diff options
author | Tom Rini <trini@konsulko.com> | 2020-05-05 12:32:44 -0400 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2020-05-05 12:32:44 -0400 |
commit | 9a3cc7b6d416fddfa6058b731fe5c9055dba6918 (patch) | |
tree | d08f6b1c5c9707d03b9343ad4896ea4df749b9c6 | |
parent | 191ee8aac60d6b828ee5f933ab2c6aceda167082 (diff) | |
parent | 16ad946f41d3dc3e475d8313f4acbba0df527a2a (diff) | |
download | u-boot-9a3cc7b6d416fddfa6058b731fe5c9055dba6918.tar.gz |
Merge tag 'efi-2020-07-rc2-2' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi
Pull request for UEFI sub-system for efi-2020-07-rc2-2
This patch contains error corrections and code simplifications for the UEFI
sub-system.
-rw-r--r-- | cmd/efidebug.c | 40 | ||||
-rw-r--r-- | include/crypto/pkcs7_parser.h (renamed from lib/crypto/pkcs7_parser.h) | 4 | ||||
-rw-r--r-- | include/crypto/x509_parser.h (renamed from lib/crypto/x509_parser.h) | 4 | ||||
-rw-r--r-- | include/efi_loader.h | 2 | ||||
-rw-r--r-- | lib/crypto/pkcs7_parser.c | 4 | ||||
-rw-r--r-- | lib/crypto/x509_cert_parser.c | 4 | ||||
-rw-r--r-- | lib/crypto/x509_public_key.c | 6 | ||||
-rw-r--r-- | lib/efi_loader/efi_disk.c | 29 | ||||
-rw-r--r-- | lib/efi_loader/efi_image_loader.c | 2 | ||||
-rw-r--r-- | lib/efi_loader/efi_setup.c | 12 | ||||
-rw-r--r-- | lib/efi_loader/efi_signature.c | 6 | ||||
-rw-r--r-- | lib/efi_loader/efi_variable.c | 325 | ||||
-rw-r--r-- | test/lib/asn1.c | 4 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_authvar.py | 8 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_signed.py | 4 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_unsigned.py | 6 |
16 files changed, 174 insertions, 286 deletions
diff --git a/cmd/efidebug.c b/cmd/efidebug.c index d4030fee64..d8a76d78a3 100644 --- a/cmd/efidebug.c +++ b/cmd/efidebug.c @@ -17,7 +17,6 @@ #include <linux/ctype.h> #define BS systab.boottime -#define RT systab.runtime /** * efi_get_device_handle_info() - get information of UEFI device @@ -69,7 +68,7 @@ static int do_efi_show_devices(cmd_tbl_t *cmdtp, int flag, u16 *dev_path_text; efi_status_t ret; - ret = EFI_CALL(BS->locate_handle_buffer(ALL_HANDLES, NULL, NULL, + ret = EFI_CALL(efi_locate_handle_buffer(ALL_HANDLES, NULL, NULL, &num, &handles)); if (ret != EFI_SUCCESS) return CMD_RET_FAILURE; @@ -86,7 +85,7 @@ static int do_efi_show_devices(cmd_tbl_t *cmdtp, int flag, } } - EFI_CALL(BS->free_pool(handles)); + efi_free_pool(handles); return CMD_RET_SUCCESS; } @@ -148,7 +147,7 @@ static int do_efi_show_drivers(cmd_tbl_t *cmdtp, int flag, u16 *driver_name, *image_path_text; efi_status_t ret; - ret = EFI_CALL(BS->locate_handle_buffer( + ret = EFI_CALL(efi_locate_handle_buffer( BY_PROTOCOL, &efi_guid_driver_binding_protocol, NULL, &num, &handles)); if (ret != EFI_SUCCESS) @@ -170,12 +169,12 @@ static int do_efi_show_drivers(cmd_tbl_t *cmdtp, int flag, else printf("%p %-20ls <built-in>\n", handles[i], driver_name); - EFI_CALL(BS->free_pool(driver_name)); - EFI_CALL(BS->free_pool(image_path_text)); + efi_free_pool(driver_name); + efi_free_pool(image_path_text); } } - EFI_CALL(BS->free_pool(handles)); + efi_free_pool(handles); return CMD_RET_SUCCESS; } @@ -321,7 +320,7 @@ static int do_efi_show_handles(cmd_tbl_t *cmdtp, int flag, const char *guid_text; efi_status_t ret; - ret = EFI_CALL(BS->locate_handle_buffer(ALL_HANDLES, NULL, NULL, + ret = EFI_CALL(efi_locate_handle_buffer(ALL_HANDLES, NULL, NULL, &num, &handles)); if (ret != EFI_SUCCESS) return CMD_RET_FAILURE; @@ -355,7 +354,7 @@ static int do_efi_show_handles(cmd_tbl_t *cmdtp, int flag, putc('\n'); } - EFI_CALL(BS->free_pool(handles)); + efi_free_pool(handles); return CMD_RET_SUCCESS; } @@ -463,18 +462,17 @@ static int do_efi_show_memmap(cmd_tbl_t *cmdtp, int flag, int i; efi_status_t ret; - ret = EFI_CALL(BS->get_memory_map(&map_size, memmap, NULL, NULL, NULL)); + ret = efi_get_memory_map(&map_size, memmap, NULL, NULL, NULL); if (ret == EFI_BUFFER_TOO_SMALL) { map_size += sizeof(struct efi_mem_desc); /* for my own */ - ret = EFI_CALL(BS->allocate_pool(EFI_LOADER_DATA, - map_size, (void *)&memmap)); + ret = efi_allocate_pool(EFI_LOADER_DATA, map_size, + (void *)&memmap); if (ret != EFI_SUCCESS) return CMD_RET_FAILURE; - ret = EFI_CALL(BS->get_memory_map(&map_size, memmap, - NULL, NULL, NULL)); + ret = efi_get_memory_map(&map_size, memmap, NULL, NULL, NULL); } if (ret != EFI_SUCCESS) { - EFI_CALL(BS->free_pool(memmap)); + efi_free_pool(memmap); return CMD_RET_FAILURE; } @@ -501,7 +499,7 @@ static int do_efi_show_memmap(cmd_tbl_t *cmdtp, int flag, putc('\n'); } - EFI_CALL(BS->free_pool(memmap)); + efi_free_pool(memmap); return CMD_RET_SUCCESS; } @@ -615,7 +613,7 @@ static int do_efi_boot_add(cmd_tbl_t *cmdtp, int flag, goto out; } - ret = EFI_CALL(RT->set_variable(var_name16, &guid, + ret = EFI_CALL(efi_set_variable(var_name16, &guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, @@ -670,7 +668,7 @@ static int do_efi_boot_rm(cmd_tbl_t *cmdtp, int flag, p = var_name16; utf8_utf16_strncpy(&p, var_name, 9); - ret = EFI_CALL(RT->set_variable(var_name16, &guid, 0, 0, NULL)); + ret = EFI_CALL(efi_set_variable(var_name16, &guid, 0, 0, NULL)); if (ret) { printf("Cannot remove %ls\n", var_name16); return CMD_RET_FAILURE; @@ -864,7 +862,7 @@ static int show_efi_boot_order(void) efi_status_t ret; size = 0; - ret = EFI_CALL(RT->get_variable(L"BootOrder", &efi_global_variable_guid, + ret = EFI_CALL(efi_get_variable(L"BootOrder", &efi_global_variable_guid, NULL, &size, NULL)); if (ret != EFI_BUFFER_TOO_SMALL) { if (ret == EFI_NOT_FOUND) { @@ -975,7 +973,7 @@ static int do_efi_boot_next(cmd_tbl_t *cmdtp, int flag, guid = efi_global_variable_guid; size = sizeof(u16); - ret = EFI_CALL(RT->set_variable(L"BootNext", &guid, + ret = EFI_CALL(efi_set_variable(L"BootNext", &guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, @@ -1036,7 +1034,7 @@ static int do_efi_boot_order(cmd_tbl_t *cmdtp, int flag, } guid = efi_global_variable_guid; - ret = EFI_CALL(RT->set_variable(L"BootOrder", &guid, + ret = EFI_CALL(efi_set_variable(L"BootOrder", &guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, diff --git a/lib/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h index 6565fdc2d4..b8234da45a 100644 --- a/lib/crypto/pkcs7_parser.h +++ b/include/crypto/pkcs7_parser.h @@ -5,6 +5,9 @@ * Written by David Howells (dhowells@redhat.com) */ +#ifndef _PKCS7_PARSER_H +#define _PKCS7_PARSER_H + #include <linux/oid_registry.h> #include <crypto/pkcs7.h> #include "x509_parser.h" @@ -63,3 +66,4 @@ struct pkcs7_message { size_t data_hdrlen; /* Length of Data ASN.1 header */ const void *data; /* Content Data (or 0) */ }; +#endif /* _PKCS7_PARSER_H */ diff --git a/lib/crypto/x509_parser.h b/include/crypto/x509_parser.h index c233f136fb..4cbdc1d661 100644 --- a/lib/crypto/x509_parser.h +++ b/include/crypto/x509_parser.h @@ -5,6 +5,9 @@ * Written by David Howells (dhowells@redhat.com) */ +#ifndef _X509_PARSER_H +#define _X509_PARSER_H + #include <linux/time.h> #include <crypto/public_key.h> #include <keys/asymmetric-type.h> @@ -55,3 +58,4 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, */ extern int x509_get_sig_params(struct x509_certificate *cert); extern int x509_check_for_self_signed(struct x509_certificate *cert); +#endif /* _X509_PARSER_H */ diff --git a/include/efi_loader.h b/include/efi_loader.h index f92bfe57e6..0e924ad109 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -394,6 +394,8 @@ efi_status_t efi_disk_register(void); int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc, const char *if_typename, int diskid, const char *pdevname); +/* Check if it is EFI system partition */ +bool efi_disk_is_system_part(efi_handle_t handle); /* Called by bootefi to make GOP (graphical) interface