From: Masahisa Kojima <masahisa.kojima@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v5 1/3] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled
Date: Wed, 12 May 2021 20:32:26 +0900 [thread overview]
Message-ID: <20210512113228.29354-2-masahisa.kojima@linaro.org> (raw)
In-Reply-To: <20210512113228.29354-1-masahisa.kojima@linaro.org>
This is preparation for PE/COFF measurement support.
PE/COFF image hash calculation is same in both
UEFI Secure Boot image verification and measurement in
measured boot. PE/COFF image parsing functions are
gathered into efi_image_loader.c, and exposed even if
UEFI Secure Boot is not enabled.
This commit also adds the EFI_SIGNATURE_SUPPORT option
to decide if efi_signature.c shall be compiled.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
---
(no changes since v4)
Changes in v4:
- revert #ifdef instead of using "if (!IS_ENABLED())" statement,
not to rely on the compiler optimization.
Changes in v3:
- hide EFI_SIGNATURE_SUPPORT option
Changes in v2:
- Remove all #ifdef from efi_image_loader.c and efi_signature.c
- Add EFI_SIGNATURE_SUPPORT option
- Explicitly include <u-boot/hash-checksum.h>
- Gather PE/COFF parsing functions into efi_image_loader.c
- Move efi_guid_t efi_guid_image_security_database in efi_var_common.c
lib/efi_loader/Kconfig | 6 +++
lib/efi_loader/Makefile | 2 +-
lib/efi_loader/efi_image_loader.c | 64 ++++++++++++++++++++++++++++-
lib/efi_loader/efi_signature.c | 67 +------------------------------
lib/efi_loader/efi_var_common.c | 3 ++
5 files changed, 74 insertions(+), 68 deletions(-)
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c259abe033..385a81d7d9 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
select IMAGE_SIGN_INFO
+ select EFI_SIGNATURE_SUPPORT
default n
help
Select this option if you want to enable capsule
@@ -342,6 +343,7 @@ config EFI_SECURE_BOOT
select X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
+ select EFI_SIGNATURE_SUPPORT
default n
help
Select this option to enable EFI secure boot support.
@@ -349,6 +351,10 @@ config EFI_SECURE_BOOT
it is signed with a trusted key. To do that, you need to install,
at least, PK, KEK and db.
+config EFI_SIGNATURE_SUPPORT
+ bool
+ depends on EFI_SECURE_BOOT || EFI_CAPSULE_AUTHENTICATE
+
config EFI_ESRT
bool "Enable the UEFI ESRT generation"
depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 8bd343e258..fd344cea29 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -63,7 +63,7 @@ obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o
obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o
obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o
obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o
-obj-y += efi_signature.o
+obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o
EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
$(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index f53ef367ec..fe1ee198e2 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -213,7 +213,68 @@ static void efi_set_code_and_data_type(
}
}
-#ifdef CONFIG_EFI_SECURE_BOOT
+/**
+ * efi_image_region_add() - add an entry of region
+ * @regs: Pointer to array of regions
+ * @start: Start address of region (included)
+ * @end: End address of region (excluded)
+ * @nocheck: flag against overlapped regions
+ *
+ * Take one entry of region [@start, @end[ and insert it into the list.
+ *
+ * * If @nocheck is false, the list will be sorted ascending by address.
+ * Overlapping entries will not be allowed.
+ *
+ * * If @nocheck is true, the list will be sorted ascending by sequence
+ * of adding the entries. Overlapping is allowed.
