From patchwork Tue Oct 4 14:35:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 1685989 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=MzZVL0oj; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MhgH317vQz1ypH for ; Wed, 5 Oct 2022 01:35:42 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 51C3984D5C; Tue, 4 Oct 2022 16:35:32 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="MzZVL0oj"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id B479284D5C; Tue, 4 Oct 2022 16:35:29 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B174084D3D for ; Tue, 4 Oct 2022 16:35:26 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pl1-x62d.google.com with SMTP id f23so12831355plr.6 for ; Tue, 04 Oct 2022 07:35:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date; bh=dysblzSqAwPzdIh4hR4QLLUToYZULRuJDPwRm1zxtXQ=; b=MzZVL0ojkVqAFZewxhxGNXL3Zlnoa0zhY46CtVcsq8kU+mnP666kalLa1HO2Wr5Gf/ ITysl9wwwL2FaMoWAoXW7ov9DAgcuUzADVk5Kp9dg0f068JAnYopuN45itGo1NTbepXq BG9KiGOTnT+iqZHE5JkbIPpYzuhlBj5rkYH+yTFF+XzQ2wslfl9IwCDUG1qxum+/LK66 gAZUP8IkLH0M3K2H3Ad6okLqOBBpvzf24fvdn3rCcDSa29FNmOcZfpTbWX3L7+58Jkjz t6710vJbYqw30Piov4ok0ofBeijuOyKLxNytBeQHb+1PZd+h4n/HzVyvjLvIiVBxlhKB OTNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date; bh=dysblzSqAwPzdIh4hR4QLLUToYZULRuJDPwRm1zxtXQ=; b=AObLOW19l3B+F8prZOGQcPhDd0Ja3KslZMK41DYDhpR0LzoQbW9JLQEEL33vfkdPst uk9z9AY619mOlgkRPEyI3qQndzMa4eFYc09t0ePbhC9vxR6LJZEQTNpA96ushVSbzrJO QRgVoZ6X+7Uhgoxgpxc7lxZGmbde7SOv/x7y/nRAAn54T3Kp/G14WuOW743HW1YE1og9 HBMCpqbQPCDMsGXJO9a75qURqI0/q49hy1soJUeeq6TgViy41BKgcCAoc/MAHKm/avt3 3ew1tde020Q1JzBGq81JcbcMySDqdW5DvNz/cO97XBKB19du7aCsNfjXN9jsocEvXF6v dmhg== X-Gm-Message-State: ACrzQf3RrSmD0psGmwm3u3Fg+pquXOF4LK6nyi8cLYd/y+Y+D/l5fKQ2 /kN4qjTccnKDYlFpKYuagTCXiSQzXzazxw== X-Google-Smtp-Source: AMsMyM6QyCQQYdSRztCyRi5AfNajPf7OYzn32VxJDsd/CRIRTRZzh+CLah0QX6sj37qJO+DrOwlN/Q== X-Received: by 2002:a17:90b:4c03:b0:20a:919d:44a3 with SMTP id na3-20020a17090b4c0300b0020a919d44a3mr82289pjb.146.1664894124652; Tue, 04 Oct 2022 07:35:24 -0700 (PDT) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u6-20020a170902e80600b001783a917b9asm9044119plg.127.2022.10.04.07.35.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Oct 2022 07:35:24 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Takahiro Akashi , Masahisa Kojima Subject: [PATCH v2 1/6] eficonfig: refactor eficonfig_select_file_handler() Date: Tue, 4 Oct 2022 23:35:37 +0900 Message-Id: <20221004143543.30000-2-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221004143543.30000-1-masahisa.kojima@linaro.org> References: <20221004143543.30000-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean eficonfig_select_file_handler() is commonly used to select the file. eficonfig_display_select_file_option() intends to add the additional menu mainly to clear the selected file information. eficonfig_display_select_file_option() is not necessary for the file selection process, so it should be outside of eficonfig_select_file_handler(). Signed-off-by: Masahisa Kojima --- newly created in v2 cmd/eficonfig.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/cmd/eficonfig.c b/cmd/eficonfig.c index 2595dd9563..f6a99bd01a 100644 --- a/cmd/eficonfig.c +++ b/cmd/eficonfig.c @@ -968,7 +968,7 @@ efi_status_t eficonfig_process_clear_file_selection(void *data) } static struct eficonfig_item select_file_menu_items[] = { - {"Select File", eficonfig_process_select_file}, + {"Select File", eficonfig_select_file_handler}, {"Clear", eficonfig_process_clear_file_selection}, {"Quit", eficonfig_process_quit}, }; @@ -980,12 +980,13 @@ static struct eficonfig_item select_file_menu_items[] = { * @file_info: pointer to the file information structure * Return: status code */ -efi_status_t eficonfig_display_select_file_option(struct eficonfig_select_file_info *file_info) +efi_status_t eficonfig_display_select_file_option(void *data) { efi_status_t ret; struct efimenu *efi_menu; - select_file_menu_items[1].data = file_info; + select_file_menu_items[0].data = data; + select_file_menu_items[1].data = data; efi_menu = eficonfig_create_fixed_menu(select_file_menu_items, ARRAY_SIZE(select_file_menu_items)); if (!efi_menu) @@ -1016,10 +1017,6 @@ efi_status_t