From patchwork Wed Apr 28 12:19:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 428603 Delivered-To: patch@linaro.org Received: by 2002:a02:c901:0:0:0:0:0 with SMTP id t1csp555803jao; Wed, 28 Apr 2021 05:20:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyKosRMhKGm0CMMw30qzAGZ3C4QLVCIlCkF1SMAtTnwjYyaUGH4TgsPAdX4j5a475C8pUfn X-Received: by 2002:a17:906:34da:: with SMTP id h26mr28079731ejb.496.1619612420544; Wed, 28 Apr 2021 05:20:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619612420; cv=none; d=google.com; s=arc-20160816; b=SZII0GsdE7IzD5W0kLhHoBVJzVIRtluO6IUkxu9eqiwG91DBwpH4OZzjRtSRFtdZVH OXc42tlo5++sZchhkFcOTFTim2ya6nUPtW6fSPSMgu0colnGDjMbDcfxea6rYI5cm898 54sTZb92NB90uT7ZrZ7bMR970dlmuhk4XesiajChsSsbH3d44S7yZA1sOqw2jxfhxyHS cCwqZOo+9WL9nSkjZKWMbGQ5QcBrlWQLHHezZwdjh65R0GmzZZmKrsmWjESPllFMpFUv +CsNKT4qXKj7xZpFx5GW/aqDTpcAZEeNXaRjhIVpWaxYo3uwh1iWPIqpd1HjOornnl+8 azeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=CjOfCDcbs5PLKY8WNeQhSwu+kgZyyBtxIve+th0G+Hg=; b=WiF+Q9w8V1qmI8Kz6XyVbSvet8bsOh0vLHcYpihn/aKwHnrMgLei11IhboMgXeANIm ATeaN7AEeh4V7Yv8prX2QbCZ5VYo34D9C0ummLHh3Ixr317Lxgd2eQaMSo4Kr00CkX/e x/JtluB81bkMyL+5glMeJCjwWNb9IJd78BrB083U0QF7bf5TNQV2MzjGtJ3IToRyENx6 DlvqM7ToLbsnSBjL1YsIyAdf4Hfgf73x3N4nXYE1XRjw0rSg4Qa+BWBNhvhH/Owx7pr3 0XdsP0StQR/2juhFroAZDjs9pwBr9+FRk1s0QVrkASpMrdS/8g2in0pST+aUC+dDGndU SDcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=TWIHgZwF; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id v5si5752314edi.582.2021.04.28.05.20.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Apr 2021 05:20:20 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=TWIHgZwF; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 7962E82CB5; Wed, 28 Apr 2021 14:20:16 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="TWIHgZwF"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id AEB3682CB0; Wed, 28 Apr 2021 14:20:10 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 08A0382BB2 for ; Wed, 28 Apr 2021 14:20:02 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x102d.google.com with SMTP id m6-20020a17090a8586b02901507e1acf0fso9035560pjn.3 for ; Wed, 28 Apr 2021 05:20:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=CjOfCDcbs5PLKY8WNeQhSwu+kgZyyBtxIve+th0G+Hg=; b=TWIHgZwFl4pbTm77IZtre1YxrgMqiD2XqZLlUNr/ddAHuZrELJetxqyfcf3seprYV8 PfvDLRNLJPWCJ5eT6o/50L+WnMdrhzsZKmBL5t9vFry6dDwIgL3dx66u0FpDouWtmLVP Ps7pDxQhG9Punx9rao8YQzuWf4dhDkOQK45HwQ+/cZGpmKUUwmqYmrpJ9LKuXVtD1E8O IIYUB4Ske/6aCQP94cDrSIbyi9j2sMMQMQ9alrb1I3V8n2MSEibTxEF2ggRDWCFtzfHc +dw/Mbk5DYEP32sJGYOd2FE3JREFOfG3dXAXZKk1GrpBp0id17qM4b7eD8ShilxaKrpp 9jaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=CjOfCDcbs5PLKY8WNeQhSwu+kgZyyBtxIve+th0G+Hg=; b=QnTl49stC1oZi/UJoruK3gKr9JrFwKgaUSQ34pbvOfA7iQLU0Ctde37lDtontKULOg HNE1QqNhvnFlLFbK512NhEp3aYOc1HqaQIijrfPxj13RohkTM9jB9KnhbbtUaSNflDar WisftHhgsGyUTbGar7SG0ZCH+RHD7G7BHyVOr3JDbITC2Y8YeOIrDnZk4ZmaHGsSmU7H qowdeXqSqj9OBHv5wGWWQw9jpf9sMV1nFWKaz5DL4e7sgdf46tbQlikFLCNb4GUHKWbD 0UI2agANVvOJbbCVZCF3L/qLwQ7zMggYKDF5G7NlqoMm0G3f2KdTmfqYSsu4qz80tVSP Xorg== X-Gm-Message-State: AOAM533K5p0bgrnUy3i6dCAfRajDoJR6t8veEVkqUh3UWH2rwOjbVlCe cYxm2egI6dds589d+4OXZUMrjg== X-Received: by 2002:a17:902:ab86:b029:e9:47c1:93de with SMTP id f6-20020a170902ab86b02900e947c193demr29777290plr.69.1619612400338; Wed, 28 Apr 2021 05:20:00 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id z62sm4910266pfb.110.2021.04.28.05.19.