From patchwork Tue Feb 21 02:33:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 655353 Delivered-To: patch@linaro.org Received: by 2002:adf:9bcd:0:0:0:0:0 with SMTP id e13csp1728528wrc; Mon, 20 Feb 2023 18:32:10 -0800 (PST) X-Google-Smtp-Source: AK7set8MKUW8aPqp/52wfzPJ6W1I9AwBYw23ztja3n4aRHo6fYesd7zxIuqa+rdzoMOAQeOBVt0d X-Received: by 2002:a05:6870:c18b:b0:16e:800:9e05 with SMTP id h11-20020a056870c18b00b0016e08009e05mr4833260oad.12.1676946729998; Mon, 20 Feb 2023 18:32:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676946729; cv=none; d=google.com; s=arc-20160816; b=DFxQFbok1UcFjwnv50rEdPkS8eWHEeuL0NDWywm4c3K/6+mqmhzTcVboZT1TIlAHlC lIPc7Je0V4wSUKSRlq7XYb/5hK1PNYth5HYlFFeW+VPkmj9uCHV8/DlyHK1oUVut7qxw BNDVu96Hcxzq9ax3+jMjc/iBi179YO1FutA5sNLrj+krqVs+56ucbOLA/TTYV+ZkOzKp 1ihg0p+mnlXY3EzIENF50r2LtsDelQ6e/vHrB/CxCE5oajKA1YoyWa36fw2dUn3Es3qe wAsfNIhbi2hfVcrfAebmj9I9qL/gjmEhXR8qoDFfRDyPOFIqV+zYGEM7nOLNjN7jr9ac 4PiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=a46NcSH7XWnYWp3oaOYQ1XZ61ngWnJsqHnGkq/HIilw=; b=I0HZ8nDEg/9EbCJ3pQOTTSPctTleSxd70qJg3vfHUVBr9XVGxEcER4wf52WSFRsiZP IIdSbzHa1v6sxiYZFq0YBVhXkwbzd2jmw9JMQpQYjpKE3e4SuAHVjypwkNrKGO/Dg4Jn Y3mYKtZRdLWNTiUfrUxA17SufQzHgUVwuJX19u6hd5ONvz/eMuja3MaYqxGTYZ79QgR8 EPR3PrR8cmaQfsiopvjWglDv94ptfXlXkMz8yT/6HeesnTlWqkMwuJEqSje2QeM16J40 vd4Xk2QGX06ojwTuFfX7o/v81mXKbs8XG9n/dVVDJU+lVu9a4Lb/END0ZYbhtOOUwHvJ IdMA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=u7vIbsaf; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id h5-20020a056870c18500b00171df991c88si6325479oad.96.2023.02.20.18.32.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Feb 2023 18:32:09 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=u7vIbsaf; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 0611C8594B; Tue, 21 Feb 2023 03:32:05 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="u7vIbsaf"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 0BB1F8595C; Tue, 21 Feb 2023 03:32:03 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 392728594A for ; Tue, 21 Feb 2023 03:32:00 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1030.google.com with SMTP id i1-20020a17090ad34100b00234463de251so3163248pjx.3 for ; Mon, 20 Feb 2023 18:32:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=a46NcSH7XWnYWp3oaOYQ1XZ61ngWnJsqHnGkq/HIilw=; b=u7vIbsafnjev9uBGOAXTGeHoTVrLNoPVNUShvEnvhwnwLCkZMHcwlJJN4GNJHpYM22 3ImvA8iaXrdy/SYm2X221/ajpjB73yxyGNG3+rZIl5HYCnpsxGK5l7OeCM5+zDs0vg/M kc/bGMbb5DgiKKskxMYe9vpDhpUG21PGV26ZvWrPMfFQkVuXudq0PpXLndUxvL+/Gh6I 04cMEFpusEGGd184UrXMBrsYhZORh4E7IcnRmLFjFL5NvYQZapYVgRsicYTMWlA2bheS ArIBJaDPS70JD8WdZWIcMEt1ppVqXnYTZQFg6HXszCJy5GMJ1LnEPTsjHDAK34D2rqKv 4q6g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=a46NcSH7XWnYWp3oaOYQ1XZ61ngWnJsqHnGkq/HIilw=; b=vIMcV/9UA1ptBlrj5Hj2/LuEse5S1uZ8hMBadPzt7QSuEnFNWCrkV/fK0SJq/vsDh7 NLP0f2wpYROQtGch32VWgutaLQE9jvdL5vK5mYRRCo8q2RaatJr9hANV7ZR67LrnsUqQ sCdBz6O6plC/J3QTj3eMHHteA6qOKzYrUVlZ3cLCMaP8Ftf8cIjZlymm2wvBHGnzlL6B sOJuzyJ2xsizWnO/fuv9aJQbz2AGJRLGVNHi9owF1NVA6GsufAjpIMj8Pdbg1vzGZQHQ qaL54ioVTsvIQcjy6zVY1oJWDAPME188iHudtbLw26qPqoBv5t2tz6Dhg8Pa4YgyFxZ1 nvdg== X-Gm-Message-State: AO0yUKU3toD0LI/oGvhMS8DinAns05aF6j8gy19uLGnXNEjd+2Y69XP1 ywnES2oOrjwSdFpG+8q3DpyrvSiwWGzNf2sgtvQ= X-Received: by 2002:a17:90b:4f4e:b0:230:acb2:e3e8 with SMTP id pj14-20020a17090b4f4e00b00230acb2e3e8mr2655219pjb.23.1676946718080; Mon, 20 Feb 2023 18:31:58 -0800 (PST) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id y15-20020a17090ad70f00b00233e7f0e7dfsm1660269pju.4.2023.02.20.18.31.