eficonfig_select_file_handler(void *data) struct eficonfig_select_file_info *tmp = NULL; struct eficonfig_select_file_info *file_info = data; - ret = eficonfig_display_select_file_option(file_info); - if (ret != EFI_SUCCESS) - return ret; - tmp = calloc(1, sizeof(struct eficonfig_select_file_info)); if (!tmp) return EFI_OUT_OF_RESOURCES; @@ -1284,7 +1281,7 @@ static efi_status_t prepare_file_selection_entry(struct efimenu *efi_menu, char utf8_utf16_strcpy(&p, devname); u16_strlcat(file_name, file_info->current_path, len); ret = create_boot_option_entry(efi_menu, title, file_name, - eficonfig_select_file_handler, file_info); + eficonfig_display_select_file_option, file_info); out: free(devname); free(file_name); From patchwork Tue Oct 4 14:35:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 1685990 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=vfli1UAY; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MhgHK1SbKz1ypH for ; Wed, 5 Oct 2022 01:35:57 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 99C3084DFD; Tue, 4 Oct 2022 16:35:37 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="vfli1UAY"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 3685D84DAF; Tue, 4 Oct 2022 16:35:34 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 148EB84C2D for ; Tue, 4 Oct 2022 16:35:30 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x531.google.com with SMTP id r185so4115278pgr.12 for ; Tue, 04 Oct 2022 07:35:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date; bh=UGVZSQUZBN+SbeNcrd98tAXAovEH5vUFCoA1wVQ+Tzg=; b=vfli1UAY3e6ArkS6CSGz/b3SOkC2pWEYDcbfzPnLzBJQVPaghq16SlxHpEE9jKR2dY FrOatpG4OVIt7Q0Ov/RW7ttWB4UWieKu5N5ZzR01rJE4wLYuIuiKBfRNouk+h3ZwUsAz Md999lFqaOgLs6HNtZT7+NhdKruHdv0iJesF+wCe26g24h/HCoF1CIEhMkG3QHVbml1B FYUY4R54zywoGH8tJFn0vN0V3DgD3Bx8dsEBryM/t+YGFeJs7k8mBODXVcEdsy2+QL3m BMtVCHsMKkWT1bpXtN6U0jj+pquzEzuXL31Fya8jKPiQs5gC7vJPOeDI6Rri0346dngV N4+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date; bh=UGVZSQUZBN+SbeNcrd98tAXAovEH5vUFCoA1wVQ+Tzg=; b=wCIMcYADo6Az8nnRRMcTS2Bl9eJN384G3feG02TtXh5+foORiRbPHspkcBAHJ8XSXd v0RFYJ2o9w2ib7Ndyrs9QhlVpm+QZwAfTmL1F/OBeL1QLLLovt/6v8zUes2wibRAVhTG FKMni4UdSV+fxIdfy8Pu0dXPIl791J+sxJWoHqQWyrL7JLFqWEH9z/304StH+t8vWu2Q z19E9W2H69XFM+7hG1aoz8NK6WLBh4jBFBTQVTV6LsFypRKkCdGWoJS9a0ugDeMFAT2m +euNMAEm0v1gs25MnlIGQraGbNm6rukBPeZcb1umfW7FqLXs72C2rnLEAvxTJvENpQGv yv+g== X-Gm-Message-State: ACrzQf1HTf7jJkSKUnj4UF4GmzOcDFRJxSMVpq11DRSCba/OY58xsHvH hRsoiqo9G55AM4XO9ledAFiCQvOl34jr6w== X-Google-Smtp-Source: AMsMyM42ZgxjsUMBxT7hCyltzf7fYXMlRpia5AVLv13LI7jKtOxyQSe5NhCtc8tZPJHnA4nYmJ2vLQ== X-Received: by 2002:a05:6a00:1748:b0:55a:ddbe:85d7 with SMTP id j8-20020a056a00174800b0055addbe85d7mr28544314pfc.68.1664894127907; Tue, 04 Oct 2022 07:35:27 -0700 (PDT) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u6-20020a170902e80600b001783a917b9asm9044119plg.127.2022.10.04.07.35.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Oct 2022 07:35:27 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Takahiro Akashi , Masahisa Kojima Subject: [PATCH v2 2/6] eficonfig: expose append entry function Date: Tue, 4 Oct 2022 23:35:38 +0900 Message-Id: <20221004143543.30000-3-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221004143543.30000-1-masahisa.kojima@linaro.org> References: <20221004143543.30000-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean This commit exposes the eficonfig menu entry append function. Signed-off-by: Masahisa Kojima --- newly created in v2 cmd/eficonfig.c | 32 +++++++++++++++++--------------- include/efi_config.h | 5 +++++ 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/cmd/eficonfig.c b/cmd/eficonfig.c index f6a99bd01a..0cb0770ac3 100644 --- a/cmd/eficonfig.c +++ b/cmd/eficonfig.c @@ -263,7 +263,7 @@ efi_status_t eficonfig_process_quit(void *data) } /** - * append_entry() - append menu item + * eficonfig_append_menu_entry() - append menu item * * @efi_menu: pointer to the efimenu structure * @title: pointer to the entry title @@ -271,8 +271,9 @@ efi_status_t eficonfig_process_quit(void *data) * @data: pointer to the data to be passed to each entry callback * Return: status code */ -static efi_status_t append_entry(struct efimenu *efi_menu, - char *title, eficonfig_entry_func