This helper function will be used to determine if the device is
removable media, initially for handling a short-path loading.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Currently we don't support sha384/512 for the X.509 certificate
in dbx.  Moreover if we come across such a hash we skip the check
and approve the image,  although the image might needs to be rejected.

Rework the code a bit and fix it by adding an array of structs with the
supported GUIDs, len and literal used in the U-Boot crypto APIs instead
of hardcoding the GUID types.

It's worth noting here that efi_hash_regions() can now be reused from
efi_signature_lookup_digest() and add sha348/512 support there as well
Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>

This function will be used in the next commit where some behavior
of EFI boot manager will be expanded.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

Add efi_disk_probe() function.
This function creates an efi_disk object for a raw disk device (UCLASS_BLK)
and additional objects for related partitions (UCLASS_PARTITION).

So this function is expected to be called through driver model's "probe"
interface every time one raw disk device is detected and activated.
We assume that partition devices (UCLASS_PARTITION) have been created
when this function is invoked.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

In the next commit, CONFIG_EFI_SETUP_EARLY will become mandated
in order to support dynamic enumeration of efi_disk objects.

This can, however, be problematic particularly in case of file-based
variable storage (efi_variable.c, default).
Non-volatile variables are to be restored from EFI system partition
by efi_init_variables() in efi_init_obj_list(). When efi_init_obj_list()
is called in board_init_r(), we don't know yet what disk devices
we have since none of device probing commands (say, scsi rescan) has not
been executed at that stage.

So in this commit, a preparatory change is made; efi_init_obj_list() is
broken into the two functions;
   * efi_init_early(), and
   * new efi_init_obj_list()

Only efi_init_early() will be called in board_init_r(), which allows
us to execute any of device probing commands, either though "preboot"
variable or normal command line, before calling efi_init_obj_list() which
is to be invoked at the first execution of an efi-related command
(or at efi_launch_capsules()) as used to be.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

Add a structure which defines the information that is needed for
executing capsule updates on a platform. Some information in the
structure like the dfu string is used for making the update process
more robust while some information like the per platform image GUIDs
is used for fixing issues. Initialise this structure in the board
file, and use the information for the capsule updates.
Signed-off-by: NSughosh Ganu <sughosh.ganu@linaro.org>

The block IO protocol may be installed on any handle. We should make
no assumption about the structure the handle points to.

efi_disk_is_system_part() makes an illegal widening cast from a handle
to a struct efi_disk_obj. Remove the function.

Fixes: Fixes: 41fd5068 ("efi_loader: disk: add efi_disk_is_system_part()")
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

The efi_system_partition_guid is needed in multiple places. Export it.
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

Let function efi_dp_find_obj() additionally check if a given protocol is
installed on the handle relating to the device-path.
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

efi_dp_find_obj() should not return any handle with a partially matching
device path but the handle with the maximum matching device path.
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

Rename function shorten_path() to efi_dp_shorten() and export it.
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

InstallProtocolInterface() is called with a pointer to the protocol GUID.
There is not guarantee that the memory used by the caller for the protocol
GUID stays allocated. To play it safe the GUID should be copied to U-Boot's
internal structures.
Reported-by: NJoerie de Gram <j.de.gram@gmail.com>
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

When loading an EFI binary via the UART we assign a UART device path to it.
But we lack a handle with that device path.
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

At present we use wide characters for unicode but this is not necessary.
Change the code to use the 'u' literal instead. This helps to fix build
warnings for sandbox on rpi.
Signed-off-by: NSimon Glass <sjg@chromium.org>
Suggested-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

A mix of signatures and hashes in db doesn't always work as intended.
Currently if the digest algorithm is not explicitly set to sha256 we
stop walking the security database and reject the image.

That's problematic in case we find and try to check a signature before
inspecting the sha256 hash.  If the image is unsigned we will reject it
even if the digest matches.