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Feb 2023 18:31:57 -0800 (PST) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Masahisa Kojima Subject: [PATCH v5] efi_loader: update SetVariable attribute check Date: Tue, 21 Feb 2023 11:33:17 +0900 Message-Id: <20230221023317.7766-1-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean UEFI specification v2.10 says that EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is deprecated and EFI_UNSUPPORTED should be returned in SetVariable variable service. Current implementation returns EFI_INVALID_PARAMETER, let's fix the return value. Together with above change, this commit also updates the SetVariable attribute check to be aligned with the EDK2 reference implementation. Signed-off-by: Masahisa Kojima --- Changes in v5: - remove HwErrRecSupport check added in v4 Changes in v4: - update HR attribute check(need NV,BS,RT) - check HwErrRecSupport variable for HR variables Changes in v3: - accept no access attribute for deletion Changes in v2: - fix coding style - HR must be set with NV lib/efi_loader/efi_variable.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 5804f69954..be95ed44e6 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -230,8 +230,30 @@ efi_status_t efi_set_variable_int(const u16 *variable_name, u64 time = 0; enum efi_auth_var_type var_type; - if (!variable_name || !*variable_name || !vendor || - ((attributes & EFI_VARIABLE_RUNTIME_ACCESS) && + if (!variable_name || !*variable_name || !vendor) + return EFI_INVALID_PARAMETER; + + if (data_size && !data) + return EFI_INVALID_PARAMETER; + + /* EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is deprecated */ + if (attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) + return EFI_UNSUPPORTED; + + /* Make sure if runtime bit is set, boot service bit is set also */ + if ((attributes & + (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == + EFI_VARIABLE_RUNTIME_ACCESS) + return EFI_INVALID_PARAMETER; + + /* only EFI_VARIABLE_NON_VOLATILE attribute is invalid */ + if ((attributes & EFI_VARIABLE_MASK) == EFI_VARIABLE_NON_VOLATILE) + return EFI_INVALID_PARAMETER; + + /* Make sure HR is set with NV, BS and RT */ + if (attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD && + (!(attributes & EFI_VARIABLE_NON_VOLATILE) || + !(attributes & EFI_VARIABLE_RUNTIME_ACCESS) || !(attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS))) return EFI_INVALID_PARAMETER; @@ -281,8 +303,6 @@ efi_status_t efi_set_variable_int(const u16 *variable_name, /* authenticate a variable */ if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) { - if (attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) - return EFI_INVALID_PARAMETER; if (attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) { u32 env_attr; @@ -300,8 +320,7 @@ efi_status_t efi_set_variable_int(const u16 *variable_name, } } else { if (attributes & - (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | - EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) { + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) { EFI_PRINT("Secure boot is not configured\n"); return EFI_INVALID_PARAMETER; }