[PATCH v7 2/3] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled
Masahisa Kojima
masahisa.kojima at linaro.org
Fri May 14 02:39:48 CEST 2021
On Fri, 14 May 2021 at 00:33, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> On 5/13/21 4:48 PM, Masahisa Kojima wrote:
> > This is preparation for PE/COFF measurement support.
> > PE/COFF image hash calculation is same in both
> > UEFI Secure Boot image verification and measurement in
> > measured boot. PE/COFF image parsing functions are
> > gathered into efi_image_loader.c, and exposed even if
> > UEFI Secure Boot is not enabled.
> >
> > This commit also adds the EFI_SIGNATURE_SUPPORT option
> > to decide if efi_signature.c shall be compiled.
> >
> > Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> > ---
> >
> > (no changes since v4)
> >
> > Changes in v4:
> > - revert #ifdef instead of using "if (!IS_ENABLED())" statement,
> > not to rely on the compiler optimization.
> >
> > Changes in v3:
> > - hide EFI_SIGNATURE_SUPPORT option
> >
> > Changes in v2:
> > - Remove all #ifdef from efi_image_loader.c and efi_signature.c
> > - Add EFI_SIGNATURE_SUPPORT option
> > - Explicitly include <u-boot/hash-checksum.h>
> > - Gather PE/COFF parsing functions into efi_image_loader.c
> > - Move efi_guid_t efi_guid_image_security_database in efi_var_common.c
> >
> > lib/efi_loader/Kconfig | 6 +++
> > lib/efi_loader/Makefile | 2 +-
> > lib/efi_loader/efi_image_loader.c | 64 ++++++++++++++++++++++++++++-
> > lib/efi_loader/efi_signature.c | 67 +------------------------------
> > lib/efi_loader/efi_var_common.c | 3 ++
> > 5 files changed, 74 insertions(+), 68 deletions(-)
> >
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index eb5c4d6f29..dff85cea26 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -175,6 +175,7 @@ config EFI_CAPSULE_AUTHENTICATE
> > select PKCS7_VERIFY
> > select IMAGE_SIGN_INFO
> > select HASH_CALCULATE
> > + select EFI_SIGNATURE_SUPPORT
> > default n
> > help
> > Select this option if you want to enable capsule
> > @@ -344,6 +345,7 @@ config EFI_SECURE_BOOT
> > select PKCS7_MESSAGE_PARSER
> > select PKCS7_VERIFY
> > select HASH_CALCULATE
> > + select EFI_SIGNATURE_SUPPORT
> > default n
> > help
> > Select this option to enable EFI secure boot support.
> > @@ -351,6 +353,10 @@ config EFI_SECURE_BOOT
> > it is signed with a trusted key. To do that, you need to install,
> > at least, PK, KEK and db.
> >
> > +config EFI_SIGNATURE_SUPPORT
> > + bool
> > + depends on EFI_SECURE_BOOT || EFI_CAPSULE_AUTHENTICATE
>
> This line is superfluous. As it has no label the symbol will be false if
> not selected by EFI_SECURE_BOOT or EFI_CAPSULE_AUTHENTICATE.
I will remove this "depends on" line.
Thanks,
Masahisa Kojima
>
> Best regards
>
> Heinrich
>
> > +
> > config EFI_ESRT
> > bool "Enable the UEFI ESRT generation"
> > depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
> > diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
> > index 8bd343e258..fd344cea29 100644
> > --- a/lib/efi_loader/Makefile
> > +++ b/lib/efi_loader/Makefile
> > @@ -63,7 +63,7 @@ obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o
> > obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o
> > obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o
> > obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o
> > -obj-y += efi_signature.o
> > +obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o
> >
> > EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
> > $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
> > diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> > index f53ef367ec..fe1ee198e2 100644
> > --- a/lib/efi_loader/efi_image_loader.c
> > +++ b/lib/efi_loader/efi_image_loader.c
> > @@ -213,7 +213,68 @@ static void efi_set_code_and_data_type(
> > }
> > }
> >
> > -#ifdef CONFIG_EFI_SECURE_BOOT
> > +/**
> > + * efi_image_region_add() - add an entry of region
> > + * @regs: Pointer to array of regions
> > + * @start: Start address of region (included)
> > + * @end: End address of region (excluded)
> > + * @nocheck: flag against overlapped regions
> > + *
> > + * Take one entry of region [@start, @end[ and insert it into the list.
> > + *
> > + * * If @nocheck is false, the list will be sorted ascending by address.
> > + * Overlapping entries will not be allowed.
> > + *
> > + * * If @nocheck is true, the list will be sorted ascending by sequence
> > + * of adding the entries. Overlapping is allowed.
