[PATCH v7 2/3] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled

Masahisa Kojima masahisa.kojima at linaro.org
Fri May 14 02:39:48 CEST 2021


On Fri, 14 May 2021 at 00:33, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> On 5/13/21 4:48 PM, Masahisa Kojima wrote:
> > This is preparation for PE/COFF measurement support.
> > PE/COFF image hash calculation is same in both
> > UEFI Secure Boot image verification and measurement in
> > measured boot. PE/COFF image parsing functions are
> > gathered into efi_image_loader.c, and exposed even if
> > UEFI Secure Boot is not enabled.
> >
> > This commit also adds the EFI_SIGNATURE_SUPPORT option
> > to decide if efi_signature.c shall be compiled.
> >
> > Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> > ---
> >
> > (no changes since v4)
> >
> > Changes in v4:
> > - revert #ifdef instead of using "if (!IS_ENABLED())" statement,
> >    not to rely on the compiler optimization.
> >
> > Changes in v3:
> > - hide EFI_SIGNATURE_SUPPORT option
> >
> > Changes in v2:
> > - Remove all #ifdef from efi_image_loader.c and efi_signature.c
> > - Add EFI_SIGNATURE_SUPPORT option
> > - Explicitly include <u-boot/hash-checksum.h>
> > - Gather PE/COFF parsing functions into efi_image_loader.c
> > - Move efi_guid_t efi_guid_image_security_database in efi_var_common.c
> >
> >   lib/efi_loader/Kconfig            |  6 +++
> >   lib/efi_loader/Makefile           |  2 +-
> >   lib/efi_loader/efi_image_loader.c | 64 ++++++++++++++++++++++++++++-
> >   lib/efi_loader/efi_signature.c    | 67 +------------------------------
> >   lib/efi_loader/efi_var_common.c   |  3 ++
> >   5 files changed, 74 insertions(+), 68 deletions(-)
> >
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index eb5c4d6f29..dff85cea26 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -175,6 +175,7 @@ config EFI_CAPSULE_AUTHENTICATE
> >       select PKCS7_VERIFY
> >       select IMAGE_SIGN_INFO
> >       select HASH_CALCULATE
> > +     select EFI_SIGNATURE_SUPPORT
> >       default n
> >       help
> >         Select this option if you want to enable capsule
> > @@ -344,6 +345,7 @@ config EFI_SECURE_BOOT
> >       select PKCS7_MESSAGE_PARSER
> >       select PKCS7_VERIFY
> >       select HASH_CALCULATE
> > +     select EFI_SIGNATURE_SUPPORT
> >       default n
> >       help
> >         Select this option to enable EFI secure boot support.
> > @@ -351,6 +353,10 @@ config EFI_SECURE_BOOT
> >         it is signed with a trusted key. To do that, you need to install,
> >         at least, PK, KEK and db.
> >
> > +config EFI_SIGNATURE_SUPPORT
> > +     bool
> > +     depends on EFI_SECURE_BOOT || EFI_CAPSULE_AUTHENTICATE
>
> This line is superfluous. As it has no label the symbol will be false if
> not selected by EFI_SECURE_BOOT or EFI_CAPSULE_AUTHENTICATE.

I will remove this "depends on" line.

