aboutsummaryrefslogtreecommitdiff
path: root/lib/efi_loader
diff options
context:
space:
mode:
Diffstat (limited to 'lib/efi_loader')
-rw-r--r--lib/efi_loader/capsule_esl.dtsi.in4
-rw-r--r--lib/efi_loader/efi_tcg2.c128
-rw-r--r--lib/efi_loader/efi_variable.c6
3 files changed, 75 insertions, 63 deletions
diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in
index 61a9f2b25e9..bc7db836faa 100644
--- a/lib/efi_loader/capsule_esl.dtsi.in
+++ b/lib/efi_loader/capsule_esl.dtsi.in
@@ -1,9 +1,9 @@
// SPDX-License-Identifier: GPL-2.0+
-/**
+/*
* Devicetree file with the public key EFI Signature List(ESL)
* node. This file is used to generate the dtsi file to be
* included into the DTB.
-*/
+ */
/ {
signature {
capsule-key = /incbin/("ESL_BIN_FILE");
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 51264c1b998..1400e675704 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -254,8 +254,8 @@ efi_tcg2_get_capability(struct efi_tcg2_protocol *this,
capability->protocol_version.major = 1;
capability->protocol_version.minor = 1;
- efi_ret = tcg2_platform_get_tpm2(&dev);
- if (efi_ret != EFI_SUCCESS) {
+ ret = tcg2_platform_get_tpm2(&dev);
+ if (ret) {
capability->supported_event_logs = 0;
capability->hash_algorithm_bitmap = 0;
capability->tpm_present_flag = false;
@@ -350,8 +350,7 @@ efi_tcg2_get_eventlog(struct efi_tcg2_protocol *this,
goto out;
}
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS) {
+ if (tcg2_platform_get_tpm2(&dev)) {
event_log_location = NULL;
event_log_last_entry = NULL;
*event_log_truncated = false;
@@ -386,7 +385,7 @@ static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
void *new_efi = NULL;
u8 hash[TPM2_SHA512_DIGEST_SIZE];
struct udevice *dev;
- efi_status_t ret;
+ efi_status_t ret = EFI_SUCCESS;
u32 active;
int i;
@@ -401,12 +400,13 @@ static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
goto out;
}
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev)) {
+ ret = EFI_DEVICE_ERROR;
goto out;
+ }
- ret = tcg2_get_active_pcr_banks(dev, &active);
- if (ret != EFI_SUCCESS) {
+ if (tcg2_get_active_pcr_banks(dev, &active)) {
+ ret = EFI_DEVICE_ERROR;
goto out;
}
@@ -470,12 +470,12 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
IMAGE_DOS_HEADER *dos;
IMAGE_NT_HEADERS32 *nt;
struct efi_handler *handler;
+ int rc;
if (!is_tcg2_protocol_installed())
return EFI_SUCCESS;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev))
return EFI_SECURITY_VIOLATION;
switch (handle->image_type) {
@@ -499,9 +499,9 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
if (ret != EFI_SUCCESS)
return ret;
- ret = tcg2_pcr_extend(dev, pcr_index, &digest_list);
- if (ret != EFI_SUCCESS)
- return ret;
+ rc = tcg2_pcr_extend(dev, pcr_index, &digest_list);
+ if (rc)
+ return EFI_DEVICE_ERROR;
ret = efi_search_protocol(&handle->header,
&efi_guid_loaded_image_device_path, &handler);
@@ -571,9 +571,10 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
struct efi_tcg2_event *efi_tcg_event)
{
struct udevice *dev;
- efi_status_t ret;
+ efi_status_t ret = EFI_SUCCESS;
u32 event_type, pcr_index, event_size;
struct tpml_digest_values digest_list;
+ int rc = 0;
EFI_ENTRY("%p, %llu, %llu, %llu, %p", this, flags, data_to_hash,
data_to_hash_len, efi_tcg_event);
@@ -583,9 +584,10 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
goto out;
}
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev)) {
+ ret = EFI_DEVICE_ERROR;
goto out;
+ }
if (efi_tcg_event->size < efi_tcg_event->header.header_size +
sizeof(u32)) {
@@ -618,8 +620,10 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
ret = tcg2_hash_pe_image((void *)(uintptr_t)data_to_hash,
data_to_hash_len, &digest_list);
