All of lore.kernel.org
 help / color / mirror / Atom feed
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v6 08/16] efi_loader: set up secure boot
Date: Wed, 26 Feb 2020 13:54:40 +0900	[thread overview]
Message-ID: <20200226045448.2453-9-takahiro.akashi@linaro.org> (raw)
In-Reply-To: <20200226045448.2453-1-takahiro.akashi@linaro.org>

The following variable is exported as UEFI specification defines:
SignatureSupport: array of GUIDs representing the type of signatures
                      supported by the platform firmware

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 lib/efi_loader/efi_setup.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c
index de7b616c6daa..50cef1b4dfde 100644
--- a/lib/efi_loader/efi_setup.c
+++ b/lib/efi_loader/efi_setup.c
@@ -82,6 +82,39 @@ out:
 	return ret;
 }
 
+#ifdef CONFIG_EFI_SECURE_BOOT
+/**
+ * efi_init_secure_boot - initialize secure boot state
+ *
+ * Return:	EFI_SUCCESS on success, status code (negative) on error
+ */
+static efi_status_t efi_init_secure_boot(void)
+{
+	efi_guid_t signature_types[] = {
+		EFI_CERT_SHA256_GUID,
+		EFI_CERT_X509_GUID,
+	};
+	efi_status_t ret;
+
+	/* TODO: read-only */
+	ret = EFI_CALL(efi_set_variable(L"SignatureSupport",
+					&efi_global_variable_guid,
+					EFI_VARIABLE_BOOTSERVICE_ACCESS
+					 | EFI_VARIABLE_RUNTIME_ACCESS,
+					sizeof(signature_types),
+					&signature_types));
+	if (ret != EFI_SUCCESS)
+		printf("EFI: cannot initialize SignatureSupport variable\n");
+
+	return ret;
+}
+#else
+static efi_status_t efi_init_secure_boot(void)
+{
+	return EFI_SUCCESS;
+}
+#endif /* CONFIG_EFI_SECURE_BOOT */
+
 /**
  * efi_init_obj_list() - Initialize and populate EFI object list
  *
@@ -122,6 +155,11 @@ efi_status_t efi_init_obj_list(void)
 	if (ret != EFI_SUCCESS)
 		goto out;
 
+	/* Secure boot */
+	ret = efi_init_secure_boot();
+	if (ret != EFI_SUCCESS)
+		goto out;
+
 	/* Indicate supported runtime services */
 	ret = efi_init_runtime_supported();
 	if (ret != EFI_SUCCESS)
-- 
2.24.0

  parent reply	other threads:[~2020-02-26  4:54 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-26  4:54 [PATCH v6 00/16] efi_loader: add secure boot support AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 01/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 02/16] efi_loader: add signature verification functions AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 03/16] efi_loader: add signature database parser AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 04/16] efi_loader: variable: support variable authentication AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 05/16] efi_loader: variable: add secure boot state transition AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 06/16] efi_loader: variable: add VendorKeys variable AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 07/16] efi_loader: image_loader: support image authentication AKASHI Takahiro
2020-02-26  4:54 ` AKASHI Takahiro [this message]
2020-02-26  4:54 ` [PATCH v6 09/16] cmd: env: use appropriate guid for authenticated UEFI variable AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 10/16] cmd: env: add "-at" option to "env set -e" command AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 11/16] cmd: efidebug: add "test bootmgr" sub-command AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 12/16] efi_loader, pytest: set up secure boot environment AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 13/16] efi_loader, pytest: add UEFI secure boot tests (authenticated variables) AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 14/16] efi_loader, pytest: add UEFI secure boot tests (image) AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 15/16] sandbox: add extra configurations for UEFI and related tests AKASHI Takahiro
2020-02-26  4:54 ` [PATCH v6 16/16] travis: add packages for UEFI secure boot test AKASHI Takahiro
2020-02-26 14:28   ` Tom Rini
2020-02-27  5:17     ` AKASHI Takahiro

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200226045448.2453-9-takahiro.akashi@linaro.org \
    --to=takahiro.akashi@linaro.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.