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Apr 2021 05:19:59 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt Cc: Alexander Graf , Simon Glass , Ilias Apalodimas , Masahisa Kojima , Dhananjay Phadke , Takahiro Akashi , u-boot@lists.denx.de Subject: [PATCH v3 1/2] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled Date: Wed, 28 Apr 2021 21:19:44 +0900 Message-Id: <20210428121945.12586-2-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210428121945.12586-1-masahisa.kojima@linaro.org> References: <20210428121945.12586-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean This is preparation for PE/COFF measurement support. PE/COFF image hash calculation is same in both UEFI Secure Boot image verification and measurement in measured boot. PE/COFF image parsing functions are gathered into efi_image_loader.c, and exposed even if UEFI Secure Boot is not enabled. This commit also adds the EFI_SIGNATURE_SUPPORT option to decide if efi_signature.c shall be compiled. Signed-off-by: Masahisa Kojima --- Changes in v3: - hide EFI_SIGNATURE_SUPPORT option Changes in v2: - Remove all #ifdef from efi_image_loader.c and efi_signature.c - Add EFI_SIGNATURE_SUPPORT option - Explicitly include - Gather PE/COFF parsing functions into efi_image_loader.c - Move efi_guid_t efi_guid_image_security_database in efi_var_common.c lib/efi_loader/Kconfig | 6 +++ lib/efi_loader/Makefile | 2 +- lib/efi_loader/efi_image_loader.c | 73 +++++++++++++++++++++++++++---- lib/efi_loader/efi_signature.c | 67 +--------------------------- lib/efi_loader/efi_var_common.c | 3 ++ 5 files changed, 76 insertions(+), 75 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 0b99d7c774..b76e77180e 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY select IMAGE_SIGN_INFO + select EFI_SIGNATURE_SUPPORT default n help Select this option if you want to enable capsule @@ -336,6 +337,7 @@ config EFI_SECURE_BOOT select X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY + select EFI_SIGNATURE_SUPPORT default n help Select this option to enable EFI secure boot support. @@ -343,6 +345,10 @@ config EFI_SECURE_BOOT it is signed with a trusted key. To do that, you need to install, at least, PK, KEK and db. +config EFI_SIGNATURE_SUPPORT + bool + depends on EFI_SECURE_BOOT || EFI_CAPSULE_AUTHENTICATE + config EFI_ESRT bool "Enable the UEFI ESRT generation" depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile index 8bd343e258..fd344cea29 100644 --- a/lib/efi_loader/Makefile +++ b/lib/efi_loader/Makefile @@ -63,7 +63,7 @@ obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o -obj-y += efi_signature.o +obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE)) $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE) diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index f53ef367ec..b8a790bcb9 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -213,7 +213,68 @@ static void efi_set_code_and_data_type( } } -#ifdef CONFIG_EFI_SECURE_BOOT +/** + * efi_image_region_add() - add an entry of region + * @regs: Pointer to array of regions + * @start: Start address of region (included) + * @end: End address of region (excluded) + * @nocheck: flag against overlapped regions + * + * Take one entry of region [@start, @end[ and insert it into the list. + * + * * If @nocheck is false, the list will be sorted ascending by address. + * Overlapping entries will not be allowed. + * + * * If @nocheck is true, the list will be sorted ascending by sequence + * of adding the entries. Overlapping is allowed. + * + * Return: status code + */ +efi_status_t efi_image_region_add(struct efi_image_regions *regs, + const void *start, const void *end, + int nocheck) +{ + struct image_region *reg; + int i, j; + + if (regs->num >= regs->max) { + EFI_PRINT("%s: no more room for regions\n", __func__); + return EFI_OUT_OF_RESOURCES; + } + + if (end < start) + return EFI_INVALID_PARAMETER; + + for (i = 0; i < regs->num; i++) { + reg = ®s->reg[i]; + if (nocheck) + continue; + + /* new data after registered region */ + if (start >= reg->data + reg->size) + continue; + + /* new data preceding registered region */ + if (end <= reg->data) { + for (j = regs->num - 1; j >= i; j--) + memcpy(®s->reg[j + 1], ®s->reg[j], + sizeof(*reg)); + break; + } + + /* new data overlapping registered