From 7b8b63fb8ead9bd4041ab5424deb465f14ee172a Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 21 Apr 2020 09:37:52 +0900 Subject: lib/crypto, efi_loader: avoid multiple inclusions of header files By adding extra symbols, we can now avoid including x509_parser and pkcs7_parser.h files multiple times. Suggested-by: Heinrich Schuchardt Signed-off-by: AKASHI Takahiro Don't include include x509_parser.h twice. Reviewed-by: Heinrich Schuchardt --- lib/crypto/pkcs7_parser.h | 4 ++++ lib/crypto/x509_parser.h | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/lib/crypto/pkcs7_parser.h b/lib/crypto/pkcs7_parser.h index 6565fdc2d4..b8234da45a 100644 --- a/lib/crypto/pkcs7_parser.h +++ b/lib/crypto/pkcs7_parser.h @@ -5,6 +5,9 @@ * Written by David Howells (dhowells@redhat.com) */ +#ifndef _PKCS7_PARSER_H +#define _PKCS7_PARSER_H + #include #include #include "x509_parser.h" @@ -63,3 +66,4 @@ struct pkcs7_message { size_t data_hdrlen; /* Length of Data ASN.1 header */ const void *data; /* Content Data (or 0) */ }; +#endif /* _PKCS7_PARSER_H */ diff --git a/lib/crypto/x509_parser.h b/lib/crypto/x509_parser.h index c233f136fb..4cbdc1d661 100644 --- a/lib/crypto/x509_parser.h +++ b/lib/crypto/x509_parser.h @@ -5,6 +5,9 @@ * Written by David Howells (dhowells@redhat.com) */ +#ifndef _X509_PARSER_H +#define _X509_PARSER_H + #include #include #include @@ -55,3 +58,4 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, */ extern int x509_get_sig_params(struct x509_certificate *cert); extern int x509_check_for_self_signed(struct x509_certificate *cert); +#endif /* _X509_PARSER_H */ -- cgit From e3f5c9cb0fcc95aa9287b5f8609294fe1a59b9da Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 21 Apr 2020 09:38:17 +0900 Subject: lib/crypto, efi_loader: move some headers to include/crypto Pkcs7_parse.h and x509_parser.h are used in UEFI subsystem, in particular, secure boot. So move them to include/crypto to avoid relative paths. Suggested-by: Heinrich Schuchardt Signed-off-by: AKASHI Takahiro Don't include include x509_parser.h twice. Reviewed-by: Heinrich Schuchardt --- include/crypto/pkcs7_parser.h | 69 +++++++++++++++++++++++++++++++++++++++ include/crypto/x509_parser.h | 61 ++++++++++++++++++++++++++++++++++ lib/crypto/pkcs7_parser.c | 4 +++ lib/crypto/pkcs7_parser.h | 69 --------------------------------------- lib/crypto/x509_cert_parser.c | 4 +++ lib/crypto/x509_parser.h | 61 ---------------------------------- lib/crypto/x509_public_key.c | 6 ++-- lib/efi_loader/efi_image_loader.c | 2 +- lib/efi_loader/efi_signature.c | 2 +- lib/efi_loader/efi_variable.c | 2 +- test/lib/asn1.c | 4 +-- 11 files changed, 147 insertions(+), 137 deletions(-) create mode 100644 include/crypto/pkcs7_parser.h create mode 100644 include/crypto/x509_parser.h delete mode 100644 lib/crypto/pkcs7_parser.h delete mode 100644 lib/crypto/x509_parser.h diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h new file mode 100644 index 0000000000..b8234da45a --- /dev/null +++ b/include/crypto/pkcs7_parser.h @@ -0,0 +1,69 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* PKCS#7 crypto data parser internal definitions + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _PKCS7_PARSER_H +#define _PKCS7_PARSER_H + +#include +#include +#include "x509_parser.h" + +#define kenter(FMT, ...) \ + pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) +#define kleave(FMT, ...) \ + pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) + +struct pkcs7_signed_info { + struct pkcs7_signed_info *next; + struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ + unsigned index; + bool unsupported_crypto; /* T if not usable due to missing crypto */ + bool blacklisted; + + /* Message digest - the digest of the Content Data (or NULL) */ + const void *msgdigest; + unsigned msgdigest_len; + + /* Authenticated Attribute data (or NULL) */ + unsigned authattrs_len; + const void *authattrs; + unsigned long aa_set; +#define sinfo_has_content_type 0 +#define sinfo_has_signing_time 1 +#define sinfo_has_message_digest 2 +#define sinfo_has_smime_caps 3 +#define sinfo_has_ms_opus_info 4 +#define sinfo_has_ms_statement_type 5 + time64_t signing_time; + + /* Message signature. + * + * This contains the generated digest of _either_ the Content Data or + * the Authenticated Attributes [RFC2315 9.3]. If the latter, one of + * the attributes contains the digest of the the Content Data within + * it. + * + * THis also contains the issuing cert serial number and issuer's name + * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3]. + */ + struct public_key_signature *sig; +}; + +struct pkcs7_message { + struct x509_certificate *certs; /* Certificate list */ + struct x509_certificate *crl; /* Revocation list */ + struct pkcs7_signed_info *signed_infos; + u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */ + bool have_authattrs; /* T if have authattrs */ + + /* Content Data (or NULL) */ + enum OID