Merge tag 'efi-2021-07-rc4' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request for efi-2021-07-rc4

Documentation:

* correct mmc man-page

Bug fixes:

* reduce code size of efidebug command
* remove 31 character limit for file paths in efidebug command
* fix build warning in the TCG2 protocol implementation

8 files changed, 102 insertions, 98 deletions

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index eb5c4d6f29..98845b8ba3 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -175,6 +175,7 @@ config EFI_CAPSULE_AUTHENTICATE
 	select PKCS7_VERIFY
 	select IMAGE_SIGN_INFO
 	select HASH_CALCULATE
+	select EFI_SIGNATURE_SUPPORT
 	default n
 	help
 	  Select this option if you want to enable capsule
@@ -344,6 +345,7 @@ config EFI_SECURE_BOOT
 	select PKCS7_MESSAGE_PARSER
 	select PKCS7_VERIFY
 	select HASH_CALCULATE
+	select EFI_SIGNATURE_SUPPORT
 	default n
 	help
 	  Select this option to enable EFI secure boot support.
@@ -351,6 +353,9 @@ config EFI_SECURE_BOOT
 	  it is signed with a trusted key. To do that, you need to install,
 	  at least, PK, KEK and db.
 
+config EFI_SIGNATURE_SUPPORT
+	bool
+
 config EFI_ESRT
 	bool "Enable the UEFI ESRT generation"
 	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 8bd343e258..fd344cea29 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -63,7 +63,7 @@ obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o
 obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o
 obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o
 obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o
-obj-y += efi_signature.o
+obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o
 
 EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
 $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 6ee883d5b1..9ead0d2c78 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -208,16 +208,6 @@ skip:
 const efi_guid_t efi_guid_capsule_root_cert_guid =
 	EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;
 
-__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
-{
-	/* The platform is supposed to provide
-	 * a method for getting the public key
-	 * stored in the form of efi signature
-	 * list
-	 */
-	return 0;
-}
-
 efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
 				      void **image, efi_uintn_t *image_size)
 {
diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c
index 4b20859b25..76c2f82fe6 100644
--- a/lib/efi_loader/efi_device_path.c
+++ b/lib/efi_loader/efi_device_path.c
@@ -1171,7 +1171,7 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr,
 	struct blk_desc *desc = NULL;
 	struct disk_partition fs_partition;
 	int part = 0;
-	char filename[32] = { 0 }; /* dp->str is u16[32] long */
+	char *filename;
 	char *s;
 
 	if (path && !file)
@@ -1198,12 +1198,17 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr,
 	if (!path)
 		return EFI_SUCCESS;
 
-	snprintf(filename, sizeof(filename), "%s", path);
+	filename = calloc(1, strlen(path) + 1);
+	if (!filename)
+		return EFI_OUT_OF_RESOURCES;
+
+	sprintf(filename, "%s", path);
 	/* DOS style file path: */
 	s = filename;
 	while ((s = strchr(s, '/')))
 		*s++ = '\\';
 	*file = efi_dp_from_file(desc, part, filename);
+	free(filename);
 
 	if (!*file)
 		return EFI_INVALID_PARAMETER;
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index f53ef367ec..fe1ee198e2 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -213,7 +213,68 @@ static void efi_set_code_and_data_type(
 	}
 }
 
-#ifdef CONFIG_EFI_SECURE_BOOT
+/**
+ * efi_image_region_add() - add an entry of region
+ * @regs:	Pointer to array of regions
+ * @start:	Start address of region (included)
+ * @end:	End address of region (excluded)
+ * @nocheck:	flag against overlapped regions
+ *
+ * Take one entry of region [@start, @end[ and insert it into the list.
+ *
+ * * If @nocheck is false, the list will be sorted ascending by address.
+ *   Overlapping entries will not be allowed.
+ *
+ * * If @nocheck is true, the list will be sorted ascending by sequence
+ *   of adding the entries. Overlapping is allowed.
+ *
+ * Return:	status code
+ */
+efi_status_t efi_image_region_add(struct efi_image_regions *regs,
+				  const void *start, const void *end,
+				  int nocheck)
+{
+	struct image_region *reg;
+	int i, j;
+
+	if (regs->num >= regs->max) {
+		EFI_PRINT("%s: no more room for regions\n", __func__);
+		return EFI_OUT_OF_RESOURCES;
+	}
+
+	if (end < start)
+		return EFI_INVALID_PARAMETER;
+
+	for (i = 0; i < regs->num; i++) {
+		reg = &regs->reg[i];
+		if (nocheck)
+			continue;
+
+		/* new data after registered region */
+		if (start >= reg->data + reg->size)
+			continue;
+
+		/* new data preceding registered region */
+		if (end <= reg->data) {
+			for (j = regs->num - 1; j >= i; j--)
+				memcpy(&regs->reg[j + 1], &regs->reg[j],
+				       sizeof(*reg));
+			break;
+		}
+
+		/* new data overlapping registered region */
+		EFI_PRINT("%s: new region already part of another\n", __func__);
+		return EFI_INVALID_PARAMETER;
+	}
+
+	reg = &regs->reg[i];
+	reg->data = start;
+	reg->size = end - start;
+	regs->num++;
+
+	return EFI_SUCCESS;
+}
+
 /**
  * cmp_pe_section() - compare virtual addresses of two PE image sections
  * @arg1:	pointer to pointer to first section header
@@ -422,6 +483,7 @@ err:
 	return false;
 }
 