available */ efi_status_t efi_gop_register(void); /* Called by bootefi to make the network interface available */ diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c index f5dda1179f..0ee207b6b1 100644 --- a/lib/crypto/pkcs7_parser.c +++ b/lib/crypto/pkcs7_parser.c @@ -20,7 +20,11 @@ #include <linux/err.h> #include <linux/oid_registry.h> #include <crypto/public_key.h> +#ifdef __UBOOT__ +#include <crypto/pkcs7_parser.h> +#else #include "pkcs7_parser.h" +#endif #include "pkcs7.asn1.h" MODULE_DESCRIPTION("PKCS#7 parser"); diff --git a/lib/crypto/x509_cert_parser.c b/lib/crypto/x509_cert_parser.c index 4e41cffd23..18f5407a07 100644 --- a/lib/crypto/x509_cert_parser.c +++ b/lib/crypto/x509_cert_parser.c @@ -18,7 +18,11 @@ #include <linux/string.h> #endif #include <crypto/public_key.h> +#ifdef __UBOOT__ +#include <crypto/x509_parser.h> +#else #include "x509_parser.h" +#endif #include "x509.asn1.h" #include "x509_akid.asn1.h" diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index 676c0df174..571af9a0ad 100644 --- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c @@ -16,15 +16,17 @@ #include <linux/module.h> #endif #include <linux/kernel.h> -#ifndef __UBOOT__ +#ifdef __UBOOT__ +#include <crypto/x509_parser.h> +#else #include <linux/slab.h> #include <keys/asymmetric-subtype.h> #include <keys/asymmetric-parser.h> #include <keys/system_keyring.h> #include <crypto/hash.h> #include "asymmetric_keys.h" -#endif #include "x509_parser.h" +#endif /* * Set up the signature parameters in an X.509 certificate. This involves diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c index fd3df80b0b..0582e02158 100644 --- a/lib/efi_loader/efi_disk.c +++ b/lib/efi_loader/efi_disk.c @@ -588,3 +588,32 @@ efi_status_t efi_disk_register(void) return EFI_SUCCESS; } + +/** + * efi_disk_is_system_part() - check if handle refers to an EFI system partition + * + * @handle: handle of partition + * + * Return: true if handle refers to an EFI system partition + */ +bool efi_disk_is_system_part(efi_handle_t handle) +{ + struct efi_handler *handler; + struct efi_disk_obj *diskobj; + disk_partition_t info; + efi_status_t ret; + int r; + + /* check if this is a block device */ + ret = efi_search_protocol(handle, &efi_block_io_guid, &handler); + if (ret != EFI_SUCCESS) + return false; + + diskobj = container_of(handle, struct efi_disk_obj, header); + + r = part_get_info(diskobj->desc, diskobj->part, &info); + if (r) + return false; + + return !!(info.bootable & PART_EFI_SYSTEM_PARTITION); +} diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 6c270ce94f..5a9a6424cc 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -13,7 +13,7 @@ #include <malloc.h> #include <pe.h> #include <sort.h> -#include "../lib/crypto/pkcs7_parser.h" +#include "crypto/pkcs7_parser.h" const efi_guid_t efi_global_variable_guid = EFI_GLOBAL_VARIABLE_GUID; const efi_guid_t efi_guid_device_path = EFI_DEVICE_PATH_PROTOCOL_GUID; diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index 1b648c8467..26a7423203 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -86,7 +86,7 @@ out: /** * efi_init_secure_boot - initialize secure boot state * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_init_secure_boot(void) { @@ -135,6 +135,11 @@ efi_status_t efi_init_obj_list(void) /* On ARM switch from EL3 or secure mode to EL2 or non-secure mode */ switch_to_non_secure_mode(); +#ifdef CONFIG_PARTITIONS + ret = efi_disk_register(); + if (ret != EFI_SUCCESS) + goto out; +#endif /* Initialize variable services */ ret = efi_init_variables(); if (ret != EFI_SUCCESS) @@ -183,11 +188,6 @@ efi_status_t efi_init_obj_list(void) ret = efi_console_register(); if (ret != EFI_SUCCESS) goto out; -#ifdef CONFIG_PARTITIONS - ret = efi_disk_register(); - if (ret != EFI_SUCCESS) - goto out; -#endif #if defined(CONFIG_LCD) || defined(CONFIG_DM_VIDEO) ret = efi_gop_register(); if (ret != EFI_SUCCESS) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 658e3547da..adcb8c9cca 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -10,11 +10,11 @@ #include <image.h> #include <hexdump.h> #include <malloc.h> +#include <crypto/pkcs7_parser.h> #include <linux/compat.h> #include <linux/oid_registry.h> #include <u-boot/rsa.h> #include <u-boot/sha256.h> -#include "../lib/crypto/pkcs7_parser.h" const efi_guid_t efi_guid_image_security_database = EFI_IMAGE_SECURITY_DATABASE_GUID; @@ -528,7 +528,7 @@ out: * pointed to by @regs. If @nocheck is false, overlapping among entries * will be checked first. * - * Return: 0 on success, status code (negative) on error + * Return: status code */ efi_status_t efi_image_region_add(struct efi_image_regions *regs, const void *start, const void *end, @@ -667,7 +667,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl) esd = (struct efi_signature_data *) ((u8 *)esl + sizeof(*esl) + esl->signature_header_size); - while ((left > 0) && left >= esl->signature_size) { + while (left > 0) { /* Signature must exist if there is remaining data. */ if (left < esl->signature_size) { debug("Certificate is too small\n"); diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 7df881a74b..58f8fae358 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -12,9 +12,9 @@ #include <malloc.h> #include <rtc.h> #include <search.h> +#include <crypto/pkcs7_parser.h> #include <linux/compat.h> #include <u-boot/crc.h> -#include "../lib/crypto/pkcs7_parser.h" enum efi_secure_mode { EFI_MODE_SETUP, @@ -169,176 +169,102 @@ static const char *parse_attr(const char *str, u32 *attrp, u64 *timep) return str; } -static efi_status_t efi_set_variable_internal(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check); +static efi_status_t efi_set_variable_common(u16 *variable_name, + const efi_guid_t *vendor, + u32 attributes, + efi_uintn_t data_size, + const void *data, + bool ro_check); + +/** + * efi_set_secure_state - modify secure boot state variables + * @sec_boot: value of SecureBoot + * @setup_mode: value of SetupMode + * @audit_mode: value of AuditMode + * @deployed_mode: value of DeployedMode + * + * Modify secure boot stat-related variables as indicated. + * + * Return: status code + */ +static efi_status_t efi_set_secure_state(int sec_boot, int setup_mode, + int audit_mode, int deployed_mode) +{ + u32 attributes; + efi_status_t ret; + + attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + READ_ONLY; + ret = efi_set_variable_common(L"SecureBoot", &efi_global_variable_guid, + attributes, sizeof(sec_boot), &sec_boot, + false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_common(L"SetupMode", &efi_global_variable_guid, + attributes, sizeof(setup_mode), + &setup_mode, false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_common(L"AuditMode", &efi_global_variable_guid, + attributes, sizeof(audit_mode), + &audit_mode, false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_common(L"DeployedMode", + &efi_global_variable_guid, attributes, + sizeof(deployed_mode), &deployed_mode, + false); +err: + return ret; +} /** * efi_transfer_secure_state - handle a secure boot state transition * @mode: new state * * Depending on @mode, secure boot related variables are updated. - * Those variables are *read-only* for users, efi_set_variable_internal() + * Those variables are *read-only* for users, efi_set_variable_common() * is called here. * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) { - u32 attributes; - u8 val; efi_status_t ret; - debug("Secure state from %d to %d\n", efi_secure_mode, mode); + debug("Switching secure state from %d to %d\n", efi_secure_mode, mode); - attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS; if (mode == EFI_MODE_DEPLOYED) { - val = 1; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + ret = efi_set_secure_state(1, 0, 