aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Rini2021-05-18 11:10:00 -0400
committerTom Rini2021-05-18 11:10:00 -0400
commit7a1638c263508f7ff67fc82af5ea8072dcb783e2 (patch)
treeac020306e87c134b562ab5314fee7d6f2768e670
parent52993fcb7672885ea827ef3f24927d650bca2e4e (diff)
parent87316da05f2fd49d3709275e64ef0c5980366ade (diff)
Merge tag 'efi-2021-07-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2021-07-rc3 Documentation: * add a man-page for the size command * add man-page for extension command to index Bug fixes: * avoid build failure due to missing SHA512 hardware acceleration * correct error handling in TCG2 protocol * don't let user disable capsule authentication * correct reading directories via UEFI API
-rw-r--r--board/emulation/common/qemu_capsule.c6
-rw-r--r--common/Kconfig.boot1
-rw-r--r--common/hash.c8
-rw-r--r--doc/usage/index.rst2
-rw-r--r--doc/usage/size.rst40
-rw-r--r--lib/Kconfig24
-rw-r--r--lib/Makefile2
-rw-r--r--lib/efi_loader/Kconfig8
-rw-r--r--lib/efi_loader/efi_file.c2
-rw-r--r--lib/efi_loader/efi_firmware.c5
-rw-r--r--lib/efi_loader/efi_tcg2.c47
11 files changed, 110 insertions, 35 deletions
diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c
index 5cb461d52bc..6b8a87022a4 100644
--- a/board/emulation/common/qemu_capsule.c
+++ b/board/emulation/common/qemu_capsule.c
@@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
return 0;
}
-
-bool efi_capsule_auth_enabled(void)
-{
- return env_get("capsule_authentication_enabled") != NULL ?
- true : false;
-}
diff --git a/common/Kconfig.boot b/common/Kconfig.boot
index 5a18d62d780..56608226cc6 100644
--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@@ -80,6 +80,7 @@ config FIT_SIGNATURE
select RSA_VERIFY
select IMAGE_SIGN_INFO
select FIT_FULL_CHECK
+ select HASH_CALCULATE
help
This option enables signature verification of FIT uImages,
using a hash signed and verified using RSA. If
diff --git a/common/hash.c b/common/hash.c
index 10dff7ddb0e..90cf46bcba5 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -260,12 +260,12 @@ static struct hash_algo hash_algo[] = {
.name = "sha384",
.digest_size = SHA384_SUM_LEN,
.chunk_size = CHUNKSZ_SHA384,
-#ifdef CONFIG_SHA_HW_ACCEL
+#ifdef CONFIG_SHA512_HW_ACCEL
.hash_func_ws = hw_sha384,
#else
.hash_func_ws = sha384_csum_wd,
#endif
-#ifdef CONFIG_SHA_PROG_HW_ACCEL
+#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
.hash_init = hw_sha_init,
.hash_update = hw_sha_update,
.hash_finish = hw_sha_finish,
@@ -281,12 +281,12 @@ static struct hash_algo hash_algo[] = {
.name = "sha512",
.digest_size = SHA512_SUM_LEN,
.chunk_size = CHUNKSZ_SHA512,
-#ifdef CONFIG_SHA_HW_ACCEL
+#ifdef CONFIG_SHA512_HW_ACCEL
.hash_func_ws = hw_sha512,
#else
.hash_func_ws = sha512_csum_wd,
#endif
-#ifdef CONFIG_SHA_PROG_HW_ACCEL
+#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
.hash_init = hw_sha_init,
.hash_update = hw_sha_update,
.hash_finish = hw_sha_finish,
diff --git a/doc/usage/index.rst b/doc/usage/index.rst
index 528b3c745e7..c1f9b6a53b3 100644
--- a/doc/usage/index.rst
+++ b/doc/usage/index.rst
@@ -26,6 +26,7 @@ Shell commands
conitrace
echo
exception
+ extension
exit
false
fatinfo
@@ -38,6 +39,7 @@ Shell commands
pstore
qfw
sbi
+ size
true
scp03
reset
diff --git a/doc/usage/size.rst b/doc/usage/size.rst
new file mode 100644
index 00000000000..f0c35e48265
--- /dev/null
+++ b/doc/usage/size.rst
@@ -0,0 +1,40 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+size command
+============
+
+Synopsis
+--------
+
+::
+
+ size <interface> <dev[:part]> <filename>
+
+Description
+-----------
+
+The size command determines the size of a file and sets the environment variable
+filesize to this value. If filename points to a directory, the value is set to
+zero.