+ *
+ * Return: status code
+ */
+efi_status_t efi_image_region_add(struct efi_image_regions *regs,
+ const void *start, const void *end,
+ int nocheck)
+{
+ struct image_region *reg;
+ int i, j;
+
+ if (regs->num >= regs->max) {
+ EFI_PRINT("%s: no more room for regions\n", __func__);
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ if (end < start)
+ return EFI_INVALID_PARAMETER;
+
+ for (i = 0; i < regs->num; i++) {
+ reg = ®s->reg[i];
+ if (nocheck)
+ continue;
+
+ /* new data after registered region */
+ if (start >= reg->data + reg->size)
+ continue;
+
+ /* new data preceding registered region */
+ if (end <= reg->data) {
+ for (j = regs->num - 1; j >= i; j--)
+ memcpy(®s->reg[j + 1], ®s->reg[j],
+ sizeof(*reg));
+ break;
+ }
+
+ /* new data overlapping registered region */
+ EFI_PRINT("%s: new region already part of another\n", __func__);
+ return EFI_INVALID_PARAMETER;
+ }
+
+ reg = ®s->reg[i];
+ reg->data = start;
+ reg->size = end - start;
+ regs->num++;
+
+ return EFI_SUCCESS;
+}
+
/**
* cmp_pe_section() - compare virtual addresses of two PE image sections
* @arg1: pointer to pointer to first section header
@@ -422,6 +483,7 @@ err:
return false;
}
+#ifdef CONFIG_EFI_SECURE_BOOT
/**
* efi_image_unsigned_authenticate() - authenticate unsigned image with
* SHA256 hash
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index c7ec275414..bdd09881fc 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -15,18 +15,16 @@
#include <crypto/public_key.h>
#include <linux/compat.h>
#include <linux/oid_registry.h>
+#include <u-boot/hash-checksum.h>
#include <u-boot/rsa.h>
#include <u-boot/sha256.h>
-const efi_guid_t efi_guid_image_security_database =
- EFI_IMAGE_SECURITY_DATABASE_GUID;
const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
-#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
static u8 pkcs7_hdr[] = {
/* SEQUENCE */
0x30, 0x82, 0x05, 0xc7,
@@ -539,68 +537,6 @@ out:
return !revoked;
}
-/**
- * efi_image_region_add() - add an entry of region
- * @regs: Pointer to array of regions
- * @start: Start address of region (included)
- * @end: End address of region (excluded)
- * @nocheck: flag against overlapped regions
- *
- * Take one entry of region [@start, @end[ and insert it into the list.
- *
- * * If @nocheck is false, the list will be sorted ascending by address.
- * Overlapping entries will not be allowed.
- *
- * * If @nocheck is true, the list will be sorted ascending by sequence
- * of adding the entries. Overlapping is allowed.
- *
- * Return: status code
- */
-efi_status_t efi_image_region_add(struct efi_image_regions *regs,
- const void *start, const void *end,
- int nocheck)
-{
- struct image_region *reg;
- int i, j;
-
- if (regs->num >= regs->max) {
- EFI_PRINT("%s: no more room for regions\n", __func__);
- return EFI_OUT_OF_RESOURCES;
- }
-
- if (end < start)
- return EFI_INVALID_PARAMETER;
-
- for (i = 0; i < regs->num; i++) {
- reg = ®s->reg[i];
- if (nocheck)
- continue;
-
- /* new data after registered region */
- if (start >= reg->data + reg->size)
- continue;
-
- /* new data preceding registered region */
- if (end <= reg->data) {
- for (j = regs->num - 1; j >= i; j--)
- memcpy(®s->reg[j + 1], ®s->reg[j],
- sizeof(*reg));
- break;
- }
-
- /* new data overlapping registered region */
- EFI_PRINT("%s: new region already part of another\n", __func__);
- return EFI_INVALID_PARAMETER;
- }
-
- reg = ®s->reg[i];
- reg->data = start;
- reg->size = end - start;
- regs->num++;
-
- return EFI_SUCCESS;
-}
-
/**
* efi_sigstore_free - free signature store
* @sigstore: Pointer to signature store structure
@@ -846,4 +782,3 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name)
return efi_build_signature_store(db, db_size);
}
-#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index b11ed91a74..83479dd142 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -24,6 +24,9 @@ struct efi_auth_var_name_type {
const enum efi_auth_var_type type;
};
+const efi_guid_t efi_guid_image_security_database =
+ EFI_IMAGE_SECURITY_DATABASE_GUID;
+
static const struct efi_auth_var_name_type name_type[] = {
{u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
{u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
--
2.17.1
next prev parent reply other threads:[~2021-05-12 11:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-12 11:32 [PATCH v5 0/3] PE/COFF measurement support Masahisa Kojima
2021-05-12 11:32 ` Masahisa Kojima [this message]
2021-05-13 4:35 ` [PATCH v5 1/3] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled Heinrich Schuchardt
2021-05-13 5:10 ` Masahisa Kojima
2021-05-12 11:32 ` [PATCH v5 2/3] efi_loader: add PE/COFF image measurement Masahisa Kojima
2021-05-12 14:08 ` Ilias Apalodimas
2021-05-12 11:32 ` [PATCH v5 3/3] efi_loader: add FIT_SIGNATURE option to use hash_calculate() Masahisa Kojima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210512113228.29354-2-masahisa.kojima@linaro.org \
--to=masahisa.kojima@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.