Since we no longer reject the image on unknown algorithms add an explicit
check and reject the image if any other hash algorithm apart from sha256
is detected on dbx.
Suggested-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

This adds support for new RISCV_EFI_BOOT_PROTOCOL to
communicate the boot hart ID to bootloader/kernel on RISC-V
UEFI platforms.

The specification of the protocol is hosted at:
https://github.com/riscv-non-isa/riscv-uefiSigned-off-by: NSunil V L <sunilvl@ventanamicro.com>
Reviewed-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

Sphinx expects Return: and not @return to indicate a return value.

find . -name '*.c' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;

find . -name '*.h' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

U-Boot, in some occasions, injects a 'kaslr-seed' property on the /chosen
node. That would be problematic in case we want to measure the DTB we
install in the configuration table, since it would change across reboots.

The Linux kernel EFI-stub completely ignores it and only relies on
EFI_RNG_PROTOCOL for it's own randomness needs (i.e the randomization
of the physical placement of the kernel). In fact it (blindly) overwrites
the existing seed if the protocol is installed. However it still uses it
for randomizing it's virtual placement.
So let's get rid of it in the presence of the RNG protocol.

It's worth noting that TPMs also provide an RNG.  So if we tweak our
EFI_RNG_PROTOCOL slightly and install the protocol when a TPM device
is present the 'kaslr-seed' property will always be removed, allowing
us to reliably measure our DTB.
Acked-by: NArd Biesheuvel <ardb@kernel.org>
Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: NMark Kettenis <kettenis@openbsd.org>

This commit modify efi_tcg2_register() to return the
appropriate error.
With this fix, sandbox will not boot because efi_tcg2_register()
fails due to some missing feature in GetCapabilities.
So disable sandbox if EFI_TCG2_PROTOCOL is enabled.

UEFI secure boot variable measurement is not directly related
to TCG2 protocol installation, tcg2_measure_secure_boot_variable()
is moved to the separate function.
Signed-off-by: NMasahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>

Platforms may have support to measure their initial firmware components
and pass the event log to u-boot. The event log address can be passed
in property tpm_event_log_addr and tpm_event_log_size of the tpm node.
Platforms may choose their own specific mechanism to do so. A weak
function is added to check if even log has been passed to u-boot
from earlier firmware components. If available, the eventlog is parsed
to check for its correctness and further event logs are appended to the
passed log.
Signed-off-by: NRuchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>

This commit adds the UEFI GPT disk partition topology
measurement required in TCG PC Client Platform Firmware
Profile Specification
Signed-off-by: NMasahisa Kojima <masahisa.kojima@linaro.org>

TCG PC Client Platform Firmware Profile Specification
requires to measure the SMBIOS table that contains static
configuration information (e.g. Platform Manufacturer
Enterprise Number assigned by IANA, platform model number,
Vendor and Device IDs for each SMBIOS table).

The device- and environment-dependent information such as
serial number is cleared to zero or space character for
the measurement.

Existing smbios_string() function returns pointer to the string
with const qualifier, but exisintg use case is updating version
string and const qualifier must be removed.
This commit removes const qualifier from smbios_string()
return value and reuses to clear the strings for the measurement.

This commit also fixes the following compiler warning:

lib/smbios-parser.c:59:39: warning: cast to pointer from integer of
different size [-Wint-to-pointer-cast]
  const struct smbios_header *header = (struct smbios_header *)entry->struct_table_address;
Signed-off-by: NMasahisa Kojima <masahisa.kojima@linaro.org>

UEFI variable names are typically constants and hence should be defined as
const. Unfortunately some of our API functions do not define the parameters
for UEFI variable names as const. This requires unnecessary conversions.

Adjust parameters of several internal functions to tre UEFI variable names
as const.
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>

Parameter size is never used in function efi_dp_from_lo(). Remove it.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>

Instead of copying a GUID and then using a pointer to the copy for calling
guidcmp(), just pass the pointer to the orginal GUID.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

We are ignoring the alignment communicated via the PE/COFF header.
Starting 5.10 the Linux kernel will loudly complain about it. For more
details look at [1] (in linux kernel).

