Pull request for efi-2021-07-rc3

Documentation: * add a man-page for the size command * add man-page for extension command to index Bug fixes: * avoid build failure due to missing SHA512 hardware acceleration * correct error handling in TCG2 protocol * don't let user disable capsule authentication * correct reading directories via UEFI API -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmCjmakACgkQxIHbvCwF GsSP4Q//eVn72X0WpP0yMBj/lSl1S2vP5RW+5ThWKAGvzQ/iV6h2A5Z8qOHjOTOk pbm3ywDFpUiOYaN0+sdOzSwBEPOR3Brob4VKfM+aE/6r9X+qBzbBHK/X3e+I3moZ Uxffa+yrP6xjnLO3u9e2jAD6jYxMaGApq72DAojlb8pBZep8jaiW6BGUlf4in6nk 5AiGJc41Vv872JoZ/FnwXnL8MZYGO1FgzmJvUcq4HV+GwG9QRhUZV8o9p1vIQc1n rxE5CfpyOf8WvmVuD3SFU6VueeTBrp8+WV+u13ivwddCOERD0pAFkP5Md/s26Cvd UJ06il20BoHWMAgVOthnkUvc3eaaMvERghhCBFI++SoHX4Ly3r3p6loEj2d49RXa ddAoR4O8mdSwQ9aRjBAQZctECXmrHn/eAAFNkvbegueUDwlDWytucuvD7X2T450g dVTLjsleMplt+cWypChcG0YYgTfOEuYnHjbDjEZXEBier6vpIFKsFFmX9AX+0p+k 5rfdWA58gWYzrMfjq2rThv6GyqKOrjBO825esWEA8XH5SXV2UKbzw9BziMjtFZNo 6urSigMfmylhnG0fHacsD1jttrHTlLjLhqRNDB2fmmdXzsRKpPCJzhW68OxgaoF/ 56efvDLXUWrI9w7kMaPqyQNO/d5bJvKd1QzJouQxFbnp6vkd0oA= =h8yY -----END PGP SIGNATURE----- Merge tag 'efi-2021-07-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi Pull request for efi-2021-07-rc3 Documentation: * add a man-page for the size command * add man-page for extension command to index Bug fixes: * avoid build failure due to missing SHA512 hardware acceleration * correct error handling in TCG2 protocol * don't let user disable capsule authentication * correct reading directories via UEFI API
2021-05-18 11:10:00 -04:00 · 2021-05-18 11:10:00 -04:00 · 7a1638c263
commit 7a1638c263
parent 52993fcb76 87316da05f
11 changed files with 110 additions and 35 deletions
--- a/board/emulation/common/qemu_capsule.c
+++ b/board/emulation/common/qemu_capsule.c
@ -41,9 +41,3 @@ int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)