data_type; /* Type of Data */ + size_t data_len; /* Length of Data */ + size_t data_hdrlen; /* Length of Data ASN.1 header */ + const void *data; /* Content Data (or 0) */ +}; +#endif /* _PKCS7_PARSER_H */ diff --git a/include/crypto/x509_parser.h b/include/crypto/x509_parser.h new file mode 100644 index 0000000000..4cbdc1d661 --- /dev/null +++ b/include/crypto/x509_parser.h @@ -0,0 +1,61 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* X.509 certificate parser internal definitions + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _X509_PARSER_H +#define _X509_PARSER_H + +#include +#include +#include + +struct x509_certificate { + struct x509_certificate *next; + struct x509_certificate *signer; /* Certificate that signed this one */ + struct public_key *pub; /* Public key details */ + struct public_key_signature *sig; /* Signature parameters */ + char *issuer; /* Name of certificate issuer */ + char *subject; /* Name of certificate subject */ + struct asymmetric_key_id *id; /* Issuer + Serial number */ + struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ + time64_t valid_from; + time64_t valid_to; + const void *tbs; /* Signed data */ + unsigned tbs_size; /* Size of signed data */ + unsigned raw_sig_size; /* Size of sigature */ + const void *raw_sig; /* Signature data */ + const void *raw_serial; /* Raw serial number in ASN.1 */ + unsigned raw_serial_size; + unsigned raw_issuer_size; + const void *raw_issuer; /* Raw issuer name in ASN.1 */ + const void *raw_subject; /* Raw subject name in ASN.1 */ + unsigned raw_subject_size; + unsigned raw_skid_size; + const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ + unsigned index; + bool seen; /* Infinite recursion prevention */ + bool verified; + bool self_signed; /* T if self-signed (check unsupported_sig too) */ + bool unsupported_key; /* T if key uses unsupported crypto */ + bool unsupported_sig; /* T if signature uses unsupported crypto */ + bool blacklisted; +}; + +/* + * x509_cert_parser.c + */ +extern void x509_free_certificate(struct x509_certificate *cert); +extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); +extern int x509_decode_time(time64_t *_t, size_t hdrlen, + unsigned char tag, + const unsigned char *value, size_t vlen); + +/* + * x509_public_key.c + */ +extern int x509_get_sig_params(struct x509_certificate *cert); +extern int x509_check_for_self_signed(struct x509_certificate *cert); +#endif /* _X509_PARSER_H */ diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c index f5dda1179f..0ee207b6b1 100644 --- a/lib/crypto/pkcs7_parser.c +++ b/lib/crypto/pkcs7_parser.c @@ -20,7 +20,11 @@ #include #include #include +#ifdef __UBOOT__ +#include +#else #include "pkcs7_parser.h" +#endif #include "pkcs7.asn1.h" MODULE_DESCRIPTION("PKCS#7 parser"); diff --git a/lib/crypto/pkcs7_parser.h b/lib/crypto/pkcs7_parser.h deleted file mode 100644 index b8234da45a..0000000000 --- a/lib/crypto/pkcs7_parser.h +++ /dev/null @@ -1,69 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-or-later */ -/* PKCS#7 crypto data parser internal definitions - * - * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. - * Written by David Howells (dhowells@redhat.com) - */ - -#ifndef _PKCS7_PARSER_H -#define _PKCS7_PARSER_H - -#include -#include -#include "x509_parser.h" - -#define kenter(FMT, ...) \ - pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) -#define kleave(FMT, ...) \ - pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) - -struct pkcs7_signed_info { - struct pkcs7_signed_info *next; - struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ - unsigned index; - bool unsupported_crypto; /* T if not usable due to missing crypto */ - bool blacklisted; - - /* Message digest - the digest of the Content Data (or NULL) */ - const void *msgdigest; - unsigned msgdigest_len; - - /* Authenticated Attribute data (or NULL) */ - unsigned authattrs_len; - const void *authattrs; - unsigned long aa_set; -#define sinfo_has_content_type 0 -#define sinfo_has_signing_time 1 -#define sinfo_has_message_digest 2 -#define sinfo_has_smime_caps 3 -#define sinfo_has_ms_opus_info 4 -#define sinfo_has_ms_statement_type 5 - time64_t signing_time; - - /* Message signature. - * - * This contains the generated digest of _either_ the Content Data or - * the Authenticated Attributes [RFC2315 9.3]. If the latter, one of - * the attributes contains the digest of the the Content Data within - * it. - * - * THis also contains the issuing cert serial number and issuer's name - * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3]. - */ - struct public_key_signature *sig; -}; - -struct pkcs7_message { - struct x509_certificate *certs; /* Certificate list */ - struct x509_certificate *crl; /* Revocation list */ - struct pkcs7_signed_info *signed_infos; - u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */ - bool have_authattrs; /* T if have authattrs */ - - /* Content Data (or NULL) */ - enum OID data_type; /* Type of Data */ - size_t data_len; /* Length of Data */ - size_t data_hdrlen; /* Length of Data ASN.1 header */ - const void *data; /* Content Data (or 0) */ -}; -#endif /* _PKCS7_PARSER_H */ diff --git a/lib/crypto/x509_cert_parser.c b/lib/crypto/x509_cert_parser.c index 4e41cffd23..18f5407a07 100644 --- a/lib/crypto/x509_cert_parser.c +++ b/lib/crypto/x509_cert_parser.c @@ -18,7 +18,11 @@ #include #endif #include +#ifdef __UBOOT__ +#include +#else #include "x509_parser.h" +#endif #include "x509.asn1.h" #include "x509_akid.asn1.h" diff --git a/lib/crypto/x509_parser.h b/lib/crypto/x509_parser.h deleted file mode 100644 index 4cbdc1d661..0000000000 --- a/lib/crypto/x509_parser.h +++ /dev/null @@ -1,61 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-or-later */ -/* X.509 certificate parser internal definitions - * - * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. - * Written by David Howells (dhowells@redhat.com) - */ - -#ifndef _X509_PARSER_H -#define _X509_PARSER_H - -#include -#include -#include - -struct x509_certificate { - struct x509_certificate *next; - struct x509_certificate *signer; /* Certificate that signed this one */ - struct public_key *pub; /* Public key details */ - struct public_key_signature *sig; /* Signature parameters */ - char *issuer; /* Name of certificate issuer */ - char *subject; /* Name of certificate subject */ - struct asymmetric_key_id *id; /* Issuer + Serial number */ - struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ - time64_t valid_from; - time64_t valid_to; - const void *tbs; /* Signed data */ - unsigned tbs_size; /* Size of signed data */ - unsigned raw_sig_size; /* Size of sigature */ - const void *raw_sig; /* Signature data */ - const void *raw_serial; /* Raw serial number in ASN.1 */ - unsigned raw_serial_size; - unsigned raw_issuer_size; - const void *raw_issuer; /* Raw issuer name in ASN.1 */ - const void *raw_subject; /* Raw subject name in ASN.1 */ - unsigned raw_subject_size; - unsigned raw_skid_size; - const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ - unsigned index; - bool seen; /* Infinite recursion prevention */ - bool verified; - bool self_signed; /* T if self-signed (check unsupported_sig too) */ - bool unsupported_key; /* T if key uses unsupported crypto */ - bool unsupported_sig; /* T if signature uses unsupported crypto */ - bool blacklisted; -}; - -/* - * x509_cert_parser.c - */ -extern void x509_free_certificate(struct x509_certificate *cert); -extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); -extern int x509_decode_time(time64_t *_t, size_t hdrlen, - unsigned char tag, - const unsigned char *value, size_t vlen); - -/* - * x509_public_key.c - */ -extern int x509_get_sig_params(struct x509_certificate *cert); -extern int x509_check_for_self_signed(struct x509_certificate *cert); -#endif /* _X509_PARSER_H */ diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index 676c0df174..571af9a0ad 100644 --- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c @@ -16,15 +16,17 @@ #include #endif #include -#ifndef __UBOOT__ +#ifdef __UBOOT__ +#include +#else #include #include #include #include #include #include "asymmetric_keys.h" -#endif #include "x509_parser.h" +#endif /* * Set up the signature parameters in an X.509 certificate. This involves diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 6c270ce94f..5a9a6424cc 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -13,7 +13,7 @@ #include #include #include -#include "../lib/crypto/pkcs7_parser.h" +#include "crypto/pkcs7_parser.h" const efi_guid_t efi_global_variable_guid = EFI_GLOBAL_VARIABLE_GUID; const efi_guid_t efi_guid_device_path = EFI_DEVICE_PATH_PROTOCOL_GUID; diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 658e3547da..150ce41f36 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -10,11 +10,11 @@ #include #include #include +#include #include #include #include #include -#include "../lib/crypto/pkcs7_parser.h" const efi_guid_t efi_guid_image_security_database = EFI_IMAGE_SECURITY_DATABASE_GUID; diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 7df881a74b..0c6d1deb58 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -12,9 +12,9 @@ #include #include #include +#include #include #include -#include "../lib/crypto/pkcs7_parser.h" enum efi_secure_mode { EFI_MODE_SETUP, diff --git a/test/lib/asn1.c b/test/lib/asn1.c index d2b3f67e68..8661fdd306 100644 --- a/test/lib/asn1.c +++ b/test/lib/asn1.c @@ -13,10 +13,10 @@ #include #ifdef CONFIG_PKCS7_MESSAGE_PARSER -#include "../../lib/crypto/pkcs7_parser.h" +#include #else #ifdef CONFIG_X509_CERTIFICATE_PARSER -#include "../../lib/crypto/x509_parser.h" +#include #endif #endif -- cgit From 964d5326c91ab1fd891a26cbd7a1c98b7fc42014 Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 21 Apr 2020 09:38:57 +0900 Subject: efi_loader: fix unreachable statement in efi_sigstore_parse_siglist "if (left < esl->signature_size)" is not reachable in a while loop. But it is still valuable in case that a given signature database is somehow corrupted. So fix the while loop condition. Reported-by: Heinrich Schuchardt Signed-off-by: AKASHI Takahiro Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/efi_signature.