With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
is supported for authenticated variables and the system secure state
will transfer between setup mode and user mode as UEFI specification
section 32.3 describes.

Internally, authentication data is stored as part of authenticated
variable's value. It is nothing but a pkcs7 message (but we need some
wrapper, see efi_variable_parse_signature()) and will be validated by
efi_variable_authenticate(), hence efi_signature_verify_with_db().

Associated time value will be encoded in "{...,time=...}" along with
other UEFI variable's attributes.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

efi_signature_parse_sigdb() is a helper function will be used to parse
signature database variable and instantiate a signature store structure
in later patches.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

In this commit, implemented are a couple of helper functions which will be
used to materialize variable authentication as well as image authentication
in later patches.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

'vendor' is both an input and an output parameter. So it cannot be
constant.

Fixes: 0bda81bf ("efi_loader: use const efi_guid_t * for variable services")
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

This is a preparatory patch.
Those functions will be used in an implementation of UEFI firmware
management protocol as part of my capsule update patch.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

Following kernel's proposal for an arch-agnostic initrd loading
mechanism [1] let's implement the U-boot counterpart.
This new approach has a number of advantages compared to what we did up
to now. The file is loaded into memory only when requested limiting the
area of TOCTOU attacks. Users will be allowed to place the initramfs
file on any u-boot accessible partition instead of just the ESP one.
Finally this is an attempt of a generic interface across architectures
in the linux kernel so it makes sense to support that.

The file location is intentionally only supported as a config option
argument(CONFIG_EFI_INITRD_FILESPEC), in an effort to enhance security.
Although U-boot is not responsible for verifying the integrity of the
initramfs, we can enhance the offered security by only accepting a
built-in option, which will be naturally verified by UEFI Secure Boot.
This can easily change in the future if needed and configure that via ENV
or UEFI variable.

[1] https://lore.kernel.org/linux-efi/20200207202637.GA3464906@rani.riverdale.lan/T/#m4a25eb33112fab7a22faa0fd65d4d663209af32fSigned-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Install the EFI_RNG_PROTOCOL implementation for it's subsequent use by
the kernel for features like kaslr.
Signed-off-by: NSughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Add guidcpy function to copy the source guid to the destination
guid. Use this function instead of memcpy for copying to the
destination guid.
Signed-off-by: NSughosh Ganu <sughosh.ganu@linaro.org>

Use void * instead of efi_guid_t * for arguments to allow copying unaligned
GUIDs. The GUIDs of configuration tables are __packed.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Use a pointer to addressable memory instead of a "physical" address in the
virtual address space of the sandbox to efi_install_fdt().

Export the efi_install_fdt() function.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Provide public function efi_run_imager() which can be used to run an UEFI
image from memory.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

As part of moving the parsing of command line arguments to do_bootefi()
call efi_install_fdt() with the address of the device tree instead of a
string.

If the address is EFI_FDT_USE_INTERNAL (= 0), the internal device tree
is used.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Function efi_dp_from_dev() is not used anywhere. Remove it.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

At present these two functions are defined in efi_loader.h but only if
CONFIG_EFI_LOADER is enabled. But these are functions that are useful to
other code, such as that which deals with Intel Handoff Blocks (HOBs).

Move these to the top of the function.

Possibly ascii2unicode() should not be an inline function, since this
might impact code size.
Signed-off-by: NSimon Glass <sjg@chromium.org>
Reviewed-by: NBin Meng <bmeng.cn@gmail.com>

Sandbox's "host" devices are currently described as UCLASS_ROOT udevice
with DEV_IF_HOST block device. As the current implementation of
efi_device_path doesn't support such a type, any "host" device
on sandbox cannot be seen as a distinct object.

