efi_loader: Enable uefi capsule authentication

Add support for enabling uefi capsule authentication. This feature is
enabled by setting the environment variable
"capsule_authentication_enabled".

The following configs are needed for enabling uefi capsule update and
capsule authentication features on the platform.

CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c
index 5d2ecde2f152efeffeda79f2c822f2703bcc32d6..5e401bbca2b376fafb225a451ffec122303b6ba6 100644 (file)
--- a/lib/efi_loader/efi_firmware.c
+++ b/lib/efi_loader/efi_firmware.c
@@ -184,9 +184,16 @@ static efi_status_t efi_get_dfu_info(
                image_info[i].version_name = NULL; /* not supported */
                image_info[i].size = 0;
                image_info[i].attributes_supported =
-                               IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
+                       IMAGE_ATTRIBUTE_IMAGE_UPDATABLE |
+                       IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
                image_info[i].attributes_setting =
                                IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
+
+               /* Check if the capsule authentication is enabled */
+               if (env_get("capsule_authentication_enabled"))
+                       image_info[0].attributes_setting |=
+                               IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
+
                image_info[i].lowest_supported_image_version = 0;
                image_info[i].last_attempt_version = 0;
                image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS;
@@ -403,6 +410,9 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
 {
        u32 fmp_hdr_signature;
        struct fmp_payload_header *header;
+       void *capsule_payload;
+       efi_status_t status;
+       efi_uintn_t capsule_payload_size;
 
        EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image,
                  image_size, vendor_code, progress, abort_reason);
@@ -410,6 +420,30 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
        if (!image)
                return EFI_EXIT(EFI_INVALID_PARAMETER);
 
+       /* Authenticate the capsule if authentication enabled */
+       if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
+           env_get("capsule_authentication_enabled")) {
+               capsule_payload = NULL;
+               capsule_payload_size = 0;
+               status = efi_capsule_authenticate(image, image_size,
+                                                 &capsule_payload,
+                                                 &capsule_payload_size);
+
+               if (status == EFI_SECURITY_VIOLATION) {
+                       printf("Capsule authentication check failed. Aborting update\n");
+                       return EFI_EXIT(status);
+               } else if (status != EFI_SUCCESS) {
+                       return EFI_EXIT(status);
+               }
+
+               debug("Capsule authentication successfull\n");
+               image = capsule_payload;
+               image_size = capsule_payload_size;
+       } else {
+               debug("Capsule authentication disabled. ");
+               debug("Updating capsule without authenticating.\n");
+       }
+
        fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE;
        header = (void *)image;