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 150ce41f36..4ad818d5ee 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -667,7 +667,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl) esd = (struct efi_signature_data *) ((u8 *)esl + sizeof(*esl) + esl->signature_header_size); - while ((left > 0) && left >= esl->signature_size) { + while (left > 0) { /* Signature must exist if there is remaining data. */ if (left < esl->signature_size) { debug("Certificate is too small\n"); -- cgit From f0ff75f2491ba27c04bb1f94e502a2be8fc0e78e Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 21 Apr 2020 09:39:20 +0900 Subject: efi_loader: factor out the common code from efi_transfer_secure_state() efi_set_secure_stat() provides the common code for each stat transition caused by efi_transfer_secure_state(). Suggested-by: Heinrich Schuchardt Signed-off-by: AKASHI Takahiro Correct description of return value. Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/efi_variable.c | 194 ++++++++++++++---------------------------- 1 file changed, 64 insertions(+), 130 deletions(-) diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 0c6d1deb58..9a3f1f3d2e 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -176,6 +176,59 @@ static efi_status_t efi_set_variable_internal(u16 *variable_name, const void *data, bool ro_check); +/** + * efi_set_secure_state - modify secure boot state variables + * @sec_boot: value of SecureBoot + * @setup_mode: value of SetupMode + * @audit_mode: value of AuditMode + * @deployed_mode: value of DeployedMode + * + * Modify secure boot stat-related variables as indicated. + * + * Return: status code + */ +static efi_status_t efi_set_secure_state(int sec_boot, int setup_mode, + int audit_mode, int deployed_mode) +{ + u32 attributes; + efi_status_t ret; + + attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + READ_ONLY; + ret = efi_set_variable_internal(L"SecureBoot", + &efi_global_variable_guid, + attributes, + sizeof(sec_boot), &sec_boot, + false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_internal(L"SetupMode", + &efi_global_variable_guid, + attributes, + sizeof(setup_mode), &setup_mode, + false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_internal(L"AuditMode", + &efi_global_variable_guid, + attributes, + sizeof(audit_mode), &audit_mode, + false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_internal(L"DeployedMode", + &efi_global_variable_guid, + attributes, + sizeof(deployed_mode), &deployed_mode, + false); +err: + return ret; +} + /** * efi_transfer_secure_state - handle a secure boot state transition * @mode: new state @@ -188,157 +241,38 @@ static efi_status_t efi_set_variable_internal(u16 *variable_name, */ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) { - u32 attributes; - u8 val; efi_status_t ret; - debug("Secure state from %d to %d\n", efi_secure_mode, mode); + debug("Switching secure state from %d to %d\n", efi_secure_mode, mode); - attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS; if (mode == EFI_MODE_DEPLOYED) { - val = 1; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + ret = efi_set_secure_state(1, 0, 0, 1); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_AUDIT) { - ret = efi_set_variable_internal(L"PK", - &efi_global_variable_guid, - attributes, - 0, NULL, - false); + ret = efi_set_variable_internal( + L"PK", &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + 0, NULL, false); if (ret != EFI_SUCCESS) goto err; - val = 0; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + + ret = efi_set_secure_state(0, 1, 1, 0); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_USER) { - val = 1; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); + ret = efi_set_secure_state(1, 0, 0, 0); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_SETUP) { - val = 0; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + ret = efi_set_secure_state(0, 1, 0, 0); if (ret != EFI_SUCCESS) goto err; } else { -- cgit From 41fd506842c2d9385d940cffe8ceeb8456c29fc5 Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Mon, 27 Apr 2020 18:48:20 +0900 Subject: efi_loader: disk: add efi_disk_is_system_part() This function will check if a given handle to device is an EFI system partition. It will be utilised in implementing capsule-on-disk feature. Signed-off-by: AKASHI Takahiro Add function description. Return bool. Reviewed-off-by: Heinrich Schuchardt --- include/efi_loader.h | 2 ++ lib/efi_loader/efi_disk.