Merge tag 'efi-2021-07-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2021-07-rc3
Documentation:
* add a man-page for the size command
* add man-page for extension command to index
Bug fixes:
* avoid build failure due to missing SHA512 hardware acceleration
* correct error handling in TCG2 protocol
* don't let user disable capsule authentication
* correct reading directories via UEFI API
diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c
index 5cb461d..6b8a870 100644
--- a/board/emulation/common/qemu_capsule.c
+++ b/board/emulation/common/qemu_capsule.c
@@ -41,9 +41,3 @@
return 0;
}
-
-bool efi_capsule_auth_enabled(void)
-{
- return env_get("capsule_authentication_enabled") != NULL ?
- true : false;
-}
diff --git a/common/Kconfig.boot b/common/Kconfig.boot
index 5a18d62..5660822 100644
--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@@ -80,6 +80,7 @@
select RSA_VERIFY
select IMAGE_SIGN_INFO
select FIT_FULL_CHECK
+ select HASH_CALCULATE
help
This option enables signature verification of FIT uImages,
using a hash signed and verified using RSA. If
diff --git a/common/hash.c b/common/hash.c
index 10dff7d..90cf46b 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -260,12 +260,12 @@
.name = "sha384",
.digest_size = SHA384_SUM_LEN,
.chunk_size = CHUNKSZ_SHA384,
-#ifdef CONFIG_SHA_HW_ACCEL
+#ifdef CONFIG_SHA512_HW_ACCEL
.hash_func_ws = hw_sha384,
#else
.hash_func_ws = sha384_csum_wd,
#endif
-#ifdef CONFIG_SHA_PROG_HW_ACCEL
+#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
.hash_init = hw_sha_init,
.hash_update = hw_sha_update,
.hash_finish = hw_sha_finish,
@@ -281,12 +281,12 @@
.name = "sha512",
.digest_size = SHA512_SUM_LEN,
.chunk_size = CHUNKSZ_SHA512,
-#ifdef CONFIG_SHA_HW_ACCEL
+#ifdef CONFIG_SHA512_HW_ACCEL
.hash_func_ws = hw_sha512,
#else
.hash_func_ws = sha512_csum_wd,
#endif
-#ifdef CONFIG_SHA_PROG_HW_ACCEL
+#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
.hash_init = hw_sha_init,
.hash_update = hw_sha_update,
.hash_finish = hw_sha_finish,
diff --git a/doc/usage/index.rst b/doc/usage/index.rst
index 528b3c7..c1f9b6a 100644
--- a/doc/usage/index.rst
+++ b/doc/usage/index.rst
@@ -26,6 +26,7 @@
conitrace
echo
exception
+ extension
exit
false
fatinfo
@@ -38,6 +39,7 @@
pstore
qfw
sbi
+ size
true
scp03
reset
diff --git a/doc/usage/size.rst b/doc/usage/size.rst
new file mode 100644
index 0000000..f0c35e4
--- /dev/null
+++ b/doc/usage/size.rst
@@ -0,0 +1,40 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+size command
+============
+
+Synopsis
+--------
+
+::
+
+ size <interface> <dev[:part]> <filename>
+
+Description
+-----------
+
+The size command determines the size of a file and sets the environment variable
+filesize to this value. If filename points to a directory, the value is set to
+zero.
+
+If the command fails, the filesize environment variable is not changed.
+
+dev
+ device number
+
+part
+ partition number, defaults to 1
+
+filename
+ path to file
+
+Configuration
+-------------
+
+The size command is only available if CONFIG_CMD_FS_GENERIC=y.
+
+Return value
+------------
+
+The return value $? is set to 0 (true) if the command succeded and to 1 (false)
+otherwise.
diff --git a/lib/Kconfig b/lib/Kconfig
index 6d2d41d..b057b9d 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -389,21 +389,32 @@
(digest).
config SHA_HW_ACCEL
- bool "Enable hashing using hardware"
+ bool "Enable hardware acceleration for SHA hash functions"
help
- This option enables hardware acceleration for SHA hashing.
- This affects the 'hash' command and also the hash_lookup_algo()
- function.
+ This option enables hardware acceleration for the SHA1 and SHA256
+ hashing algorithms. This affects the 'hash' command and also the
+ hash_lookup_algo() function.
+
+if SHA_HW_ACCEL
+
+config SHA512_HW_ACCEL
+ bool "Enable hardware acceleration for SHA512"
+ depends on SHA512_ALGO
+ help
+ This option enables hardware acceleration for the SHA384 and SHA512
+ hashing algorithms. This affects the 'hash' command and also the
+ hash_lookup_algo() function.
config SHA_PROG_HW_ACCEL
bool "Enable Progressive hashing support using hardware"
- depends on SHA_HW_ACCEL
help
This option enables hardware-acceleration for SHA progressive
hashing.
Data can be streamed in a block at a time and the hashing is
performed in hardware.
+endif
+
config MD5
bool "Support MD5 algorithm"
help
@@ -428,6 +439,9 @@
config XXHASH
bool
+config HASH_CALCULATE
+ bool
+
endmenu
menu "Compression Support"
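Review bot: The new hidden symbol `HASH_CALCULATE` has no help text or comment, so its definition does not say what it builds or which options are expected to select it. Going by the rest of this diff, it gates `hash-checksum.o` in lib/Makefile and is selected by the FIT signature option and by two lib/efi_loader options (capsule authentication and secure boot, judging by their help text). A short help entry would record that, for example `Builds hash-checksum.o; selected by options that verify signatures, not meant to be set directly.`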
diff --git a/lib/Makefile b/lib/Makefile
index 6825671..0835ea2 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -61,7 +61,7 @@
obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
obj-$(CONFIG_$(SPL_)MD5) += md5.o
obj-$(CONFIG_$(SPL_)RSA) += rsa/
-obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
+obj-$(CONFIG_HASH_CALCULATE) += hash-checksum.o
obj-$(CONFIG_SHA1) += sha1.o
obj-$(CONFIG_SHA256) += sha256.o
obj-$(CONFIG_SHA512_ALGO) += sha512.o
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 0b99d7c..eb5c4d6 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -174,6 +174,7 @@
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
select IMAGE_SIGN_INFO
+ select HASH_CALCULATE
default n
help
Select this option if you want to enable capsule
@@ -300,7 +301,13 @@
config EFI_TCG2_PROTOCOL
bool "EFI_TCG2_PROTOCOL support"
+ default y
depends on TPM_V2
+ select SHA1
+ select SHA256
+ select SHA512_ALGO
+ select SHA384
+ select SHA512
help
Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
of the platform.
@@ -336,6 +343,7 @@
select X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
+ select HASH_CALCULATE
default n
help
Select this option to enable EFI secure boot support.
diff --git a/lib/efi_loader/efi_file.c b/lib/efi_loader/efi_file.c
index 204105e..6b3f596 100644
--- a/lib/efi_loader/efi_file.c
+++ b/lib/efi_loader/efi_file.c
@@ -554,7 +554,7 @@
efi_status_t ret = EFI_SUCCESS;
u64 bs;
- if (!this || !buffer_size || !buffer)
+ if (!this || !buffer_size)
return EFI_INVALID_PARAMETER;
bs = *buffer_size;
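Review bot: Dropping `!buffer` from the guard lets a NULL `buffer` through together with a non-zero `*buffer_size`, not only in the zero-size query case this change presumably targets. The rest of the function is outside the hunk, so it is not visible whether the regular-file read path rejects a NULL buffer before anything is written through it. If it does not, the guard could stay precise with `if (!this || !buffer_size || (*buffer_size && !buffer))`, or the file branch could return EFI_INVALID_PARAMETER itself.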
diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c
index 7a3cca2..a1b88db 100644
--- a/lib/efi_loader/efi_firmware.c
+++ b/lib/efi_loader/efi_firmware.c
@@ -190,7 +190,7 @@
IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
/* Check if the capsule authentication is enabled */
- if (env_get("capsule_authentication_enabled"))
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE))
image_info[0].attributes_setting |=
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
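Review bot: The comment above this condition still reads "Check if the capsule authentication is enabled", which no longer tells a reader that the decision is fixed at build time. I would reword it to `/* Authentication is required whenever CONFIG_EFI_CAPSULE_AUTHENTICATE is built in; there is no runtime switch */`. The comment in the next hunk of this file ("Authenticate the capsule if authentication enabled") needs the same change. Both enclosing functions start and end outside the hunks.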
@@ -421,8 +421,7 @@
return EFI_EXIT(EFI_INVALID_PARAMETER);
/* Authenticate the capsule if authentication enabled */
- if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
- env_get("capsule_authentication_enabled")) {
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) {
capsule_payload = NULL;
capsule_payload_size = 0;
status = efi_capsule_authenticate(image, image_size,
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 94e8f22..39ef250 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -771,8 +771,8 @@
pcr_index = efi_tcg_event->header.pcr_index;
event_type = efi_tcg_event->header.event_type;
- ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
- &digest_list);
+ ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash,
+ data_to_hash_len, &digest_list);
if (ret != EFI_SUCCESS)
goto out;
@@ -999,6 +999,11 @@
event_log.final_pos = sizeof(*final_event);
ret = efi_install_configuration_table(&efi_guid_final_events,
final_event);
+ if (ret != EFI_SUCCESS) {
+ efi_free_pool(event_log.final_buffer);
+ event_log.final_buffer = NULL;
+ }
+
out:
return ret;
}
@@ -1047,18 +1052,21 @@
ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
&spec_event_size);
if (ret != EFI_SUCCESS)
- goto out;
+ goto free_pool;
put_unaligned_le32(spec_event_size, &event_header->event_size);
event_log.pos = spec_event_size + sizeof(*event_header);
event_log.last_event_size = event_log.pos;
ret = create_final_event();
if (ret != EFI_SUCCESS)
- goto out;
+ goto free_pool;
- return EFI_SUCCESS;
out:
- tcg2_uninit();
+ return ret;
+
+free_pool:
+ efi_free_pool(event_log.buffer);
+ event_log.buffer = NULL;
return ret;
}
@@ -1107,8 +1115,7 @@
ret = platform_get_tpm2_device(&dev);
if (ret != EFI_SUCCESS) {
log_warning("Unable to find TPMv2 device\n");
- ret = EFI_SUCCESS;
- goto out;
+ return EFI_SUCCESS;
}
ret = efi_init_event_log();
@@ -1116,19 +1123,29 @@
goto fail;
ret = efi_append_scrtm_version(dev);
- if (ret != EFI_SUCCESS)
- goto out;
+ if (ret != EFI_SUCCESS) {
+ tcg2_uninit();
+ goto fail;
+ }
ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
(void *)&efi_tcg2_protocol);
if (ret != EFI_SUCCESS) {
- log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+ tcg2_uninit();
goto fail;
}
+ return ret;
-out:
- return ret;
fail:
- tcg2_uninit();
- return ret;
+ log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+ /*
+ * Return EFI_SUCCESS and don't stop the EFI subsystem.
+ * That's done for 2 reasons
+ * - If the protocol is not installed the PCRs won't be extended. So
+ * someone later in the boot flow will notice that and take the
+ * necessary actions.
+ * - The TPM sandbox is limited and we won't be able to run any efi
+ * related tests with TCG2 enabled
+ */
+ return EFI_SUCCESS;
}
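Review bot: The `fail:` path now returns EFI_SUCCESS and prints the same "Cannot install EFI_TCG2_PROTOCOL" message whether `efi_init_event_log()`, `efi_append_scrtm_version()` or `efi_add_protocol()` failed, so the status in `ret` is lost. The added comment relies on a later boot stage noticing that the PCRs were not extended, which makes this log line the only local record of why measurement is off. Printing the status would keep the three cases distinguishable, for example `log_err("Cannot install EFI_TCG2_PROTOCOL (ret = 0x%lx)\n", (unsigned long)ret);`. The start of the function is outside this hunk.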