From mboxrd@z Thu Jan 1 00:00:00 1970 From: Heinrich Schuchardt Date: Thu, 15 Apr 2021 15:58:17 +0200 Subject: [PATCH 1/2] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled In-Reply-To: <20210415133020.29175-2-masahisa.kojima@linaro.org> References: <20210415133020.29175-1-masahisa.kojima@linaro.org> <20210415133020.29175-2-masahisa.kojima@linaro.org> Message-ID: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On 15.04.21 15:30, Masahisa Kojima wrote: > This is preparation for PE/COFF measurement support. > PE/COFF image hash calculation is same in both > UEFI Secure Boot image verification and measurement in > measured boot. This commit exposes the hash calculation > functions even if UEFI Secure Boot is not enabled. > > Signed-off-by: Masahisa Kojima > --- > lib/efi_loader/efi_image_loader.c | 2 +- > lib/efi_loader/efi_signature.c | 2 ++ > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c > index f53ef367ec..2c35cb5651 100644 > --- a/lib/efi_loader/efi_image_loader.c > +++ b/lib/efi_loader/efi_image_loader.c > @@ -213,7 +213,6 @@ static void efi_set_code_and_data_type( > } > } > > -#ifdef CONFIG_EFI_SECURE_BOOT > /** > * cmp_pe_section() - compare virtual addresses of two PE image sections > * @arg1: pointer to pointer to first section header > @@ -422,6 +421,7 @@ err: > return false; > } > > +#ifdef CONFIG_EFI_SECURE_BOOT Please, remove the #ifdef and replace it by if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) { in function efi_image_authenticate(). The advantage of using 'if' instead of '#ifdef' is that all branches are parsed by GCC. This allows us to catch code problems more easily. > /** > * efi_image_unsigned_authenticate() - authenticate unsigned image with > * SHA256 hash 
> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c > index c7ec275414..1dd9d0e130 100644 > --- a/lib/efi_loader/efi_signature.c > +++ b/lib/efi_loader/efi_signature.c > @@ -538,6 +538,7 @@ out: > EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); > return !revoked; > } > +#endif The #if is superfluous. Just add the missing header #include efi_guid_t efi_guid_image_security_database should be moved to efi_var_common.c. This allows us to decide if lib/efi_loader/efi_signature.c shall be compiled in the Makefile. Best regards Heinrich > > /** > * efi_image_region_add() - add an entry of region > @@ -601,6 +602,7 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs, > return EFI_SUCCESS; > } > > +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) > /** > * efi_sigstore_free - free signature store > * @sigstore: Pointer to signature store structure >
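Review bot: In lib/efi_loader/efi_image_loader.c, moving `#ifdef CONFIG_EFI_SECURE_BOOT` from above cmp_pe_section() down to above efi_image_unsigned_authenticate() means every function between those two points is now built in all configurations. This is patch 1/2 and no caller for the non-Secure-Boot case is visible here. If any of those helpers are static, a build with Secure Boot disabled may warn about unused functions at this commit, so please confirm the series builds warning-free patch by patch. The relocated guard would also be easier to follow if its closing line were annotated, e.g. `#endif /* CONFIG_EFI_SECURE_BOOT */`.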
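Review bot: In lib/efi_loader/efi_signature.c, the added `#endif` after the function that ends in `return !revoked;` has no comment naming the condition it closes, and the `#if` it pairs with lies outside the hunk. A reader cannot tell from these lines whether it matches the new `#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)` placed before efi_sigstore_free(). Please annotate both the `#endif` and the reopened `#if` with the condition. The commit message speaks only of hash calculation functions, so it should also say that efi_image_region_add() is being taken out of the guard.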
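The difference between `#ifdef` and `if (IS_ENABLED(...))` raised in the reply, as an added example that is not part of the original mail and is not U-Boot code. The options `CONFIG_DEMO_SECURE_BOOT` and `CONFIG_DEMO_MEASURED_BOOT`, the `demo_*` functions and the simplified `IS_ENABLED()` macro (modelled on the one in linux/kconfig.h) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-in for IS_ENABLED() (modelled on linux/kconfig.h):
 * expands to 1 if the option is defined as 1, to 0 if it is undefined. */
#define DEMO_PLACEHOLDER_1 0,
#define DEMO_SECOND(ignored, val, ...) val
#define DEMO_IS_DEF3(arg1_or_junk) DEMO_SECOND(arg1_or_junk 1, 0, 0)
#define DEMO_IS_DEF2(val) DEMO_IS_DEF3(DEMO_PLACEHOLDER_##val)
#define DEMO_IS_DEF(x) DEMO_IS_DEF2(x)
#define IS_ENABLED(option) DEMO_IS_DEF(option)

/* Hypothetical options: this one is on, CONFIG_DEMO_SECURE_BOOT is undefined. */
#define CONFIG_DEMO_MEASURED_BOOT 1

/* Hypothetical signature check; constructed rule: first byte must be 'S'. */
static bool demo_signature_ok(const unsigned char *img, size_t len)
{
	return len > 0 && img[0] == 'S';
}

#ifdef CONFIG_DEMO_SECURE_BOOT
/* '#ifdef' style: with the option off this body is never compiled or checked. */
static bool demo_authenticate_ifdef(const unsigned char *img, size_t len)
{
	return demo_signature_ok(img, len);
}
#else
static bool demo_authenticate_ifdef(const unsigned char *img, size_t len)
{
	(void)img; (void)len;
	return true;
}
#endif

/* 'if (IS_ENABLED())' style: one body, always parsed and type-checked. */
static bool demo_authenticate(const unsigned char *img, size_t len)
{
	if (IS_ENABLED(CONFIG_DEMO_SECURE_BOOT))
		return demo_signature_ok(img, len); /* dead code here, still compiled */
	return true; /* option off: nothing to verify */
}

int main(void)
{
	const unsigned char img[] = "Xdemo"; /* constructed sample image bytes */
	return demo_authenticate(img, 5) == demo_authenticate_ifdef(img, 5) ? 0 : 1;
}
```

With the option undefined, a mistake inside the `#ifdef` body goes unnoticed until someone builds with the option on, while the same mistake inside `demo_authenticate()` fails every build.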