For example,
  => host bind 0 /foo/disk.img

  => efi devices
  Scanning disk host0...
  Found 1 disks
  Device           Device Path
  ================ ====================
  0000000015c19970 /VenHw(e61d73b9-a384-4acc-aeab-82e828f3628b)
  0000000015c19d70 /VenHw(e61d73b9-a384-4acc-aeab-82e828f3628b)

  => efi dh
  Handle           Protocols
  ================ ====================
  0000000015c19970 Device Path, Device Path To Text, Device Path Utilities, Unicode Collation 2, HII String, HII Database, HII Config Routing
  0000000015c19ba0 Driver Binding
  0000000015c19c10 Simple Text Output
  0000000015c19c80 Simple Text Input, Simple Text Input Ex
  0000000015c19d70 Block IO, Device Path, Simple File System

As you can see here, efi_root (0x0000000015c19970) and host0 device
(0x0000000015c19d70) have the same representation of device path.

This is not only inconvenient, but also confusing since two different
efi objects are associated with the same device path and
efi_dp_find_obj() will possibly return a wrong result.

Solution:
Each "host" device should be given an additional device path node
of "vendor device path" to make it distinguishable.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

ascii2unicode() can only convert characters 0x00-0x7f from UTF-8 to UTF-16.
Use utf8_utf16_strcpy() instead.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Adding a conventional memory region to the memory map may require ram_top
limitation and it can be also commonly used. Extract adding a conventional
memory to the memory map in a separate routine for generic use.
Signed-off-by: NAiden Park <aiden.park@intel.com>
Tested-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

In packed structures GUIDs are not aligned. Avoid a build error with
GCC 9.1 by using const void * as argument for guidcmp().
Reported-by: NRamon Fried <rfried.dev@gmail.com>
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

We currently have some inconsistent use of efi_add_memory_map()
throughout the code. In particular the return value of efi_add_memory_map()
is not interpreted the same way by various users in the codebase.

This patch does the following:

- Changes efi_add_memory_map() to return efi_status_t.
- Adds a method description to efi_add_memory_map().
- Changes efi_add_memory_map() to return EFI_SUCCESS
- Returns non-zero for error in efi_add_memory_map()
- Updates efi_allocate_pages() to new efi_add_memory_map()
- Updates efi_free_pages() to new efi_add_memory_map()
- Updates efi_carve_out_dt_rsv() to new efi_add_memory_map()
- Updates efi_add_runtime_mmio()  to new efi_add_memory_map()

Fixes: 5d00995c ("efi_loader: Implement memory allocation and map")
Fixes: 74c16acc ("efi_loader: Don't allocate from memory holes")
Suggested-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Alexander Graf <agraf@csgraf.de>
Signed-off-by: NBryan O'Donoghue <pure.logic@nexus-software.ie>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Linux can be called with a command line parameter efi=novamap, cf.
commit 4e46c2a95621 ("efi/arm/arm64: Allow SetVirtualAddressMap() to be
omitted"). In this case SetVirtualAddressMap() is not called after
ExitBootServices().

OpenBSD 32bit does not call SetVirtualAddressMap() either.

Runtime services must be set to an implementation supported at runtime
in ExitBootServices().
Reported-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Suggested-by: NAlexander Graf <agraf@csgraf.de>
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Our variable services are only provided at boottime. Therefore when
leaving boottime the variable function are replaced by dummy functions
returning EFI_UNSUPPORTED. Move this patching of the runtime table to the
variable services implementation. Executed it in ExitBootServices().
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Provide an initialization routine for variable services.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Let's keep similar things together.

Move efi_query_variable_info() to lib/efi_loader/efi_variable.c
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

This variable is defined in UEFI specification 2.8, section 8.1.
Its value should be updated whenever we add any usable runtime services
function.

Currently we only support SetVirtualAddress() for all systems and
ResetSystem() for some.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Up to now we have only been using a flag queued for events. But this does
not satisfy the requirements of the UEFI spec. Events must be notified in
the sequence of decreasing TPL level and within a TPL level in the sequence
of signaling.

Implement a queue for signaled events.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

ExitBootServices() has to stop timer related activity before calling the
events of the EFI_EVENT_GROUP_EXIT_BOOT_SERVICES event group. But our
current implementation was stopping all other events.

