[PATCH 1/2] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled
Heinrich Schuchardt
xypron.glpk at gmx.de
Thu Apr 15 15:58:17 CEST 2021
On 15.04.21 15:30, Masahisa Kojima wrote:
> This is preparation for PE/COFF measurement support.
> PE/COFF image hash calculation is same in both
> UEFI Secure Boot image verification and measurement in
> measured boot. This commit exposes the hash calculation
> functions even if UEFI Secure Boot is not enabled.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> ---
> lib/efi_loader/efi_image_loader.c | 2 +-
> lib/efi_loader/efi_signature.c | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> index f53ef367ec..2c35cb5651 100644
> --- a/lib/efi_loader/efi_image_loader.c
> +++ b/lib/efi_loader/efi_image_loader.c
> @@ -213,7 +213,6 @@ static void efi_set_code_and_data_type(
> }
> }
>
> -#ifdef CONFIG_EFI_SECURE_BOOT
> /**
> * cmp_pe_section() - compare virtual addresses of two PE image sections
> * @arg1: pointer to pointer to first section header
> @@ -422,6 +421,7 @@ err:
> return false;
> }
>
> +#ifdef CONFIG_EFI_SECURE_BOOT
Please, remove the #ifdef and replace it by
if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
in function efi_image_authenticate().
The advantage of using 'if' instead of '#ifdef' is that all branches are
parsed by GCC. This allows us to catch code problems more easily.
> /**
> * efi_image_unsigned_authenticate() - authenticate unsigned image with
> * SHA256 hash
> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> index c7ec275414..1dd9d0e130 100644
> --- a/lib/efi_loader/efi_signature.c
> +++ b/lib/efi_loader/efi_signature.c
> @@ -538,6 +538,7 @@ out:
> EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked);
> return !revoked;
> }
> +#endif
The #if is superfluous. Just add the missing header
#include <u-boot/rsa-checksum.h>
efi_guid_t efi_guid_image_security_database should be moved to
efi_var_common.c. This allows us to decide if
lib/efi_loader/efi_signature.c shall be compiled in the Makefile.
Best regards
Heinrich
>
> /**
> * efi_image_region_add() - add an entry of region
> @@ -601,6 +602,7 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs,
> return EFI_SUCCESS;
> }
>
> +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
> /**
> * efi_sigstore_free - free signature store
> * @sigstore: Pointer to signature store structure
>
More information about the U-Boot
mailing list