stored_pkey; efi_uintn_t pkey_len; uint64_t monotonic_count; struct efi_signature_store *truststore; @@ -373,7 +354,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s goto out; } - ret = efi_get_public_key_data(&fdt_pkey, &pkey_len); + ret = efi_get_public_key_data(&stored_pkey, &pkey_len); if (ret < 0) goto out; @@ -381,7 +362,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s if (!pkey) goto out; - memcpy(pkey, fdt_pkey, pkey_len); + memcpy(pkey, stored_pkey, pkey_len); truststore = efi_build_signature_store(pkey, pkey_len); if (!truststore) goto out; diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S new file mode 100644 index 00000000000..80cefbe16ae --- /dev/null +++ b/lib/efi_loader/efi_capsule_key.S @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * .esl cert for capsule authentication + * + * Copyright (c) 2021, Ilias Apalodimas + */ + +#include + +.section .rodata.capsule_key.init,"a" +.balign 16 +.global __efi_capsule_sig_begin +__efi_capsule_sig_begin: +.incbin CAPSULE_ESL_PATH +__efi_capsule_sig_end: +.global __efi_capsule_sig_end +.balign 16 diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 275c308154b..83fd5ff6c31 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -377,35 +377,8 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \ ; \ sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > $(depfile) -capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in -capsule_crt_file=$(subst $(quote),,$(CONFIG_EFI_CAPSULE_CRT_FILE)) -capsule_esl_dtsi=.capsule_esl.dtsi - -quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@ -cmd_capsule_esl_gen = cert-to-efi-sig-list $< $@ - -$(obj)/capsule_esl_file: $(capsule_crt_file) FORCE -ifeq ($(CONFIG_EFI_CAPSULE_CRT_FILE),"") - $(error "CONFIG_EFI_CAPSULE_CRT_FILE is empty, EFI capsule authentication \ - public key must be specified when CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled") -else - $(call cmd,capsule_esl_gen) -endif - -quiet_cmd_capsule_dtsi_gen = CAPSULE_DTSI_GEN $@ -cmd_capsule_dtsi_gen = \ - $(shell sed "s:ESL_BIN_FILE:$(abspath $<):" $(capsule_esl_input_file) > $@) - -$(obj)/$(capsule_esl_dtsi): $(obj)/capsule_esl_file FORCE - $(call cmd,capsule_dtsi_gen) - dtsi_include_list_deps := $(addprefix $(u_boot_dtsi_loc),$(subst $(quote),,$(dtsi_include_list))) -ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE -dtsi_include_list += $(capsule_esl_dtsi) -dtsi_include_list_deps += $(obj)/$(capsule_esl_dtsi) -endif - ifneq ($(CHECK_DTBS),) DT_CHECKER ?= dt-validate DT_CHECKER_FLAGS ?= $(if $(DT_SCHEMA_FILES),-l $(DT_SCHEMA_FILES),-m) -- cgit v1.3.1