summaryrefslogtreecommitdiff
path: root/include/efi_loader.h
AgeCommit message (Collapse)Author
2020-08-14efi_loader: signature: correct a behavior against multiple signaturesAKASHI Takahiro
Under the current implementation, all the signatures, if any, in a signed image must be verified before loading it. Meanwhile, UEFI specification v2.8b section 32.5.3.3 says, Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”). Only one hash or signature is required to be present in db in order to pass validation, so long as neither the SHA-256 hash of the binary nor any present signature is reflected in dbx. This patch makes the semantics of signature verification compliant with the specification mentioned above. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-13efi_loader: signature: rework for intermediate certificates supportAKASHI Takahiro
In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-08-08efi_loader: set load options in boot managerHeinrich Schuchardt
Up to now we used the value of the bootargs environment variable as load options in the boot manager. This is not correct. The data has to be taken from the Boot#### variable. Let the boot manager copy the optional data of the EFI_LOAD_OPTION as load options to the loaded image protocol. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08efi_loader: factor out efi_set_load_options()Heinrich Schuchardt
The bootefi bootmgr command has to set the load options for a loaded image from the value of BootXXXX variable. If the boot manager is not used, the value is set from the environment variable bootargs (or efi_selftest). Factor out a common function efi_set_load_options(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11efi_loader: new function efi_memcpy_runtime()Heinrich Schuchardt
Provide a memcpy() function that we can use at UEFI runtime. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11efi_loader: export efi_convert_pointer()Heinrich Schuchardt
We need ConvertPointer() to adjust pointers when implementing runtime services within U-Boot. After ExitBootServices() gd is not available anymore. So we should not use EFI_ENTRY() and EFI_EXIT(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-11efi_loader: image_loader: add digest-based verification for signed imageAKASHI Takahiro
In case that a type of certificate in "db" or "dbx" is EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains a public key for RSA decryption, but a digest of image to be loaded. If the value matches to a value calculated from a given binary image, it is granted for loading. With this patch, common digest check code, which used to be used for unsigned image verification, will be extracted from efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and extra step for digest check will be added to efi_image_authenticate(). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-11efi_loader: image_loader: verification for all signatures should passAKASHI Takahiro
A signed image may have multiple signatures in - each WIN_CERTIFICATE in authenticode, and/or - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE) In the initial implementation of efi_image_authenticate(), the criteria of verification check for multiple signatures case is a bit ambiguous and it may cause inconsistent result. With this patch, we will make sure that verification check in efi_image_authenticate() should pass against all the signatures. The only exception would be - the case where a digest algorithm used in signature is not supported by U-Boot, or - the case where parsing some portion of authenticode has failed In those cases, we don't know how the signature be handled and should just ignore them. Please note that, due to this change, efi_signature_verify_with_sigdb()'s function prototype will be modified, taking "dbx" as well as "db" instead of outputing a "certificate." If "dbx" is null, the behavior would be the exact same as before. The function's name will be changed to efi_signature_verify() once current efi_signature_verify() has gone due to further improvement in intermediate certificates support. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-03efi_loader: export initialization stateHeinrich Schuchardt
Export the UEFI sub-system initialization state. This will allow to treat the setting of UEFI variables during and after initialization differently. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-06-03efi_loader: validate load optionHeinrich Schuchardt
For passing the optional data of the load option to the loaded imaged protocol we need its size. efi_deserialize_load_option() is changed to return the size of the optional data. As a by-product we get a partial validation of the load option. Checking the length of the device path remains to be implemented. Some Coverity defects identified the load options as user input because get_unaligned_le32() and get_unaligned_le16() is called. But non of these Coverity defects can be resolved without marking functions with Coverity specific tags. Reported-by: Coverity (CID 303760) Reported-by: Coverity (CID 303768) Reported-by: Coverity (CID 303776) Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-21efi_loader: device path for virtio block devicesHeinrich Schuchardt
The UEFI specification does not define a device sub-type for virtio. Let's use a vendor hardware node here. This avoids creation of two handles with the same device path indicating our root node. Reported-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-18common: Drop log.h from common headerSimon Glass
