Merge tag 'efi-2021-07-rc4' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request for efi-2021-07-rc4

Documentation:

* correct mmc man-page

Bug fixes:

* reduce code size of efidebug command
* remove 31 character limit for file paths in efidebug command
* fix build warning in the TCG2 protocol implementation
diff --git a/cmd/efidebug.c b/cmd/efidebug.c
index 0bf7b88..c635271 100644
--- a/cmd/efidebug.c
+++ b/cmd/efidebug.c
@@ -12,6 +12,7 @@
 #include <efi_load_initrd.h>
 #include <efi_loader.h>
 #include <efi_rng.h>
+#include <efi_variable.h>
 #include <exports.h>
 #include <hexdump.h>
 #include <log.h>
@@ -227,8 +228,7 @@
 {
 	int capsule_id;
 	char *endp;
-	char var_name[12];
-	u16 var_name16[12], *p;
+	u16 var_name16[12];
 	efi_guid_t guid;
 	struct efi_capsule_result_variable_header *result = NULL;
 	efi_uintn_t size;
@@ -240,8 +240,9 @@
 	guid = efi_guid_capsule_report;
 	if (argc == 1) {
 		size = sizeof(var_name16);
-		ret = EFI_CALL(RT->get_variable(L"CapsuleLast", &guid, NULL,
-						&size, var_name16));
+		ret = efi_get_variable_int(L"CapsuleLast", &guid, NULL,
+					   &size, var_name16, NULL);
+
 		if (ret != EFI_SUCCESS) {
 			if (ret == EFI_NOT_FOUND)
 				printf("CapsuleLast doesn't exist\n");
@@ -259,19 +260,18 @@
 		if (capsule_id < 0 || capsule_id > 0xffff)
 			return CMD_RET_USAGE;
 
-		sprintf(var_name, "Capsule%04X", capsule_id);
-		p = var_name16;
-		utf8_utf16_strncpy(&p, var_name, 9);
+		efi_create_indexed_name(var_name16, sizeof(var_name16),
+					"Capsule", capsule_id);
 	}
 
 	size = 0;
-	ret = EFI_CALL(RT->get_variable(var_name16, &guid, NULL, &size, NULL));
+	ret = efi_get_variable_int(var_name16, &guid, NULL, &size, NULL, NULL);
 	if (ret == EFI_BUFFER_TOO_SMALL) {
 		result = malloc(size);
 		if (!result)
 			return CMD_RET_FAILURE;
-		ret = EFI_CALL(RT->get_variable(var_name16, &guid, NULL, &size,
-						result));
+		ret = efi_get_variable_int(var_name16, &guid, NULL, &size,
+					   result, NULL);
 	}
 	if (ret != EFI_SUCCESS) {
 		free(result);
@@ -954,8 +954,7 @@
 {
 	int id;
 	char *endp;
-	char var_name[9];
-	u16 var_name16[9], *p;
+	u16 var_name16[9];
 	efi_guid_t guid;
 	size_t label_len, label_len16;
 	u16 *label;
@@ -988,9 +987,8 @@
 			if (*endp != '\0' || id > 0xffff)
 				return CMD_RET_USAGE;
 
-			sprintf(var_name, "Boot%04X", id);
-			p = var_name16;
-			utf8_utf16_strncpy(&p, var_name, 9);
+			efi_create_indexed_name(var_name16, sizeof(var_name16),
+						"Boot", id);
 
 			/* label */
 			label_len = strlen(argv[2]);
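Review bot: `id` is a signed `int` and the context check just above the new call only rejects `id > 0xffff`, so a negative value would still reach `efi_create_indexed_name(var_name16, sizeof(var_name16), "Boot", id)`. The capsule path in this same file tests `capsule_id < 0 || capsule_id > 0xffff`. Whether `id` can actually be negative depends on the parsing call, which is outside the hunk, but mirroring the capsule check costs nothing: `if (*endp != '\0' || id < 0 || id > 0xffff)`. The same pattern appears in the boot-option removal hunk further down, and the enclosing function starts and ends outside this hunk.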
@@ -1066,11 +1064,11 @@
 		goto out;
 	}
 
-	ret = EFI_CALL(efi_set_variable(var_name16, &guid,
-					EFI_VARIABLE_NON_VOLATILE |
-					EFI_VARIABLE_BOOTSERVICE_ACCESS |
-					EFI_VARIABLE_RUNTIME_ACCESS,
-					size, data));
+	ret = efi_set_variable_int(var_name16, &guid,
+				   EFI_VARIABLE_NON_VOLATILE |
+				   EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				   EFI_VARIABLE_RUNTIME_ACCESS,
+				   size, data, false);
 	if (ret != EFI_SUCCESS) {
 		printf("Cannot set %ls\n", var_name16);
 		r = CMD_RET_FAILURE;
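Review bot: The last argument to `efi_set_variable_int()` is `false` here, in the `Boot####` removal hunk and in the `BootNext` hunk, but `true` in the `BootOrder` hunk, and nothing in the change explains the difference. If that argument is the read-only check flag, passing `false` skips a check that the replaced `EFI_CALL(efi_set_variable(...))` path presumably enforced, which matters for a command that writes boot variables. Either pass `true` at all four call sites or put a comment such as `/* ro_check = false: <reason> */` next to each exception. The enclosing function starts and ends outside the hunk.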
@@ -1107,8 +1105,7 @@
 	efi_guid_t guid;
 	int id, i;
 	char *endp;
-	char var_name[9];
-	u16 var_name16[9], *p;
+	u16 var_name16[9];
 	efi_status_t ret;
 
 	if (argc == 1)
@@ -1120,11 +1117,10 @@
 		if (*endp != '\0' || id > 0xffff)
 			return CMD_RET_FAILURE;
 
-		sprintf(var_name, "Boot%04X", id);
-		p = var_name16;
-		utf8_utf16_strncpy(&p, var_name, 9);
-
-		ret = EFI_CALL(efi_set_variable(var_name16, &guid, 0, 0, NULL));
+		efi_create_indexed_name(var_name16, sizeof(var_name16),
+					"Boot", id);
+		ret = efi_set_variable_int(var_name16, &guid, 0, 0, NULL,
+					   false);
 		if (ret) {
 			printf("Cannot remove %ls\n", var_name16);
 			return CMD_RET_FAILURE;
@@ -1147,8 +1143,6 @@
 {
 	struct efi_device_path *initrd_path = NULL;
 	struct efi_load_option lo;
-	char *label, *p;
-	size_t label_len16, label_len;
 	u16 *dp_str;
 	efi_status_t ret;
 	efi_uintn_t initrd_dp_size;
@@ -1160,14 +1154,6 @@
 		return;
 	}
 
-	label_len16 = u16_strlen(lo.label);
-	label_len = utf16_utf8_strnlen(lo.label, label_len16);
-	label = malloc(label_len + 1);
-	if (!label)
-		return;
-	p = label;
-	utf16_utf8_strncpy(&p, lo.label, label_len16);
-
 	printf("%ls:\nattributes: %c%c%c (0x%08x)\n",
 	       varname16,
 	       /* ACTIVE */
@@ -1177,7 +1163,7 @@
 	       /* HIDDEN */
 	       lo.attributes & LOAD_OPTION_HIDDEN ? 'H' : '-',
 	       lo.attributes);
-	printf("  label: %s\n", label);
+	printf("  label: %ls\n", lo.label);
 
 	dp_str = efi_dp_str(lo.file_path);
 	printf("  file_path: %ls\n", dp_str);
@@ -1194,7 +1180,6 @@
 	printf("  data:\n");
 	print_hex_dump("    ", DUMP_PREFIX_OFFSET, 16, 1,
 		       lo.optional_data, *size, true);
-	free(label);
 }
 
 /**
@@ -1324,12 +1309,9 @@
 	u16 *bootorder;
 	efi_uintn_t size;
 	int num, i;
-	char var_name[9];
-	u16 var_name16[9], *p16;
+	u16 var_name16[9];
 	void *data;
 	struct efi_load_option lo;
-	char *label, *p;
-	size_t label_len16, label_len;
 	efi_status_t ret;
 
 	size = 0;
@@ -1357,16 +1339,15 @@
 
 	num = size / sizeof(u16);
 	for (i = 0; i < num; i++) {
-		sprintf(var_name, "Boot%04X", bootorder[i]);
-		p16 = var_name16;
-		utf8_utf16_strncpy(&p16, var_name, 9);
+		efi_create_indexed_name(var_name16, sizeof(var_name16),
+					"Boot", i);
 
 		size = 0;
 		ret = EFI_CALL(efi_get_variable(var_name16,
 						&efi_global_variable_guid, NULL,
 						&size, NULL));
 		if (ret != EFI_BUFFER_TOO_SMALL) {
-			printf("%2d: %s: (not defined)\n", i + 1, var_name);
+			printf("%2d: %ls: (not defined)\n", i + 1, var_name16);
 			continue;
 		}
 
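Review bot: The new call builds the variable name from the loop counter, `efi_create_indexed_name(var_name16, sizeof(var_name16), "Boot", i);`, whereas the removed `sprintf` used `bootorder[i]`. The listing would therefore show `Boot0000`, `Boot0001`, … instead of the entries actually named in `BootOrder`. The index should stay `bootorder[i]`: `efi_create_indexed_name(var_name16, sizeof(var_name16), "Boot", bootorder[i]);`. The following `efi_get_variable` lookup and the `(not defined)` message both use `var_name16`, so they inherit the wrong name. The loop body continues outside the hunk.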
@@ -1391,18 +1372,7 @@
 			goto out;
 		}
 
-		label_len16 = u16_strlen(lo.label);
-		label_len = utf16_utf8_strnlen(lo.label, label_len16);
-		label = malloc(label_len + 1);
-		if (!label) {
-			free(data);
-			ret = CMD_RET_FAILURE;
-			goto out;
-		}
-		p = label;
-		utf16_utf8_strncpy(&p, lo.label, label_len16);
-		printf("%2d: %s: %s\n", i + 1, var_name, label);
-		free(label);
+		printf("%2d: %ls: %ls\n", i + 1, var_name16, lo.label);
 
 		free(data);
 	}
@@ -1449,11 +1419,11 @@
 
 	guid = efi_global_variable_guid;
 	size = sizeof(u16);
-	ret = EFI_CALL(efi_set_variable(L"BootNext", &guid,
+	ret = efi_set_variable_int(L"BootNext", &guid,
 					EFI_VARIABLE_NON_VOLATILE |
 					EFI_VARIABLE_BOOTSERVICE_ACCESS |
 					EFI_VARIABLE_RUNTIME_ACCESS,
-					size, &bootnext));
+					size, &bootnext, false);
 	if (ret != EFI_SUCCESS) {
 		printf("Cannot set BootNext\n");
 		r = CMD_RET_FAILURE;
@@ -1510,11 +1480,11 @@
 	}
 
 	guid = efi_global_variable_guid;
-	ret = EFI_CALL(efi_set_variable(L"BootOrder", &guid,
+	ret = efi_set_variable_int(L"BootOrder", &guid,
 					EFI_VARIABLE_NON_VOLATILE |
 					EFI_VARIABLE_BOOTSERVICE_ACCESS |
 					EFI_VARIABLE_RUNTIME_ACCESS,
-					size, bootorder));
+					size, bootorder, true);
 	if (ret != EFI_SUCCESS) {
 		printf("Cannot set BootOrder\n");
 		r = CMD_RET_FAILURE;
diff --git a/doc/usage/mmc.rst b/doc/usage/mmc.rst
index 57284ed..458c764 100644
--- a/doc/usage/mmc.rst
+++ b/doc/usage/mmc.rst
@@ -40,7 +40,7 @@
     cnt
         block count
 
-The 'mmc erase' command erases MMC device from block offset until count.
+The 'mmc erase' command erases *cnt* blocks on the MMC device starting at block *blk#*.
 
     blk#
         start block offset
@@ -110,6 +110,7 @@
         partitions to access
 
 The 'mmc bootpart-resize' command changes sizes of boot and RPMB partitions.
+
     dev
         device number
     boot part size MB
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index eb5c4d6..98845b8 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -175,6 +175,7 @@
 	select PKCS7_VERIFY
 	select IMAGE_SIGN_INFO
 	select HASH_CALCULATE
+	select EFI_SIGNATURE_SUPPORT
 	default n
 	help
 	  Select this option if you want to enable capsule
@@ -344,6 +345,7 @@
 	select PKCS7_MESSAGE_PARSER
 	select PKCS7_VERIFY
 	select HASH_CALCULATE
+	select EFI_SIGNATURE_SUPPORT
 	default n
 	help
 	  Select this option to enable EFI secure boot support.
@@ -351,6 +353,9 @@
 	  it is signed with a trusted key. To do that, you need to install,
 	  at least, PK, KEK and db.
 
+config EFI_SIGNATURE_SUPPORT
+	bool
+
 config EFI_ESRT
 	bool "Enable the UEFI ESRT generation"
 	depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 8bd343e..fd344ce 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -63,7 +63,7 @@
 obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o
 obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o
 obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o
-obj-y += efi_signature.o
+obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o
 
 EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
 $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 6ee883d..9ead0d2 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -208,16 +208,6 @@
 const efi_guid_t efi_guid_capsule_root_cert_guid =
 	EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;
 
-__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
-{
-	/* The platform is supposed to provide
-	 * a method for getting the public key
-	 * stored in the form of efi signature
-	 * list
-	 */
-	return 0;
-}
-
 efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
 				      void **image, efi_uintn_t *image_size)
 {
diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c
index 4b20859..76c2f82 100644
--- a/lib/efi_loader/efi_device_path.c
+++ b/lib/efi_loader/efi_device_path.c
@@ -1171,7 +1171,7 @@
 	struct blk_desc *desc = NULL;
 	struct disk_partition fs_partition;
 	int part = 0;
-	char filename[32] = { 0 }; /* dp->str is u16[32] long */
+	char *filename;
 	char *s;
 
 	if (path && !file)
@@ -1198,12 +1198,17 @@
 	if (!path)
 		return EFI_SUCCESS;
 
-	snprintf(filename, sizeof(filename), "%s", path);
+	filename = calloc(1, strlen(path) + 1);
+	if (!filename)
+		return EFI_OUT_OF_RESOURCES;
+
+	sprintf(filename, "%s", path);
 	/* DOS style file path: */
 	s = filename;
 	while ((s = strchr(s, '/')))
 		*s++ = '\\';
 	*file = efi_dp_from_file(desc, part, filename);
+	free(filename);
 
 	if (!*file)
 		return EFI_INVALID_PARAMETER;
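Review bot: With the fixed 32-byte buffer gone, the length of `path` is bounded only by the caller, and no upper limit is checked before `efi_dp_from_file()` is called. The allocation matches `strlen(path) + 1`, so the `sprintf` cannot overrun it. A UEFI device path node carries a 16-bit length field, however, so it is worth confirming that `efi_dp_from_file()` rejects names that do not fit; its body is not visible here. As a simplification, `filename = strdup(path);` would replace the `calloc` plus `sprintf` pair. The enclosing function starts outside the hunk.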
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index f53ef36..fe1ee19 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -213,7 +213,68 @@
 	}
 }
 
-#ifdef CONFIG_EFI_SECURE_BOOT
+/**
+ * efi_image_region_add() - add an entry of region
+ * @regs:	Pointer to array of regions
+ * @start:	Start address of region (included)
+ * @end:	End address of region (excluded)
+ * @nocheck:	flag against overlapped regions
+ *
+ * Take one entry of region [@start, @end[ and insert it into the list.
+ *
+ * * If @nocheck is false, the list will be sorted ascending by address.
+ *   Overlapping entries will not be allowed.
+ *
+ * * If @nocheck is true, the list will be sorted ascending by sequence
+ *   of adding the entries. Overlapping is allowed.
+ *
+ * Return:	status code
+ */
+efi_status_t efi_image_region_add(struct efi_image_regions *regs,
+				  const void *start, const void *end,
+				  int nocheck)
+{
+	struct image_region *reg;
+	int i, j;
+
+	if (regs->num >= regs->max) {
+		EFI_PRINT("%s: no more room for regions\n", __func__);
+		return EFI_OUT_OF_RESOURCES;
+	}
+
+	if (end < start)
+		return EFI_INVALID_PARAMETER;
+
+	for (i = 0; i < regs->num; i++) {
+		reg = &regs->reg[i];
+		if (nocheck)
+			continue;
+
+		/* new data after registered region */
+		if (start >= reg->data + reg->size)
+			continue;
+
+		/* new data preceding registered region */
+		if (end <= reg->data) {
+			for (j = regs->num - 1; j >= i; j--)
+				memcpy(&regs->reg[j + 1], &regs->reg[j],
+				       sizeof(*reg));
+			break;
+		}
+
+		/* new data overlapping registered region */
+		EFI_PRINT("%s: new region already part of another\n", __func__);
+		return EFI_INVALID_PARAMETER;
+	}
+
+	reg = &regs->reg[i];
+	reg->data = start;
+	reg->size = end - start;
+	regs->num++;
+
+	return EFI_SUCCESS;
+}
+
 /**
  * cmp_pe_section() - compare virtual addresses of two PE image sections
  * @arg1:	pointer to pointer to first section header
@@ -422,6 +483,7 @@
 	return false;
 }
 
+#ifdef CONFIG_EFI_SECURE_BOOT
 /**
  * efi_image_unsigned_authenticate() - authenticate unsigned image with
  * SHA256 hash
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index c7ec275..bdd0988 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -15,18 +15,16 @@
 #include <crypto/public_key.h>
 #include <linux/compat.h>
 #include <linux/oid_registry.h>
+#include <u-boot/hash-checksum.h>
 #include <u-boot/rsa.h>
 #include <u-boot/sha256.h>
 
-const efi_guid_t efi_guid_image_security_database =
-		EFI_IMAGE_SECURITY_DATABASE_GUID;
 const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
 const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
 const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
 const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
 const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
 
-#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
 static u8 pkcs7_hdr[] = {
 	/* SEQUENCE */
 	0x30, 0x82, 0x05, 0xc7,
@@ -540,68 +538,6 @@
 }
 
 /**
- * efi_image_region_add() - add an entry of region
- * @regs:	Pointer to array of regions
- * @start:	Start address of region (included)
- * @end:	End address of region (excluded)
- * @nocheck:	flag against overlapped regions
- *
- * Take one entry of region [@start, @end[ and insert it into the list.
- *
- * * If @nocheck is false, the list will be sorted ascending by address.
- *   Overlapping entries will not be allowed.
- *
- * * If @nocheck is true, the list will be sorted ascending by sequence
- *   of adding the entries. Overlapping is allowed.
- *
- * Return:	status code
- */
-efi_status_t efi_image_region_add(struct efi_image_regions *regs,
-				  const void *start, const void *end,
-				  int nocheck)
-{
-	struct image_region *reg;
-	int i, j;
-
-	if (regs->num >= regs->max) {
-		EFI_PRINT("%s: no more room for regions\n", __func__);
-		return EFI_OUT_OF_RESOURCES;
-	}
-
-	if (end < start)
-		return EFI_INVALID_PARAMETER;
-
-	for (i = 0; i < regs->num; i++) {
-		reg = &regs->reg[i];
-		if (nocheck)
-			continue;
-
-		/* new data after registered region */
-		if (start >= reg->data + reg->size)
-			continue;
-
-		/* new data preceding registered region */
-		if (end <= reg->data) {
-			for (j = regs->num - 1; j >= i; j--)
-				memcpy(&regs->reg[j + 1], &regs->reg[j],
-				       sizeof(*reg));
-			break;
-		}
-
-		/* new data overlapping registered region */
-		EFI_PRINT("%s: new region already part of another\n", __func__);
-		return EFI_INVALID_PARAMETER;
-	}
-
-	reg = &regs->reg[i];
-	reg->data = start;
-	reg->size = end - start;
-	regs->num++;
-
-	return EFI_SUCCESS;
-}
-
-/**
  * efi_sigstore_free - free signature store
  * @sigstore:	Pointer to signature store structure
  *
@@ -846,4 +782,3 @@
 
 	return efi_build_signature_store(db, db_size);
 }
-#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 39ef250..39074f7 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -53,7 +53,7 @@
 	u16 hash_len;
 };
 
-const static struct digest_info hash_algo_list[] = {
+static const struct digest_info hash_algo_list[] = {
 	{
 		TPM2_ALG_SHA1,
 		EFI_TCG2_BOOT_HASH_ALG_SHA1,
@@ -87,7 +87,7 @@
  */
 static u32 alg_to_mask(u16 hash_alg)
 {
-	int i;
+	size_t i;
 
 	for (i = 0; i < MAX_HASH_COUNT; i++) {
 		if (hash_algo_list[i].hash_alg == hash_alg)
@@ -106,7 +106,7 @@
  */
 static u16 alg_to_len(u16 hash_alg)
 {
-	int i;
+	size_t i;
 
 	for (i = 0; i < MAX_HASH_COUNT; i++) {
 		if (hash_algo_list[i].hash_alg == hash_alg)
@@ -119,7 +119,7 @@
 static u32 tcg_event_final_size(struct tpml_digest_values *digest_list)
 {
 	u32 len;
-	int i;
+	size_t i;
 
 	len = offsetof(struct tcg_pcr_event2, digests);
 	len += offsetof(struct tpml_digest_values, digests);
@@ -145,7 +145,7 @@
 				    struct tpml_digest_values *digest_list)
 {
 	u32 rc;
-	int i;
+	size_t i;
 
 	for (i = 0; i < digest_list->count; i++) {
 		u32 alg = digest_list->digests[i].hash_alg;
@@ -178,7 +178,7 @@
 {
 	void *log = (void *)((uintptr_t)event_log.buffer + event_log.pos);
 	size_t pos;
-	int i;
+	size_t i;
 	u32 event_size;
 
 	if (event_log.get_event_called)
@@ -400,7 +400,8 @@
 	u8 response[TPM2_RESPONSE_BUFFER_SIZE];
 	struct tpml_pcr_selection pcrs;
 	u32 ret, num_pcr;
-	int i, tpm_ret;
+	size_t i;
+	int tpm_ret;
 
 	memset(response, 0, sizeof(response));
 	ret = tpm2_get_capability(dev, TPM2_CAP_PCRS, 0, response, 1);
@@ -518,7 +519,7 @@
 	u8 final[TPM2_SHA512_DIGEST_SIZE];
 	efi_status_t ret;
 	u32 active;
-	int i;
+	size_t i;
 
 	ret = __get_active_pcr_banks(&active);
 	if (ret != EFI_SUCCESS)
@@ -749,8 +750,7 @@
 		goto out;
 	}
 
-	if (efi_tcg_event->header.pcr_index < 0 ||
-	    efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) {
+	if (efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) {
 		ret = EFI_INVALID_PARAMETER;
 		goto out;
 	}
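Review bot: The remaining bound `efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS` still accepts an index equal to `TPM2_MAX_PCRS`. If that constant is a count of PCRs rather than the highest valid index (its definition is not visible in this diff), a caller-supplied value one past the end passes validation. In that case the check should read `if (efi_tcg_event->header.pcr_index >= TPM2_MAX_PCRS) {`. Dropping the `< 0` test is fine, assuming the field is unsigned as the build-warning fix implies. The enclosing function starts and ends outside the hunk.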
@@ -810,9 +810,11 @@
  * Return:	status code
  */
 static efi_status_t EFIAPI
-efi_tcg2_submit_command(struct efi_tcg2_protocol *this,
-			u32 input_param_block_size, u8 *input_param_block,
-			u32 output_param_block_size, u8 *output_param_block)
+efi_tcg2_submit_command(__maybe_unused struct efi_tcg2_protocol *this,
+			u32 __maybe_unused input_param_block_size,
+			u8 __maybe_unused *input_param_block,
+			u32 __maybe_unused output_param_block_size,
+			u8 __maybe_unused *output_param_block)
 {
 	return EFI_UNSUPPORTED;
 }
@@ -847,8 +849,8 @@
  * Return:	status code
  */
 static efi_status_t EFIAPI
-efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this,
-			      u32 active_pcr_banks)
+efi_tcg2_set_active_pcr_banks(__maybe_unused struct efi_tcg2_protocol *this,
+			      u32 __maybe_unused active_pcr_banks)
 {
 	return EFI_UNSUPPORTED;
 }
@@ -866,8 +868,9 @@
  * Return:	status code
  */
 static efi_status_t EFIAPI
-efi_tcg2_get_result_of_set_active_pcr_banks(struct efi_tcg2_protocol *this,
-					    u32 *operation_present, u32 *response)
+efi_tcg2_get_result_of_set_active_pcr_banks(__maybe_unused struct efi_tcg2_protocol *this,
+					    u32 __maybe_unused *operation_present,
+					    u32 __maybe_unused *response)
 {
 	return EFI_UNSUPPORTED;
 }
@@ -898,7 +901,8 @@
 	size_t spec_event_size;
 	efi_status_t ret = EFI_DEVICE_ERROR;
 	u32 active, supported;
-	int err, i;
+	int err;
+	size_t i;
 
 	/*
 	 * Create Spec event. This needs to be the first event in the log
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index b11ed91..83479dd 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -24,6 +24,9 @@
 	const enum efi_auth_var_type type;
 };
 
+const efi_guid_t efi_guid_image_security_database =
+		EFI_IMAGE_SECURITY_DATABASE_GUID;
+
 static const struct efi_auth_var_name_type name_type[] = {
 	{u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
 	{u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},