author | Tom Rini | 2021-05-18 11:10:00 -0400 |
---|---|---|
committer | Tom Rini | 2021-05-18 11:10:00 -0400 |
commit | 7a1638c263508f7ff67fc82af5ea8072dcb783e2 (patch) | |
tree | ac020306e87c134b562ab5314fee7d6f2768e670 | |
parent | 52993fcb7672885ea827ef3f24927d650bca2e4e (diff) | |
parent | 87316da05f2fd49d3709275e64ef0c5980366ade (diff) |
Merge tag 'efi-2021-07-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2021-07-rc3
Documentation:
* add a man-page for the size command
* add man-page for extension command to index
Bug fixes:
* avoid build failure due to missing SHA512 hardware acceleration
* correct error handling in TCG2 protocol
* don't let user disable capsule authentication
* correct reading directories via UEFI API
-rw-r--r-- | board/emulation/common/qemu_capsule.c | 6 | ||||
-rw-r--r-- | common/Kconfig.boot | 1 | ||||
-rw-r--r-- | common/hash.c | 8 | ||||
-rw-r--r-- | doc/usage/index.rst | 2 | ||||
-rw-r--r-- | doc/usage/size.rst | 40 | ||||
-rw-r--r-- | lib/Kconfig | 24 | ||||
-rw-r--r-- | lib/Makefile | 2 | ||||
-rw-r--r-- | lib/efi_loader/Kconfig | 8 | ||||
-rw-r--r-- | lib/efi_loader/efi_file.c | 2 | ||||
-rw-r--r-- | lib/efi_loader/efi_firmware.c | 5 | ||||
-rw-r--r-- | lib/efi_loader/efi_tcg2.c | 47 |
11 files changed, 110 insertions, 35 deletions
diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c index 5cb461d52bc..6b8a87022a4 100644 --- a/board/emulation/common/qemu_capsule.c +++ b/board/emulation/common/qemu_capsule.c @@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len) return 0; } - -bool efi_capsule_auth_enabled(void) -{ - return env_get("capsule_authentication_enabled") != NULL ? - true : false; -} diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 5a18d62d780..56608226cc6 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -80,6 +80,7 @@ config FIT_SIGNATURE select RSA_VERIFY select IMAGE_SIGN_INFO select FIT_FULL_CHECK + select HASH_CALCULATE help This option enables signature verification of FIT uImages, using a hash signed and verified using RSA. If diff --git a/common/hash.c b/common/hash.c index 10dff7ddb0e..90cf46bcba5 100644 --- a/common/hash.c +++ b/common/hash.c @@ -260,12 +260,12 @@ static struct hash_algo hash_algo[] = { .name = "sha384", .digest_size = SHA384_SUM_LEN, .chunk_size = CHUNKSZ_SHA384, -#ifdef CONFIG_SHA_HW_ACCEL +#ifdef CONFIG_SHA512_HW_ACCEL .hash_func_ws = hw_sha384, #else .hash_func_ws = sha384_csum_wd, #endif -#ifdef CONFIG_SHA_PROG_HW_ACCEL +#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL) .hash_init = hw_sha_init, .hash_update = hw_sha_update, .hash_finish = hw_sha_finish, @@ -281,12 +281,12 @@ static struct hash_algo hash_algo[] = { .name = "sha512", .digest_size = SHA512_SUM_LEN, .chunk_size = CHUNKSZ_SHA512, -#ifdef CONFIG_SHA_HW_ACCEL +#ifdef CONFIG_SHA512_HW_ACCEL .hash_func_ws = hw_sha512, #else .hash_func_ws = sha512_csum_wd, #endif -#ifdef CONFIG_SHA_PROG_HW_ACCEL +#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL) .hash_init = hw_sha_init, .hash_update = hw_sha_update, .hash_finish = hw_sha_finish, diff --git a/doc/usage/index.rst b/doc/usage/index.rst index 528b3c745e7..c1f9b6a53b3 100644 --- a/doc/usage/index.rst 
+++ b/doc/usage/index.rst @@ -26,6 +26,7 @@ Shell commands conitrace echo exception + extension exit false fatinfo @@ -38,6 +39,7 @@ Shell commands pstore qfw sbi + size true scp03 reset diff --git a/doc/usage/size.rst b/doc/usage/size.rst new file mode 100644 index 00000000000..f0c35e48265 --- /dev/null +++ b/doc/usage/size.rst @@ -0,0 +1,40 @@ +.. SPDX-License-Identifier: GPL-2.0+ + +size command +============ + +Synopsis +-------- + +:: + + size <interface> <dev[:part]> <filename> + +Description +----------- + +The size command determines the size of a file and sets the environment variable +filesize to this value. If filename points to a directory, the value is set to +zero. + +If the command fails, the filesize environment variable is not changed. + +dev + device number + +part + partition number, defaults to 1 + +filename + path to file + +Configuration +------------- + +The size command is only available if CONFIG_CMD_FS_GENERIC=y. + +Return value +------------ + +The return value $? is set to 0 (true) if the command succeded and to 1 (false) +otherwise. diff --git a/lib/Kconfig b/lib/Kconfig index 6d2d41de301..b057b9d73bc 100644 --- a/lib/Kconfig +++ b/lib/Kconfig 
@@ -389,21 +389,32 @@ config SHA384 (digest). config SHA_HW_ACCEL - bool "Enable hashing using hardware" + bool "Enable hardware acceleration for SHA hash functions" help - This option enables hardware acceleration for SHA hashing. - This affects the 'hash' command and also the hash_lookup_algo() - function. + This option enables hardware acceleration for the SHA1 and SHA256 + hashing algorithms. This affects the 'hash' command and also the + hash_lookup_algo() function. + +if SHA_HW_ACCEL + +config SHA512_HW_ACCEL + bool "Enable hardware acceleration for SHA512" + depends on SHA512_ALGO + help + This option enables hardware acceleration for the SHA384 and SHA512 + hashing algorithms. This affects the 'hash' command and also the + hash_lookup_algo() function. config SHA_PROG_HW_ACCEL bool "Enable Progressive hashing support using hardware" - depends on SHA_HW_ACCEL help This option enables hardware-acceleration for SHA progressive hashing. Data can be streamed in a block at a time and the hashing is performed in hardware. +endif + config MD5 bool "Support MD5 algorithm" help @@ -428,6 +439,9 @@ config CRC32C config XXHASH bool +config HASH_CALCULATE + bool + endmenu menu "Compression Support" diff --git a/lib/Makefile b/lib/Makefile index 68256719555..0835ea292cd 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -61,7 +61,7 @@ endif obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/ obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_$(SPL_)RSA) += rsa/ -obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o +obj-$(CONFIG_HASH_CALCULATE) += hash-checksum.o obj-$(CONFIG_SHA1) += sha1.o obj-$(CONFIG_SHA256) += sha256.o obj-$(CONFIG_SHA512_ALGO) += sha512.o diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 0b99d7c7749..eb5c4d6f294 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig 
@@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY select IMAGE_SIGN_INFO + select HASH_CALCULATE default n help Select this option if you want to enable capsule @@ -300,7 +301,13 @@ config EFI_RNG_PROTOCOL config EFI_TCG2_PROTOCOL bool "EFI_TCG2_PROTOCOL support" + default y depends on TPM_V2 + select SHA1 + select SHA256 + select SHA512_ALGO + select SHA384 + select SHA512 help Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware of the platform. @@ -336,6 +343,7 @@ config EFI_SECURE_BOOT select X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY + select HASH_CALCULATE default n help Select this option to enable EFI secure boot support. diff --git a/lib/efi_loader/efi_file.c b/lib/efi_loader/efi_file.c index 204105e25af..6b3f5962be2 100644 --- a/lib/efi_loader/efi_file.c +++ b/lib/efi_loader/efi_file.c @@ -554,7 +554,7 @@ static efi_status_t efi_file_read_int(struct efi_file_handle *this, efi_status_t ret = EFI_SUCCESS; u64 bs; - if (!this || !buffer_size || !buffer) + if (!this || !buffer_size) return EFI_INVALID_PARAMETER; bs = *buffer_size; diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c index 7a3cca27936..a1b88dbfc28 100644 --- a/lib/efi_loader/efi_firmware.c +++ b/lib/efi_loader/efi_firmware.c @@ -190,7 +190,7 @@ static efi_status_t efi_get_dfu_info( IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; /* Check if the capsule authentication is enabled */ - if (env_get("capsule_authentication_enabled")) + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) image_info[0].attributes_setting |= IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; 
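Review bot: Dropping `!buffer` from the guard in efi_file_read_int() means a NULL `buffer` paired with a non-zero `*buffer_size` is no longer rejected here, and the hunk does not show whether the file and directory read paths further down check for it. The relaxation lets a caller pass a NULL buffer to query the required size when reading a directory, so the NULL case has to be handled where the buffer is actually written. The regular-file path should still return EFI_INVALID_PARAMETER, and the directory path should accept NULL only when it is going to answer EFI_BUFFER_TOO_SMALL. A comment at the guard such as `/* buffer may be NULL when the caller only queries the required size */` would record why the check was loosened; the function body continues outside the hunk, so this needs confirming against the callees.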
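Review bot: The comment kept above the new condition in efi_get_dfu_info(), `/* Check if the capsule authentication is enabled */`, still reads like a runtime check, while the condition is now decided entirely at build time by CONFIG_EFI_CAPSULE_AUTHENTICATE. The same applies to the comment in the efi_firmware_raw_set_image() hunk that follows. I would reword it to something like `/* Capsule authentication is a build-time setting; the environment cannot switch it off */` so that nobody reintroduces an environment override later. Any board environment or documentation that still sets `capsule_authentication_enabled` becomes dead configuration after this change and is worth cleaning up; none is visible in this diff. Both function bodies continue outside their hunks.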
@@ -421,8 +421,7 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( return EFI_EXIT(EFI_INVALID_PARAMETER); /* Authenticate the capsule if authentication enabled */ - if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && - env_get("capsule_authentication_enabled")) { + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) { capsule_payload = NULL; capsule_payload_size = 0; status = efi_capsule_authenticate(image, image_size, diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 94e8f22bbb6..39ef250bf9c 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -771,8 +771,8 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags, pcr_index = efi_tcg_event->header.pcr_index; event_type = efi_tcg_event->header.event_type; - ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len, - &digest_list); + ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash, + data_to_hash_len, &digest_list); if (ret != EFI_SUCCESS) goto out; @@ -999,6 +999,11 @@ static efi_status_t create_final_event(void) event_log.final_pos = sizeof(*final_event); ret = efi_install_configuration_table(&efi_guid_final_events, final_event); + if (ret != EFI_SUCCESS) { + efi_free_pool(event_log.final_buffer); + event_log.final_buffer = NULL; + } + out: return ret; } @@ -1047,18 +1052,21 @@ static efi_status_t efi_init_event_log(void) ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)), &spec_event_size); if (ret != EFI_SUCCESS) - goto out; + goto free_pool; put_unaligned_le32(spec_event_size, &event_header->event_size); event_log.pos = spec_event_size + sizeof(*event_header); event_log.last_event_size = event_log.pos; ret = create_final_event(); if (ret != EFI_SUCCESS) - goto out; + goto free_pool; - return EFI_SUCCESS; out: - tcg2_uninit(); + return ret; + +free_pool: + efi_free_pool(event_log.buffer); + event_log.buffer = NULL; return ret; } 
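Review bot: On the create_final_event() failure path in efi_init_event_log(), `event_log.pos` and `event_log.last_event_size` have already been assigned, and the new `free_pool:` label only frees and clears `event_log.buffer`. That leaves non-zero offsets next to a NULL buffer. Whether anything reads them afterwards is not visible here, but resetting them at the same label (`event_log.pos = 0;` and `event_log.last_event_size = 0;`) would keep the log state consistent if registration is ever retried. The function starts outside the hunk.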
@@ -1107,8 +1115,7 @@ efi_status_t efi_tcg2_register(void) ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { log_warning("Unable to find TPMv2 device\n"); - ret = EFI_SUCCESS; - goto out; + return EFI_SUCCESS; } ret = efi_init_event_log(); @@ -1116,19 +1123,29 @@ efi_status_t efi_tcg2_register(void) goto fail; ret = efi_append_scrtm_version(dev); - if (ret != EFI_SUCCESS) - goto out; + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol, (void *)&efi_tcg2_protocol); if (ret != EFI_SUCCESS) { - log_err("Cannot install EFI_TCG2_PROTOCOL\n"); + tcg2_uninit(); goto fail; } - -out: return ret; + fail: - tcg2_uninit(); - return ret; + log_err("Cannot install EFI_TCG2_PROTOCOL\n"); + /* + * Return EFI_SUCCESS and don't stop the EFI subsystem. + * That's done for 2 reasons + * - If the protocol is not installed the PCRs won't be extended. So + * someone later in the boot flow will notice that and take the + * necessary actions. + * - The TPM sandbox is limited and we won't be able to run any efi + * related tests with TCG2 enabled + */ + return EFI_SUCCESS; } |
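Review bot: The shared `fail:` label in efi_tcg2_register() now discards `ret` and returns EFI_SUCCESS after logging only `Cannot install EFI_TCG2_PROTOCOL`, even when the failing step was event-log setup or the S-CRTM measurement rather than protocol installation. A board with a working TPM can therefore boot without measurements, and the log says neither which step failed nor with what status. I would put the status in the message, for example `log_err("TCG2 setup failed (r = %lu), PCRs will not be extended\n", ret & ~EFI_ERROR_MASK);`, so the fail-open case is visible in boot logs. The comment's second reason (sandbox test limits) is a test-environment constraint; it would help to state that continuing without TCG2 is deliberate and that detection relies on a later verifier seeing unextended PCRs.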