Move this header out of the common header. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18common: Drop part.h from common headerSimon Glass
Move this uncommon header out of the common header. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-17efi_loader: round the memory area in efi_add_memory_map()Michael Walle
Virtually all callers of this function do the rounding on their own. Some do it right, some don't. Instead of doing this in each caller, do the rounding in efi_add_memory_map(). Change the size parameter to bytes instead of pages and remove aligning and size calculation in all callers. There is no more need to make the original efi_add_memory_map() (which takes pages as size) available outside the module. Thus rename it to efi_add_memory_map_pg() and make it static to prevent further misuse outside the module. Signed-off-by: Michael Walle <michael@walle.cc> Add missing comma in sunxi_display.c. Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-05-04efi_loader: disk: add efi_disk_is_system_part()AKASHI Takahiro
This function will check if a given handle to device is an EFI system partition. It will be utilised in implementing capsule-on-disk feature. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Add function description. Return bool. Reviewed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-30efi_loader: remove CONFIG_EFI_SECURE_BOOT in efi_loader.hAKASHI Takahiro
The guard doesn't make any difference, so remove it. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-30efi_loader: identify EFI system partitionHeinrich Schuchardt
In subsequent patches UEFI variables shalled be stored on the EFI system partition. Hence we need to identify the EFI system partition. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-16efi_loader: image_loader: support image authenticationAKASHI Takahiro
With this commit, image validation can be enforced, as UEFI specification section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled. Currently we support * authentication based on db and dbx, so dbx-validated image will always be rejected. * following signature types: EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images) EFI_CERT_X509_GUID (x509 certificate for signed images) Timestamp-based certificate revocation is not supported here. Internally, authentication data is stored in one of certificates tables of PE image (See efi_image_parse()) and will be verified by efi_image_authenticate() before loading a given image. It seems that UEFI specification defines the verification process in a bit ambiguous way. I tried to implement it as closely to as EDK2 does. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16efi_loader: variable: support variable authenticationAKASHI Takahiro
With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is supported for authenticated variables and the system secure state will transfer between setup mode and user mode as UEFI specification section 32.3 describes. Internally, authentication data is stored as part of authenticated variable's value. It is nothing but a pkcs7 message (but we need some wrapper, see efi_variable_parse_signature()) and will be validated by efi_variable_authenticate(), hence efi_signature_verify_with_db(). Associated time value will be encoded in "{...,time=...}" along with other UEFI variable's attributes. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16efi_loader: add signature database parserAKASHI Takahiro
efi_signature_parse_sigdb() is a helper function will be used to parse signature database variable and instantiate a signature store structure in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-04-16efi_loader: add signature verification functionsAKASHI Takahiro
In this commit, implemented are a couple of helper functions which will be used to materialize variable authentication as well as image authentication in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-03-22efi_loader: definition of GetNextVariableName()Heinrich Schuchardt
'vendor' is both an input and an output parameter. So it cannot be constant. Fixes: 0bda81bfdc5c ("efi_loader: use const efi_guid_t * for variable services") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-03-17efi_loader: export a couple of protocol related functionsAKASHI Takahiro
This is a preparatory patch. Those functions will be used in an implementation of UEFI firmware management protocol as part of my capsule update patch. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-02-28efi_loader: Implement FileLoad2 for initramfs loadingIlias Apalodimas
Following kernel's proposal for an arch-agnostic initrd loading mechanism [1] let's implement the U-boot counterpart. This new approach has a number of advantages compared to what we did up to now. The file is loaded into memory only when requested limiting the area of TOCTOU attacks. Users will be allowed to place the initramfs file on any u-boot accessible partition instead of just the ESP one. Finally this is an attempt of a generic interface across architectures in the linux kernel so it makes sense to support that. The file location is intentionally only supported as a config option argument(CONFIG_EFI_INITRD_FILESPEC), in an effort to enhance security. Although U-boot is not responsible for verifying the integrity of the initramfs, we can enhance the offered security by only accepting a built-in option, which will be naturally verified by UEFI Secure Boot. This can easily change in the future if needed and configure that via ENV or UEFI variable. [1] https://lore.kernel.org/linux-efi/20200207202637.GA3464906@rani.riverdale.lan/T/#m4a25eb33112fab7a22faa0fd65d4d663209af32f Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07efi_rng_protocol: Install the efi_rng_protocol on the root nodeSughosh Ganu