func, void *data) +efi_status_t eficonfig_append_menu_entry(struct efimenu *efi_menu, + char *title, eficonfig_entry_func func, + void *data) { struct eficonfig_entry *entry; @@ -295,12 +296,12 @@ static efi_status_t append_entry(struct efimenu *efi_menu, } /** - * append_quit_entry() - append quit entry + * eficonfig_append_quit_entry() - append quit entry * * @efi_menu: pointer to the efimenu structure * Return: status code */ -static efi_status_t append_quit_entry(struct efimenu *efi_menu) +efi_status_t eficonfig_append_quit_entry(struct efimenu *efi_menu) { char *title; efi_status_t ret; @@ -309,7 +310,7 @@ static efi_status_t append_quit_entry(struct efimenu *efi_menu) if (!title) return EFI_OUT_OF_RESOURCES; - ret = append_entry(efi_menu, title, eficonfig_process_quit, NULL); + ret = eficonfig_append_menu_entry(efi_menu, title, eficonfig_process_quit, NULL); if (ret != EFI_SUCCESS) free(title); @@ -341,7 +342,7 @@ void *eficonfig_create_fixed_menu(const struct eficonfig_item *items, int count) if (!title) goto out; - ret = append_entry(efi_menu, title, iter->func, iter->data); + ret = eficonfig_append_menu_entry(efi_menu, title, iter->func, iter->data); if (ret != EFI_SUCCESS) { free(title); goto out; @@ -634,14 +635,15 @@ static efi_status_t eficonfig_select_volume(struct eficonfig_select_file_info *f info->v = v; info->dp = device_path; info->file_info = file_info; - ret = append_entry(efi_menu, devname, eficonfig_volume_selected, info); + ret = eficonfig_append_menu_entry(efi_menu, devname, eficonfig_volume_selected, + info); if (ret != EFI_SUCCESS) { free(info); goto out; } } - ret = append_quit_entry(efi_menu); + ret = eficonfig_append_quit_entry(efi_menu); if (ret != EFI_SUCCESS) goto out; @@ -745,8 +747,8 @@ eficonfig_create_file_entry(struct efimenu *efi_menu, u32 count, (int (*)(const void *, const void *))sort_file); for (i = 0; i < entry_num; i++) { - ret = append_entry(efi_menu, tmp_infos[i]->file_name, - eficonfig_file_selected, tmp_infos[i]); + ret = eficonfig_append_menu_entry(efi_menu, tmp_infos[i]->file_name, + eficonfig_file_selected, tmp_infos[i]); if (ret != EFI_SUCCESS) goto out; } @@ -815,7 +817,7 @@ static efi_status_t eficonfig_select_file(struct eficonfig_select_file_info *fil if (ret != EFI_SUCCESS) goto err; - ret = append_quit_entry(efi_menu); + ret = eficonfig_append_quit_entry(efi_menu); if (ret != EFI_SUCCESS) goto err; @@ -1218,7 +1220,7 @@ static efi_status_t create_boot_option_entry(struct efimenu *efi_menu, char *tit utf16_utf8_strcpy(&p, val); } - return append_entry(efi_menu, buf, func, data); + return eficonfig_append_menu_entry(efi_menu, buf, func, data); } /** @@ -1677,7 +1679,7 @@ static efi_status_t eficonfig_add_boot_selection_entry(struct efimenu *efi_menu, utf16_utf8_strcpy(&p, lo.label); info->boot_index = boot_index; info->selected = selected; - ret = append_entry(efi_menu, buf, eficonfig_process_boot_selected, info); + ret = eficonfig_append_menu_entry(efi_menu, buf, eficonfig_process_boot_selected, info); if (ret != EFI_SUCCESS) { free(load_option); free(info); @@ -1736,7 +1738,7 @@ static efi_status_t eficonfig_show_boot_selection(unsigned int *selected) break; } - ret = append_quit_entry(efi_menu); + ret = eficonfig_append_quit_entry(efi_menu); if (ret != EFI_SUCCESS) goto out; diff --git a/include/efi_config.h b/include/efi_config.h index 098cac2115..86bc801211 100644 --- a/include/efi_config.h +++ b/include/efi_config.h @@ -95,4 +95,9 @@ efi_status_t eficonfig_get_unused_bootoption(u16 *buf, efi_status_t eficonfig_append_bootorder(u16 index); efi_status_t eficonfig_generate_media_device_boot_option(void); +efi_status_t eficonfig_append_menu_entry(struct efimenu *efi_menu, + char *title, eficonfig_entry_func func, + void *data); +efi_status_t eficonfig_append_quit_entry(struct efimenu *efi_menu); + #endif From patchwork Tue Oct 4 14:35:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 1685993 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=iCT9MOoh; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MhgHy5L38z1ypH for ; Wed, 5 Oct 2022 01:36:30 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 4B71384E0C; Tue, 4 Oct 2022 16:35:53 