[U-Boot] [PATCH 12/16] cmd: env: use appropriate guid for authenticated UEFI variable

Heinrich Schuchardt xypron.glpk at gmx.de
Sat Nov 16 20:10:35 UTC 2019


On 11/13/19 1:53 AM, AKASHI Takahiro wrote:
> A signature database variable is associated with a specific GUID.
> For convenience, if the user doesn't supply any GUID info, "env set|print -e"
> should complement it.

If secure boot is enforced, users should not be able to change any
security relevant variables. Instead we need a way to compile the
security relevant data into the U-Boot binary and add a signature to the
U-Boot binary which can be checked by the primary boot loader.

Best regards

Heinrich

>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> ---
>   cmd/nvedit_efi.c | 18 ++++++++++++++----
>   1 file changed, 14 insertions(+), 4 deletions(-)
>
> diff --git a/cmd/nvedit_efi.c b/cmd/nvedit_efi.c
> index 8ea0da01283f..579cf430593c 100644
> --- a/cmd/nvedit_efi.c
> +++ b/cmd/nvedit_efi.c
> @@ -41,6 +41,11 @@ static const struct {
>   } efi_guid_text[] = {
>   	/* signature database */
>   	{EFI_GLOBAL_VARIABLE_GUID, "EFI_GLOBAL_VARIABLE_GUID"},
> +	{EFI_IMAGE_SECURITY_DATABASE_GUID, "EFI_IMAGE_SECURITY_DATABASE_GUID"},
> +	/* certificate type */
> +	{EFI_CERT_SHA256_GUID, "EFI_CERT_SHA256_GUID"},
> +	{EFI_CERT_X509_GUID, "EFI_CERT_X509_GUID"},
> +	{EFI_CERT_TYPE_PKCS7_GUID, "EFI_CERT_TYPE_PKCS7_GUID"},
>   };
>
>   /* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" */
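Review bot: the `/* signature database */` comment now heads a group whose first entry is EFI_GLOBAL_VARIABLE_GUID, which is not the signature database GUID; the database GUID is the added EFI_IMAGE_SECURITY_DATABASE_GUID line beneath it. Either move the comment down to the new entry or reword it to something like `/* variable GUIDs */` so the table is not misleading; the `/* certificate type */` label on the second group is accurate as written.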
> @@ -525,9 +530,9 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
>   			if (*ep != ',')
>   				return CMD_RET_USAGE;
>
> +			/* 0 should be allowed for delete */
>   			size = simple_strtoul(++ep, NULL, 16);
> -			if (!size)
> -				return CMD_RET_FAILURE;
> +
>   			value_on_memory = true;
>   		} else if (!strcmp(argv[0], "-v")) {
>   			verbose = true;
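Review bot: dropping the `if (!size)` check so that 0 means delete also turns an unparsable size into a delete, because `simple_strtoul(++ep, NULL, 16)` returns 0 for input it cannot parse (a size field of `zz`, or an empty field after the comma) and nothing now distinguishes that from an explicit `,0`. Pass an end pointer and reject the argument when no digits were consumed or trailing characters remain, e.g. `char *end; size = simple_strtoul(++ep, &end, 16); if (end == ep || *end) return CMD_RET_USAGE;`, so only an explicit zero reaches the delete path.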
> @@ -539,8 +544,13 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
>   		return CMD_RET_USAGE;
>
>   	var_name = argv[0];
> -	if (default_guid)
> -		guid = efi_global_variable_guid;
> +	if (default_guid) {
> +		if (!strcmp(var_name, "db") || !strcmp(var_name, "dbx") ||
> +		    !strcmp(var_name, "dbt"))
> +			guid = efi_guid_image_security_database;
> +		else
> +			guid = efi_global_variable_guid;
> +	}
>
>   	if (verbose) {
>   		printf("GUID: %s\n", efi_guid_to_str((const efi_guid_t *)
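Review bot: the commit message says both `env set -e` and `env print -e` should fill in the GUID, but the name-based default (db, dbx and dbt map to efi_guid_image_security_database, everything else to efi_global_variable_guid) is only added to do_env_set_efi in this patch. If do_env_print_efi needs the same behaviour, factor the three strcmp calls into a small helper that both paths call instead of duplicating the name list; if print already resolves the GUID another way, the commit message should say so.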
>