From patchwork Wed Jul 1 18:11:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 1321129 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=gmx.de Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.a=rsa-sha256 header.s=badeba3b8450 header.b=Da0ir3s4; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49yBCh4nKYz9sR4 for ; Thu, 2 Jul 2020 18:32:00 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 50F95821B0; Thu, 2 Jul 2020 10:22:07 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.b="Da0ir3s4"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 3FE4381991; Wed, 1 Jul 2020 20:11:20 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,FREEMAIL_FROM,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 5FBD98006D for ; Wed, 1 Jul 2020 20:11:17 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=xypron.glpk@gmx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1593627075; bh=Zbu0u4Pt60XFXxysgvDaYiXY/wd6REPmIC2BENTWFF8=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=Da0ir3s4HIyiTBsBaGGefDEKb2Ec2r5lR+EMgxUW32MlbULBmzuzGcmX7YTFFXNUd q1GA+6aG+4FQBTkWlnH1fJVwLgTzSZGIBKQwAIF2wPjFOsTc9P8bLuyBWPg3okA6jh CHBwKBz/VzMAPFpSXCWnJdHjy9QBAk7hI3nsBfbA= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from workstation4.fritz.box ([88.152.145.75]) by mail.gmx.com (mrgmx005 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MPXhA-1jVAB63ObK-00MaVA; Wed, 01 Jul 2020 20:11:14 +0200 From: Heinrich Schuchardt To: AKASHI Takahiro Cc: Alexander Graf , u-boot@lists.denx.de, Heinrich Schuchardt Subject: [PATCH 1/1] efi_loader: time based authentication Date: Wed, 1 Jul 2020 20:11:06 +0200 Message-Id: <20200701181106.167453-1-xypron.glpk@gmx.de> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 X-Provags-ID: V03:K1:ANYCmFJZ6d3jr7XCtzxCs6mrIAcnKnrSCfE5iKoc80NieuZLOqR rDSSN5NCkujFVFo7sObgXz4SdZOcsGOTI0OIvnBh2M1RSygngUp0UAEdgLS9A1enkd+XeAR d/vx9xhh7gx/PUzW3AZvEg7hQtwOcnX6zTCvwpmrw6PIwLvgy+0V18K1jkqZZoG8vFb2Y/9 19+Hzis72KEKnjjE1kOwQ== X-UI-Out-Filterresults: notjunk:1;V03:K0:I9CNJJ+wj30=:KqHVNapS1rJLDa1kxXDavd qF29u2Xr/nePGTypTuBeSKmKbdmpItzAfoDjRg1MY3AOkvqMmJC5ABO76hzIgkY5me12kzfpu FLs1ZW9hxQkkUQS8RGiCO9hWiMi4oUOXXCHLHYa0rafM1ZL3MDNbrd8mWAHujO4H5pPCs0GSR o919Pad/3vQ183ZOvswRoMQruyyEMOgRxZe1ETNR3S1wBAmcBOrFDrxVVREqzXz0vGBSc4nfR oLWR42KmWAKJezWDY558WQOxMJHIi0HXDxvWkyqdPB+vnu8rf8PHQ1IMExeOzfiLJwME392qY 6+k4PXF7xyyFLXGqbPV34aldfeFU1lPepDGg4WDMqelgr9OEYhUY0xLJ7PXdhGRtqZk/oMtRo BJqz3CQkuMGmj9xT3kc2uC97fRcyFClVbrLXZt9s5zKOo7lMdSqG43K/Y1FxH2yhYgFszcp8b d/CHOLeM5n5M9o9dB/laxqdRePqOU2vmsPN2L293FFDeEbPLu3goi9b4qiMLRdZ/NsEDNnNeV iw9pOBaniH7CI5txoUeYdrsfdWRR4/fDXXfubyGOd81yGEmUhkcyzLjv9HqhEVWSFhn0sc+lS WZl9yQKQt3aCJn7jkBa/bQk9/sjKJO1MURdSG/pZKO6MPrmZ89903guMwX0SV4jvgQSF1KkSM Hf2IHBz0uEa1ZI5PLWkcJbcnAlM6qmsLKuS7a/wRI8NgVhCNxiq57CoPlHWZdrUZxr0FdB9LW GHLuLtiFDY64HnaNDyJukD0WdT+SDtfO7ibzKWyrM+h+tu+2NFatR5NiOk5Wtf1+EJsRteDbo