summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2020-05-05 12:32:44 -0400
committerTom Rini <trini@konsulko.com>2020-05-05 12:32:44 -0400
commit9a3cc7b6d416fddfa6058b731fe5c9055dba6918 (patch)
treed08f6b1c5c9707d03b9343ad4896ea4df749b9c6
parent191ee8aac60d6b828ee5f933ab2c6aceda167082 (diff)
parent16ad946f41d3dc3e475d8313f4acbba0df527a2a (diff)
downloadu-boot-9a3cc7b6d416fddfa6058b731fe5c9055dba6918.tar.gz
Merge tag 'efi-2020-07-rc2-2' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi
Pull request for UEFI sub-system for efi-2020-07-rc2-2 This patch contains error corrections and code simplifications for the UEFI sub-system.
-rw-r--r--cmd/efidebug.c40
-rw-r--r--include/crypto/pkcs7_parser.h (renamed from lib/crypto/pkcs7_parser.h)4
-rw-r--r--include/crypto/x509_parser.h (renamed from lib/crypto/x509_parser.h)4
-rw-r--r--include/efi_loader.h2
-rw-r--r--lib/crypto/pkcs7_parser.c4
-rw-r--r--lib/crypto/x509_cert_parser.c4
-rw-r--r--lib/crypto/x509_public_key.c6
-rw-r--r--lib/efi_loader/efi_disk.c29
-rw-r--r--lib/efi_loader/efi_image_loader.c2
-rw-r--r--lib/efi_loader/efi_setup.c12
-rw-r--r--lib/efi_loader/efi_signature.c6
-rw-r--r--lib/efi_loader/efi_variable.c325
-rw-r--r--test/lib/asn1.c4
-rw-r--r--test/py/tests/test_efi_secboot/test_authvar.py8
-rw-r--r--test/py/tests/test_efi_secboot/test_signed.py4
-rw-r--r--test/py/tests/test_efi_secboot/test_unsigned.py6
16 files changed, 174 insertions, 286 deletions
diff --git a/cmd/efidebug.c b/cmd/efidebug.c
index d4030fee64..d8a76d78a3 100644
--- a/cmd/efidebug.c
+++ b/cmd/efidebug.c
@@ -17,7 +17,6 @@
#include <linux/ctype.h>
#define BS systab.boottime
-#define RT systab.runtime
/**
* efi_get_device_handle_info() - get information of UEFI device
@@ -69,7 +68,7 @@ static int do_efi_show_devices(cmd_tbl_t *cmdtp, int flag,
u16 *dev_path_text;
efi_status_t ret;
- ret = EFI_CALL(BS->locate_handle_buffer(ALL_HANDLES, NULL, NULL,
+ ret = EFI_CALL(efi_locate_handle_buffer(ALL_HANDLES, NULL, NULL,
&num, &handles));
if (ret != EFI_SUCCESS)
return CMD_RET_FAILURE;
@@ -86,7 +85,7 @@ static int do_efi_show_devices(cmd_tbl_t *cmdtp, int flag,
}
}
- EFI_CALL(BS->free_pool(handles));
+ efi_free_pool(handles);
return CMD_RET_SUCCESS;
}
@@ -148,7 +147,7 @@ static int do_efi_show_drivers(cmd_tbl_t *cmdtp, int flag,
u16 *driver_name, *image_path_text;
efi_status_t ret;
- ret = EFI_CALL(BS->locate_handle_buffer(
+ ret = EFI_CALL(efi_locate_handle_buffer(
BY_PROTOCOL, &efi_guid_driver_binding_protocol,
NULL, &num, &handles));
if (ret != EFI_SUCCESS)
@@ -170,12 +169,12 @@ static int do_efi_show_drivers(cmd_tbl_t *cmdtp, int flag,
else
printf("%p %-20ls <built-in>\n",
handles[i], driver_name);
- EFI_CALL(BS->free_pool(driver_name));
- EFI_CALL(BS->free_pool(image_path_text));
+ efi_free_pool(driver_name);
+ efi_free_pool(image_path_text);
}
}
- EFI_CALL(BS->free_pool(handles));
+ efi_free_pool(handles);
return CMD_RET_SUCCESS;
}
@@ -321,7 +320,7 @@ static int do_efi_show_handles(cmd_tbl_t *cmdtp, int flag,
const char *guid_text;
efi_status_t ret;
- ret = EFI_CALL(BS->locate_handle_buffer(ALL_HANDLES, NULL, NULL,
+ ret = EFI_CALL(efi_locate_handle_buffer(ALL_HANDLES, NULL, NULL,
&num, &handles));
if (ret != EFI_SUCCESS)
return CMD_RET_FAILURE;
@@ -355,7 +354,7 @@ static int do_efi_show_handles(cmd_tbl_t *cmdtp, int flag,
putc('\n');
}
- EFI_CALL(BS->free_pool(handles));
+ efi_free_pool(handles);
return CMD_RET_SUCCESS;
}