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="iCT9MOoh"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 6673A84DCD; Tue, 4 Oct 2022 16:35:46 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 8B82284DD9 for ; Tue, 4 Oct 2022 16:35:35 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pf1-x430.google.com with SMTP id w191so3859511pfc.5 for ; Tue, 04 Oct 2022 07:35:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date; bh=0CD/YTgC3zgk38qq6YEVXxxcEceVpiUn/bzUsOXTuNc=; b=iCT9MOohhfsq6eeLzSQsJwbppZXIzwkZJuRbAdSAIcjn2Pn1gQBK+ZNrRMFWozW/vg AESEYbHymzSVduqL+4m9VSisspkJG10AkfwgEJnQkZcXPaDSmK44K7F8LHVxfK0znzqs CxMJMghRUKOW0pK4qrLSD94ykcntpTxJJ9yNWgNeZB17MIbExBafS9n0hSrrhwK9cv7s cWW4ajiaFEEzgwzPGXIoRTh8kiOyF+w8Xhge+VibfHBrBKRX1J2JH+Bx4zdIdxJWpxm7 qa2JQsMWe6b8wa2y2j8tQdYiEV+z3fr/sEMOtUz9zG3veTdXJh5JUFmhauxFg81J6RIs eOIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date; bh=0CD/YTgC3zgk38qq6YEVXxxcEceVpiUn/bzUsOXTuNc=; b=O14fMM9uLMk7audOC+dUdgsaj4Xo77p1L4dAHWBDjZzkbu7sdZy97eSPug1XreKkXC T/jOP2EnBrVC9AUyhNajohbWg9X6AVXcnmvHQz+uUVYeYhfklSfahWFjj2yfZLrS/ukW ZMY9lqEJtTmwCULOHQkc6VE7HMfcoP/5XLzBUQlJKf6OnCFpn3Z3YGyatP+3ZtB3BqEz /GkxSaX98ymecqbhlOwYdF8jJ1gzPCMp5JkhPXo2t0b+het2teyRGCDm/331WCFQUBGN +nA8s19RJHV6LN1d9kfBZFLpPS7a9BA3PfWi0DJOrKNLMFGeZwYngstW3yW7bDYVqMoa qCkA== X-Gm-Message-State: ACrzQf1B7XmBlWtedHHRfcp63DpryVD6fmoAUMkFs0LyUJ7IO6Pdo6JN m3G6BQsXf7jFKff/jUE99OcZXaopCpApwQ== X-Google-Smtp-Source: AMsMyM5tp/P+z0jnCfSSTa4I9NMzR5ESEzso/SPGXTsZAev6+1uXFimuN1WEurJ5hWospYZNI6/rig== X-Received: by 2002:a05:6a00:298a:b0:55f:e8ca:f257 with SMTP id cj10-20020a056a00298a00b0055fe8caf257mr15832573pfb.75.1664894133293; Tue, 04 Oct 2022 07:35:33 -0700 (PDT) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u6-20020a170902e80600b001783a917b9asm9044119plg.127.2022.10.04.07.35.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Oct 2022 07:35:32 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Takahiro Akashi , Masahisa Kojima , Simon Glass , Ashok Reddy Soma , Stefan Roese , Michal Simek , Samuel Dionne-Riel , Ovidiu Panait , Chris Morgan , Huang Jianan Subject: [PATCH v2 3/6] eficonfig: add UEFI Secure Boot Key enrollment interface Date: Tue, 4 Oct 2022 23:35:39 +0900 Message-Id: <20221004143543.30000-4-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221004143543.30000-1-masahisa.kojima@linaro.org> References: <20221004143543.30000-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean This commit adds the menu-driven UEFI Secure Boot Key enrollment interface. User can enroll the PK, KEK, db and dbx by selecting EFI Signature Lists file. After the PK is enrolled, UEFI Secure Boot is enabled and EFI Signature Lists file must be signed by KEK or PK. Signed-off-by: Masahisa Kojima --- Changes in v2: - allow to enroll .esl file - fix typos - add function comments cmd/Makefile | 3 + cmd/eficonfig.c | 3 + cmd/eficonfig_sbkey.c | 349 ++++++++++++++++++++++++++++++++++++++++++ include/efi_config.h | 5 + 4 files changed, 360 insertions(+) create mode 100644 cmd/eficonfig_sbkey.c diff --git a/cmd/Makefile b/cmd/Makefile index cf6ce1bd6f..9eac6496dd 100644 --- a/cmd/Makefile +++ b/cmd/Makefile @@ -65,6 +65,9 @@ obj-$(CONFIG_CMD_EEPROM) += eeprom.o obj-$(CONFIG_EFI) += efi.o obj-$(CONFIG_CMD_EFIDEBUG) += efidebug.o obj-$(CONFIG_CMD_EFICONFIG) += eficonfig.o +ifdef CONFIG_CMD_EFICONFIG +obj-$(CONFIG_EFI_SECURE_BOOT) += eficonfig_sbkey.o +endif obj-$(CONFIG_CMD_ELF) += elf.o obj-$(CONFIG_CMD_EROFS) += erofs.o obj-$(CONFIG_HUSH_PARSER) += exit.o diff --git a/cmd/eficonfig.c b/cmd/eficonfig.c index 0cb0770ac3..a72f07e671 100644 --- a/cmd/eficonfig.c +++ b/cmd/eficonfig.c @@ -2442,6 +2442,9 @@ static const struct eficonfig_item maintenance_menu_items[] = { {"Edit Boot Option", eficonfig_process_edit_boot_option}, {"Change Boot Order", eficonfig_process_change_boot_order}, {"Delete Boot Option", eficonfig_process_delete_boot_option}, +#if (CONFIG_IS_ENABLED(EFI_SECURE_BOOT)) + {"Secure Boot Configuration", eficonfig_process_secure_boot_config}, +#endif {"Quit", eficonfig_process_quit}, }; diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c new file mode 100644 index 0000000000..e7f0545446 --- /dev/null +++ b/cmd/eficonfig_sbkey.c @@ -0,0 +1,349 