} else {
- ret = tcg2_create_digest(dev, (u8 *)(uintptr_t)data_to_hash,
- data_to_hash_len, &digest_list);
+ rc = tcg2_create_digest(dev, (u8 *)(uintptr_t)data_to_hash,
+ data_to_hash_len, &digest_list);
+ if (rc)
+ ret = EFI_DEVICE_ERROR;
}
if (ret != EFI_SUCCESS)
@@ -628,9 +632,11 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
pcr_index = efi_tcg_event->header.pcr_index;
event_type = efi_tcg_event->header.event_type;
- ret = tcg2_pcr_extend(dev, pcr_index, &digest_list);
- if (ret != EFI_SUCCESS)
+ rc = tcg2_pcr_extend(dev, pcr_index, &digest_list);
+ if (rc) {
+ ret = EFI_DEVICE_ERROR;
goto out;
+ }
if (flags & EFI_TCG2_EXTEND_ONLY) {
if (event_log.truncated)
@@ -669,7 +675,7 @@ efi_tcg2_submit_command(struct efi_tcg2_protocol *this,
u8 *output_param_block)
{
struct udevice *dev;
- efi_status_t ret;
+ efi_status_t ret = EFI_SUCCESS;
u32 rc;
size_t resp_buf_size = output_param_block_size;
@@ -681,9 +687,10 @@ efi_tcg2_submit_command(struct efi_tcg2_protocol *this,
goto out;
}
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev)) {
+ ret = EFI_DEVICE_ERROR;
goto out;
+ }
rc = tpm2_submit_command(dev, input_param_block,
output_param_block, &resp_buf_size);
@@ -711,19 +718,25 @@ efi_tcg2_get_active_pcr_banks(struct efi_tcg2_protocol *this,
u32 *active_pcr_banks)
{
struct udevice *dev;
- efi_status_t ret;
+ efi_status_t ret = EFI_INVALID_PARAMETER;
EFI_ENTRY("%p, %p", this, active_pcr_banks);
- if (!this || !active_pcr_banks) {
- ret = EFI_INVALID_PARAMETER;
+ if (!this || !active_pcr_banks)
goto out;
- }
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+
+ if (tcg2_platform_get_tpm2(&dev))
+ goto out;
+
+ /*
+ * EFI_INVALID_PARAMETER does not convey the problem type.
+ * but that's what currently the spec specifies.
+ * EFI_DEVICE_ERROR would be better
+ */
+ if (tcg2_get_active_pcr_banks(dev, active_pcr_banks))
goto out;
- ret = tcg2_get_active_pcr_banks(dev, active_pcr_banks);
+ ret = EFI_SUCCESS;
out:
return EFI_EXIT(ret);
@@ -849,14 +862,15 @@ static efi_status_t measure_event(struct udevice *dev, u32 pcr_index,
u32 event_type, u32 size, u8 event[])
{
struct tpml_digest_values digest_list;
- efi_status_t ret;
+ efi_status_t ret = EFI_DEVICE_ERROR;
+ int rc;
- ret = tcg2_create_digest(dev, event, size, &digest_list);
- if (ret != EFI_SUCCESS)
+ rc = tcg2_create_digest(dev, event, size, &digest_list);
+ if (rc)
goto out;
- ret = tcg2_pcr_extend(dev, pcr_index, &digest_list);
- if (ret != EFI_SUCCESS)
+ rc = tcg2_pcr_extend(dev, pcr_index, &digest_list);
+ if (rc)
goto out;
ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list,
@@ -898,10 +912,10 @@ static efi_status_t efi_init_event_log(void)
struct tcg2_event_log elog;
struct udevice *dev;
efi_status_t ret;
+ int rc;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
- return ret;
+ if (tcg2_platform_get_tpm2(&dev))
+ return EFI_DEVICE_ERROR;
ret = efi_allocate_pool(EFI_BOOT_SERVICES_DATA, TPM2_EVENT_LOG_SIZE,
(void **)&event_log.buffer);
@@ -930,9 +944,11 @@ static efi_status_t efi_init_event_log(void)
*/
elog.log = event_log.buffer;
elog.log_size = TPM2_EVENT_LOG_SIZE;
- ret = tcg2_log_prepare_buffer(dev, &elog, false);
- if (ret != EFI_SUCCESS)
+ rc = tcg2_log_prepare_buffer(dev, &elog, false);
+ if (rc) {
+ ret = (rc == -ENOBUFS) ? EFI_BUFFER_TOO_SMALL : EFI_DEVICE_ERROR;
goto free_pool;
+ }
event_log.pos = elog.log_position;
@@ -1303,8 +1319,7 @@ efi_status_t efi_tcg2_measure_dtb(void *dtb)
if (!is_tcg2_protocol_installed())
return EFI_SUCCESS;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev))
return EFI_SECURITY_VIOLATION;
rsvmap_size = size_of_rsvmap(dtb);
@@ -1328,7 +1343,7 @@ efi_status_t efi_tcg2_measure_dtb(void *dtb)