Install the EFI_RNG_PROTOCOL implementation for it's subsequent use by the kernel for features like kaslr. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07efi_loader: Add guidcpy functionSughosh Ganu
Add guidcpy function to copy the source guid to the destination guid. Use this function instead of memcpy for copying to the destination guid. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> Use void * instead of efi_guid_t * for arguments to allow copying unaligned GUIDs. The GUIDs of configuration tables are __packed. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07efi_loader: export efi_install_fdt()Heinrich Schuchardt
Use a pointer to addressable memory instead of a "physical" address in the virtual address space of the sandbox to efi_install_fdt(). Export the efi_install_fdt() function. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07efi_loader: carve out efi_run_image()Heinrich Schuchardt
Provide public function efi_run_imager() which can be used to run an UEFI image from memory. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07efi_loader: pass address to efi_install_fdt()Heinrich Schuchardt
As part of moving the parsing of command line arguments to do_bootefi() call efi_install_fdt() with the address of the device tree instead of a string. If the address is EFI_FDT_USE_INTERNAL (= 0), the internal device tree is used. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-11-19efi_loader: remove unused function efi_dp_from_dev()Heinrich Schuchardt
Function efi_dp_from_dev() is not used anywhere. Remove it. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-10-08efi: Move inline functions to unconditional part of headerSimon Glass
At present these two functions are defined in efi_loader.h but only if CONFIG_EFI_LOADER is enabled. But these are functions that are useful to other code, such as that which deals with Intel Handoff Blocks (HOBs). Move these to the top of the function. Possibly ascii2unicode() should not be an inline function, since this might impact code size. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2019-09-20efi_loader: device_path: support Sandbox's "host" devicesAKASHI Takahiro
Sandbox's "host" devices are currently described as UCLASS_ROOT udevice with DEV_IF_HOST block device. As the current implementation of efi_device_path doesn't support such a type, any "host" device on sandbox cannot be seen as a distinct object. For example, => host bind 0 /foo/disk.img => efi devices Scanning disk host0... Found 1 disks Device Device Path ================ ==================== 0000000015c19970 /VenHw(e61d73b9-a384-4acc-aeab-82e828f3628b) 0000000015c19d70 /VenHw(e61d73b9-a384-4acc-aeab-82e828f3628b) => efi dh Handle Protocols ================ ==================== 0000000015c19970 Device Path, Device Path To Text, Device Path Utilities, Unicode Collation 2, HII String, HII Database, HII Config Routing 0000000015c19ba0 Driver Binding 0000000015c19c10 Simple Text Output 0000000015c19c80 Simple Text Input, Simple Text Input Ex 0000000015c19d70 Block IO, Device Path, Simple File System As you can see here, efi_root (0x0000000015c19970) and host0 device (0x0000000015c19d70) have the same representation of device path. This is not only inconvenient, but also confusing since two different efi objects are associated with the same device path and efi_dp_find_obj() will possibly return a wrong result. Solution: Each "host" device should be given an additional device path node of "vendor device path" to make it distinguishable. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-09-09efi_loader: eliminate inline function ascii2unicode()Heinrich Schuchardt
ascii2unicode() can only convert characters 0x00-0x7f from UTF-8 to UTF-16. Use utf8_utf16_strcpy() instead. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-09-05efi_loader: Extract adding a conventional memory in separate routinePark, Aiden
Adding a conventional memory region to the memory map may require ram_top limitation and it can be also commonly used. Extract adding a conventional memory to the memory map in a separate routine for generic use. Signed-off-by: Aiden Park <aiden.park@intel.com> Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-07-16efi_loader: avoid alignment errorHeinrich Schuchardt
In packed structures GUIDs are not aligned. Avoid a build error with GCC 9.1 by using const void * as argument for guidcmp(). Reported-by: Ramon Fried <rfried.dev@gmail.com> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-07-16efi_loader: Change return type of efi_add_memory_map()Bryan O'Donoghue
We currently have some inconsistent use of efi_add_memory_map() throughout the code. In particular the return value of efi_add_memory_map() is not interpreted the same way by various users in the codebase. This patch does the following: - Changes efi_add_memory_map() to return efi_status_t. - Adds a method description to efi_add_memory_map(). - Changes efi_add_memory_map() to return EFI_SUCCESS - Returns non-zero for error in efi_add_memory_map() - Updates efi_allocate_pages() to new efi_add_memory_map() - Updates efi_free_pages() to new efi_add_memory_map() - Updates efi_carve_out_dt_rsv() to new efi_add_memory_map() - Updates efi_add_runtime_mmio() to new efi_add_memory_map() Fixes: 5d00995c361c ("efi_loader: Implement memory allocation and map") Fixes: 74c16acce30b ("efi_loader: Don't allocate from memory holes") Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Cc: Alexander Graf <agraf@csgraf.de> Signed-off-by: Bryan O'Donoghue <pure.logic@nexus-software.ie> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-07-06efi_loader: detach runtime in ExitBootServices()Heinrich Schuchardt