@@ -463,18 +462,17 @@ static int do_efi_show_memmap(cmd_tbl_t *cmdtp, int flag,
int i;
efi_status_t ret;
- ret = EFI_CALL(BS->get_memory_map(&map_size, memmap, NULL, NULL, NULL));
+ ret = efi_get_memory_map(&map_size, memmap, NULL, NULL, NULL);
if (ret == EFI_BUFFER_TOO_SMALL) {
map_size += sizeof(struct efi_mem_desc); /* for my own */
- ret = EFI_CALL(BS->allocate_pool(EFI_LOADER_DATA,
- map_size, (void *)&memmap));
+ ret = efi_allocate_pool(EFI_LOADER_DATA, map_size,
+ (void *)&memmap);
if (ret != EFI_SUCCESS)
return CMD_RET_FAILURE;
- ret = EFI_CALL(BS->get_memory_map(&map_size, memmap,
- NULL, NULL, NULL));
+ ret = efi_get_memory_map(&map_size, memmap, NULL, NULL, NULL);
}
if (ret != EFI_SUCCESS) {
- EFI_CALL(BS->free_pool(memmap));
+ efi_free_pool(memmap);
return CMD_RET_FAILURE;
}
@@ -501,7 +499,7 @@ static int do_efi_show_memmap(cmd_tbl_t *cmdtp, int flag,
putc('\n');
}
- EFI_CALL(BS->free_pool(memmap));
+ efi_free_pool(memmap);
return CMD_RET_SUCCESS;
}
@@ -615,7 +613,7 @@ static int do_efi_boot_add(cmd_tbl_t *cmdtp, int flag,
goto out;
}
- ret = EFI_CALL(RT->set_variable(var_name16, &guid,
+ ret = EFI_CALL(efi_set_variable(var_name16, &guid,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS,
@@ -670,7 +668,7 @@ static int do_efi_boot_rm(cmd_tbl_t *cmdtp, int flag,
p = var_name16;
utf8_utf16_strncpy(&p, var_name, 9);
- ret = EFI_CALL(RT->set_variable(var_name16, &guid, 0, 0, NULL));
+ ret = EFI_CALL(efi_set_variable(var_name16, &guid, 0, 0, NULL));
if (ret) {
printf("Cannot remove %ls\n", var_name16);
return CMD_RET_FAILURE;
@@ -864,7 +862,7 @@ static int show_efi_boot_order(void)
efi_status_t ret;
size = 0;
- ret = EFI_CALL(RT->get_variable(L"BootOrder", &efi_global_variable_guid,
+ ret = EFI_CALL(efi_get_variable(L"BootOrder", &efi_global_variable_guid,
NULL, &size, NULL));
if (ret != EFI_BUFFER_TOO_SMALL) {
if (ret == EFI_NOT_FOUND) {
@@ -975,7 +973,7 @@ static int do_efi_boot_next(cmd_tbl_t *cmdtp, int flag,
guid = efi_global_variable_guid;
size = sizeof(u16);
- ret = EFI_CALL(RT->set_variable(L"BootNext", &guid,
+ ret = EFI_CALL(efi_set_variable(L"BootNext", &guid,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS,
@@ -1036,7 +1034,7 @@ static int do_efi_boot_order(cmd_tbl_t *cmdtp, int flag,
}
guid = efi_global_variable_guid;
- ret = EFI_CALL(RT->set_variable(L"BootOrder", &guid,
+ ret = EFI_CALL(efi_set_variable(L"BootOrder", &guid,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS,
diff --git a/lib/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h
index 6565fdc2d4..b8234da45a 100644
--- a/lib/crypto/pkcs7_parser.h
+++ b/include/crypto/pkcs7_parser.h
@@ -5,6 +5,9 @@
* Written by David Howells (dhowells@redhat.com)
*/
+#ifndef _PKCS7_PARSER_H
+#define _PKCS7_PARSER_H
+
#include <linux/oid_registry.h>
#include <crypto/pkcs7.h>
#include "x509_parser.h"
@@ -63,3 +66,4 @@ struct pkcs7_message {
size_t data_hdrlen; /* Length of Data ASN.1 header */
const void *data; /* Content Data (or 0) */
};
+#endif /* _PKCS7_PARSER_H */
diff --git a/lib/crypto/x509_parser.h b/include/crypto/x509_parser.h
index c233f136fb..4cbdc1d661 100644
--- a/lib/crypto/x509_parser.h
+++ b/include/crypto/x509_parser.h
@@ -5,6 +5,9 @@
* Written by David Howells (dhowells@redhat.com)
*/
+#ifndef _X509_PARSER_H
+#define _X509_PARSER_H
+
#include <linux/time.h>
#include <crypto/public_key.h>
#include <keys/asymmetric-type.h>
@@ -55,3 +58,4 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen,
*/