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/include/efi_loader.h b/include/efi_loader.h index f92bfe57e6..0e924ad109 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -394,6 +394,8 @@ efi_status_t efi_disk_register(void); int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc, const char *if_typename, int diskid, const char *pdevname); +/* Check if it is EFI system partition */ +bool efi_disk_is_system_part(efi_handle_t handle); /* Called by bootefi to make GOP (graphical) interface available */ efi_status_t efi_gop_register(void); /* Called by bootefi to make the network interface available */ diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c index fd3df80b0b..0582e02158 100644 --- a/lib/efi_loader/efi_disk.c +++ b/lib/efi_loader/efi_disk.c @@ -588,3 +588,32 @@ efi_status_t efi_disk_register(void) return EFI_SUCCESS; } + +/** + * efi_disk_is_system_part() - check if handle refers to an EFI system partition + * + * @handle: handle of partition + * + * Return: true if handle refers to an EFI system partition + */ +bool efi_disk_is_system_part(efi_handle_t handle) +{ + struct efi_handler *handler; + struct efi_disk_obj *diskobj; + disk_partition_t info; + efi_status_t ret; + int r; + + /* check if this is a block device */ + ret = efi_search_protocol(handle, &efi_block_io_guid, &handler); + if (ret != EFI_SUCCESS) + return false; + + diskobj = container_of(handle, struct efi_disk_obj, header); + + r = part_get_info(diskobj->desc, diskobj->part, &info); + if (r) + return false; + + return !!(info.bootable & PART_EFI_SYSTEM_PARTITION); +} -- cgit From a30c72319cc1e486a680efe2d0c94d58f4957e85 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sat, 2 May 2020 16:08:37 +0200 Subject: cmd: efidebug: simplify UEFI protocol calls We should not to refer to a function via the run-time or boot services tables if the function is exported. Signed-off-by: Heinrich Schuchardt --- cmd/efidebug.c | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/cmd/efidebug.c b/cmd/efidebug.c index d4030fee64..d8a76d78a3 100644 --- a/cmd/efidebug.c +++ b/cmd/efidebug.c @@ -17,7 +17,6 @@ #include #define BS systab.boottime -#define RT systab.runtime /** * efi_get_device_handle_info() - get information of UEFI device @@ -69,7 +68,7 @@ static int do_efi_show_devices(cmd_tbl_t *cmdtp, int flag, u16 *dev_path_text; efi_status_t ret; - ret = EFI_CALL(BS->locate_handle_buffer(ALL_HANDLES, NULL, NULL, + ret = EFI_CALL(efi_locate_handle_buffer(ALL_HANDLES, NULL, NULL, &num, &handles)); if (ret != EFI_SUCCESS) return CMD_RET_FAILURE; @@ -86,7 +85,7 @@ static int do_efi_show_devices(cmd_tbl_t *cmdtp, int flag, } } - EFI_CALL(BS->free_pool(handles)); + efi_free_pool(handles); return CMD_RET_SUCCESS; } @@ -148,7 +147,7 @@ static int do_efi_show_drivers(cmd_tbl_t *cmdtp, int flag, u16 *driver_name, *image_path_text; efi_status_t ret; - ret = EFI_CALL(BS->locate_handle_buffer( + ret = EFI_CALL(efi_locate_handle_buffer( BY_PROTOCOL, &efi_guid_driver_binding_protocol, NULL, &num, &handles)); if (ret != EFI_SUCCESS) @@ -170,12 +169,12 @@ static int do_efi_show_drivers(cmd_tbl_t *cmdtp, int flag, else printf("%p %-20ls \n", handles[i], driver_name); - EFI_CALL(BS->free_pool(driver_name)); - EFI_CALL(BS->free_pool(image_path_text)); + efi_free_pool(driver_name); + efi_free_pool(image_path_text); } } - EFI_CALL(BS->free_pool(handles)); + efi_free_pool(handles); return CMD_RET_SUCCESS; } @@ -321,7 +320,7 @@ static int do_efi_show_handles(cmd_tbl_t *cmdtp, int flag, const char *guid_text; efi_status_t ret; - ret = EFI_CALL(BS->locate_handle_buffer(ALL_HANDLES, NULL, NULL, + ret = EFI_CALL(efi_locate_handle_buffer(ALL_HANDLES, NULL, NULL, &num, &handles)); if (ret != EFI_SUCCESS) return CMD_RET_FAILURE; @@ -355,7 +354,7 @@ static int do_efi_show_handles(cmd_tbl_t *cmdtp, int flag, putc('\n'); } - EFI_CALL(BS->free_pool(handles)); + efi_free_pool(handles); return CMD_RET_SUCCESS; } @@ -463,18 +462,17 @@ static int do_efi_show_memmap(cmd_tbl_t *cmdtp, int flag, int i; efi_status_t ret; - ret = EFI_CALL(BS->get_memory_map(&map_size, memmap, NULL, NULL, NULL)); + ret = efi_get_memory_map(&map_size, memmap, NULL, NULL, NULL); if (ret == EFI_BUFFER_TOO_SMALL) { map_size += sizeof(struct efi_mem_desc); /* for my own */ - ret = EFI_CALL(BS->allocate_pool(EFI_LOADER_DATA, - map_size, (void *)&memmap)); + ret = efi_allocate_pool(EFI_LOADER_DATA, map_size, + (void *)&memmap); if (ret != EFI_SUCCESS) return CMD_RET_FAILURE; - ret = EFI_CALL(BS->get_memory_map(&map_size, memmap, - NULL, NULL, NULL)); + ret = efi_get_memory_map(&map_size, memmap, NULL, NULL, NULL); } if (ret != EFI_SUCCESS) { - EFI_CALL(BS->free_pool(memmap)); + efi_free_pool(memmap); return CMD_RET_FAILURE; } @@ -501,7 +499,7 @@ static int do_efi_show_memmap(cmd_tbl_t *cmdtp, int flag, putc('\n'); } - EFI_CALL(BS->free_pool(memmap)); + efi_free_pool(memmap); return CMD_RET_SUCCESS; } @@ -615,7 +613,7 @@ static int do_efi_boot_add(cmd_tbl_t *cmdtp, int flag, goto out; } - ret = EFI_CALL(RT->set_variable(var_name16, &guid, + ret = EFI_CALL(efi_set_variable(var_name16, &guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, @@ -670,7 +668,7 @@ static int do_efi_boot_rm(cmd_tbl_t *cmdtp, int flag, p = var_name16; utf8_utf16_strncpy(&p, var_name, 9); - ret = EFI_CALL(RT->set_variable(var_name16, &guid, 0, 0, NULL)); + ret = EFI_CALL(efi_set_variable(var_name16, &guid, 0, 0, NULL)); if (ret) { printf("Cannot remove %ls\n", var_name16); return CMD_RET_FAILURE; @@ -864,7 +862,7 @@ static int show_efi_boot_order(void) efi_status_t ret; size = 0; - ret = EFI_CALL(RT->get_variable(L"BootOrder", &efi_global_variable_guid, + ret = EFI_CALL(efi_get_variable(L"BootOrder", &efi_global_variable_guid, NULL, &size, NULL)); if (ret != EFI_BUFFER_TOO_SMALL) { if (ret == EFI_NOT_FOUND) { @@ -975,7 +973,7 @@ static int do_efi_boot_next(cmd_tbl_t *cmdtp, int flag, guid = efi_global_variable_guid; size = sizeof(u16); - ret = EFI_CALL(RT->set_variable(L"BootNext", &guid, + ret = EFI_CALL(efi_set_variable(L"BootNext", &guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, @@ -1036,7 +1034,7 @@ static int do_efi_boot_order(cmd_tbl_t *cmdtp, int flag, } guid = efi_global_variable_guid; - ret = EFI_CALL(RT->set_variable(L"BootOrder", &guid, + ret = EFI_CALL(efi_set_variable(L"BootOrder", &guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, -- cgit From c08cac0edc17f0d3c74425e5d41efa3c92686322 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sat, 18 Apr 2020 12:31:17 +0200 Subject: efi_loader: eliminate efi_get_(non)volatile_variable Eliminate superfluous functions efi_get_volatile_variable() and efi_get_nonvolatile_variable(). Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_variable.c | 32 +++----------------------------- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 9a3f1f3d2e..ceb6b17b00 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -600,8 +600,7 @@ static efi_status_t EFIAPI efi_get_variable_common(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, - efi_uintn_t *data_size, void *data, - bool is_non_volatile) + efi_uintn_t *data_size, void *data) { char *native_name; efi_status_t ret; @@ -684,27 +683,6 @@ out: return ret; } -static -efi_status_t EFIAPI efi_get_volatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 *attributes, - efi_uintn_t *data_size, - void *data) -{ - return efi_get_variable_common(variable_name, vendor, attributes, - data_size, data, false); -} - -efi_status_t EFIAPI efi_get_nonvolatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 *attributes, - efi_uintn_t *data_size, - void *data) -{ - return efi_get_variable_common(variable_name, vendor, attributes, - data_size, data, true); -} - /** * efi_efi_get_variable() - retrieve value of a UEFI variable * @@ -729,12 +707,8 @@ efi_status_t EFIAPI efi_get_variable(u16 *variable_name, EFI_ENTRY("\"%ls\" %pUl %p %p %p", variable_name, vendor, attributes, data_size, data); - ret = efi_get_volatile_variable(variable_name, vendor, attributes, - data_size, data); - if (ret == EFI_NOT_FOUND) - ret = efi_get_nonvolatile_variable(variable_name, vendor, - attributes, data_size, data); - + ret = efi_get_variable_common(variable_name, vendor, attributes, + data_size, data); return EFI_EXIT(ret); } -- cgit From bb0e585c71e724d26eaeede7fdaaaa46ed26f930 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sun, 3 May 2020 10:02:20 +0200 Subject: efi_loader: eliminate efi_set_(non)volatile_variable Eliminate superfluous functions efi_set_volatile_variable() and efi_set_nonvolatile_variable(). Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_variable.c | 141 +++++++++++------------------------------- 1 file changed, 37 insertions(+), 104 deletions(-) diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index ceb6b17b00..b9c2e4ebf6 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -169,12 +169,12 @@ static const char *parse_attr(const char *str, u32 *attrp, u64 *timep) return str; } -static efi_status_t efi_set_variable_internal(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check); +static efi_status_t efi_set_variable_common(u16 *variable_name, + const efi_guid_t *vendor, + u32 attributes, + efi_uintn_t data_size, + const void *data, + bool ro_check); /** * efi_set_secure_state - modify secure boot state variables @@ -196,35 +196,28 @@ static efi_status_t efi_set_secure_state(int sec_boot, int setup_mode, attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | READ_ONLY; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes, - sizeof(sec_boot), &sec_boot, - false); + ret = efi_set_variable_common(L"SecureBoot", &efi_global_variable_guid, + attributes, sizeof(sec_boot), &sec_boot, + false); if (ret != EFI_SUCCESS) goto err; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes, - sizeof(setup_mode), &setup_mode, - false); + ret = efi_set_variable_common(L"SetupMode", &efi_global_variable_guid, + attributes, sizeof(setup_mode), + &setup_mode, false); if (ret != EFI_SUCCESS) goto err; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes, - sizeof(audit_mode), &audit_mode, - false); + ret = efi_set_variable_common(L"AuditMode", &efi_global_variable_guid, + attributes, sizeof(audit_mode), + &audit_mode, false); if (ret != EFI_SUCCESS) goto err; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes, - sizeof(deployed_mode), &deployed_mode, - false); + ret = efi_set_variable_common(L"DeployedMode", + &efi_global_variable_guid, attributes, + sizeof(deployed_mode), &deployed_mode, + false); err: return ret; } @@ -234,7 +227,7 @@ err: * @mode: new state * * Depending on @mode, secure boot related variables are updated. - * Those variables are *read-only* for users, efi_set_variable_internal() + * Those variables are *read-only* for users, efi_set_variable_common() * is called here. * * Return: EFI_SUCCESS on success, status code (negative) on error @@ -252,11 +245,10 @@ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) efi_secure_boot = true; } else if (mode == EFI_MODE_AUDIT) { - ret = efi_set_variable_internal( - L"PK", &efi_global_variable_guid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS, - 0, NULL, false); + ret = efi_set_variable_common(L"PK", &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + 0, NULL, false); if (ret != EFI_SUCCESS) goto err; @@ -326,14 +318,13 @@ static efi_status_t efi_init_secure_state(void) ret = efi_transfer_secure_state(mode); if (ret == EFI_SUCCESS) - ret = efi_set_variable_internal(L"VendorKeys", - &efi_global_variable_guid, - EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_RUNTIME_ACCESS - | READ_ONLY, - sizeof(efi_vendor_keys), - &efi_vendor_keys, - false); + ret = efi_set_variable_common(L"VendorKeys", + &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + READ_ONLY, + sizeof(efi_vendor_keys), + &efi_vendor_keys, false); err: return ret; @@ -872,14 +863,12 @@ efi_status_t EFIAPI efi_get_next_variable_name(efi_uintn_t *variable_name_size, return EFI_EXIT(ret); } -static -efi_status_t EFIAPI efi_set_variable_common(u16 *variable_name, +static efi_status_t efi_set_variable_common(u16 *variable_name, const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, - bool ro_check, - bool is_non_volatile) + bool ro_check) { char *native_name = NULL, *old_data = NULL, *val = NULL, *s; efi_uintn_t old_size; @@ -906,14 +895,6 @@ efi_status_t EFIAPI efi_set_variable_common(u16 *variable_name, attr = 0; ret = EFI_CALL(efi_get_variable(variable_name, vendor, &attr, &old_size, NULL)); - if (ret == EFI_BUFFER_TOO_SMALL) { - if ((is_non_volatile && !(attr & EFI_VARIABLE_NON_VOLATILE)) || - (!is_non_volatile && (attr & EFI_VARIABLE_NON_VOLATILE))) { - ret = EFI_INVALID_PARAMETER; - goto err; - } - } - append = !!(attributes & EFI_VARIABLE_APPEND_WRITE); attributes &= ~(u32)EFI_VARIABLE_APPEND_WRITE; delete = !append && (!data_size || !attributes); @@ -1087,7 +1068,7 @@ out: /* update VendorKeys */ if (vendor_keys_modified & efi_vendor_keys) { efi_vendor_keys = 0; - ret = efi_set_variable_internal( + ret = efi_set_variable_common( L"VendorKeys", &efi_global_variable_guid, EFI_VARIABLE_BOOTSERVICE_ACCESS @@ -1109,54 +1090,6 @@ err: return ret; } -static -efi_status_t EFIAPI efi_set_volatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check) -{ - return efi_set_variable_common(variable_name, vendor, attributes, - data_size, data, ro_check, false); -} - -efi_status_t EFIAPI efi_set_nonvolatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check) -{ - efi_status_t ret; - - ret = efi_set_variable_common(variable_name, vendor, attributes, - data_size, data, ro_check, true); - - return ret; -} - -static efi_status_t efi_set_variable_internal(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check) -{ - efi_status_t ret; - - if (attributes & EFI_VARIABLE_NON_VOLATILE) - ret = efi_set_nonvolatile_variable(variable_name, vendor, - attributes, - data_size, data, ro_check); - else - ret = efi_set_volatile_variable(variable_name, vendor, - attributes, data_size, data, - ro_check); - - return ret; -} - /** * efi_set_variable() - set value of a UEFI variable * @@ -1182,9 +1115,9 @@ efi_status_t EFIAPI efi_set_variable(u16 *variable_name, /* READ_ONLY bit is not part of API */ attributes &= ~(u32)READ_ONLY; - return EFI_EXIT(efi_set_variable_internal(variable_name, vendor, - attributes, data_size, data, - true)); + return EFI_EXIT(efi_set_variable_common(variable_name, vendor, + attributes, data_size, data, + true)); } /** -- cgit From 30f92ce9d5e895336f73cc1132a7fdc42e378353 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sun, 3 May 2020 16:29:00 +0200 Subject: efi_loader: correct comments for efi_status_t EFI_STATUS is unsigned (UINTN). Hence it cannot be negative. Correct comments for 'Return:'. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_setup.c | 2 +- lib/efi_loader/efi_signature.c | 2 +- lib/efi_loader/efi_variable.