Thanks,
Masahisa Kojima

>
> Best regards
>
> Heinrich
>
> > +
> >   config EFI_ESRT
> >       bool "Enable the UEFI ESRT generation"
> >       depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
> > diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
> > index 8bd343e258..fd344cea29 100644
> > --- a/lib/efi_loader/Makefile
> > +++ b/lib/efi_loader/Makefile
> > @@ -63,7 +63,7 @@ obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o
> >   obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o
> >   obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o
> >   obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o
> > -obj-y += efi_signature.o
> > +obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o
> >
> >   EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
> >   $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
> > diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> > index f53ef367ec..fe1ee198e2 100644
> > --- a/lib/efi_loader/efi_image_loader.c
> > +++ b/lib/efi_loader/efi_image_loader.c
> > @@ -213,7 +213,68 @@ static void efi_set_code_and_data_type(
> >       }
> >   }
> >
> > -#ifdef CONFIG_EFI_SECURE_BOOT
> > +/**
> > + * efi_image_region_add() - add an entry of region
> > + * @regs:    Pointer to array of regions
> > + * @start:   Start address of region (included)
> > + * @end:     End address of region (excluded)
> > + * @nocheck: flag against overlapped regions
> > + *
> > + * Take one entry of region [@start, @end[ and insert it into the list.
> > + *
> > + * * If @nocheck is false, the list will be sorted ascending by address.
> > + *   Overlapping entries will not be allowed.
> > + *
> > + * * If @nocheck is true, the list will be sorted ascending by sequence
> > + *   of adding the entries. Overlapping is allowed.
> > + *
> > + * Return:   status code
> > + */
> > +efi_status_t efi_image_region_add(struct efi_image_regions *regs,
> > +                               const void *start, const void *end,
> > +                               int nocheck)
> > +{
> > +     struct image_region *reg;
> > +     int i, j;
> > +
> > +     if (regs->num >= regs->max) {
> > +             EFI_PRINT("%s: no more room for regions\n", __func__);
> > +             return EFI_OUT_OF_RESOURCES;
> > +     }
> > +
> > +     if (end < start)
> > +             return EFI_INVALID_PARAMETER;
> > +
> > +     for (i = 0; i < regs->num; i++) {
> > +             reg = &regs->reg[i];
> > +             if (nocheck)
> > +                     continue;
> > +
> > +             /* new data after registered region */
> > +             if (start >= reg->data + reg->size)
> > +                     continue;
> > +
> > +             /* new data preceding registered region */
> > +             if (end <= reg->data) {
> > +                     for (j = regs->num - 1; j >= i; j--)
> > +                             memcpy(&regs->reg[j + 1], &regs->reg[j],
> > +                                    sizeof(*reg));
> > +                     break;
> > +             }
> > +
> > +             /* new data overlapping registered region */
> > +             EFI_PRINT("%s: new region already part of another\n", __func__);
> > +             return EFI_INVALID_PARAMETER;
> > +     }
> > +
> > +     reg = &regs->reg[i];
> > +     reg->data = start;
> > +     reg->size = end - start;
> > +     regs->num++;
> > +
> > +     return EFI_SUCCESS;
> > +}
> > +
> >   /**
> >    * cmp_pe_section() - compare virtual addresses of two PE image sections
> >    * @arg1:   pointer to pointer to first section header
> > @@ -422,6 +483,7 @@ err:
> >       return false;
> >   }
> >
> > +#ifdef CONFIG_EFI_SECURE_BOOT
> >   /**
> >    * efi_image_unsigned_authenticate() - authenticate unsigned image with
> >    * SHA256 hash
> > diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> > index c7ec275414..bdd09881fc 100644
> > --- a/lib/efi_loader/efi_signature.c
> > +++ b/lib/efi_loader/efi_signature.c
> > @@ -15,18 +15,16 @@
> >   #include <crypto/public_key.h>
> >   #include <linux/compat.h>
> >   #include <linux/oid_registry.h>
> > +#include <u-boot/hash-checksum.h>
> >   #include <u-boot/rsa.h>
> >   #include <u-boot/sha256.h>
> >
> > -const efi_guid_t efi_guid_image_security_database =
> > -             EFI_IMAGE_SECURITY_DATABASE_GUID;
> >   const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
> >   const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
> >   const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
> >   const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
> >   const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
> >
> > -#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
> >   static u8 pkcs7_hdr[] = {
> >       /* SEQUENCE */
> >       0x30, 0x82, 0x05, 0xc7,
> > @@ -539,68 +537,6 @@ out:
> >       return !revoked;
> >   }
> >
> > -/**
> > - * efi_image_region_add() - add an entry of region
> > - * @regs:    Pointer to array of regions
> > - * @start:   Start address of region (included)
> > - * @end:     End address of region (excluded)
> > - * @nocheck: flag against overlapped regions
> > - *
> > - * Take one entry of region [@start, @end[ and insert it into the list.
> > - *
> > - * * If @nocheck is false, the list will be sorted ascending by address.
> > - *   Overlapping entries will not be allowed.
> > - *
> > - * * If @nocheck is true, the list will be sorted ascending by sequence
> > - *   of adding the entries. Overlapping is allowed.
> > - *
> > - * Return:   status code
> > - */
> > -efi_status_t efi_image_region_add(struct efi_image_regions *regs,
> > -                               const void *start, const void *end,
> > -                               int nocheck)
> > -{
> > -     struct image_region *reg;
> > -     int i, j;
> > -
> > -     if (regs->num >= regs->max) {
> > -             EFI_PRINT("%s: no more room for regions\n", __func__);
> > -             return EFI_OUT_OF_RESOURCES;
> > -     }
> > -
> > -     if (end < start)
> > -             return EFI_INVALID_PARAMETER;
> > -
> > -     for (i = 0; i < regs->num; i++) {
> > -             reg = &regs->reg[i];
> > -             if (nocheck)
> > -                     continue;
> > -
> > -             /* new data after registered region */
> > -             if (start >= reg->data + reg->size)
> > -                     continue;
> > -
> > -             /* new data preceding registered region */
> > -             if (end <= reg->data) {
> > -                     for (j = regs->num - 1; j >= i; j--)
> > -                             memcpy(&regs->reg[j + 1], &regs->reg[j],
> > -                                    sizeof(*reg));
> > -                     break;
> > -             }
> > -
> > -             /* new data overlapping registered region */
> > -             EFI_PRINT("%s: new region already part of another\n", __func__);
> > -             return EFI_INVALID_PARAMETER;
> > -     }
> > -
> > -     reg = &regs->reg[i];
> > -     reg->data = start;
> > -     reg->size = end - start;
> > -     regs->num++;
> > -
> > -     return EFI_SUCCESS;
> > -}
> > -
> >   /**
> >    * efi_sigstore_free - free signature store
> >    * @sigstore:       Pointer to signature store structure
> > @@ -846,4 +782,3 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name)
> >
> >       return efi_build_signature_store(db, db_size);
> >   }
> > -#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
> > diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
> > index b11ed91a74..83479dd142 100644
> > --- a/lib/efi_loader/efi_var_common.c
> > +++ b/lib/efi_loader/efi_var_common.c
> > @@ -24,6 +24,9 @@ struct efi_auth_var_name_type {
> >       const enum efi_auth_var_type type;
> >   };
> >
> > +const efi_guid_t efi_guid_image_security_database =
> > +             EFI_IMAGE_SECURITY_DATABASE_GUID;
> > +
> >   static const struct efi_auth_var_name_type name_type[] = {
> >       {u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
> >       {u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
> >
>


More information about the U-Boot mailing list