extern int x509_get_sig_params(struct x509_certificate *cert);
extern int x509_check_for_self_signed(struct x509_certificate *cert);
+#endif /* _X509_PARSER_H */
diff --git a/include/efi_loader.h b/include/efi_loader.h
index f92bfe57e6..0e924ad109 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -394,6 +394,8 @@ efi_status_t efi_disk_register(void);
int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc,
const char *if_typename, int diskid,
const char *pdevname);
+/* Check if it is EFI system partition */
+bool efi_disk_is_system_part(efi_handle_t handle);
/* Called by bootefi to make GOP (graphical) interface available */
efi_status_t efi_gop_register(void);
/* Called by bootefi to make the network interface available */
diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c
index f5dda1179f..0ee207b6b1 100644
--- a/lib/crypto/pkcs7_parser.c
+++ b/lib/crypto/pkcs7_parser.c
@@ -20,7 +20,11 @@
#include <linux/err.h>
#include <linux/oid_registry.h>
#include <crypto/public_key.h>
+#ifdef __UBOOT__
+#include <crypto/pkcs7_parser.h>
+#else
#include "pkcs7_parser.h"
+#endif
#include "pkcs7.asn1.h"
MODULE_DESCRIPTION("PKCS#7 parser");
diff --git a/lib/crypto/x509_cert_parser.c b/lib/crypto/x509_cert_parser.c
index 4e41cffd23..18f5407a07 100644
--- a/lib/crypto/x509_cert_parser.c
+++ b/lib/crypto/x509_cert_parser.c
@@ -18,7 +18,11 @@
#include <linux/string.h>
#endif
#include <crypto/public_key.h>
+#ifdef __UBOOT__
+#include <crypto/x509_parser.h>
+#else
#include "x509_parser.h"
+#endif
#include "x509.asn1.h"
#include "x509_akid.asn1.h"
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index 676c0df174..571af9a0ad 100644
--- a/lib/crypto/x509_public_key.c
+++ b/lib/crypto/x509_public_key.c
@@ -16,15 +16,17 @@
#include <linux/module.h>
#endif
#include <linux/kernel.h>
-#ifndef __UBOOT__
+#ifdef __UBOOT__
+#include <crypto/x509_parser.h>
+#else
#include <linux/slab.h>
#include <keys/asymmetric-subtype.h>
#include <keys/asymmetric-parser.h>
#include <keys/system_keyring.h>
#include <crypto/hash.h>
#include "asymmetric_keys.h"
-#endif
#include "x509_parser.h"
+#endif
/*
* Set up the signature parameters in an X.509 certificate. This involves
diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c
index fd3df80b0b..0582e02158 100644
--- a/lib/efi_loader/efi_disk.c
+++ b/lib/efi_loader/efi_disk.c
@@ -588,3 +588,32 @@ efi_status_t efi_disk_register(void)
return EFI_SUCCESS;
}
+
+/**
+ * efi_disk_is_system_part() - check if handle refers to an EFI system partition
+ *
+ * @handle: handle of partition
+ *
+ * Return: true if handle refers to an EFI system partition
+ */
+bool efi_disk_is_system_part(efi_handle_t handle)
+{
+ struct efi_handler *handler;
+ struct efi_disk_obj *diskobj;
+ disk_partition_t info;
+ efi_status_t ret;
+ int r;
+
+ /* check if this is a block device */
+ ret = efi_search_protocol(handle, &efi_block_io_guid, &handler);
+ if (ret != EFI_SUCCESS)
+ return false;
+
+ diskobj = container_of(handle, struct efi_disk_obj, header);
+
+ r = part_get_info(diskobj->desc, diskobj->part, &info);
+ if (r)
+ return false;
+
+ return !!(info.bootable & PART_EFI_SYSTEM_PARTITION);
+}
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index 6c270ce94f..5a9a6424cc 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -13,7 +13,7 @@
#include <malloc.h>
#include <pe.h>
#include <sort.h>
-#include "../lib/crypto/pkcs7_parser.h"
+#include "crypto/pkcs7_parser.h"
