From: Jan Kiszka <jan.kiszka@siemens.com>
To: Matt Fleming <matt@codeblueprint.co.uk>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: linux-efi@vger.kernel.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Andy Shevchenko <andy.shevchenko@gmail.com>,
	"Bryan O'Donoghue" <pure.logic@nexus-software.ie>,
	Hock Leong Kweh <hock.leong.kweh@intel.com>,
	Borislav Petkov <bp@alien8.de>,
	Sascha Weisenberger <sascha.weisenberger@siemens.com>
Subject: [PATCH v2 7/7] efi/capsule: Add support for Quark security header
Date: Fri, 24 Mar 2017 18:34:20 +0100
Message-ID: <cab06bccee2d89d7bd0e0408d9541bfd262212a9.1490376860.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1490376860.git.jan.kiszka@siemens.com>

The firmware for Quark X102x prepends a security header to the capsule
which is needed to support the mandatory secure boot on this processor.
The header can be detected by checking for the "_CSH" signature and -
to avoid any GUID conflict - validating its size field to contain the
expected value. Then we need to look for the EFI header right after the
security header and pass the image displacement in cap_info.

To be minimally invasive and maximally safe, the quirk version of
efi_capsule_identify_image is only effective on Quark processors.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 arch/x86/platform/efi/quirks.c | 95 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)

diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
index 30031d5..7f16295 100644
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -13,12 +13,66 @@
 #include <linux/dmi.h>
 #include <asm/efi.h>
 #include <asm/uv/uv.h>
+#include <asm/cpu_device_id.h>
 
 #define EFI_MIN_RESERVE 5120
 
 #define EFI_DUMMY_GUID \
 	EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e, 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92, 0xa9)
 
+#define QUARK_CSH_SIGNATURE		0x5f435348	/* _CSH */
+#define QUARK_SECURITY_HEADER_SIZE	0x400
+
+/*
+ * Header prepended to the standard EFI capsule on Quark systems the are based
+ * on Intel firmware BSP.
+ * @csh_signature:	Unique identifier to sanity check signed module
+ * 			presence ("_CSH").
+ * @version:		Current version of CSH used. Should be one for Quark A0.
+ * @modulesize:		Size of the entire module including the module header
+ * 			and payload.
+ * @security_version_number_index: Index of SVN to use for validation of signed
+ * 			module.
+ * @security_version_number: Used to prevent against roll back of modules.
+ * @rsvd_module_id:	Currently unused for Clanton (Quark).
+ * @rsvd_module_vendor:	Vendor Identifier. For Intel products value is
+ * 			0x00008086.
+ * @rsvd_date:		BCD representation of build date as yyyymmdd, where
+ * 			yyyy=4 digit year, mm=1-12, dd=1-31.
+ * @headersize:		Total length of the header including including any
+ * 			padding optionally added by the signing tool.
+ * @hash_algo:		What Hash is used in the module signing.
+ * @cryp_algo:		What Crypto is used in the module signing.
+ * @keysize:		Total length of the key data including including any
+ * 			padding optionally added by the signing tool.
+ * @signaturesize:	Total length of the signature including including any
+ * 			padding optionally added by the signing tool.
+ * @rsvd_next_header:	32-bit pointer to the next Secure Boot Module in the
+ * 			chain, if there is a next header.
+ * @rsvd:		Reserved, padding structure to required size.
+ *
+ * See also QuartSecurityHeader_t in
+ * Quark_EDKII_v1.2.1.1/QuarkPlatformPkg/Include/QuarkBootRom.h
+ * from https://downloadcenter.intel.com/download/23197/Intel-Quark-SoC-X1000-Board-Support-Package-BSP
+ */
+struct quark_security_header {
+	u32 csh_signature;
+	u32 version;
+	u32 modulesize;
+	u32 security_version_number_index;
+	u32 security_version_number;
+	u32 rsvd_module_id;
+	u32 rsvd_module_vendor;
+	u32 rsvd_date;
+	u32 headersize;
+	u32 hash_algo;
+	u32 cryp_algo;
+	u32 keysize;
+	u32 signaturesize;
+	u32 rsvd_next_header;
+	u32 rsvd[2];
+};
+
 static efi_char16_t efi_dummy_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 };
 
 static bool efi_no_storage_paranoia;
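Review bot: The kernel-doc for struct quark_security_header does not say how the 64-byte struct (16 u32 fields) relates to QUARK_SECURITY_HEADER_SIZE of 0x400. A sentence stating that headersize covers these fixed fields plus the key, signature and padding, and that the EFI capsule header begins at that offset, would make the later headersize comparison self-explanatory. The signature is compared as a native u32, so the "/* _CSH */" annotation describes the hex digits of the constant rather than the in-memory byte order on little-endian x86; a short note on that (or __le32 fields) would avoid confusion. The comment also has a few typos: "the are based" should be "that are based", "including including" appears three times, and "QuartSecurityHeader_t" is worth checking against the name in QuarkBootRom.h.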
@@ -495,3 +549,44 @@ bool efi_poweroff_required(void)
 {
 	return acpi_gbl_reduced_hardware || acpi_no_s5;
 }
+
+static const struct x86_cpu_id quark_ids[] = {
+	{ X86_VENDOR_INTEL, 5, 9 },	/* Intel Quark X1000 */
+	{ }
+};
+
+int efi_capsule_identify_image(struct efi_capsule_info *cap_info, void *header,
+			       size_t hdr_bytes)
+{
+	struct quark_security_header *csh = header;
+
+	if (!x86_match_cpu(quark_ids))
+		return __efi_capsule_identify_image(cap_info, header,
+						    hdr_bytes);
+
+	/* Only process data block that is larger than the security header */
+	if (hdr_bytes < sizeof(struct quark_security_header))
+		return 0;
+
+	if (csh->csh_signature != QUARK_CSH_SIGNATURE ||
+	    csh->headersize != QUARK_SECURITY_HEADER_SIZE)
+		return __efi_capsule_identify_image(cap_info, header,
+						    hdr_bytes);
+
+	/* Only process data block if EFI header is included */
+	if (hdr_bytes < QUARK_SECURITY_HEADER_SIZE +
+			sizeof(efi_capsule_header_t))
+		return 0;
+
+	pr_debug("Quark security header detected\n");
+
+	if (csh->rsvd_next_header != 0) {
+		pr_err("multiple Quark security headers not supported\n");
+		return -EINVAL;
+	}
+
+	cap_info->total_size = csh->modulesize;
+	cap_info->efi_hdr_displacement = csh->headersize;
+
+	return 1;
+}
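Review bot: csh->modulesize is copied into cap_info->total_size in the final assignments without any sanity check, although the value comes straight from the supplied image. The struct comment defines modulesize as the size of the entire module including header and payload, so a value smaller than QUARK_SECURITY_HEADER_SIZE + sizeof(efi_capsule_header_t) is inconsistent with the header that was just accepted, and the function could return -EINVAL in that case, as it already does for a non-zero rsvd_next_header. How the caller treats total_size is not visible in this hunk, so validating it here keeps the quirk safe regardless. It would also help to document the return convention (0 for "need more data", 1 for "identified", negative errno on error) in a comment above efi_capsule_identify_image, since the two early "return 0" paths otherwise read like success.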
-- 
2.10.2