Linux can be called with a command line parameter efi=novamap, cf. commit 4e46c2a95621 ("efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted"). In this case SetVirtualAddressMap() is not called after ExitBootServices(). OpenBSD 32bit does not call SetVirtualAddressMap() either. Runtime services must be set to an implementation supported at runtime in ExitBootServices(). Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Suggested-by: Alexander Graf <agraf@csgraf.de> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-07-06efi_loader: let the variable driver patch out the runtimeHeinrich Schuchardt
Our variable services are only provided at boottime. Therefore when leaving boottime the variable function are replaced by dummy functions returning EFI_UNSUPPORTED. Move this patching of the runtime table to the variable services implementation. Executed it in ExitBootServices(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-07-06efi_loader: initialization of variable servicesHeinrich Schuchardt
Provide an initialization routine for variable services. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-07-06efi_loader: move efi_query_variable_info()Heinrich Schuchardt
Let's keep similar things together. Move efi_query_variable_info() to lib/efi_loader/efi_variable.c Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-06-14efi_loader: add RuntimeServicesSupported variableAKASHI Takahiro
This variable is defined in UEFI specification 2.8, section 8.1. Its value should be updated whenever we add any usable runtime services function. Currently we only support SetVirtualAddress() for all systems and ResetSystem() for some. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-06-10efi_loader: implement event queueHeinrich Schuchardt
Up to now we have only been using a flag queued for events. But this does not satisfy the requirements of the UEFI spec. Events must be notified in the sequence of decreasing TPL level and within a TPL level in the sequence of signaling. Implement a queue for signaled events. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-06-10efi_loader: event signaling in ExitBootServicesHeinrich Schuchardt
ExitBootServices() has to stop timer related activity before calling the events of the EFI_EVENT_GROUP_EXIT_BOOT_SERVICES event group. But our current implementation was stopping all other events. All events have to observe the task priority level. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-31efi_loader: export efi_set_time()Heinrich Schuchardt
To let a board implement the runtime version of SetTime() we have to provide the definition of the weak function in an include. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-31efi_loader: correct notification of protocol installationHeinrich Schuchardt
When a protocol is installed the handle should be queued for the registration key of each registered event. LocateHandle() should return the first handle from the queue for the registration key and delete it from the queue. Implement the queueing. Correct the selftest. With the patch the UEFI SCT tests for LocateHandle() are passed without failure. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-24efi_loader: comments for structsHeinrich Schuchardt
Change comments for struct efi_open_protocol_info_item and struct efi_handler to Sphinx format. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-19efi_loader: implement deprecated Unicode collation protocolHeinrich Schuchardt
In EFI 1.10 a version of the Unicode collation protocol using ISO 639-2 language codes existed. This protocol is not part of the UEFI specification any longer. Unfortunately it is required to run the UEFI Self Certification Test (SCT) II, version 2.6, 2017. So we implement it here for the sole purpose of running the SCT. It can be removed once a compliant SCT is available. The configuration option defaults to no. Signed-off-by: Rob Clark <robdclark@gmail.com> Most of Rob's original patch is already merged. Only the deprecated protocol is missing. Rebase it and make it configurable. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-19efi_loader: rename Unicode collation protocol 2 variablesHeinrich Schuchardt
Rename variables to make it clear they refer to the Unicode collation protocol identified by the EFI_UNICODE_PROTOCOL2_GUID. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-07efi_loader: LoadImage() check parent imageHeinrich Schuchardt
If the parent image handle does not refer to a loaded image return EFI_INVALID_PARAMETER. (UEFI SCT II 2017: 3.4.1 LoadImage() - 5.1.4.1.1) Mark our root node as a loaded image to avoid an error when using it as parent image. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-05-07efi_loader: implement RegisterProtocolNotify()Heinrich Schuchardt
The RegisterProtocolNotify() boot service registers an event to be notified upon the installation of a protocol interface with the specified GUID. Add the missing implementation. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>