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Menu-driven UEFI Secure Boot Key Maintenance + * + * Copyright (c) 2022 Masahisa Kojima, Linaro Limited + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +enum efi_sbkey_signature_type { + SIG_TYPE_X509 = 0, + SIG_TYPE_HASH, + SIG_TYPE_CRL, + SIG_TYPE_RSA2048, +}; + +struct eficonfig_sigtype_to_str { + efi_guid_t sig_type; + char *str; + enum efi_sbkey_signature_type type; +}; + +static const struct eficonfig_sigtype_to_str sigtype_to_str[] = { + {EFI_CERT_X509_GUID, "X509", SIG_TYPE_X509}, + {EFI_CERT_SHA256_GUID, "SHA256", SIG_TYPE_HASH}, + {EFI_CERT_X509_SHA256_GUID, "X509_SHA256 CRL", SIG_TYPE_CRL}, + {EFI_CERT_X509_SHA384_GUID, "X509_SHA384 CRL", SIG_TYPE_CRL}, + {EFI_CERT_X509_SHA512_GUID, "X509_SHA512 CRL", SIG_TYPE_CRL}, + /* U-Boot does not support the following signature types */ +/* {EFI_CERT_RSA2048_GUID, "RSA2048", SIG_TYPE_RSA2048}, */ +/* {EFI_CERT_RSA2048_SHA256_GUID, "RSA2048_SHA256", SIG_TYPE_RSA2048}, */ +/* {EFI_CERT_SHA1_GUID, "SHA1", SIG_TYPE_HASH}, */ +/* {EFI_CERT_RSA2048_SHA_GUID, "RSA2048_SHA", SIG_TYPE_RSA2048 }, */ +/* {EFI_CERT_SHA224_GUID, "SHA224", SIG_TYPE_HASH}, */ +/* {EFI_CERT_SHA384_GUID, "SHA384", SIG_TYPE_HASH}, */ +/* {EFI_CERT_SHA512_GUID, "SHA512", SIG_TYPE_HASH}, */ +}; + +/** + * is_secureboot_enabled() - check UEFI Secure Boot is enabled + * + * Return: true when UEFI Secure Boot is enabled, false otherwise + */ +static bool is_secureboot_enabled(void) +{ + efi_status_t ret; + u8 secure_boot; + efi_uintn_t size; + + size = sizeof(secure_boot); + ret = efi_get_variable_int(u"SecureBoot", &efi_global_variable_guid, + NULL, &size, &secure_boot, NULL); + + return secure_boot == 1; +} + +/** + * create_time_based_payload() - create payload for time based authenticate variable + * + * @db: pointer to the original signature database + * @new_db: pointer to the authenticated variable payload + * @size: pointer to payload size + * Return: status code + */ +static efi_status_t create_time_based_payload(void *db, void **new_db, efi_uintn_t *size) +{ + efi_status_t ret; + struct efi_time time; + efi_uintn_t total_size; + struct efi_variable_authentication_2 *auth; + + *new_db = NULL; + + /* + * SetVariable() call with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS + * attribute requires EFI_VARIABLE_AUTHENTICATED_2 descriptor, prepare it + * without certificate data in it. + */ + total_size = sizeof(struct efi_variable_authentication_2) + *size; + + auth = calloc(1, total_size); + if (!auth) + return EFI_OUT_OF_RESOURCES; + + ret = EFI_CALL((*efi_runtime_services.get_time)(&time, NULL)); + if (ret != EFI_SUCCESS) { + free(auth); + return EFI_OUT_OF_RESOURCES; + } + time.pad1 = 0; + time.nanosecond = 0; + time.timezone = 0; + time.daylight = 0; + time.pad2 = 0; + memcpy(&auth->time_stamp, &time, sizeof(time)); + auth->auth_info.hdr.dwLength = sizeof(struct win_certificate_uefi_guid); + auth->auth_info.hdr.wRevision = 0x0200; + auth->auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + guidcpy(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7); + if (db) + memcpy((u8 *)auth + sizeof(struct efi_variable_authentication_2), db, *size); + + *new_db = auth; + *size = total_size; + + return EFI_SUCCESS; +} + +/** + * file_have_auth_header() - check file has EFI_VARIABLE_AUTHENTICATION_2 header + * @buf: pointer to file + * @size: file size + * Return: true if file has auth header, false otherwise + */ +static bool file_have_auth_header(void *buf, efi_uintn_t size) +{ + struct efi_variable_authentication_2 *auth = buf; + + if (auth->auth_info.hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) + return false; + + if (guidcmp(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7)) + return false; + + return true; +} + +/** + * file_is_efi_signature_list() - check the file is efi signature list + * @buf: pointer to file + * Return: true if file is efi signature list, false otherwise + */ +static bool file_is_efi_signature_list(void *buf) +{ + u32 i; + struct efi_signature_list *sig_list = buf; + + for (i = 0; i < ARRAY_SIZE(sigtype_to_str); i++) { + if (!guidcmp(&sig_list->signature_type, &sigtype_to_str[i].sig_type)) + return true; + } + + return