const efi_guid_t efi_global_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
const efi_guid_t efi_guid_device_path = EFI_DEVICE_PATH_PROTOCOL_GUID;
diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c
index 1b648c8467..26a7423203 100644
--- a/lib/efi_loader/efi_setup.c
+++ b/lib/efi_loader/efi_setup.c
@@ -86,7 +86,7 @@ out:
/**
* efi_init_secure_boot - initialize secure boot state
*
- * Return: EFI_SUCCESS on success, status code (negative) on error
+ * Return: status code
*/
static efi_status_t efi_init_secure_boot(void)
{
@@ -135,6 +135,11 @@ efi_status_t efi_init_obj_list(void)
/* On ARM switch from EL3 or secure mode to EL2 or non-secure mode */
switch_to_non_secure_mode();
+#ifdef CONFIG_PARTITIONS
+ ret = efi_disk_register();
+ if (ret != EFI_SUCCESS)
+ goto out;
+#endif
/* Initialize variable services */
ret = efi_init_variables();
if (ret != EFI_SUCCESS)
@@ -183,11 +188,6 @@ efi_status_t efi_init_obj_list(void)
ret = efi_console_register();
if (ret != EFI_SUCCESS)
goto out;
-#ifdef CONFIG_PARTITIONS
- ret = efi_disk_register();
- if (ret != EFI_SUCCESS)
- goto out;
-#endif
#if defined(CONFIG_LCD) || defined(CONFIG_DM_VIDEO)
ret = efi_gop_register();
if (ret != EFI_SUCCESS)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 658e3547da..adcb8c9cca 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -10,11 +10,11 @@
#include <image.h>
#include <hexdump.h>
#include <malloc.h>
+#include <crypto/pkcs7_parser.h>
#include <linux/compat.h>
#include <linux/oid_registry.h>
#include <u-boot/rsa.h>
#include <u-boot/sha256.h>
-#include "../lib/crypto/pkcs7_parser.h"
const efi_guid_t efi_guid_image_security_database =
EFI_IMAGE_SECURITY_DATABASE_GUID;
@@ -528,7 +528,7 @@ out:
* pointed to by @regs. If @nocheck is false, overlapping among entries
* will be checked first.
*
- * Return: 0 on success, status code (negative) on error
+ * Return: status code
*/
efi_status_t efi_image_region_add(struct efi_image_regions *regs,
const void *start, const void *end,
@@ -667,7 +667,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl)
esd = (struct efi_signature_data *)
((u8 *)esl + sizeof(*esl) + esl->signature_header_size);
- while ((left > 0) && left >= esl->signature_size) {
+ while (left > 0) {
/* Signature must exist if there is remaining data. */
if (left < esl->signature_size) {
debug("Certificate is too small\n");
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index 7df881a74b..58f8fae358 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -12,9 +12,9 @@
#include <malloc.h>
#include <rtc.h>
#include <search.h>
+#include <crypto/pkcs7_parser.h>
#include <linux/compat.h>
#include <u-boot/crc.h>
-#include "../lib/crypto/pkcs7_parser.h"
enum efi_secure_mode {
EFI_MODE_SETUP,
@@ -169,176 +169,102 @@ static const char *parse_attr(const char *str, u32 *attrp, u64 *timep)
return str;
}
-static efi_status_t efi_set_variable_internal(u16 *variable_name,
- const efi_guid_t *vendor,
- u32 attributes,
- efi_uintn_t data_size,
- const void *data,
- bool ro_check);
+static efi_status_t efi_set_variable_common(u16 *variable_name,
+ const efi_guid_t *vendor,
+ u32 attributes,
+ efi_uintn_t data_size,
+ const void *data,
+ bool ro_check);
+
+/**
+ * efi_set_secure_state - modify secure boot state variables
+ * @sec_boot: value of SecureBoot
+ * @setup_mode: value of SetupMode
+ * @audit_mode: value of AuditMode
+ * @deployed_mode: value of DeployedMode
+ *
+ * Modify secure boot stat-related variables as indicated.