> > + *
> > + * Return: status code
> > + */
> > +efi_status_t efi_image_region_add(struct efi_image_regions *regs,
> > + const void *start, const void *end,
> > + int nocheck)
> > +{
> > + struct image_region *reg;
> > + int i, j;
> > +
> > + if (regs->num >= regs->max) {
> > + EFI_PRINT("%s: no more room for regions\n", __func__);
> > + return EFI_OUT_OF_RESOURCES;
> > + }
> > +
> > + if (end < start)
> > + return EFI_INVALID_PARAMETER;
> > +
> > + for (i = 0; i < regs->num; i++) {
> > + reg = ®s->reg[i];
> > + if (nocheck)
> > + continue;
> > +
> > + /* new data after registered region */
> > + if (start >= reg->data + reg->size)
> > + continue;
> > +
> > + /* new data preceding registered region */
> > + if (end <= reg->data) {
> > + for (j = regs->num - 1; j >= i; j--)
> > + memcpy(®s->reg[j + 1], ®s->reg[j],
> > + sizeof(*reg));
> > + break;
> > + }
> > +
> > + /* new data overlapping registered region */
> > + EFI_PRINT("%s: new region already part of another\n", __func__);
> > + return EFI_INVALID_PARAMETER;
> > + }
> > +
> > + reg = ®s->reg[i];
> > + reg->data = start;
> > + reg->size = end - start;
> > + regs->num++;
> > +
> > + return EFI_SUCCESS;
> > +}
> > +
> > /**
> > * cmp_pe_section() - compare virtual addresses of two PE image sections
> > * @arg1: pointer to pointer to first section header
> > @@ -422,6 +483,7 @@ err:
> > return false;
> > }
> >
> > +#ifdef CONFIG_EFI_SECURE_BOOT
> > /**
> > * efi_image_unsigned_authenticate() - authenticate unsigned image with
> > * SHA256 hash
> > diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> > index c7ec275414..bdd09881fc 100644
> > --- a/lib/efi_loader/efi_signature.c
> > +++ b/lib/efi_loader/efi_signature.c
> > @@ -15,18 +15,16 @@
> > #include <crypto/public_key.h>
> > #include <linux/compat.h>
> > #include <linux/oid_registry.h>
> > +#include <u-boot/hash-checksum.h>
> > #include <u-boot/rsa.h>
> > #include <u-boot/sha256.h>
> >
> > -const efi_guid_t efi_guid_image_security_database =
> > - EFI_IMAGE_SECURITY_DATABASE_GUID;
> > const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
> > const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
> > const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
> > const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
> > const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
> >
> > -#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
> > static u8 pkcs7_hdr[] = {
> > /* SEQUENCE */
> > 0x30, 0x82, 0x05, 0xc7,
> > @@ -539,68 +537,6 @@ out:
> > return !revoked;
> > }
> >
> > -/**
> > - * efi_image_region_add() - add an entry of region
> > - * @regs: Pointer to array of regions
> > - * @start: Start address of region (included)
> > - * @end: End address of region (excluded)
> > - * @nocheck: flag against overlapped regions
> > - *
> > - * Take one entry of region [@start, @end[ and insert it into the list.
> > - *
> > - * * If @nocheck is false, the list will be sorted ascending by address.
> > - * Overlapping entries will not be allowed.
> > - *
> > - * * If @nocheck is true, the list will be sorted ascending by sequence
> > - * of adding the entries. Overlapping is allowed.
> > - *
> > - * Return: status code
> > - */
> > -efi_status_t efi_image_region_add(struct efi_image_regions *regs,
> > - const void *start, const void *end,
> > - int nocheck)
> > -{
> > - struct image_region *reg;
> > - int i, j;
> > -
> > - if (regs->num >= regs->max) {
> > - EFI_PRINT("%s: no more room for regions\n", __func__);
> > - return EFI_OUT_OF_RESOURCES;
> > - }
> > -
> > - if (end < start)
> > - return EFI_INVALID_PARAMETER;
> > -
> > - for (i = 0; i < regs->num; i++) {
> > - reg = ®s->reg[i];
> > - if (nocheck)
> > - continue;
> > -
> > - /* new data after registered region */
> > - if (start >= reg->data + reg->size)
> > - continue;
> > -
> > - /* new data preceding registered region */
> > - if (end <= reg->data) {
> > - for (j = regs->num - 1; j >= i; j--)
> > - memcpy(®s->reg[j + 1], ®s->reg[j],
> > - sizeof(*reg));
> > - break;
> > - }
> > -
> > - /* new data overlapping registered region */
> > - EFI_PRINT("%s: new region already part of another\n", __func__);
> > - return EFI_INVALID_PARAMETER;
> > - }
> > -
> > - reg = ®s->reg[i];
> > - reg->data = start;
> > - reg->size = end - start;
> > - regs->num++;
> > -
> > - return EFI_SUCCESS;
> > -}
> > -
> > /**
> > * efi_sigstore_free - free signature store
> > * @sigstore: Pointer to signature store structure
> > @@ -846,4 +782,3 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name)
> >
> > return efi_build_signature_store(db, db_size);
> > }
> > -#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
> > diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
> > index b11ed91a74..83479dd142 100644
> > --- a/lib/efi_loader/efi_var_common.c
> > +++ b/lib/efi_loader/efi_var_common.c
> > @@ -24,6 +24,9 @@ struct efi_auth_var_name_type {
> > const enum efi_auth_var_type type;
> > };
> >
> > +const efi_guid_t efi_guid_image_security_database =
> > + EFI_IMAGE_SECURITY_DATABASE_GUID;
> > +
> > static const struct efi_auth_var_name_type name_type[] = {
> > {u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
> > {u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
> >
>
More information about the U-Boot
mailing list