So add a function that can allocate aligned EFI memory and use it for our
relocated loaded image.

[1] c32ac11da3f83 ("efi/libstub: arm64: Double check image alignment at entry")
Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: NVincent Stehlé <vincent.stehle@arm.com>
Acked-by: NArd Biesheuvel <ardb@kernel.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Use enum efi_memory_type and enum_allocate_type in the definitions of the
efi_allocate_pages(), efi_allocate_pool().

In the external UEFI API leave the type as int as the UEFI specification
explicitely requires that enums use a 32bit type.
Signed-off-by: NHeinrich Schuchardt <heinrich.schuchardt@canonical.com>

TCG PC Client PFP spec requires to measure
"Exit Boot Services Invocation" if ExitBootServices() is invoked.
Depending upon the return code from the ExitBootServices() call,
"Exit Boot Services Returned with Success" or "Exit Boot Services
Returned with Failure" is also measured.
Signed-off-by: NMasahisa Kojima <masahisa.kojima@linaro.org>

Swap two ifs in efi_exit_boot_services().
efi_tcg2_notify_exit_boot_services must have EFIAPI signature.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

TCG PC Client PFP spec requires to measure "Boot####"
and "BootOrder" variables, EV_SEPARATOR event prior
to the Ready to Boot invocation.
Since u-boot does not implement Ready to Boot event,
these measurements are performed when efi_start_image() is called.

TCG spec also requires to measure "Calling EFI Application from
Boot Option" for each boot attempt, and "Returning from EFI
Application from Boot Option" if a boot device returns control
back to the Boot Manager.
Signed-off-by: NMasahisa Kojima <masahisa.kojima@linaro.org>

It is bad practice to put function declarations behind an #ifdef since
it makes it impossible to use IS_ENABLED() in the C code. The main reason
for doing this is when an empty static inline function is desired when
the feature is disabled.

To this end, this header provides two different versions of various
functions and macros. Collect them together in one place for clarity.
Allow all the rest of the header to be included, regardless of the
setting of EFI_LOADER.

With the inclusion of blk.h the 'struct blk_desc' declaration is
unnecessary. Drop it while we are here.
Signed-off-by: NSimon Glass <sjg@chromium.org>

In the commit c982874e ("efi_loader: refactor
efi_setup_loaded_image()"), setjmp-related definitions were moved to
efi_loaded_image_obj in efi_loader.h. So setjmp.h is no longer
refererenced in efi_api.h.

This also fixes some error when efi_api.h will be included in
mkeficapsule.c.

Fixes: c982874e ("efi_loader: refactor efi_setup_loaded_image()")
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

We only install FMPs if a CapsuleUpdate is requested.  Since we now have an
ESRT table which relies on FMPs to build the required information, it
makes more sense to unconditionally install them. This will allow userspace
applications (e.g fwupd) to make use of the ERST and provide us with files
we can use to run CapsuleUpdate on-disk
Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

"TCG PC Client Platform Firmware Profile Specification"
requires to measure every attempt to load and execute
a OS Loader(a UEFI application) into PCR[4].
This commit adds the PE/COFF image measurement, extends PCR,
and appends measurement into Event Log.
Acked-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: NMasahisa Kojima <masahisa.kojima@linaro.org>
Replace CONFIG_HASH_CALCULATE by CONFIG_HASH
Fix conversions between pointers and u64.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>

Add macro __efi_runtime_rodata, for const variables with similar purpose
as those using __efi_runtime_data.
Signed-off-by: NMarek Behún <marek.behun@nic.cz>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Document the macros __efi_runtime and __efi_runtime_data in Sphinx
style.
Signed-off-by: NMarek Behún <marek.behun@nic.cz>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

