[PATCH 1/1] efi_loader: add missing check in FMP.GetImageInfo()

Wed Jul 9 13:55:26 CEST 2025

On Tue, 8 Jul 2025 at 18:21, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> On Tue, 8 Jul 2025 at 15:20, Heinrich Schuchardt
> <heinrich.schuchardt at canonical.com> wrote:
> >
> > On 08.07.25 13:56, Ilias Apalodimas wrote:
> > > Hi Heinrich
> > >
> > > On Tue, 8 Jul 2025 at 14:48, Heinrich Schuchardt
> > > <heinrich.schuchardt at canonical.com> wrote:
> > >>
> > >> The UEFI 2.11 specification, chapter 23.1.3 requires
> > >> EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() to return
> > >> EFI_INVALID_PARAMETER if *ImageInfoSize is not too small
> > >> and ImageInfo is NULL.
> > >>
> > >> Fixes: f27c20148511 ("efi_loader: add firmware management protocol for FIT image")
> > >> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> > >> ---
> > >
> > > Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > >
> > > That being said, we need to double check the FIT capsule users. I
> > > think we can probably remove it in the future.
> >
> > It is not clear if you mean the check or the FIT version of the protocol.
>
> I mean EFI_CAPSULE_FIRMWARE_FIT and the code that manages that
>
> >
> > efi_firmware_get_image_info() is a protocol implementation that may be
> > called from anywhere outside of U-Boot. We should not remove checks
> > required by the UEFI specification even if our internal usage of the
> > protocol would not require them.
> >
> > > Are you aware of use cases that FIT supports, which we don't support
> > > from the RAW variant?
> >
> > Maybe Takahiro remembers, why both RAW and FIT were implemented.
>
> It's been a few years and maybe my memory fails me but....
> I remember we added FIT for the authentication since we didn't have
> authenticated capsule update support. But we do now

I had proposed earlier, when I had added support for capsule
authentication, to remove support for FIT capsules. But Takahiro and
Simon preferred having this supported as FIT is used extensively in
U-Boot. IIRC, the FIT based capsule update is pretty unique in the way
the components of the FIT get written to the storage media.

-sughosh

>
> Cheers
> /Ilias
> >
> > Best regards
> >
> > Heinrich
> >
> > >
> > > Thanks
> > > /Ilias
> > >>   lib/efi_loader/efi_firmware.c | 2 ++
> > >>   1 file changed, 2 insertions(+)
> > >>
> > >> diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c
> > >> index 75501e21557..216df83de67 100644
> > >> --- a/lib/efi_loader/efi_firmware.c
> > >> +++ b/lib/efi_loader/efi_firmware.c
> > >> @@ -332,6 +332,8 @@ static efi_status_t efi_fill_image_desc_array(
> > >>
> > >>                  return EFI_BUFFER_TOO_SMALL;
> > >>          }
> > >> +       if (!image_info)
> > >> +               return EFI_INVALID_PARAMETER;
> > >>          *image_info_size = total_size;
> > >>
> > >>          ret = efi_gen_capsule_guids();
> > >> --
> > >> 2.48.1
> > >>
> >