+ *
+ * Return: status code
+ */
+static efi_status_t efi_set_secure_state(int sec_boot, int setup_mode,
+ int audit_mode, int deployed_mode)
+{
+ u32 attributes;
+ efi_status_t ret;
+
+ attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS |
+ READ_ONLY;
+ ret = efi_set_variable_common(L"SecureBoot", &efi_global_variable_guid,
+ attributes, sizeof(sec_boot), &sec_boot,
+ false);
+ if (ret != EFI_SUCCESS)
+ goto err;
+
+ ret = efi_set_variable_common(L"SetupMode", &efi_global_variable_guid,
+ attributes, sizeof(setup_mode),
+ &setup_mode, false);
+ if (ret != EFI_SUCCESS)
+ goto err;
+
+ ret = efi_set_variable_common(L"AuditMode", &efi_global_variable_guid,
+ attributes, sizeof(audit_mode),
+ &audit_mode, false);
+ if (ret != EFI_SUCCESS)
+ goto err;
+
+ ret = efi_set_variable_common(L"DeployedMode",
+ &efi_global_variable_guid, attributes,
+ sizeof(deployed_mode), &deployed_mode,
+ false);
+err:
+ return ret;
+}
/**
* efi_transfer_secure_state - handle a secure boot state transition
* @mode: new state
*
* Depending on @mode, secure boot related variables are updated.
- * Those variables are *read-only* for users, efi_set_variable_internal()
+ * Those variables are *read-only* for users, efi_set_variable_common()
* is called here.
*
- * Return: EFI_SUCCESS on success, status code (negative) on error
+ * Return: status code
*/
static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode)
{
- u32 attributes;
- u8 val;
efi_status_t ret;
- debug("Secure state from %d to %d\n", efi_secure_mode, mode);
+ debug("Switching secure state from %d to %d\n", efi_secure_mode, mode);
- attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_RUNTIME_ACCESS;
if (mode == EFI_MODE_DEPLOYED) {
- val = 1;
- ret = efi_set_variable_internal(L"SecureBoot",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"SetupMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"AuditMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 1;
- ret = efi_set_variable_internal(L"DeployedMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
+ ret = efi_set_secure_state(1, 0, 0, 1);
if (ret != EFI_SUCCESS)
goto err;
efi_secure_boot = true;
} else if (mode == EFI_MODE_AUDIT) {
- ret = efi_set_variable_internal(L"PK",
- &efi_global_variable_guid,
- attributes,
- 0, NULL,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"SecureBoot",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 1;
- ret = efi_set_variable_internal(L"SetupMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 1;
- ret = efi_set_variable_internal(L"AuditMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
+ ret = efi_set_variable_common(L"PK", &efi_global_variable_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
+ 0, NULL, false);
if (ret != EFI_SUCCESS)
goto err;
- val = 0;
- ret = efi_set_variable_internal(L"DeployedMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
+
+ ret = efi_set_secure_state(0, 1, 1, 0);
if (ret != EFI_SUCCESS)
goto err;
efi_secure_boot = true;
} else if (mode == EFI_MODE_USER) {
- val = 1;
- ret = efi_set_variable_internal(L"SecureBoot",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"SetupMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"AuditMode",
- &efi_global_variable_guid,
- attributes,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"DeployedMode",
- &efi_global_variable_guid,
- attributes,
- sizeof(val), &val,
- false);
+ ret = efi_set_secure_state(1, 0, 0, 0);
if (ret != EFI_SUCCESS)
goto err;
efi_secure_boot = true;
} else if (mode == EFI_MODE_SETUP) {
- val = 0;
- ret = efi_set_variable_internal(L"SecureBoot",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 1;
- ret = efi_set_variable_internal(L"SetupMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"AuditMode",
- &efi_global_variable_guid,
- attributes,
- sizeof(val), &val,
- false);
- if (ret != EFI_SUCCESS)
- goto err;
- val = 0;
- ret = efi_set_variable_internal(L"DeployedMode",
- &efi_global_variable_guid,
- attributes | READ_ONLY,
- sizeof(val), &val,
- false);
+ ret = efi_set_secure_state(0, 1, 0, 0);
if (ret != EFI_SUCCESS)
goto err;
} else {
@@ -358,7 +284,7 @@ err:
/**
* efi_init_secure_state - initialize secure boot state
*
- * Return: EFI_SUCCESS on success, status code (negative) on error
+ * Return: status code
*/
static efi_status_t efi_init_secure_state(void)
{
@@ -392,14 +318,13 @@ static efi_status_t efi_init_secure_state(void)
ret = efi_transfer_secure_state(mode);
if (ret == EFI_SUCCESS)
- ret = efi_set_variable_internal(L"VendorKeys",
- &efi_global_variable_guid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_RUNTIME_ACCESS
- | READ_ONLY,
- sizeof(efi_vendor_keys),
- &efi_vendor_keys,
- false);
+ ret = efi_set_variable_common(L"VendorKeys",
+ &efi_global_variable_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS |
+ READ_ONLY,
+ sizeof(efi_vendor_keys),
+ &efi_vendor_keys, false);
err:
return ret;
@@ -513,7 +438,7 @@ out:
* attributes and signed time will also be returned in @env_attr and @time,
* respectively.