+#ifdef CONFIG_EFI_SECURE_BOOT
 /**
  * efi_image_unsigned_authenticate() - authenticate unsigned image with
  * SHA256 hash
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index c7ec275414..bdd09881fc 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -15,18 +15,16 @@
 #include <crypto/public_key.h>
 #include <linux/compat.h>
 #include <linux/oid_registry.h>
+#include <u-boot/hash-checksum.h>
 #include <u-boot/rsa.h>
 #include <u-boot/sha256.h>
 
-const efi_guid_t efi_guid_image_security_database =
-		EFI_IMAGE_SECURITY_DATABASE_GUID;
 const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
 const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
 const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
 const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
 const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
 
-#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
 static u8 pkcs7_hdr[] = {
 	/* SEQUENCE */
 	0x30, 0x82, 0x05, 0xc7,
@@ -540,68 +538,6 @@ out:
 }
 
 /**
- * efi_image_region_add() - add an entry of region
- * @regs:	Pointer to array of regions
- * @start:	Start address of region (included)
- * @end:	End address of region (excluded)
- * @nocheck:	flag against overlapped regions
- *
- * Take one entry of region [@start, @end[ and insert it into the list.
- *
- * * If @nocheck is false, the list will be sorted ascending by address.
- *   Overlapping entries will not be allowed.
- *
- * * If @nocheck is true, the list will be sorted ascending by sequence
- *   of adding the entries. Overlapping is allowed.
- *
- * Return:	status code
- */
-efi_status_t efi_image_region_add(struct efi_image_regions *regs,
-				  const void *start, const void *end,
-				  int nocheck)
-{
-	struct image_region *reg;
-	int i, j;
-
-	if (regs->num >= regs->max) {
-		EFI_PRINT("%s: no more room for regions\n", __func__);
-		return EFI_OUT_OF_RESOURCES;
-	}
-
-	if (end < start)
-		return EFI_INVALID_PARAMETER;
-
-	for (i = 0; i < regs->num; i++) {
-		reg = &regs->reg[i];
-		if (nocheck)
-			continue;
-
-		/* new data after registered region */
-		if (start >= reg->data + reg->size)
-			continue;
-
-		/* new data preceding registered region */
-		if (end <= reg->data) {
-			for (j = regs->num - 1; j >= i; j--)
-				memcpy(&regs->reg[j + 1], &regs->reg[j],
-				       sizeof(*reg));
-			break;
-		}
-
-		/* new data overlapping registered region */
-		EFI_PRINT("%s: new region already part of another\n", __func__);
-		return EFI_INVALID_PARAMETER;
-	}
-
-	reg = &regs->reg[i];
-	reg->data = start;
-	reg->size = end - start;
-	regs->num++;
-
-	return EFI_SUCCESS;
-}
-
-/**
  * efi_sigstore_free - free signature store
  * @sigstore:	Pointer to signature store structure
  *
@@ -846,4 +782,3 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name)
 
 	return efi_build_signature_store(db, db_size);
 }
-#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 39ef250bf9..39074f7547 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -53,7 +53,7 @@ struct digest_info {
 	u16 hash_len;
 };
 
-const static struct digest_info hash_algo_list[] = {
+static const struct digest_info hash_algo_list[] = {
 	{
 		TPM2_ALG_SHA1,
 		EFI_TCG2_BOOT_HASH_ALG_SHA1,
@@ -87,7 +87,7 @@ const static struct digest_info hash_algo_list[] = {
  */
 static u32 alg_to_mask(u16 hash_alg)
 {
-	int i;
+	size_t i;
 
 	for (i = 0; i < MAX_HASH_COUNT; i++) {
 		if (hash_algo_list[i].hash_alg == hash_alg)
@@ -106,7 +106,7 @@ static u32 alg_to_mask(u16 hash_alg)
  */
 static u16 alg_to_len(u16 hash_alg)
 {
-	int i;
+	size_t i;
 