 	return 0;
 }
-
-bool efi_capsule_auth_enabled(void)
-{
-	return env_get("capsule_authentication_enabled") != NULL ?
-		true : false;
-}
--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@ -80,6 +80,7 @@ config FIT_SIGNATURE
 	select RSA_VERIFY
 	select IMAGE_SIGN_INFO
 	select FIT_FULL_CHECK
+	select HASH_CALCULATE
 	help
 	  This option enables signature verification of FIT uImages,
 	  using a hash signed and verified using RSA. If
--- a/common/hash.c
+++ b/common/hash.c
@ -260,12 +260,12 @@ static struct hash_algo hash_algo[] = {
 		.name		= "sha384",
 		.digest_size	= SHA384_SUM_LEN,
 		.chunk_size	= CHUNKSZ_SHA384,
-#ifdef CONFIG_SHA_HW_ACCEL
+#ifdef CONFIG_SHA512_HW_ACCEL
 		.hash_func_ws	= hw_sha384,
 #else
 		.hash_func_ws	= sha384_csum_wd,
 #endif
-#ifdef CONFIG_SHA_PROG_HW_ACCEL
+#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
 		.hash_init	= hw_sha_init,
 		.hash_update	= hw_sha_update,
 		.hash_finish	= hw_sha_finish,
@ -281,12 +281,12 @@ static struct hash_algo hash_algo[] = {
 		.name		= "sha512",
 		.digest_size	= SHA512_SUM_LEN,
 		.chunk_size	= CHUNKSZ_SHA512,
-#ifdef CONFIG_SHA_HW_ACCEL
+#ifdef CONFIG_SHA512_HW_ACCEL
 		.hash_func_ws	= hw_sha512,
 #else
 		.hash_func_ws	= sha512_csum_wd,
 #endif
-#ifdef CONFIG_SHA_PROG_HW_ACCEL
+#if defined(CONFIG_SHA512_HW_ACCEL) && defined(CONFIG_SHA_PROG_HW_ACCEL)
 		.hash_init	= hw_sha_init,
 		.hash_update	= hw_sha_update,
 		.hash_finish	= hw_sha_finish,
--- a/doc/usage/index.rst
+++ b/doc/usage/index.rst
@ -26,6 +26,7 @@ Shell commands
   conitrace
   echo
   exception
+   extension
   exit
   false
   fatinfo
@ -38,6 +39,7 @@ Shell commands
   pstore
   qfw
   sbi
+   size
   true
   scp03
   reset
--- a/doc/usage/size.rst
+++ b/doc/usage/size.rst
@ -0,0 +1,40 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+size command
+============
+
+Synopsis
+--------
+
+::
+
+    size <interface> <dev[:part]> <filename>
+
+Description
+-----------
+
+The size command determines the size of a file and sets the environment variable
+filesize to this value. If filename points to a directory, the value is set to
+zero.
+
+If the command fails, the filesize environment variable is not changed.
+
+dev
+    device number
+
+part
+    partition number, defaults to 1
+
+filename
+    path to file
+
+Configuration
+-------------
+
+The size command is only available if CONFIG_CMD_FS_GENERIC=y.
+
+Return value
+------------
+
+The return value $? is set to 0 (true) if the command succeded and to 1 (false)
+otherwise.
--- a/lib/Kconfig
+++ b/lib/Kconfig
@ -389,21 +389,32 @@ config SHA384
 	  (digest).

 config SHA_HW_ACCEL
-	bool "Enable hashing using hardware"
+	bool "Enable hardware acceleration for SHA hash functions"
 	help
-	  This option enables hardware acceleration for SHA hashing.
-	  This affects the 'hash' command and also the hash_lookup_algo()
-	  function.
+	  This option enables hardware acceleration for the SHA1 and SHA256
+	  hashing algorithms. This affects the 'hash' command and also the
+	  hash_lookup_algo() function.
+
+if SHA_HW_ACCEL
+
+config SHA512_HW_ACCEL
+	bool "Enable hardware acceleration for SHA512"
+	depends on SHA512_ALGO
+	help
+	  This option enables hardware acceleration for the SHA384 and SHA512
+	  hashing algorithms. This affects the 'hash' command and also the
+	  hash_lookup_algo() function.

 config SHA_PROG_HW_ACCEL
 	bool "Enable Progressive hashing support using hardware"
-	depends on SHA_HW_ACCEL
 	help
 	  This option enables hardware-acceleration for SHA progressive
 	  hashing.
 	  Data can be streamed in a block at a time and the hashing is
 	  performed in hardware.

+endif
+
 config MD5
 	bool "Support MD5 algorithm"
 	help
@ -428,6 +439,9 @@ config CRC32C
 config XXHASH
 	bool

+config HASH_CALCULATE
+	bool
+
 endmenu

 menu "Compression Support"
--- a/lib/Makefile
+++ b/lib/Makefile
@ -61,7 +61,7 @@ endif
 obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
 obj-$(CONFIG_$(SPL_)MD5) += md5.o
 obj-$(CONFIG_$(SPL_)RSA) += rsa/
-obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
+obj-$(CONFIG_HASH_CALCULATE) += hash-checksum.o
 obj-$(CONFIG_SHA1) += sha1.o
 obj-$(CONFIG_SHA256) += sha256.o
 obj-$(CONFIG_SHA512_ALGO) += sha512.o
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE
 	select PKCS7_MESSAGE_PARSER
 	select PKCS7_VERIFY
 	select IMAGE_SIGN_INFO
+	select HASH_CALCULATE
 	default n
 	help
 	  Select this option if you want to enable capsule
@ -300,7 +301,13 @@ config EFI_RNG_PROTOCOL

 config EFI_TCG2_PROTOCOL
 	bool "EFI_TCG2_PROTOCOL support"
+	default y
 	depends on TPM_V2
+	select SHA1
+	select SHA256
+	select SHA512_ALGO
+	select SHA384
+	select SHA512
 	help
 	  Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
 	  of the platform.
@ -336,6 +343,7 @@ config EFI_SECURE_BOOT
 	select X509_CERTIFICATE_PARSER
 	select PKCS7_MESSAGE_PARSER
 	select PKCS7_VERIFY
+	select HASH_CALCULATE
 	default n
 	help
 	  Select this option to enable EFI secure boot support.
--- a/lib/efi_loader/efi_file.c
+++ b/lib/efi_loader/efi_file.c
@ -554,7 +554,7 @@ static efi_status_t efi_file_read_int(struct efi_file_handle *this,
 	efi_status_t ret = EFI_SUCCESS;
 	u64 bs;