All events have to observe the task priority level.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

To let a board implement the runtime version of SetTime() we have to
provide the definition of the weak function in an include.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

When a protocol is installed the handle should be queued for the
registration key of each registered event. LocateHandle() should return the
first handle from the queue for the registration key and delete it from the
queue.

Implement the queueing.

Correct the selftest.

With the patch the UEFI SCT tests for LocateHandle() are passed without
failure.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Change comments for struct efi_open_protocol_info_item and
struct efi_handler to Sphinx format.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

In EFI 1.10 a version of the Unicode collation protocol using ISO 639-2
language codes existed. This protocol is not part of the UEFI specification
any longer. Unfortunately it is required to run the UEFI Self Certification
Test (SCT) II, version 2.6, 2017. So we implement it here for the sole
purpose of running the SCT. It can be removed once a compliant SCT is
available.

The configuration option defaults to no.
Signed-off-by: NRob Clark <robdclark@gmail.com>

Most of Rob's original patch is already merged. Only the deprecated
protocol is missing. Rebase it and make it configurable.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Rename variables to make it clear they refer to the Unicode collation
protocol identified by the EFI_UNICODE_PROTOCOL2_GUID.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

If the parent image handle does not refer to a loaded image return
EFI_INVALID_PARAMETER.
(UEFI SCT II 2017: 3.4.1 LoadImage() - 5.1.4.1.1)

Mark our root node as a loaded image to avoid an error when using it as
parent image.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

The RegisterProtocolNotify() boot service registers an event to be
notified upon the installation of a protocol interface with the
specified GUID.

Add the missing implementation.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Implement unloading of images in the Exit() boot services:

* unload images that are not yet started,
* unload started applications,
* unload drivers returning an error.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

In UnloadImage() we need to know if an image is already started.

Add a field to the handle structure identifying loaded and started images.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

In case of a failure exit data may be passed to Exit() which in turn is
returned by StartImage().

Let the `bootefi` command print the exit data string in case of an error.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

The field boot OptionalData in structure _EFI_LOAD_OPTIONS is for binary
data.

When we use `efidebug boot add` we should convert the 5th argument from
UTF-8 to UTF-16 before putting it into the BootXXXX variable.

When printing boot variables with `efidebug boot dump` we should support
the OptionalData being arbitrary binary data. So let's dump the data as
hexadecimal values.

Here is an example session protocol:

=> efidebug boot add 00a1 label1 scsi 0:1 doit1 'my option'
=> efidebug boot add 00a2 label2 scsi 0:1 doit2
=> efidebug boot dump
Boot00A0:
  attributes: A-- (0x00000001)
  label: label1
  file_path: .../HD(1,MBR,0xeac4e18b,0x800,0x3fffe)/doit1
  data:
    00000000: 6d 00 79 00 20 00 6f 00 70 00 74 00 69 00 6f 00  m.y. .o.p.t.i.o.
    00000010: 6e 00 00 00                                      n...
Boot00A1:
  attributes: A-- (0x00000001)
  label: label2
  file_path: .../HD(1,MBR,0xeac4e18b,0x800,0x3fffe)/doit2
  data:
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

In the current implementation, bootefi command and EFI boot manager
don't use load_image API, instead, use more primitive and internal
functions. This will introduce duplicated code and potentially
unknown bugs as well as inconsistent behaviours.

With this patch, do_efibootmgr() and do_boot_efi() are completely
overhauled and re-implemented using load_image API.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

Use efi_root as parent handle for the loaded image.
LoadImage() should be called with BootPolicy = true by the boot manager.
Avoid duplicate free_pool().
Eliminate variable memdp which is not needed after anymore due to
"efi_loader: correctly split device path of loaded image".
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

This is a preparatory patch.
The root node handle will be used as a dummy parent handle when invoking
an EFI image from bootefi/bootmgr command.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>

Rebased.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Export function efi_install_multiple_protocol_interfaces() so that we can
call it in others parts of the UEFI subsystem.
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>

Those two functions will be used later to re-implement do_bootefi_exec().
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>