Merge tag 'v2021.10-rc5' into next

Prepare v2021.10-rc5

5 files changed, 26 insertions, 64 deletions

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 14bf5f7e92e..3d5a5cd189e 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -207,13 +207,6 @@ config EFI_CAPSULE_AUTHENTICATE
 	  Select this option if you want to enable capsule
 	  authentication
 
-config EFI_CAPSULE_KEY_PATH
-	string "Path to .esl cert for capsule authentication"
-	depends on EFI_CAPSULE_AUTHENTICATE
-	help
-	  Provide the EFI signature list (esl) certificate used for capsule
-	  authentication
-
 config EFI_DEVICE_PATH_TO_TEXT
 	bool "Device path to text protocol"
 	default y
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 08469d9cd95..fd344cea29b 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -20,19 +20,11 @@ always += helloworld.efi
 targets += helloworld.o
 endif
 
-ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
-EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_KEY_PATH))
-ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
-$(error .esl certificate not found. Configure your CONFIG_EFI_CAPSULE_KEY_PATH)
-endif
-endif
-
 obj-$(CONFIG_CMD_BOOTEFI_HELLO) += helloworld_efi.o
 obj-$(CONFIG_CMD_BOOTEFI_BOOTMGR) += efi_bootmgr.o
 obj-y += efi_boottime.o
 obj-y += efi_helper.o
 obj-$(CONFIG_EFI_HAVE_CAPSULE_SUPPORT) += efi_capsule.o
-obj-$(CONFIG_EFI_CAPSULE_AUTHENTICATE) += efi_capsule_key.o
 obj-$(CONFIG_EFI_CAPSULE_FIRMWARE) += efi_firmware.o
 obj-y += efi_console.o
 obj-y += efi_device_path.o
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 26990bc2df4..b75e4bcba1a 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -16,7 +16,6 @@
 #include <mapmem.h>
 #include <sort.h>
 
-#include <asm/sections.h>
 #include <crypto/pkcs7.h>
 #include <crypto/pkcs7_parser.h>
 #include <linux/err.h>
@@ -253,23 +252,12 @@ out:
 
 #if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
 
-static int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
-{
-	const void *blob = __efi_capsule_sig_begin;
-	const int len = __efi_capsule_sig_end - __efi_capsule_sig_begin;
-
-	*pkey = (void *)blob;
-	*pkey_len = len;
-
-	return 0;
-}
-
 efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
 				      void **image, efi_uintn_t *image_size)
 {
 	u8 *buf;
 	int ret;
-	void *stored_pkey, *pkey;
+	void *fdt_pkey, *pkey;
 	efi_uintn_t pkey_len;
 	uint64_t monotonic_count;
 	struct efi_signature_store *truststore;
@@ -322,7 +310,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
 		goto out;
 	}
 
-	ret = efi_get_public_key_data(&stored_pkey, &pkey_len);
+	ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
 	if (ret < 0)
 		goto out;
 
@@ -330,7 +318,7 @@ efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_s
 	if (!pkey)
 		goto out;
 
-	memcpy(pkey, stored_pkey, pkey_len);
+	memcpy(pkey, fdt_pkey, pkey_len);
 	truststore = efi_build_signature_store(pkey, pkey_len);
 	if (!truststore)
 		goto out;
diff --git a/lib/efi_loader/efi_capsule_key.S b/lib/efi_loader/efi_capsule_key.S
deleted file mode 100644
index 58f00b8e4bc..00000000000
--- a/lib/efi_loader/efi_capsule_key.S
+++ /dev/null
@@ -1,17 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0+ */
-/*
- * .esl cert for capsule authentication
- *
- * Copyright (c) 2021, Ilias Apalodimas <ilias.apalodimas@linaro.org>
- */
-
-#include <config.h>
-
-.section .rodata.capsule_key.init,"a"
-.balign 16
-.global __efi_capsule_sig_begin
-__efi_capsule_sig_begin:
-.incbin CONFIG_EFI_CAPSULE_KEY_PATH
-__efi_capsule_sig_end:
-.global __efi_capsule_sig_end
-.balign 16
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 7bacf9ce29b..74f0bef2396 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -575,9 +575,10 @@ static efi_status_t tcg2_create_digest(const u8 *input, u32 length,
 			EFI_PRINT("Unsupported algorithm %x\n", hash_alg);
 			return EFI_INVALID_PARAMETER;
 		}
+		digest_list->digests[digest_list->count].hash_alg = hash_alg;
+		memcpy(&digest_list->digests[digest_list->count].digest, final,
+		       (u32)alg_to_len(hash_alg));
 		digest_list->count++;
-		digest_list->digests[i].hash_alg = hash_alg;
-		memcpy(&digest_list->digests[i].digest, final, (u32)alg_to_len(hash_alg));
 	}
 