sha256_update(&hash_ctx, (u8 *)dtb + fdt_off_mem_rsvmap(dtb), rsvmap_size);
sha256_finish(&hash_ctx, blob->data + blob->blob_description_size);
- ret = measure_event(dev, 0, EV_POST_CODE, event_size, (u8 *)blob);
+ ret = measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob);
free(blob);
return ret;
@@ -1353,8 +1368,7 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *ha
if (tcg2_efi_app_invoked)
return EFI_SUCCESS;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev))
return EFI_SECURITY_VIOLATION;
ret = tcg2_measure_boot_variable(dev);
@@ -1403,9 +1417,8 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void)
if (!is_tcg2_protocol_installed())
return EFI_SUCCESS;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
- return ret;
+ if (tcg2_platform_get_tpm2(&dev))
+ return EFI_SECURITY_VIOLATION;
ret = measure_event(dev, 4, EV_EFI_ACTION,
strlen(EFI_RETURNING_FROM_EFI_APPLICATION),
@@ -1434,9 +1447,10 @@ efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context)
goto out;
}
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev)) {
+ ret = EFI_SECURITY_VIOLATION;
goto out;
+ }
ret = measure_event(dev, 5, EV_EFI_ACTION,
strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
@@ -1466,9 +1480,8 @@ efi_status_t efi_tcg2_notify_exit_boot_services_failed(void)
if (!is_tcg2_protocol_installed())
return EFI_SUCCESS;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
- goto out;
+ if (tcg2_platform_get_tpm2(&dev))
+ return EFI_SECURITY_VIOLATION;
ret = measure_event(dev, 5, EV_EFI_ACTION,
strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
@@ -1548,8 +1561,7 @@ efi_status_t efi_tcg2_do_initial_measurement(void)
if (!is_tcg2_protocol_installed())
return EFI_SUCCESS;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS)
+ if (tcg2_platform_get_tpm2(&dev))
return EFI_SECURITY_VIOLATION;
ret = tcg2_measure_secure_boot_variable(dev);
@@ -1574,8 +1586,7 @@ efi_status_t efi_tcg2_register(void)
struct efi_event *event;
u32 err;
- ret = tcg2_platform_get_tpm2(&dev);
- if (ret != EFI_SUCCESS) {
+ if (tcg2_platform_get_tpm2(&dev)) {
log_warning("Missing TPMv2 device for EFI_TCG_PROTOCOL\n");
return EFI_SUCCESS;
}
@@ -1583,6 +1594,7 @@ efi_status_t efi_tcg2_register(void)
/* initialize the TPM as early as possible. */
err = tpm_auto_start(dev);
if (err) {
+ ret = EFI_DEVICE_ERROR;
log_err("TPM startup failed\n");
goto fail;
}
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index 1cc02acb3b2..09651d4675b 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -288,7 +288,6 @@ efi_status_t efi_set_variable_int(const u16 *variable_name,
/* check if a variable exists */
var = efi_var_mem_find(vendor, variable_name, NULL);
append = !!(attributes & EFI_VARIABLE_APPEND_WRITE);
- attributes &= ~EFI_VARIABLE_APPEND_WRITE;
delete = !append && (!data_size || !attributes);
/* check attributes */
@@ -304,7 +303,7 @@ efi_status_t efi_set_variable_int(const u16 *variable_name,
/* attributes won't be changed */
if (!delete &&
- ((ro_check && var->attr != attributes) ||
+ ((ro_check && var->attr != (attributes & ~EFI_VARIABLE_APPEND_WRITE)) ||
(!ro_check && ((var->attr & ~EFI_VARIABLE_READ_ONLY)
!= (attributes & ~EFI_VARIABLE_READ_ONLY))))) {
return EFI_INVALID_PARAMETER;
@@ -378,7 +377,8 @@ efi_status_t efi_set_variable_int(const u16 *variable_name,
for (; *old_data; ++old_data)
;
++old_data;
- ret = efi_var_mem_ins(variable_name, vendor, attributes,
+ ret = efi_var_mem_ins(variable_name, vendor,
+ attributes & ~EFI_VARIABLE_APPEND_WRITE,
var->length, old_data, data_size, data,
time);
} else {
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-20 10:46:36 +0000