AMOl90WG3KtAe5ZSm5sSH2HpSnZIjgsSOu5CdZP+L3tahKRpjr62uB439DaehBsGPhn71IFFg 0BrVSk+GY1CMz5oHFq6IPQS55y+VJhZ3RxzCs+itKHy67PDcOEMQHShKFDz+2Q/JR1DJCLAzd zz38owqW0x4gLaYVOBgzzDRZweZqo666bYtOsOAhAopL4vHyQRBCzAYZWzpaC9WYGAzD6GpjF UuY9FgCEifFNfMoEQpByBnw0t6P1Vx1YfPazmFY749W8hhRmnDiH3JI6LkvKpTi0vevKuAjGE OUGYWvbCRimLa7E7506ON7I+rAdIm0KQyNjnVFNHWw/vf0RuHw8Bmbl7bDUwmzm+HtgvB0Ci4 mTEA9xw0r7A/TW8jCyZWrOLUH+3tis6++cS3EesLuLf43TVipoYMlcLrSCif2OwTqwlmo= X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean When overwriting an existing time base authenticated variable we should compare to the preceding time value and not to the start of the epoch. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_variable.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index c262cb5972..974b710fec 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -35,7 +35,8 @@ static u8 efi_vendor_keys; static efi_status_t efi_get_variable_common(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, - efi_uintn_t *data_size, void *data); + efi_uintn_t *data_size, void *data, + u64 *timep); static efi_status_t efi_set_variable_common(u16 *variable_name, const efi_guid_t *vendor, @@ -308,7 +309,7 @@ static efi_status_t efi_init_secure_state(void) size = 0; ret = efi_get_variable_common(L"PK", &efi_global_variable_guid, - NULL, &size, NULL); + NULL, &size, NULL, NULL); if (ret == EFI_BUFFER_TOO_SMALL) { if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) mode = EFI_MODE_USER; @@ -596,7 +597,8 @@ static efi_status_t efi_variable_authenticate(u16 *variable, static efi_status_t efi_get_variable_common(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, - efi_uintn_t *data_size, void *data) + efi_uintn_t *data_size, void *data, + u64 *timep) { char *native_name; efi_status_t ret; @@ -621,6 +623,9 @@ static efi_status_t efi_get_variable_common(u16 *variable_name, val = parse_attr(val, &attr, &time); + if (timep) + *timep = time; + in_size = *data_size; if ((s = prefix(val, "(blob)"))) { @@ -704,7 +709,7 @@ efi_status_t EFIAPI efi_get_variable(u16 *variable_name, data_size, data); ret = efi_get_variable_common(variable_name, vendor, attributes, - data_size, data); + data_size, data, NULL); return EFI_EXIT(ret); } @@ -900,7 +905,7 @@ static efi_status_t efi_set_variable_common(u16 *variable_name, old_size = 0; attr = 0; ret = efi_get_variable_common(variable_name, vendor, &attr, - &old_size, NULL); + &old_size, NULL, &time); append = !!(attributes & EFI_VARIABLE_APPEND_WRITE); attributes &= ~(u32)EFI_VARIABLE_APPEND_WRITE; delete = !append && (!data_size || !attributes); @@ -991,7 +996,7 @@ static efi_status_t efi_set_variable_common(u16 *variable_name, goto err; } ret = efi_get_variable_common(variable_name, vendor, - &attr, &old_size, old_data); + &attr, &old_size, old_data, NULL); if (ret != EFI_SUCCESS) goto err; } else {