region */ + EFI_PRINT("%s: new region already part of another\n", __func__); + return EFI_INVALID_PARAMETER; + } + + reg = ®s->reg[i]; + reg->data = start; + reg->size = end - start; + regs->num++; + + return EFI_SUCCESS; +} + /** * cmp_pe_section() - compare virtual addresses of two PE image sections * @arg1: pointer to pointer to first section header @@ -504,6 +565,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) EFI_PRINT("%s: Enter, %d\n", __func__, ret); + if (!IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) + return true; + if (!efi_secure_boot_enabled()) return true; @@ -668,13 +732,6 @@ err: EFI_PRINT("%s: Exit, %d\n", __func__, ret); return ret; } -#else -static bool efi_image_authenticate(void *efi, size_t efi_size) -{ - return true; -} -#endif /* CONFIG_EFI_SECURE_BOOT */ - /** * efi_check_pe() - check if a memory buffer contains a PE-COFF image diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index c7ec275414..bdd09881fc 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -15,18 +15,16 @@ #include #include #include +#include #include #include -const efi_guid_t efi_guid_image_security_database = - EFI_IMAGE_SECURITY_DATABASE_GUID; const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID; const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID; const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; -#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) static u8 pkcs7_hdr[] = { /* SEQUENCE */ 0x30, 0x82, 0x05, 0xc7, @@ -539,68 +537,6 @@ out: return !revoked; } -/** - * efi_image_region_add() - add an entry of region - * @regs: Pointer to array of regions - * @start: Start address of region (included) - * @end: End address of region (excluded) - * @nocheck: flag against overlapped regions - * - * Take one entry of region [@start, @end[ and insert it into the list. - * - * * If @nocheck is false, the list will be sorted ascending by address. - * Overlapping entries will not be allowed. - * - * * If @nocheck is true, the list will be sorted ascending by sequence - * of adding the entries. Overlapping is allowed. - * - * Return: status code - */ -efi_status_t efi_image_region_add(struct efi_image_regions *regs, - const void *start, const void *end, - int nocheck) -{ - struct image_region *reg; - int i, j; - - if (regs->num >= regs->max) { - EFI_PRINT("%s: no more room for regions\n", __func__); - return EFI_OUT_OF_RESOURCES; - } - - if (end < start) - return EFI_INVALID_PARAMETER; - - for (i = 0; i < regs->num; i++) { - reg = ®s->reg[i]; - if (nocheck) - continue; - - /* new data after registered region */ - if (start >= reg->data + reg->size) - continue; - - /* new data preceding registered region */ - if (end <= reg->data) { - for (j = regs->num - 1; j >= i; j--) - memcpy(®s->reg[j + 1], ®s->reg[j], - sizeof(*reg)); - break; - } - - /* new data overlapping registered region */ - EFI_PRINT("%s: new region already part of another\n", __func__); - return EFI_INVALID_PARAMETER; - } - - reg = ®s->reg[i]; - reg->data = start; - reg->size = end - start; - regs->num++; - - return EFI_SUCCESS; -} - /** * efi_sigstore_free - free signature store * @sigstore: Pointer to signature store structure @@ -846,4 +782,3 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) return efi_build_signature_store(db, db_size); } -#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */ diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index b11ed91a74..83479dd142 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -24,6 +24,9 @@ struct efi_auth_var_name_type { const enum efi_auth_var_type type; }; +const efi_guid_t efi_guid_image_security_database = + EFI_IMAGE_SECURITY_DATABASE_GUID; + static const struct efi_auth_var_name_type name_type[] = { {u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK}, {u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},