 	return EFI_SUCCESS;
@@ -798,8 +799,9 @@ static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
 			EFI_PRINT("Unsupported algorithm %x\n", hash_alg);
 			return EFI_INVALID_PARAMETER;
 		}
-		digest_list->digests[i].hash_alg = hash_alg;
-		memcpy(&digest_list->digests[i].digest, hash, (u32)alg_to_len(hash_alg));
+		digest_list->digests[digest_list->count].hash_alg = hash_alg;
+		memcpy(&digest_list->digests[digest_list->count].digest, hash,
+		       (u32)alg_to_len(hash_alg));
 		digest_list->count++;
 	}
 
@@ -1120,7 +1122,7 @@ static efi_status_t create_specid_event(struct udevice *dev, void *buffer,
 	struct tcg_efi_spec_id_event *spec_event;
 	size_t spec_event_size;
 	efi_status_t ret = EFI_DEVICE_ERROR;
-	u32 active = 0, supported = 0;
+	u32 active = 0, supported = 0, pcr_count = 0, alg_count = 0;
 	int err;
 	size_t i;
 
@@ -1142,25 +1144,29 @@ static efi_status_t create_specid_event(struct udevice *dev, void *buffer,
 		TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_ERRATA_TPM2;
 	spec_event->uintn_size = sizeof(efi_uintn_t) / sizeof(u32);
 
-	err = tpm2_get_pcr_info(dev, &supported, &active,
-				&spec_event->number_of_algorithms);
+	err = tpm2_get_pcr_info(dev, &supported, &active, &pcr_count);
+
 	if (err)
 		goto out;
-	if (spec_event->number_of_algorithms > MAX_HASH_COUNT ||
-	    spec_event->number_of_algorithms < 1)
-		goto out;
 
-	for (i = 0; i < spec_event->number_of_algorithms; i++) {
+	for (i = 0; i < pcr_count; i++) {
 		u16 hash_alg = hash_algo_list[i].hash_alg;
 		u16 hash_len = hash_algo_list[i].hash_len;
 
-		if (active && alg_to_mask(hash_alg)) {
+		if (active & alg_to_mask(hash_alg)) {
 			put_unaligned_le16(hash_alg,
-					   &spec_event->digest_sizes[i].algorithm_id);
+					   &spec_event->digest_sizes[alg_count].algorithm_id);
 			put_unaligned_le16(hash_len,
-					   &spec_event->digest_sizes[i].digest_size);
+					   &spec_event->digest_sizes[alg_count].digest_size);
+			alg_count++;
 		}
 	}
+
+	spec_event->number_of_algorithms = alg_count;
+	if (spec_event->number_of_algorithms > MAX_HASH_COUNT ||
+	    spec_event->number_of_algorithms < 1)
+		goto out;
+
 	/*
 	 * the size of the spec event and placement of vendor_info_size
 	 * depends on supported algoriths
@@ -1169,9 +1175,9 @@ static efi_status_t create_specid_event(struct udevice *dev, void *buffer,
 		offsetof(struct tcg_efi_spec_id_event, digest_sizes) +
 		spec_event->number_of_algorithms * sizeof(spec_event->digest_sizes[0]);
 	/* no vendor info for us */
-	memset(buffer + spec_event_size, 0,
-	       sizeof(spec_event->vendor_info_size));
-	spec_event_size += sizeof(spec_event->vendor_info_size);
+	memset(buffer + spec_event_size, 0, 1);
+	/* add a byte for vendor_info_size in the spec event */
+	spec_event_size += 1;
 	*event_size = spec_event_size;
 
 	return EFI_SUCCESS;