When linking with LTO, the compiler complains about type mismatch of
variables `__efi_runtime_start`, `__efi_runtime_stop`,
`__efi_runtime_rel_start` and `__efi_runtime_rel_stop`:

 include/efi_loader.h:218:21: warning: type of ‘__efi_runtime_start’
                                       does not match original
                                       declaration [-Wlto-type-mismatch]
    218 | extern unsigned int __efi_runtime_start, __efi_runtime_stop;
        |                     ^
  arch/sandbox/lib/sections.c:7:6: note: ‘__efi_runtime_start’ was
                                         previously declared here
      7 | char __efi_runtime_start[0] __attribute__((section(".__efi_run
        |      ^

Change the type to char[] in include/efi_loader.h.
Signed-off-by: NMarek Behún <marek.behun@nic.cz>
Reviewed-by: NBin Meng <bmeng.cn@gmail.com>

This commit does the same thing as Linux commit 33def8498fdd.

Use a more generic form for __section that requires quotes to avoid
complications with clang and gcc differences.

Remove the quote operator # from compiler_attributes.h __section macro.

Convert all unquoted __section(foo) uses to quoted __section("foo").
Also convert __attribute__((section("foo"))) uses to __section("foo")
even if the __attribute__ has multiple list entry forms.
Signed-off-by: NMarek Behún <marek.behun@nic.cz>
Reviewed-by: NBin Meng <bmeng.cn@gmail.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

The ESRT is initialised during efi_init_objlist after
efi_initialize_system_table().

The ESRT is recreated from scratch at the following events:
- successful UpdateCapsule;
- FMP instance install.

The code ensures that every ESRT entry has a unique fw_class value.

Limitations:
- The ESRT is not updated if an FMP instance is uninstalled;
- the fields image_type and flags are in the current implementation left
undefined. Setting these values will require a per-platform function
that returns the image_type/flags as a function of the image fw_class.

CC: Heinrich Schuchardt	<xypron.glpk@gmx.de>
CC: Sughosh Ganu <sughosh.ganu@linaro.org>
CC: AKASHI Takahiro <takahiro.akashi@linaro.org>
CC: Ilias Apalodimas <ilias.apalodimas@linaro.org>
CC: Andre Przywara <andre.przywara@arm.com>
CC: Alexander Graf <agraf@csgraf.de>
CC: nd@arm.com
Signed-off-by: NJose Marinho <jose.marinho@arm.com>

Remove two EFI_CALL() indirections.
Move ESRT GUID in efidebug's list of GUIDs.
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Up to now we install EFI_LOAD_FILE2_PROTOCOL to load an initrd
unconditionally. Although we correctly return various EFI exit codes
depending on the file status (i.e EFI_NO_MEDIA, EFI_NOT_FOUND etc), the
kernel loader, only falls back to the cmdline interpreted initrd if the
protocol is not installed.

This creates a problem for EFI installers, since they won't be able to
load their own initrd and continue the installation. It also makes the
feature hard to use, since we can either have a single initrd or we have
to recompile u-boot if the filename changes.

So let's introduce a different logic that will decouple the initrd
path from the config option we currently have.
When defining a UEFI BootXXXX we can use the filepathlist and store
a file path pointing to our initrd. Specifically the EFI spec describes:

"The first element of the array is a device path that describes the device
and location of the Image for this load option. Other device paths may
optionally exist in the FilePathList, but their usage is OSV specific"

When the EFI application is launched through the bootmgr, we'll try to
interpret the extra device path. If that points to a file that exists on
our disk, we'll now install the load_file2 and the efi-stub will be able
to use it.

This opens up another path using U-Boot and defines a new boot flow.
A user will be able to control the kernel/initrd pairs without explicit
cmdline args or GRUB.
Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

A following patch introduces a different logic for loading initrd's
based on the EFI_LOAD_FILE2_PROTOCOL.
Since similar logic can be applied in the future for other system files
(i.e DTBs), let's add some helper functions which will retrieve and
parse file paths stored in EFI variables.
Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>