+
+If the command fails, the filesize environment variable is not changed.
+
+dev
+ device number
+
+part
+ partition number, defaults to 1
+
+filename
+ path to file
+
+Configuration
+-------------
+
+The size command is only available if CONFIG_CMD_FS_GENERIC=y.
+
+Return value
+------------
+
+The return value $? is set to 0 (true) if the command succeded and to 1 (false)
+otherwise.
diff --git a/lib/Kconfig b/lib/Kconfig
index 6d2d41de301..b057b9d73bc 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -389,21 +389,32 @@ config SHA384
(digest).
config SHA_HW_ACCEL
- bool "Enable hashing using hardware"
+ bool "Enable hardware acceleration for SHA hash functions"
help
- This option enables hardware acceleration for SHA hashing.
- This affects the 'hash' command and also the hash_lookup_algo()
- function.
+ This option enables hardware acceleration for the SHA1 and SHA256
+ hashing algorithms. This affects the 'hash' command and also the
+ hash_lookup_algo() function.
+
+if SHA_HW_ACCEL
+
+config SHA512_HW_ACCEL
+ bool "Enable hardware acceleration for SHA512"
+ depends on SHA512_ALGO
+ help
+ This option enables hardware acceleration for the SHA384 and SHA512
+ hashing algorithms. This affects the 'hash' command and also the
+ hash_lookup_algo() function.
config SHA_PROG_HW_ACCEL
bool "Enable Progressive hashing support using hardware"
- depends on SHA_HW_ACCEL
help
This option enables hardware-acceleration for SHA progressive
hashing.
Data can be streamed in a block at a time and the hashing is
performed in hardware.
+endif
+
config MD5
bool "Support MD5 algorithm"
help
@@ -428,6 +439,9 @@ config CRC32C
config XXHASH
bool
+config HASH_CALCULATE
+ bool
+
endmenu
menu "Compression Support"
diff --git a/lib/Makefile b/lib/Makefile
index 68256719555..0835ea292cd 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -61,7 +61,7 @@ endif
obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
obj-$(CONFIG_$(SPL_)MD5) += md5.o
obj-$(CONFIG_$(SPL_)RSA) += rsa/
-obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
+obj-$(CONFIG_HASH_CALCULATE) += hash-checksum.o
obj-$(CONFIG_SHA1) += sha1.o
obj-$(CONFIG_SHA256) += sha256.o
obj-$(CONFIG_SHA512_ALGO) += sha512.o
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 0b99d7c7749..eb5c4d6f294 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
select IMAGE_SIGN_INFO
+ select HASH_CALCULATE
default n
help
Select this option if you want to enable capsule
@@ -300,7 +301,13 @@ config EFI_RNG_PROTOCOL
config EFI_TCG2_PROTOCOL
bool "EFI_TCG2_PROTOCOL support"
+ default y
depends on TPM_V2
+ select SHA1
+ select SHA256
+ select SHA512_ALGO
+ select SHA384
+ select SHA512
help
Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
of the platform.