0, 1); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_AUDIT) { - ret = efi_set_variable_internal(L"PK", - &efi_global_variable_guid, - attributes, - 0, NULL, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + ret = efi_set_variable_common(L"PK", &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + 0, NULL, false); if (ret != EFI_SUCCESS) goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + + ret = efi_set_secure_state(0, 1, 1, 0); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_USER) { - val = 1; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); + ret = efi_set_secure_state(1, 0, 0, 0); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_SETUP) { - val = 0; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + ret = efi_set_secure_state(0, 1, 0, 0); if (ret != EFI_SUCCESS) goto err; } else { @@ -358,7 +284,7 @@ err: /** * efi_init_secure_state - initialize secure boot state * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_init_secure_state(void) { @@ -392,14 +318,13 @@ static efi_status_t efi_init_secure_state(void) ret = efi_transfer_secure_state(mode); if (ret == EFI_SUCCESS) - ret = efi_set_variable_internal(L"VendorKeys", - &efi_global_variable_guid, - EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_RUNTIME_ACCESS - | READ_ONLY, - sizeof(efi_vendor_keys), - &efi_vendor_keys, - false); + ret = efi_set_variable_common(L"VendorKeys", + &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + READ_ONLY, + sizeof(efi_vendor_keys), + &efi_vendor_keys, false); err: return ret; @@ -513,7 +438,7 @@ out: * attributes and signed time will also be returned in @env_attr and @time, * respectively. * - * Return: EFI_SUCCESS on success, status code (negative) on error + * Return: status code */ static efi_status_t efi_variable_authenticate(u16 *variable, const efi_guid_t *vendor, @@ -666,8 +591,7 @@ static efi_status_t EFIAPI efi_get_variable_common(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, - efi_uintn_t *data_size, void *data, - bool is_non_volatile) + efi_uintn_t *data_size, void *data) { char *native_name; efi_status_t ret; @@ -750,27 +674,6 @@ out: return ret; } -static -efi_status_t EFIAPI efi_get_volatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 *attributes, - efi_uintn_t *data_size, - void *data) -{ - return efi_get_variable_common(variable_name, vendor, attributes, - data_size, data, false); -} - -efi_status_t EFIAPI efi_get_nonvolatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 *attributes, - efi_uintn_t *data_size, - void *data) -{ - return efi_get_variable_common(variable_name, vendor, attributes, - data_size, data, true); -} - /** * efi_efi_get_variable() - retrieve value of a UEFI variable * @@ -795,12 +698,8 @@ efi_status_t EFIAPI efi_get_variable(u16 *variable_name, EFI_ENTRY("\"%ls\" %pUl %p %p %p", variable_name, vendor, attributes, data_size, data); - ret = efi_get_volatile_variable(variable_name, vendor, attributes, - data_size, data); - if (ret == EFI_NOT_FOUND) - ret = efi_get_nonvolatile_variable(variable_name, vendor, - attributes, data_size, data); - + ret = efi_get_variable_common(variable_name, vendor, attributes, + data_size, data); return EFI_EXIT(ret); } @@ -964,14 +863,12 @@ efi_status_t EFIAPI efi_get_next_variable_name(efi_uintn_t *variable_name_size, return EFI_EXIT(ret); } -static -efi_status_t EFIAPI efi_set_variable_common(u16 *variable_name, +static efi_status_t efi_set_variable_common(u16 *variable_name, const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, - bool ro_check, - bool is_non_volatile) + bool ro_check) { char *native_name = NULL, *old_data = NULL, *val = NULL, *s; efi_uintn_t old_size; @@ -998,14 +895,6 @@ efi_status_t EFIAPI efi_set_variable_common(u16 *variable_name, attr = 0; ret = EFI_CALL(efi_get_variable(variable_name, vendor, &attr, &old_size, NULL)); - if (ret == EFI_BUFFER_TOO_SMALL) { - if ((is_non_volatile && !