This is preparation for PE/COFF measurement support.
PE/COFF image hash calculation is same in both
UEFI Secure Boot image verification and measurement in
measured boot. PE/COFF image parsing functions are
gathered into efi_image_loader.c, and exposed even if
UEFI Secure Boot is not enabled.
This commit also adds the EFI_SIGNATURE_SUPPORT option
to decide if efi_signature.c shall be compiled.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
select PKCS7_VERIFY
select IMAGE_SIGN_INFO
select HASH_CALCULATE
+ select EFI_SIGNATURE_SUPPORT
default n
help
Select this option if you want to enable capsule
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
select HASH_CALCULATE
+ select EFI_SIGNATURE_SUPPORT
default n
help
Select this option to enable EFI secure boot support.
it is signed with a trusted key. To do that, you need to install,
at least, PK, KEK and db.
+config EFI_SIGNATURE_SUPPORT
+ bool
+
config EFI_ESRT
bool "Enable the UEFI ESRT generation"
depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o
obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o
obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o
-obj-y += efi_signature.o
+obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o
EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
$(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
}
}
-#ifdef CONFIG_EFI_SECURE_BOOT
+/**
+ * efi_image_region_add() - add an entry of region
+ * @regs: Pointer to array of regions
+ * @start: Start address of region (included)
+ * @end: End address of region (excluded)
+ * @nocheck: flag against overlapped regions
+ *
+ * Take one entry of region [@start, @end[ and insert it into the list.
+ *
+ * * If @nocheck is false, the list will be sorted ascending by address.
+ * Overlapping entries will not be allowed.
+ *
+ * * If @nocheck is true, the list will be sorted ascending by sequence
+ * of adding the entries. Overlapping is allowed.
+ *
+ * Return: status code
+ */
+efi_status_t efi_image_region_add(struct efi_image_regions *regs,
+ const void *start, const void *end,
+ int nocheck)
+{
+ struct image_region *reg;
+ int i, j;
+
+ if (regs->num >= regs->max) {
+ EFI_PRINT("%s: no more room for regions\n", __func__);
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ if (end < start)
+ return EFI_INVALID_PARAMETER;
+
+ for (i = 0; i < regs->num; i++) {
+ reg = ®s->reg[i];
+ if (nocheck)
+ continue;
+
+ /* new data after registered region */
+ if (start >= reg->data + reg->size)
+ continue;
+
+ /* new data preceding registered region */
+ if (end <= reg->data) {
+ for (j = regs->num - 1; j >= i; j--)
+ memcpy(®s->reg[j + 1], ®s->reg[j],
+ sizeof(*reg));
+ break;
+ }
+
+ /* new data overlapping registered region */
+ EFI_PRINT("%s: new region already part of another\n", __func__);
+ return EFI_INVALID_PARAMETER;
+ }
+
+ reg = ®s->reg[i];
+ reg->data = start;
+ reg->size = end - start;
+ regs->num++;
+
+ return EFI_SUCCESS;
+}
+
/**
* cmp_pe_section() - compare virtual addresses of two PE image sections
* @arg1: pointer to pointer to first section header
return false;
}
+#ifdef CONFIG_EFI_SECURE_BOOT
/**
* efi_image_unsigned_authenticate() - authenticate unsigned image with
* SHA256 hash
#include <crypto/public_key.h>
#include <linux/compat.h>
#include <linux/oid_registry.h>
+#include <u-boot/hash-checksum.h>
#include <u-boot/rsa.h>
#include <u-boot/sha256.h>
-const efi_guid_t efi_guid_image_security_database =
- EFI_IMAGE_SECURITY_DATABASE_GUID;
const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
-#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
static u8 pkcs7_hdr[] = {
/* SEQUENCE */
0x30, 0x82, 0x05, 0xc7,
return !revoked;
}
-/**
- * efi_image_region_add() - add an entry of region
- * @regs: Pointer to array of regions
- * @start: Start address of region (included)
- * @end: End address of region (excluded)
- * @nocheck: flag against overlapped regions
- *
- * Take one entry of region [@start, @end[ and insert it into the list.
- *
- * * If @nocheck is false, the list will be sorted ascending by address.
- * Overlapping entries will not be allowed.
- *
- * * If @nocheck is true, the list will be sorted ascending by sequence
- * of adding the entries. Overlapping is allowed.
- *
- * Return: status code
- */
-efi_status_t efi_image_region_add(struct efi_image_regions *regs,
- const void *start, const void *end,
- int nocheck)
-{
- struct image_region *reg;
- int i, j;
-
- if (regs->num >= regs->max) {
- EFI_PRINT("%s: no more room for regions\n", __func__);
- return EFI_OUT_OF_RESOURCES;
- }
-
- if (end < start)
- return EFI_INVALID_PARAMETER;
-
- for (i = 0; i < regs->num; i++) {
- reg = ®s->reg[i];
- if (nocheck)
- continue;
-
- /* new data after registered region */
- if (start >= reg->data + reg->size)
- continue;
-
- /* new data preceding registered region */
- if (end <= reg->data) {
- for (j = regs->num - 1; j >= i; j--)
- memcpy(®s->reg[j + 1], ®s->reg[j],
- sizeof(*reg));
- break;
- }
-
- /* new data overlapping registered region */
- EFI_PRINT("%s: new region already part of another\n", __func__);
- return EFI_INVALID_PARAMETER;
- }
-
- reg = ®s->reg[i];
- reg->data = start;
- reg->size = end - start;
- regs->num++;
-
- return EFI_SUCCESS;
-}
-
/**
* efi_sigstore_free - free signature store
* @sigstore: Pointer to signature store structure
return efi_build_signature_store(db, db_size);
}
-#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */
const enum efi_auth_var_type type;
};
+const efi_guid_t efi_guid_image_security_database =
+ EFI_IMAGE_SECURITY_DATABASE_GUID;
+
static const struct efi_auth_var_name_type name_type[] = {
{u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
{u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
projects / u-boot.git / commitdiff