 	for (i = 0; i < MAX_HASH_COUNT; i++) {
 		if (hash_algo_list[i].hash_alg == hash_alg)
@@ -119,7 +119,7 @@ static u16 alg_to_len(u16 hash_alg)
 static u32 tcg_event_final_size(struct tpml_digest_values *digest_list)
 {
 	u32 len;
-	int i;
+	size_t i;
 
 	len = offsetof(struct tcg_pcr_event2, digests);
 	len += offsetof(struct tpml_digest_values, digests);
@@ -145,7 +145,7 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index,
 				    struct tpml_digest_values *digest_list)
 {
 	u32 rc;
-	int i;
+	size_t i;
 
 	for (i = 0; i < digest_list->count; i++) {
 		u32 alg = digest_list->digests[i].hash_alg;
@@ -178,7 +178,7 @@ static efi_status_t tcg2_agile_log_append(u32 pcr_index, u32 event_type,
 {
 	void *log = (void *)((uintptr_t)event_log.buffer + event_log.pos);
 	size_t pos;
-	int i;
+	size_t i;
 	u32 event_size;
 
 	if (event_log.get_event_called)
@@ -400,7 +400,8 @@ static int tpm2_get_pcr_info(struct udevice *dev, u32 *supported_pcr,
 	u8 response[TPM2_RESPONSE_BUFFER_SIZE];
 	struct tpml_pcr_selection pcrs;
 	u32 ret, num_pcr;
-	int i, tpm_ret;
+	size_t i;
+	int tpm_ret;
 
 	memset(response, 0, sizeof(response));
 	ret = tpm2_get_capability(dev, TPM2_CAP_PCRS, 0, response, 1);
@@ -518,7 +519,7 @@ static efi_status_t tcg2_create_digest(const u8 *input, u32 length,
 	u8 final[TPM2_SHA512_DIGEST_SIZE];
 	efi_status_t ret;
 	u32 active;
-	int i;
+	size_t i;
 
 	ret = __get_active_pcr_banks(&active);
 	if (ret != EFI_SUCCESS)
@@ -749,8 +750,7 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
 		goto out;
 	}
 
-	if (efi_tcg_event->header.pcr_index < 0 ||
-	    efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) {
+	if (efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) {
 		ret = EFI_INVALID_PARAMETER;
 		goto out;
 	}
@@ -810,9 +810,11 @@ out:
  * Return:	status code
  */
 static efi_status_t EFIAPI
-efi_tcg2_submit_command(struct efi_tcg2_protocol *this,
-			u32 input_param_block_size, u8 *input_param_block,
-			u32 output_param_block_size, u8 *output_param_block)
+efi_tcg2_submit_command(__maybe_unused struct efi_tcg2_protocol *this,
+			u32 __maybe_unused input_param_block_size,
+			u8 __maybe_unused *input_param_block,
+			u32 __maybe_unused output_param_block_size,
+			u8 __maybe_unused *output_param_block)
 {
 	return EFI_UNSUPPORTED;
 }
@@ -847,8 +849,8 @@ efi_tcg2_get_active_pcr_banks(struct efi_tcg2_protocol *this,
  * Return:	status code
  */
 static efi_status_t EFIAPI
-efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this,
-			      u32 active_pcr_banks)
+efi_tcg2_set_active_pcr_banks(__maybe_unused struct efi_tcg2_protocol *this,
+			      u32 __maybe_unused active_pcr_banks)
 {
 	return EFI_UNSUPPORTED;
 }
@@ -866,8 +868,9 @@ efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this,
  * Return:	status code
  */
 static efi_status_t EFIAPI
-efi_tcg2_get_result_of_set_active_pcr_banks(struct efi_tcg2_protocol *this,
-					    u32 *operation_present, u32 *response)
+efi_tcg2_get_result_of_set_active_pcr_banks(__maybe_unused struct efi_tcg2_protocol *this,
+					    u32 __maybe_unused *operation_present,
+					    u32 __maybe_unused *response)
 {
 	return EFI_UNSUPPORTED;
 }
@@ -898,7 +901,8 @@ static efi_status_t create_specid_event(struct udevice *dev, void *buffer,
 	size_t spec_event_size;
 	efi_status_t ret = EFI_DEVICE_ERROR;
 	u32 active, supported;
-	int err, i;
+	int err;
+	size_t i;
 
 	/*
 	 * Create Spec event. This needs to be the first event in the log
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index b11ed91a74..83479dd142 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -24,6 +24,9 @@ struct efi_auth_var_name_type {
 	const enum efi_auth_var_type type;
 };
 
+const efi_guid_t efi_guid_image_security_database =
+		EFI_IMAGE_SECURITY_DATABASE_GUID;
+
 static const struct efi_auth_var_name_type name_type[] = {
 	{u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
 	{u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},