false; +} + +/** + * eficonfig_process_enroll_key() - enroll key into signature database + * + * @data: pointer to the data for each entry + * Return: status code + */ +static efi_status_t eficonfig_process_enroll_key(void *data) +{ + u32 attr; + char *buf = NULL; + efi_uintn_t size; + efi_status_t ret; + void *new_db = NULL; + struct efi_file_handle *f; + struct efi_file_handle *root; + struct eficonfig_select_file_info file_info; + + file_info.current_path = calloc(1, EFICONFIG_FILE_PATH_BUF_SIZE); + if (!file_info.current_path) + goto out; + + ret = eficonfig_select_file_handler(&file_info); + if (ret != EFI_SUCCESS) + goto out; + + ret = efi_open_volume_int(file_info.current_volume, &root); + if (ret != EFI_SUCCESS) + goto out; + + ret = efi_file_open_int(root, &f, file_info.current_path, EFI_FILE_MODE_READ, 0); + if (ret != EFI_SUCCESS) + goto out; + + size = 0; + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, NULL)); + if (ret != EFI_BUFFER_TOO_SMALL) + goto out; + + buf = calloc(1, size); + if (!buf) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, buf)); + if (ret != EFI_SUCCESS) + goto out; + + size = ((struct efi_file_info *)buf)->file_size; + free(buf); + + buf = calloc(1, size); + if (!buf) + goto out; + + ret = efi_file_read_int(f, &size, buf); + if (ret != EFI_SUCCESS || size == 0) + goto out; + + /* We expect that file is EFI Signature Lists or signed EFI Signature Lists */ + if (!file_have_auth_header(buf, size)) { + if (!file_is_efi_signature_list(buf)) { + eficonfig_print_msg("ERROR! Invalid file format."); + ret = EFI_INVALID_PARAMETER; + goto out; + } + + ret = create_time_based_payload(buf, &new_db, &size); + if (ret != EFI_SUCCESS) { + eficonfig_print_msg("ERROR! Failed to create payload with timestamp."); + goto out; + } + + free(buf); + buf = new_db; + } + + attr = EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + /* PK can enroll only one certificate */ + if (u16_strcmp(data, u"PK")) { + efi_uintn_t db_size = 0; + + /* check the variable exists. If exists, add APPEND_WRITE attribute */ + ret = efi_get_variable_int(data, efi_auth_var_get_guid(data), NULL, + &db_size, NULL, NULL); + if (ret == EFI_BUFFER_TOO_SMALL) + attr |= EFI_VARIABLE_APPEND_WRITE; + } + + ret = efi_set_variable_int((u16 *)data, efi_auth_var_get_guid((u16 *)data), + attr, size, buf, false); + if (ret != EFI_SUCCESS) { + eficonfig_print_msg("ERROR! Failed to update signature database"); + goto out; + } + +out: + free(file_info.current_path); + free(buf); + + /* to stay the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} + +static struct eficonfig_item key_config_menu_items[] = { + {"Enroll New Key", eficonfig_process_enroll_key}, + {"Quit", eficonfig_process_quit}, +}; + +/** + * eficonfig_process_set_secure_boot_key() - display the key configuration menu + * + * @data: pointer to the data for each entry + * Return: status code + */ +static efi_status_t eficonfig_process_set_secure_boot_key(void *data) +{ + u32 i; + efi_status_t ret; + char header_str[32]; + struct efimenu *efi_menu; + + for (i = 0; i < ARRAY_SIZE(key_config_menu_items); i++) + key_config_menu_items[i].data = data; + + snprintf(header_str, sizeof(header_str), " ** Configure %ls **", (u16 *)data); + + while (1) { + efi_menu = eficonfig_create_fixed_menu(key_config_menu_items, + ARRAY_SIZE(key_config_menu_items)); + + ret = eficonfig_process_common(efi_menu, header_str); + eficonfig_destroy(efi_menu); + + if (ret == EFI_ABORTED) + break; + } + + /* to stay the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} + +static const struct eficonfig_item secure_boot_menu_items[] = { + {"PK", eficonfig_process_set_secure_boot_key, u"PK"}, + {"KEK", eficonfig_process_set_secure_boot_key, u"KEK"}, + {"db", eficonfig_process_set_secure_boot_key, u"db"}, + {"dbx", eficonfig_process_set_secure_boot_key, u"dbx"}, + {"Quit", eficonfig_process_quit}, +}; + +/** + * eficonfig_process_secure_boot_config() - display the key list menu + * + * @data: pointer to the data for each entry + * Return: status code + */ +efi_status_t eficonfig_process_secure_boot_config(void *data) +{ + efi_status_t ret; + struct efimenu *efi_menu; + + while (1) { + char