From patchwork Thu Apr 30 17:36:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 239032 List-Id: U-Boot discussion From: sughosh.ganu at linaro.org (Sughosh Ganu) Date: Thu, 30 Apr 2020 23:06:29 +0530 Subject: [PATCH 7/8] qemu: arm64: Add support for uefi capsule authentication In-Reply-To: <20200430173630.15608-1-sughosh.ganu@linaro.org> References: <20200430173630.15608-1-sughosh.ganu@linaro.org> Message-ID: <20200430173630.15608-8-sughosh.ganu@linaro.org> Add support for uefi capsule authentication feature for the qemu arm64 platform. This feature is enabled by setting the environment variable "capsule_authentication_enabled". The following configs are needed for enabling uefi capsule update and capsule authentication features on the platform. CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_FIRMWARE_MANAGEMENT_PROTOCOL=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y Signed-off-by: Sughosh Ganu --- board/emulation/qemu-arm/qemu_efi_fmp.c | 49 +++++++++++++++++++++---- 1 file changed, 41 insertions(+), 8 deletions(-) diff --git a/board/emulation/qemu-arm/qemu_efi_fmp.c b/board/emulation/qemu-arm/qemu_efi_fmp.c index 9baea94e6c..b58843f8fb 100644 --- a/board/emulation/qemu-arm/qemu_efi_fmp.c +++ b/board/emulation/qemu-arm/qemu_efi_fmp.c @@ -101,9 +101,15 @@ static efi_status_t EFIAPI qemu_arm64_fmp_get_image_info( image_info[0].size = 0; image_info[0].attributes_supported = - EFI_IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + EFI_IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | + EFI_IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; image_info[0].attributes_setting = EFI_IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; + /* Check if the capsule authentication is enabled */ + if (env_get("capsule_authentication_enabled")) + image_info[0].attributes_setting |= + EFI_IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; + image_info[0].lowest_supported_image_version = 1; image_info[0].last_attempt_version = 0; image_info[0].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS; @@ -142,17 +148,12 @@ static efi_status_t EFIAPI qemu_arm64_fmp_set_image( long fd, ret; efi_status_t status = EFI_SUCCESS; char *mode = "w+b"; + void *capsule_payload; + efi_uintn_t capsule_payload_size; EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, image_size, vendor_code, progress, abort_reason); - /* - * Put a hack here to offset the size of - * the FMP_PAYLOAD_HEADER that gets added - * by the GenerateCapsule script in edk2. - */ - image += 0x10; - image_size -= 0x10; /* Do all the sanity checks first */ if (!image) { @@ -170,6 +171,38 @@ static efi_status_t EFIAPI qemu_arm64_fmp_set_image( goto back; } + /* Authenticate the capsule if authentication enabled */ + if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && + env_get("capsule_authentication_enabled")) { + capsule_payload = NULL; + capsule_payload_size = 0; + status = efi_capsule_authenticate(image, image_size, + &capsule_payload, + &capsule_payload_size); + + if (status == EFI_SECURITY_VIOLATION) { + printf("Capsule authentication check failed. Aborting update\n"); + goto back; + } else if (status != EFI_SUCCESS) { + goto back; + } + + debug("Capsule authentication successfull\n"); + image = capsule_payload; + image_size = capsule_payload_size; + } else { + debug("Capsule authentication disabled. "); + debug("Updating capsule without authenticating.\n"); + } + + /* + * Put a hack here to offset the size of + * the FMP_PAYLOAD_HEADER that gets added + * by the GenerateCapsule script in edk2. + */ + image += 0x10; + image_size -= 0x10; + /* Do the update */ fd = smh_open(UBOOT_FILE, mode); if (fd == -1) {