diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/efi_loader/Kconfig | 5 | ||||
| -rw-r--r-- | lib/efi_loader/Makefile | 2 | ||||
| -rw-r--r-- | lib/efi_loader/efi_capsule.c | 10 | ||||
| -rw-r--r-- | lib/efi_loader/efi_device_path.c | 9 | ||||
| -rw-r--r-- | lib/efi_loader/efi_image_loader.c | 64 | ||||
| -rw-r--r-- | lib/efi_loader/efi_signature.c | 67 | ||||
| -rw-r--r-- | lib/efi_loader/efi_tcg2.c | 40 | ||||
| -rw-r--r-- | lib/efi_loader/efi_var_common.c | 3 |
8 files changed, 102 insertions, 98 deletions
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index eb5c4d6f29..98845b8ba3 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -175,6 +175,7 @@ config EFI_CAPSULE_AUTHENTICATE select PKCS7_VERIFY select IMAGE_SIGN_INFO select HASH_CALCULATE + select EFI_SIGNATURE_SUPPORT default n help Select this option if you want to enable capsule @@ -344,6 +345,7 @@ config EFI_SECURE_BOOT select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY select HASH_CALCULATE + select EFI_SIGNATURE_SUPPORT default n help Select this option to enable EFI secure boot support. @@ -351,6 +353,9 @@ config EFI_SECURE_BOOT it is signed with a trusted key. To do that, you need to install, at least, PK, KEK and db. +config EFI_SIGNATURE_SUPPORT + bool + config EFI_ESRT bool "Enable the UEFI ESRT generation" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile index 8bd343e258..fd344cea29 100644 --- a/lib/efi_loader/Makefile +++ b/lib/efi_loader/Makefile @@ -63,7 +63,7 @@ obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o -obj-y += efi_signature.o +obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE)) $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE) diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c index 6ee883d5b1..9ead0d2c78 100644 --- a/lib/efi_loader/efi_capsule.c +++ b/lib/efi_loader/efi_capsule.c @@ -208,16 +208,6 @@ skip: const efi_guid_t efi_guid_capsule_root_cert_guid = EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID; -__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) -{ - /* The platform is supposed to provide - * a method for getting the public key - * stored in the form of efi signature - * list - */ - return 0; -} - efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size, void **image, efi_uintn_t *image_size) { diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index 4b20859b25..76c2f82fe6 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -1171,7 +1171,7 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr, struct blk_desc *desc = NULL; struct disk_partition fs_partition; int part = 0; - char filename[32] = { 0 }; /* dp->str is u16[32] long */ + char *filename; char *s; if (path && !file) @@ -1198,12 +1198,17 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr, if (!path) return EFI_SUCCESS; - snprintf(filename, sizeof(filename), "%s", path); + filename = calloc(1, strlen(path) + 1); + if (!filename) + return EFI_OUT_OF_RESOURCES; + + sprintf(filename, "%s", path); /* DOS style file path: */ s = filename; while ((s = strchr(s, '/'))) *s++ = '\\'; *file = efi_dp_from_file(desc, part, filename); + free(filename); if (!*file) return EFI_INVALID_PARAMETER; diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index f53ef367ec..fe1ee198e2 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -213,7 +213,68 @@ static void efi_set_code_and_data_type( } } -#ifdef CONFIG_EFI_SECURE_BOOT +/** + * efi_image_region_add() - add an entry of region + * @regs: Pointer to array of regions + * @start: Start address of region (included) + * @end: End address of region (excluded) + * @nocheck: flag against overlapped regions + * + * Take one entry of region [@start, @end[ and insert it into the list. + * + * * If @nocheck is false, the list will be sorted ascending by address. + * Overlapping entries will not be allowed. + * + * * If @nocheck is true, the list will be sorted ascending by sequence + * of adding the entries. Overlapping is allowed. + * + * Return: status code + */ +efi_status_t efi_image_region_add(struct efi_image_regions *regs, + const void *start, const void *end, + int nocheck) +{ + struct image_region *reg; + int i, j; + + if (regs->num >= regs->max) { + EFI_PRINT("%s: no more room for regions\n", __func__); + return EFI_OUT_OF_RESOURCES; + } + + if (end < start) + return EFI_INVALID_PARAMETER; + + for (i = 0; i < regs->num; i++) { + reg = ®s->reg[i]; + if (nocheck) + continue; + + /* new data after registered region */ + if (start >= reg->data + reg->size) + continue; + + /* new data preceding registered region */ + if (end <= reg->data) { + for (j = regs->num - 1; j >= i; j--) + memcpy(®s->reg[j + 1], ®s->reg[j], + sizeof(*reg)); + break; + } + + /* new data overlapping registered region */ + EFI_PRINT("%s: new region already part of another\n", __func__); + return EFI_INVALID_PARAMETER; + } + + reg = ®s->reg[i]; + reg->data = start; + reg->size = end - start; + regs->num++; + + return EFI_SUCCESS; +} + /** * cmp_pe_section() - compare virtual addresses of two PE image sections * @arg1: pointer to pointer to first section header @@ -422,6 +483,7 @@ err: return false; } +#ifdef CONFIG_EFI_SECURE_BOOT /** * efi_image_unsigned_authenticate() - authenticate unsigned image with * SHA256 hash diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index c7ec275414..bdd09881fc 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -15,18 +15,16 @@ #include <crypto/public_key.h> #include <linux/compat.h> #include <linux/oid_registry.h> +#include <u-boot/hash-checksum.h> #include <u-boot/rsa.h> #include <u-boot/sha256.h> -const efi_guid_t efi_guid_image_security_database = - EFI_IMAGE_SECURITY_DATABASE_GUID; const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID; const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID; const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; -#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) static u8 pkcs7_hdr[] = { /* SEQUENCE */ 0x30, 0x82, 0x05, 0xc7, @@ -540,68 +538,6 @@ out: } /** - * efi_image_region_add() - add an entry of region - * @regs: Pointer to array of regions - * @start: Start address of region (included) - * @end: End address of region (excluded) - * @nocheck: flag against overlapped regions - * - * Take one entry of region [@start, @end[ and insert it into the list. - * - * * If @nocheck is false, the list will be sorted ascending by address. - * Overlapping entries will not be allowed. - * - * * If @nocheck is true, the list will be sorted ascending by sequence - * of adding the entries. Overlapping is allowed. - * - * Return: status code - */ -efi_status_t efi_image_region_add(struct efi_image_regions *regs, - const void *start, const void *end, - int nocheck) -{ - struct image_region *reg; - int i, j; - - if (regs->num >= regs->max) { - EFI_PRINT("%s: no more room for regions\n", __func__); - return EFI_OUT_OF_RESOURCES; - } - - if (end < start) - return EFI_INVALID_PARAMETER; - - for (i = 0; i < regs->num; i++) { - reg = ®s->reg[i]; - if (nocheck) - continue; - - /* new data after registered region */ - if (start >= reg->data + reg->size) - continue; - - /* new data preceding registered region */ - if (end <= reg->data) { - for (j = regs->num - 1; j >= i; j--) - memcpy(®s->reg[j + 1], ®s->reg[j], - sizeof(*reg)); - break; - } - - /* new data overlapping registered region */ - EFI_PRINT("%s: new region already part of another\n", __func__); - return EFI_INVALID_PARAMETER; - } - - reg = ®s->reg[i]; - reg->data = start; - reg->size = end - start; - regs->num++; - - return EFI_SUCCESS; -} - -/** * efi_sigstore_free - free signature store * @sigstore: Pointer to signature store structure * @@ -846,4 +782,3 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) return efi_build_signature_store(db, db_size); } -#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */ diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 39ef250bf9..39074f7547 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -53,7 +53,7 @@ struct digest_info { u16 hash_len; }; -const static struct digest_info hash_algo_list[] = { +static const struct digest_info hash_algo_list[] = { { TPM2_ALG_SHA1, EFI_TCG2_BOOT_HASH_ALG_SHA1, @@ -87,7 +87,7 @@ const static struct digest_info hash_algo_list[] = { */ static u32 alg_to_mask(u16 hash_alg) { - int i; + size_t i; for (i = 0; i < MAX_HASH_COUNT; i++) { if (hash_algo_list[i].hash_alg == hash_alg) @@ -106,7 +106,7 @@ static u32 alg_to_mask(u16 hash_alg) */ static u16 alg_to_len(u16 hash_alg) { - int i; + size_t i; for (i = 0; i < MAX_HASH_COUNT; i++) { if (hash_algo_list[i].hash_alg == hash_alg) @@ -119,7 +119,7 @@ static u16 alg_to_len(u16 hash_alg) static u32 tcg_event_final_size(struct tpml_digest_values *digest_list) { u32 len; - int i; + size_t i; len = offsetof(struct tcg_pcr_event2, digests); len += offsetof(struct tpml_digest_values, digests); @@ -145,7 +145,7 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, struct tpml_digest_values *digest_list) { u32 rc; - int i; + size_t i; for (i = 0; i < digest_list->count; i++) { u32 alg = digest_list->digests[i].hash_alg; @@ -178,7 +178,7 @@ static efi_status_t tcg2_agile_log_append(u32 pcr_index, u32 event_type, { void *log = (void *)((uintptr_t)event_log.buffer + event_log.pos); size_t pos; - int i; + size_t i; u32 event_size; if (event_log.get_event_called) @@ -400,7 +400,8 @@ static int tpm2_get_pcr_info(struct udevice *dev, u32 *supported_pcr, u8 response[TPM2_RESPONSE_BUFFER_SIZE]; struct tpml_pcr_selection pcrs; u32 ret, num_pcr; - int i, tpm_ret; + size_t i; + int tpm_ret; memset(response, 0, sizeof(response)); ret = tpm2_get_capability(dev, TPM2_CAP_PCRS, 0, response, 1); @@ -518,7 +519,7 @@ static efi_status_t tcg2_create_digest(const u8 *input, u32 length, u8 final[TPM2_SHA512_DIGEST_SIZE]; efi_status_t ret; u32 active; - int i; + size_t i; ret = __get_active_pcr_banks(&active); if (ret != EFI_SUCCESS) @@ -749,8 +750,7 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags, goto out; } - if (efi_tcg_event->header.pcr_index < 0 || - efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) { + if (efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) { ret = EFI_INVALID_PARAMETER; goto out; } @@ -810,9 +810,11 @@ out: * Return: status code */ static efi_status_t EFIAPI -efi_tcg2_submit_command(struct efi_tcg2_protocol *this, - u32 input_param_block_size, u8 *input_param_block, - u32 output_param_block_size, u8 *output_param_block) +efi_tcg2_submit_command(__maybe_unused struct efi_tcg2_protocol *this, + u32 __maybe_unused input_param_block_size, + u8 __maybe_unused *input_param_block, + u32 __maybe_unused output_param_block_size, + u8 __maybe_unused *output_param_block) { return EFI_UNSUPPORTED; } @@ -847,8 +849,8 @@ efi_tcg2_get_active_pcr_banks(struct efi_tcg2_protocol *this, * Return: status code */ static efi_status_t EFIAPI -efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this, - u32 active_pcr_banks) +efi_tcg2_set_active_pcr_banks(__maybe_unused struct efi_tcg2_protocol *this, + u32 __maybe_unused active_pcr_banks) { return EFI_UNSUPPORTED; } @@ -866,8 +868,9 @@ efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this, * Return: status code */ static efi_status_t EFIAPI -efi_tcg2_get_result_of_set_active_pcr_banks(struct efi_tcg2_protocol *this, - u32 *operation_present, u32 *response) +efi_tcg2_get_result_of_set_active_pcr_banks(__maybe_unused struct efi_tcg2_protocol *this, + u32 __maybe_unused *operation_present, + u32 __maybe_unused *response) { return EFI_UNSUPPORTED; } @@ -898,7 +901,8 @@ static efi_status_t create_specid_event(struct udevice *dev, void *buffer, size_t spec_event_size; efi_status_t ret = EFI_DEVICE_ERROR; u32 active, supported; - int err, i; + int err; + size_t i; /* * Create Spec event. This needs to be the first event in the log diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index b11ed91a74..83479dd142 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -24,6 +24,9 @@ struct efi_auth_var_name_type { const enum efi_auth_var_type type; }; +const efi_guid_t efi_guid_image_security_database = + EFI_IMAGE_SECURITY_DATABASE_GUID; + static const struct efi_auth_var_name_type name_type[] = { {u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK}, {u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK}, |