*
- * Return: EFI_SUCCESS on success, status code (negative) on error
+ * Return: status code
*/
static efi_status_t efi_variable_authenticate(u16 *variable,
const efi_guid_t *vendor,
@@ -666,8 +591,7 @@ static
efi_status_t EFIAPI efi_get_variable_common(u16 *variable_name,
const efi_guid_t *vendor,
u32 *attributes,
- efi_uintn_t *data_size, void *data,
- bool is_non_volatile)
+ efi_uintn_t *data_size, void *data)
{
char *native_name;
efi_status_t ret;
@@ -750,27 +674,6 @@ out:
return ret;
}
-static
-efi_status_t EFIAPI efi_get_volatile_variable(u16 *variable_name,
- const efi_guid_t *vendor,
- u32 *attributes,
- efi_uintn_t *data_size,
- void *data)
-{
- return efi_get_variable_common(variable_name, vendor, attributes,
- data_size, data, false);
-}
-
-efi_status_t EFIAPI efi_get_nonvolatile_variable(u16 *variable_name,
- const efi_guid_t *vendor,
- u32 *attributes,
- efi_uintn_t *data_size,
- void *data)
-{
- return efi_get_variable_common(variable_name, vendor, attributes,
- data_size, data, true);
-}
-
/**
* efi_efi_get_variable() - retrieve value of a UEFI variable
*
@@ -795,12 +698,8 @@ efi_status_t EFIAPI efi_get_variable(u16 *variable_name,
EFI_ENTRY("\"%ls\" %pUl %p %p %p", variable_name, vendor, attributes,
data_size, data);
- ret = efi_get_volatile_variable(variable_name, vendor, attributes,
- data_size, data);
- if (ret == EFI_NOT_FOUND)
- ret = efi_get_nonvolatile_variable(variable_name, vendor,
- attributes, data_size, data);
-
+ ret = efi_get_variable_common(variable_name, vendor, attributes,
+ data_size, data);
return EFI_EXIT(ret);
}
@@ -964,14 +863,12 @@ efi_status_t EFIAPI efi_get_next_variable_name(efi_uintn_t *variable_name_size,
return EFI_EXIT(ret);
}
-static
-efi_status_t EFIAPI efi_set_variable_common(u16 *variable_name,
+static efi_status_t efi_set_variable_common(u16 *variable_name,
const efi_guid_t *vendor,
u32 attributes,
efi_uintn_t data_size,
const void *data,
- bool ro_check,
- bool is_non_volatile)
+ bool ro_check)
{
char *native_name = NULL, *old_data = NULL, *val = NULL, *s;
efi_uintn_t old_size;
@@ -998,14 +895,6 @@ efi_status_t EFIAPI efi_set_variable_common(u16 *variable_name,
attr = 0;
ret = EFI_CALL(efi_get_variable(variable_name, vendor, &attr,
&old_size, NULL));
- if (ret == EFI_BUFFER_TOO_SMALL) {
- if ((is_non_volatile && !(attr & EFI_VARIABLE_NON_VOLATILE)) ||
- (!is_non_volatile && (attr & EFI_VARIABLE_NON_VOLATILE))) {
- ret = EFI_INVALID_PARAMETER;
- goto err;
- }
- }
-
append = !!(attributes & EFI_VARIABLE_APPEND_WRITE);
attributes &= ~(u32)EFI_VARIABLE_APPEND_WRITE;
delete = !append && (!data_size || !attributes);
@@ -1179,7 +1068,7 @@ out:
/* update VendorKeys */
if (vendor_keys_modified & efi_vendor_keys) {
efi_vendor_keys = 0;
- ret = efi_set_variable_internal(
+ ret = efi_set_variable_common(
L"VendorKeys",
&efi_global_variable_guid,
EFI_VARIABLE_BOOTSERVICE_ACCESS
@@ -1201,54 +1090,6 @@ err:
return ret;
}
-static
-efi_status_t EFIAPI efi_set_volatile_variable(u16 *variable_name,
- const efi_guid_t *vendor,
- u32 attributes,
- efi_uintn_t data_size,
- const void *data,
- bool ro_check)
-{
- return efi_set_variable_common(variable_name, vendor, attributes,
- data_size, data, ro_check, false);
-}
-
-efi_status_t EFIAPI efi_set_nonvolatile_variable(u16 *variable_name,
- const efi_guid_t *vendor,
