[PATCH 12/14] efi_loader: Enable uefi capsule authentication

Sat Dec 5 11:47:09 CET 2020

On 11/26/20 7:41 PM, Sughosh Ganu wrote:
> Add support for enabling uefi capsule authentication. This feature is
> enabled by setting the environment variable
> "capsule_authentication_enabled".
>
> The following configs are needed for enabling uefi capsule update and
> capsule authentication features on the platform.
>
> CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
> CONFIG_EFI_CAPSULE_ON_DISK=y
> CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
> CONFIG_EFI_CAPSULE_FIRMWARE=y
> CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> CONFIG_EFI_CAPSULE_AUTHENTICATE=y

Dear Takahiro, dear Sughosh,

could you, please, provide a documentation for capsule updates in /doc/uefi.

Best regards

Heinrich

>
> Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
> ---
>   lib/efi_loader/efi_firmware.c | 37 ++++++++++++++++++++++++++++++++++-
>   1 file changed, 36 insertions(+), 1 deletion(-)
>
> diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c
> index 6c97604d8b..5e17b2ab5a 100644
> --- a/lib/efi_loader/efi_firmware.c
> +++ b/lib/efi_loader/efi_firmware.c
> @@ -162,9 +162,16 @@ static efi_status_t efi_get_dfu_info(
>   		image_info[i].version_name = NULL; /* not supported */
>   		image_info[i].size = 0;
>   		image_info[i].attributes_supported =
> -				IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
> +			IMAGE_ATTRIBUTE_IMAGE_UPDATABLE |
> +			IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
>   		image_info[i].attributes_setting =
>   				IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
> +
> +		/* Check if the capsule authentication is enabled */
> +		if (env_get("capsule_authentication_enabled"))
> +			image_info[0].attributes_setting |=
> +				IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
> +
>   		image_info[i].lowest_supported_image_version = 0;
>   		image_info[i].last_attempt_version = 0;
>   		image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS;
> @@ -379,12 +386,40 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
>   	efi_status_t (*progress)(efi_uintn_t completion),
>   	u16 **abort_reason)
>   {
> +	void *capsule_payload;
> +	efi_status_t status;
> +	efi_uintn_t capsule_payload_size;
> +
>   	EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image,
>   		  image_size, vendor_code, progress, abort_reason);
>
>   	if (!image)
>   		return EFI_EXIT(EFI_INVALID_PARAMETER);
>
> +	/* Authenticate the capsule if authentication enabled */
> +	if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
> +	    env_get("capsule_authentication_enabled")) {
> +		capsule_payload = NULL;
> +		capsule_payload_size = 0;
> +		status = efi_capsule_authenticate(image, image_size,
> +						  &capsule_payload,
> +						  &capsule_payload_size);
> +
> +		if (status == EFI_SECURITY_VIOLATION) {
> +			printf("Capsule authentication check failed. Aborting update\n");
> +			return EFI_EXIT(status);
> +		} else if (status != EFI_SUCCESS) {
> +			return EFI_EXIT(status);
> +		}
> +
> +		debug("Capsule authentication successfull\n");
> +		image = capsule_payload;
> +		image_size = capsule_payload_size;
> +	} else {
> +		debug("Capsule authentication disabled. ");
> +		debug("Updating capsule without authenticating.\n");
> +	}
> +
>   	if (CONFIG_IS_ENABLED(EFI_CAPSULE_FMP_HEADER)) {
>   		/*
>   		 * When building the capsule with the scripts in
>