From a8062549d6ba81e41596adab83f80e8f819f491d Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Mon, 6 Nov 2023 17:47:53 +0200 Subject: efi_loader: Increase default variable store size to 128K In commit 9fd3f881c6ed ("efi_loader: Increase default variable store size to 64KiB") Alper has a detailed explanation of why the size needs to be bumped to at least 64K. However enabling Secure boot, writing db, KEK, PK etc keys will further increase the size so bump it to 128K. It's worth noting that when U-Boot stores the EFI variables in an RPMB the available storage is defined statically in StandAloneMM at build time. The U-Boot code is detecting the available true size on the fly during writes. When StandAloneMM is present this size defines the reserved memory U-Boot can use to copy any runtime variables, before booting an OS. Signed-off-by: Ilias Apalodimas Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/Kconfig | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'lib') diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 4ccd26f94a9..2e3935467c1 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -133,18 +133,20 @@ endif config EFI_VAR_BUF_SIZE int "Memory size of the UEFI variable store" - default 16384 if EFI_MM_COMM_TEE - default 65536 + default 131072 range 4096 2147483647 help This defines the size in bytes of the memory area reserved for keeping UEFI variables. - When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) this value should - match the value of PcdFlashNvStorageVariableSize used to compile the - StandAloneMM module. + When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) is used the + available size for storing variables is defined in + PcdFlashNvStorageVariableSize. + That value is probed at runtime from U-Boot. In that case, + EFI_VAR_BUF_SIZE represents the memory U-Boot reserves to present + runtime variables to the OS. - Minimum 4096, default 65536, or 16384 when using StandAloneMM. + Minimum 4096, default 131072 config EFI_GET_TIME bool "GetTime() runtime service" -- cgit v1.3.1 From 229f9e77fe46efb2516b7cfdc60db1d92721eac5 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Tue, 7 Nov 2023 13:31:34 +0200 Subject: efi_loader: Correctly account the SCRTM event creation The result of efi_append_scrtm_version() is overwritten before anyone checks its result. Check it and exit the function on failures Addresses-Coverity-ID: 467399 Code maintainability issues (UNUSED_VALUE) Fixes: commit 97707f12fdab ("tpm: Support boot measurements") Signed-off-by: Ilias Apalodimas Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/efi_tcg2.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 2eaa12b83b1..463ea4c1541 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c 
@@ -944,8 +944,11 @@ static efi_status_t efi_init_event_log(void) * Add SCRTM version to the log if previous firmmware * doesn't pass an eventlog. */ - if (!elog.found) + if (!elog.found) { ret = efi_append_scrtm_version(dev); + if (ret != EFI_SUCCESS) + goto free_pool; + } ret = create_final_event(); if (ret != EFI_SUCCESS) -- cgit v1.3.1 From ce68a254483817f86f92ffef7c7bc44fee318fb5 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Mon, 13 Nov 2023 15:50:16 +0100 Subject: efi_loader: improve efi_var_from_file() description It is unclear to developers why efi_var_from_file() returns EFI_SUCCESS if file ubootefi.var is missing or corrupted. Improve the description. Reported-by: Weizhao Ouyang Signed-off-by: Heinrich Schuchardt Reviewed-by: Weizhao Ouyang --- lib/efi_loader/efi_var_file.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/efi_loader/efi_var_file.c b/lib/efi_loader/efi_var_file.c index 62e071bd834..d7dba050710 100644 --- a/lib/efi_loader/efi_var_file.c +++ b/lib/efi_loader/efi_var_file.c @@ -204,8 +204,11 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe) * File ubootefi.var is read from the EFI system partitions and the variables * stored in the file are created. * - * In case the file does not exist yet or a variable cannot be set EFI_SUCCESS - * is returned. + * On first boot the file ubootefi.var does not exist yet. This is why we must + * return EFI_SUCCESS in this case. + * + * If the variable file is corrupted, e.g. incorrect CRC32, we do not want to + * stop the boot process. We deliberately return EFI_SUCCESS in this case, too. * * Return: status code */ -- cgit v1.3.1
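Review bot: in the EFI_VAR_BUF_SIZE hunk of lib/efi_loader/Kconfig, the added help line "When using StandAloneMM (CONFIG_EFI_MM_COMM_TEE=y) is used the" has a doubled verb and does not parse. Suggest "When StandAloneMM is used (CONFIG_EFI_MM_COMM_TEE=y) the available size for storing variables is defined in PcdFlashNvStorageVariableSize." In the same paragraph, "probed at runtime from U-Boot" should read "by U-Boot". Because the hunk also drops "default 16384 if EFI_MM_COMM_TEE", StandAloneMM configurations now get 131072 as well, and the help text no longer says how EFI_VAR_BUF_SIZE should relate to the probed StandAloneMM size. One sentence stating what happens when the reserved buffer is smaller than the store it has to present to the OS would close that documentation gap.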
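Review bot: in the efi_init_event_log() hunk of lib/efi_loader/efi_tcg2.c, the new "if (ret != EFI_SUCCESS) goto free_pool;" path exits without any diagnostic, so a failure to record the S-CRTM version is indistinguishable from the other error exits of this function. Since this event anchors the measured-boot log, a log_err() naming the failing step before the goto would make such a failure traceable. The free_pool label is not visible in this hunk, so please confirm that it releases everything allocated up to this point and that "ret" is what the function returns from there. While this block is being touched, the context comment above it spells "firmmware"; that could be corrected in the same change.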
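Review bot: in the efi_var_from_file() comment hunk of lib/efi_loader/efi_var_file.c, the rewritten description drops a case the removed text covered. The old wording said EFI_SUCCESS is also returned when "a variable cannot be set", while the new paragraphs only mention a missing file and a corrupted file (e.g. incorrect CRC32). If that behaviour is unchanged, it should stay documented. It would also help to say how a caller or user can tell that the variable file was rejected, because returning EFI_SUCCESS on corruption means the boot continues without the stored variables and the return value gives no hint of it. If a message is logged in that case, mention it in the comment.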