-	if (!this || !buffer_size || !buffer)
+	if (!this || !buffer_size)
 		return EFI_INVALID_PARAMETER;

 	bs = *buffer_size;
--- a/lib/efi_loader/efi_firmware.c
+++ b/lib/efi_loader/efi_firmware.c
@ -190,7 +190,7 @@ static efi_status_t efi_get_dfu_info(
 				IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;

 		/* Check if the capsule authentication is enabled */
-		if (env_get("capsule_authentication_enabled"))
+		if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE))
 			image_info[0].attributes_setting |=
 				IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;

@ -421,8 +421,7 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
 		return EFI_EXIT(EFI_INVALID_PARAMETER);

 	/* Authenticate the capsule if authentication enabled */
-	if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
-	    env_get("capsule_authentication_enabled")) {
+	if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) {
 		capsule_payload = NULL;
 		capsule_payload_size = 0;
 		status = efi_capsule_authenticate(image, image_size,
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@ -771,8 +771,8 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
 	pcr_index = efi_tcg_event->header.pcr_index;
 	event_type = efi_tcg_event->header.event_type;

-	ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
-				 &digest_list);
+	ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash,
+				 data_to_hash_len, &digest_list);
 	if (ret != EFI_SUCCESS)
 		goto out;

@ -999,6 +999,11 @@ static efi_status_t create_final_event(void)
 	event_log.final_pos = sizeof(*final_event);
 	ret = efi_install_configuration_table(&efi_guid_final_events,
 					      final_event);
+	if (ret != EFI_SUCCESS) {
+		efi_free_pool(event_log.final_buffer);
+		event_log.final_buffer = NULL;
+	}
+
 out:
 	return ret;
 }
@ -1047,18 +1052,21 @@ static efi_status_t efi_init_event_log(void)
 	ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
 				  &spec_event_size);
 	if (ret != EFI_SUCCESS)
-		goto out;
+		goto free_pool;
 	put_unaligned_le32(spec_event_size, &event_header->event_size);
 	event_log.pos = spec_event_size + sizeof(*event_header);
 	event_log.last_event_size = event_log.pos;

 	ret = create_final_event();
 	if (ret != EFI_SUCCESS)
-		goto out;
+		goto free_pool;

-	return EFI_SUCCESS;
 out:
-	tcg2_uninit();
+	return ret;
+
+free_pool:
+	efi_free_pool(event_log.buffer);
+	event_log.buffer = NULL;
 	return ret;
 }

@ -1107,8 +1115,7 @@ efi_status_t efi_tcg2_register(void)
 	ret = platform_get_tpm2_device(&dev);
 	if (ret != EFI_SUCCESS) {
 		log_warning("Unable to find TPMv2 device\n");
-		ret = EFI_SUCCESS;
-		goto out;
+		return EFI_SUCCESS;
 	}

 	ret = efi_init_event_log();
@ -1116,19 +1123,29 @@ efi_status_t efi_tcg2_register(void)
 		goto fail;

 	ret = efi_append_scrtm_version(dev);
-	if (ret != EFI_SUCCESS)
-		goto out;
+	if (ret != EFI_SUCCESS) {
+		tcg2_uninit();
+		goto fail;
+	}

 	ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
 			       (void *)&efi_tcg2_protocol);
 	if (ret != EFI_SUCCESS) {
-		log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+		tcg2_uninit();
 		goto fail;
 	}
+	return ret;

-out:
-	return ret;
 fail:
-	tcg2_uninit();
-	return ret;
+	log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+	/*
+	 * Return EFI_SUCCESS and don't stop the EFI subsystem.
+	 * That's done for 2 reasons
+	 * - If the protocol is not installed the PCRs won't be extended.  So
+	 *   someone later in the boot flow will notice that and take the
+	 *   necessary actions.
+	 * - The TPM sandbox is limited and we won't be able to run any efi
+	 *   related tests with TCG2 enabled
+	 */
+	return EFI_SUCCESS;
 }