header_str[64]; + + snprintf(header_str, sizeof(header_str), + " ** UEFI Secure Boot Key Configuration (SecureBoot : %s) **", + (is_secureboot_enabled() ? "ON" : "OFF")); + + efi_menu = eficonfig_create_fixed_menu(secure_boot_menu_items, + ARRAY_SIZE(secure_boot_menu_items)); + if (!efi_menu) { + ret = EFI_OUT_OF_RESOURCES; + break; + } + + ret = eficonfig_process_common(efi_menu, header_str); + eficonfig_destroy(efi_menu); + + if (ret == EFI_ABORTED) + break; + } + + /* to stay the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} diff --git a/include/efi_config.h b/include/efi_config.h index 86bc801211..6db8e123f0 100644 --- a/include/efi_config.h +++ b/include/efi_config.h @@ -99,5 +99,10 @@ efi_status_t eficonfig_append_menu_entry(struct efimenu *efi_menu, char *title, eficonfig_entry_func func, void *data); efi_status_t eficonfig_append_quit_entry(struct efimenu *efi_menu); +void *eficonfig_create_fixed_menu(const struct eficonfig_item *items, int count); + +#ifdef CONFIG_EFI_SECURE_BOOT +efi_status_t eficonfig_process_secure_boot_config(void *data); +#endif #endif From patchwork Tue Oct 4 14:35:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 1685991 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=vg3TKKGu; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MhgHS6bzRz1ypH for ; Wed, 5 Oct 2022 01:36:04 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 5709284DEA; Tue, 4 Oct 2022 16:35:49 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="vg3TKKGu"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id E1BCE84E0A; Tue, 4 Oct 2022 16:35:44 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 8DA1784E08 for ; Tue, 4 Oct 2022 16:35:38 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pf1-x429.google.com with SMTP id 83so6309055pfw.10 for ; Tue, 04 Oct 2022 07:35:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date; bh=IZbKgCUm5Ybo1JK23Eo943kpOO3b6d/7Qg0GCz9FmjM=; b=vg3TKKGuoYwb8ICqwq3gB0Idmz0vJMVfLewHsB4SNoM8tMw6yWNigqsjD1Jh9qywKi 1S93AsenSAE5Si15/b8OQKtbVNE4QKLBTD6BgyM0Wyvbh9UfGuMpvmmu9EbXa38iWbeQ V6MqWrEybbKIAHwNW2aglZJlFvJ6nqFtIuHMi1drjhszwt5jOi2DazIj5fC8Rn+Ny9Uw BxPgMMaX3mAtsrDbG24t2cKr5Aqcoh4fI9IzPB0hLFqoqH1IVXrl3JAmCxo5Gp4CW6/v Xzzbrt8TcwmtNFpXBbYmHZk3pYeqgtZ5L/sXF9IoyPbZtKQYb0jNEQT9aFg+t9hw7e7G k7SA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date; bh=IZbKgCUm5Ybo1JK23Eo943kpOO3b6d/7Qg0GCz9FmjM=; b=w72AmwL9t/3FEjutEd09t2h711WSKt2Lw33gAHFCjBi43KKBwrviiym8x7D1lZWWVu Ct7kQOnhWYy3JtlCWCMvAIR+U1EWUhnDDmQDv78afzUERK3Ejh9TSXH3XsOW7SG0Aj34 EDNua9MTXvhjZu1KMChRsrleFZD4P71k5I3EjoJmMzm3OULngJGcazBgFA2xsmZHYN0i MpZwXXNtE3I8q8lLljDsABGwnhg7W9eNNXyS7242gfjQOG65h0hJq5J8dHk/JOx7azjO P9hxiNdM9dLhckxeScZLPsyO6hIzBXXycJjg+4iON8dc0MNnoFyWNyCcheu0mJFe77bU kzag== X-Gm-Message-State: ACrzQf0xZDcpyiXDGuwOwDif2uluAwo5nOsQ7+u0c1ziiBdYalp+UCaS 7pRgZJYhEqyz7/56LW9XA2K5JxYr28TTVA== X-Google-Smtp-Source: AMsMyM5gLncdgcG8MXL0NV05vDUieyIPubQ7CwMRHDhh0e1hSqhDWOt0SYGOLEGtIxw/0kJqoMOvkQ== X-Received: by 2002:a05:6a00:24d4:b0:544:abd7:c944 with SMTP id d20-20020a056a0024d400b00544abd7c944mr28555210pfv.44.1664894136387; Tue, 04 Oct 2022 07:35:36 -0700 (PDT) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u6-20020a170902e80600b001783a917b9asm9044119plg.127.2022.10.04.07.35.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Oct 2022 07:35:35 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Takahiro Akashi , Masahisa Kojima Subject: [PATCH v2 4/6] eficonfig: add "Show/Delete Signature Database" menu entry Date: Tue, 4 Oct 2022 23:35:40 +0900 Message-Id: <20221004143543.30000-5-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221004143543.30000-1-masahisa.kojima@linaro.org> References: <20221004143543.30000-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean This commit adds the menu-driven interface to show and delete the signature database. EFI Signature Lists can contain the multiple signature entries, this menu can delete the indivisual entry. If the PK is enrolled and UEFI Secure Boot is in User Mode or Deployed Mode, user can not delete the existing signature lists since the signature lists must be signed by KEK or PK but signing information is not stored in the signature database. To delete PK, user needs to enroll the new key