(attr & EFI_VARIABLE_NON_VOLATILE)) || - (!is_non_volatile && (attr & EFI_VARIABLE_NON_VOLATILE))) { - ret = EFI_INVALID_PARAMETER; - goto err; - } - } - append = !!(attributes & EFI_VARIABLE_APPEND_WRITE); attributes &= ~(u32)EFI_VARIABLE_APPEND_WRITE; delete = !append && (!data_size || !attributes); @@ -1179,7 +1068,7 @@ out: /* update VendorKeys */ if (vendor_keys_modified & efi_vendor_keys) { efi_vendor_keys = 0; - ret = efi_set_variable_internal( + ret = efi_set_variable_common( L"VendorKeys", &efi_global_variable_guid, EFI_VARIABLE_BOOTSERVICE_ACCESS @@ -1201,54 +1090,6 @@ err: return ret; } -static -efi_status_t EFIAPI efi_set_volatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check) -{ - return efi_set_variable_common(variable_name, vendor, attributes, - data_size, data, ro_check, false); -} - -efi_status_t EFIAPI efi_set_nonvolatile_variable(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check) -{ - efi_status_t ret; - - ret = efi_set_variable_common(variable_name, vendor, attributes, - data_size, data, ro_check, true); - - return ret; -} - -static efi_status_t efi_set_variable_internal(u16 *variable_name, - const efi_guid_t *vendor, - u32 attributes, - efi_uintn_t data_size, - const void *data, - bool ro_check) -{ - efi_status_t ret; - - if (attributes & EFI_VARIABLE_NON_VOLATILE) - ret = efi_set_nonvolatile_variable(variable_name, vendor, - attributes, - data_size, data, ro_check); - else - ret = efi_set_volatile_variable(variable_name, vendor, - attributes, data_size, data, - ro_check); - - return ret; -} - /** * efi_set_variable() - set value of a UEFI variable * @@ -1274,9 +1115,9 @@ efi_status_t EFIAPI efi_set_variable(u16 *variable_name, /* READ_ONLY bit is not part of API */ attributes &= ~(u32)READ_ONLY; - return EFI_EXIT(efi_set_variable_internal(variable_name, vendor, - attributes, data_size, data, - true)); + return EFI_EXIT(efi_set_variable_common(variable_name, vendor, + attributes, data_size, data, + true)); } /** diff --git a/test/lib/asn1.c b/test/lib/asn1.c index d2b3f67e68..8661fdd306 100644 --- a/test/lib/asn1.c +++ b/test/lib/asn1.c @@ -13,10 +13,10 @@ #include <test/ut.h> #ifdef CONFIG_PKCS7_MESSAGE_PARSER -#include "../../lib/crypto/pkcs7_parser.h" +#include <crypto/pkcs7_parser.h> #else #ifdef CONFIG_X509_CERTIFICATE_PARSER -#include "../../lib/crypto/x509_parser.h" +#include <crypto/x509_parser.h> #endif #endif diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index 55dcaa95f1..9912694a3e 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py @@ -133,7 +133,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', @@ -174,7 +174,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', @@ -215,7 +215,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', @@ -249,7 +249,7 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 db.auth', diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 584282b338..fc722ab506 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -29,7 +29,7 @@ class TestEfiSignedImage(object): # Test Case 1a, run signed image if no db/dbx output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', + 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""; echo', 'efidebug boot next 1', 'bootefi bootmgr']) assert(re.search('Hello, world!', ''.join(output))) @@ -81,7 +81,7 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index 22d849afb8..a4af845c51 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py @@ -30,7 +30,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK; echo', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not re.search('Failed to set EFI variable', ''.join(output))) @@ -58,7 +58,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', @@ -82,7 +82,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo', 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', |