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index 1b648c8467..65739aca49 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -86,7 +86,7 @@ out: /** * efi_init_secure_boot - initialize secure boot state * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_init_secure_boot(void) { diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 4ad818d5ee..adcb8c9cca 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -528,7 +528,7 @@ out: * pointed to by @regs. If @nocheck is false, overlapping among entries * will be checked first. * - * Return: 0 on success, status code (negative) on error + * Return: status code */ efi_status_t efi_image_region_add(struct efi_image_regions *regs, const void *start, const void *end, diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index b9c2e4ebf6..58f8fae358 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -230,7 +230,7 @@ err: * Those variables are *read-only* for users, efi_set_variable_common() * is called here. * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) { @@ -284,7 +284,7 @@ err: /** * efi_init_secure_state - initialize secure boot state * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_init_secure_state(void) { @@ -438,7 +438,7 @@ out: * attributes and signed time will also be returned in @env_attr and @time, * respectively. * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_variable_authenticate(u16 *variable, const efi_guid_t *vendor, -- cgit From 5827c2545849441dd60467565aac11964259972f Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Mon, 4 May 2020 12:21:51 +0200 Subject: test: stabilize test_efi_secboot When setting up the console via function efi_console_register() we call query_console_serial(). This functions sends an escape sequence to the terminal to query the display size. The response is another escape sequence. console.run_command_list() is looking for a regular expression '^==>'. If the escape sequence for the screen size precedes the prompt without a line break, no match is found. When efi_disk_register() is called before efi_console_register() this leads to a test failuere of the UEFI secure boot tests. We can avoid the problem if the first UEFI command passed to u_boot_console.run_command_list() produces output. This patch achieves this by appending '; echo' to the first UEFI related command of the problematic tests. Signed-off-by: Heinrich Schuchardt --- test/py/tests/test_efi_secboot/test_authvar.py | 8 ++++---- test/py/tests/test_efi_secboot/test_signed.py | 4 ++-- test/py/tests/test_efi_secboot/test_unsigned.py | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index 55dcaa95f1..9912694a3e 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py @@ -133,7 +133,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', @@ -174,7 +174,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', @@ -215,7 +215,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', @@ -249,7 +249,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 584282b338..fc722ab506 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -29,7 +29,7 @@ class TestEfiSignedImage(object): # Test Case 1a, run signed image if no db/dbx output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', + 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""; echo', 'efidebug boot next 1', 'bootefi bootmgr']) assert(re.search('Hello, world!', ''.join(output))) @@ -81,7 +81,7 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index 22d849afb8..a4af845c51 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py @@ -30,7 +30,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK; echo', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not re.search('Failed to set EFI variable', ''.join(output))) @@ -58,7 +58,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', @@ -82,7 +82,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', -- cgit From 16ad946f41d3dc3e475d8313f4acbba0df527a2a Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Thu, 19 Mar 2020 18:21:58 +0000 Subject: efi_loader: change setup sequence If we want to restore variables from disk, we need to initialize block devices before variables. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_setup.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index 65739aca49..26a7423203 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -135,6 +135,11 @@ efi_status_t efi_init_obj_list(void) /* On ARM switch from EL3 or secure mode to EL2 or non-secure mode */ switch_to_non_secure_mode(); +#ifdef CONFIG_PARTITIONS + ret = efi_disk_register(); + if (ret != EFI_SUCCESS) + goto out; +#endif /* Initialize variable services */ ret = efi_init_variables(); if (ret != EFI_SUCCESS) @@ -183,11 +188,6 @@ efi_status_t efi_init_obj_list(void) ret = efi_console_register(); if (ret != EFI_SUCCESS) goto out; -#ifdef CONFIG_PARTITIONS - ret = efi_disk_register(); - if (ret != EFI_SUCCESS) - goto out; -#endif #if defined(CONFIG_LCD) || defined(CONFIG_DM_VIDEO) ret = efi_gop_register(); if (ret != EFI_SUCCESS) -- cgit