- u32 attributes,
- efi_uintn_t data_size,
- const void *data,
- bool ro_check)
-{
- efi_status_t ret;
-
- ret = efi_set_variable_common(variable_name, vendor, attributes,
- data_size, data, ro_check, true);
-
- return ret;
-}
-
-static efi_status_t efi_set_variable_internal(u16 *variable_name,
- const efi_guid_t *vendor,
- u32 attributes,
- efi_uintn_t data_size,
- const void *data,
- bool ro_check)
-{
- efi_status_t ret;
-
- if (attributes & EFI_VARIABLE_NON_VOLATILE)
- ret = efi_set_nonvolatile_variable(variable_name, vendor,
- attributes,
- data_size, data, ro_check);
- else
- ret = efi_set_volatile_variable(variable_name, vendor,
- attributes, data_size, data,
- ro_check);
-
- return ret;
-}
-
/**
* efi_set_variable() - set value of a UEFI variable
*
@@ -1274,9 +1115,9 @@ efi_status_t EFIAPI efi_set_variable(u16 *variable_name,
/* READ_ONLY bit is not part of API */
attributes &= ~(u32)READ_ONLY;
- return EFI_EXIT(efi_set_variable_internal(variable_name, vendor,
- attributes, data_size, data,
- true));
+ return EFI_EXIT(efi_set_variable_common(variable_name, vendor,
+ attributes, data_size, data,
+ true));
}
/**
diff --git a/test/lib/asn1.c b/test/lib/asn1.c
index d2b3f67e68..8661fdd306 100644
--- a/test/lib/asn1.c
+++ b/test/lib/asn1.c
@@ -13,10 +13,10 @@
#include <test/ut.h>
#ifdef CONFIG_PKCS7_MESSAGE_PARSER
-#include "../../lib/crypto/pkcs7_parser.h"
+#include <crypto/pkcs7_parser.h>
#else
#ifdef CONFIG_X509_CERTIFICATE_PARSER
-#include "../../lib/crypto/x509_parser.h"
+#include <crypto/x509_parser.h>
#endif
#endif
diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py
index 55dcaa95f1..9912694a3e 100644
--- a/test/py/tests/test_efi_secboot/test_authvar.py
+++ b/test/py/tests/test_efi_secboot/test_authvar.py
@@ -133,7 +133,7 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
@@ -174,7 +174,7 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
@@ -215,7 +215,7 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
@@ -249,7 +249,7 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index 584282b338..fc722ab506 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -29,7 +29,7 @@ class TestEfiSignedImage(object):
# Test Case 1a, run signed image if no db/dbx
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
- 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
+ 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""; echo',
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('Hello, world!', ''.join(output)))
@@ -81,7 +81,7 @@ class TestEfiSignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py
index 22d849afb8..a4af845c51 100644
--- a/test/py/tests/test_efi_secboot/test_unsigned.py
+++ b/test/py/tests/test_efi_secboot/test_unsigned.py
@@ -30,7 +30,7 @@ class TestEfiUnsignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 KEK.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK; echo',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
@@ -58,7 +58,7 @@ class TestEfiUnsignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db_hello.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db; echo',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
@@ -82,7 +82,7 @@ class TestEfiUnsignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db_hello.auth',
- 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',