@@ -336,6 +343,7 @@ config EFI_SECURE_BOOT
select X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
+ select HASH_CALCULATE
default n
help
Select this option to enable EFI secure boot support.
diff --git a/lib/efi_loader/efi_file.c b/lib/efi_loader/efi_file.c
index 204105e25af..6b3f5962be2 100644
--- a/lib/efi_loader/efi_file.c
+++ b/lib/efi_loader/efi_file.c
@@ -554,7 +554,7 @@ static efi_status_t efi_file_read_int(struct efi_file_handle *this,
efi_status_t ret = EFI_SUCCESS;
u64 bs;
- if (!this || !buffer_size || !buffer)
+ if (!this || !buffer_size)
return EFI_INVALID_PARAMETER;
bs = *buffer_size;
diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c
index 7a3cca27936..a1b88dbfc28 100644
--- a/lib/efi_loader/efi_firmware.c
+++ b/lib/efi_loader/efi_firmware.c
@@ -190,7 +190,7 @@ static efi_status_t efi_get_dfu_info(
IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
/* Check if the capsule authentication is enabled */
- if (env_get("capsule_authentication_enabled"))
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE))
image_info[0].attributes_setting |=
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
@@ -421,8 +421,7 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
return EFI_EXIT(EFI_INVALID_PARAMETER);
/* Authenticate the capsule if authentication enabled */
- if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
- env_get("capsule_authentication_enabled")) {
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) {
capsule_payload = NULL;
capsule_payload_size = 0;
status = efi_capsule_authenticate(image, image_size,
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 94e8f22bbb6..39ef250bf9c 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -771,8 +771,8 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
pcr_index = efi_tcg_event->header.pcr_index;
event_type = efi_tcg_event->header.event_type;
- ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
- &digest_list);
+ ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash,
+ data_to_hash_len, &digest_list);
if (ret != EFI_SUCCESS)
goto out;
@@ -999,6 +999,11 @@ static efi_status_t create_final_event(void)
event_log.final_pos = sizeof(*final_event);
ret = efi_install_configuration_table(&efi_guid_final_events,
final_event);
+ if (ret != EFI_SUCCESS) {
+ efi_free_pool(event_log.final_buffer);
+ event_log.final_buffer = NULL;
+ }
+
out:
return ret;
}
@@ -1047,18 +1052,21 @@ static efi_status_t efi_init_event_log(void)
ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
&spec_event_size);
if (ret != EFI_SUCCESS)
- goto out;
+ goto free_pool;
put_unaligned_le32(spec_event_size, &event_header->event_size);
event_log.pos = spec_event_size + sizeof(*event_header);
event_log.last_event_size = event_log.pos;
ret = create_final_event();
if (ret != EFI_SUCCESS)
- goto out;
+ goto free_pool;
- return EFI_SUCCESS;
out:
- tcg2_uninit();
+ return ret;
+
+free_pool:
+ efi_free_pool(event_log.buffer);
+ event_log.buffer = NULL;
return ret;
}
@@ -1107,8 +1115,7 @@ efi_status_t efi_tcg2_register(void)
ret = platform_get_tpm2_device(&dev);
if (ret != EFI_SUCCESS) {
log_warning("Unable to find TPMv2 device\n");
- ret = EFI_SUCCESS;
- goto out;
+ return EFI_SUCCESS;
}
ret = efi_init_event_log();
@@ -1116,19 +1123,29 @@ efi_status_t efi_tcg2_register(void)
goto fail;
ret = efi_append_scrtm_version(dev);
- if (ret != EFI_SUCCESS)
- goto out;
+ if (ret != EFI_SUCCESS) {
+ tcg2_uninit();
+ goto fail;
+ }
ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
(void *)&efi_tcg2_protocol);
if (ret != EFI_SUCCESS) {
- log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+ tcg2_uninit();
goto fail;
}
-
-out:
return ret;
+
fail:
- tcg2_uninit();
- return ret;
+ log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+ /*
+ * Return EFI_SUCCESS and don't stop the EFI subsystem.
+ * That's done for 2 reasons
+ * - If the protocol is not installed the PCRs won't be extended. So
+ * someone later in the boot flow will notice that and take the
+ * necessary actions.
+ * - The TPM sandbox is limited and we won't be able to run any efi
+ * related tests with TCG2 enabled
+ */
+ return EFI_SUCCESS;
}