with an empty value and this new key must be signed with the old PK. Signed-off-by: Masahisa Kojima --- Changes in v2: - integrate show and delete signature database menu - add confirmation message before delete - add function comment cmd/eficonfig_sbkey.c | 394 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 394 insertions(+) diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c index e7f0545446..21f52d8578 100644 --- a/cmd/eficonfig_sbkey.c +++ b/cmd/eficonfig_sbkey.c @@ -17,6 +17,14 @@ #include #include +struct eficonfig_sig_data { + struct efi_signature_list *esl; + struct efi_signature_data *esd; + struct list_head list; + struct eficonfig_sig_data **selected; + u16 *varname; +}; + enum efi_sbkey_signature_type { SIG_TYPE_X509 = 0, SIG_TYPE_HASH, @@ -46,6 +54,32 @@ static const struct eficonfig_sigtype_to_str sigtype_to_str[] = { /* {EFI_CERT_SHA512_GUID, "SHA512", SIG_TYPE_HASH}, */ }; +/** + * eficonfig_console_wait_enter() - wait ENTER key press + * + * Return: 1 if ENTER key is pressed, 0 if user selects to quit + */ +static int eficonfig_console_wait_enter(void) +{ + int esc = 0; + enum bootmenu_key key = KEY_NONE; + + puts(ANSI_CURSOR_HIDE); + + while (1) { + bootmenu_loop(NULL, &key, &esc); + + switch (key) { + case KEY_SELECT: + return 1; + case KEY_QUIT: + return 0; + default: + break; + } + } +} + /** * is_secureboot_enabled() - check UEFI Secure Boot is enabled * @@ -262,8 +296,368 @@ out: return ret; } +/** + * delete_selected_signature_data() - delete the signature data from signature list + * + * @db: pointer to the signature database + * @db_size: pointer to the signature database size + * @target: pointer to the signature data to be deleted + * Return: status code + */ +static void delete_selected_signature_data(void *db, efi_uintn_t *db_size, + struct eficonfig_sig_data *target) +{ + u32 remain; + u8 *dest, *start, *end; + efi_uintn_t total_size, esd_size, size; + struct efi_signature_list *esl; + struct efi_signature_data *esd; + + esl = db; + total_size = *db_size; + size = *db_size; + end = (u8 *)db + *db_size; + while (total_size > 0) { + esd = (struct efi_signature_data *)((u8 *)esl + + sizeof(struct efi_signature_list) + esl->signature_header_size); + esd_size = esl->signature_list_size - sizeof(struct efi_signature_list) - + esl->signature_header_size; + for (; esd_size > 0; esd_size -= esl->signature_size) { + if (esl == target->esl && esd == target->esd) { + remain = esl->signature_list_size - + (sizeof(struct efi_signature_list) - + esl->signature_header_size) - + esl->signature_size; + if (remain > 0) { + /* only delete the single signature data */ + esl->signature_list_size -= esl->signature_size; + size -= esl->signature_size; + dest = (u8 *)esd; + start = (u8 *)esd + esl->signature_size; + } else { + /* delete entire signature list */ + dest = (u8 *)esl; + start = (u8 *)esl + esl->signature_list_size; + size -= esl->signature_list_size; + } + memmove(dest, start, (end - start)); + goto out; + } + esd = (struct efi_signature_data *)((u8 *)esd + esl->signature_size); + } + total_size -= esl->signature_list_size; + esl = (struct efi_signature_list *)((u8 *)esl + esl->signature_list_size); + } +out: + *db_size = size; +} + +/** + * display_sigdata_info() - display signature data information + * + * @sg: pointer to the internal signature data structure + * Return: status code + */ +static void display_sigdata_info(struct eficonfig_sig_data *sg) +{ + u32 i; + + puts(ANSI_CURSOR_HIDE); + puts(ANSI_CLEAR_CONSOLE); + printf(ANSI_CURSOR_POSITION, 1, 1); + + *sg->selected = sg; + printf("\n ** Show/Delete Signature Database (%ls) **\n\n" + " Owner GUID:\n" + " %pUL\n", + sg->varname, sg->esd->signature_owner.b); + + for (i = 0; i < ARRAY_SIZE(sigtype_to_str); i++) { + if (!guidcmp(&sg->esl->signature_type, &sigtype_to_str[i].sig_type)) { + printf(" Signature Type:\n" + " %s\n", sigtype_to_str[i].str); + + switch (sigtype_to_str[i].type) { + case SIG_TYPE_X509: + { + struct x509_certificate *cert_tmp; + + cert_tmp = x509_cert_parse(sg->esd->signature_data, + sg->esl->signature_size); + printf(" Subject:\n" + " %s\n" + " Issuer:\n" + " %s\n", + cert_tmp->subject, cert_tmp->issuer); + break; + } + case SIG_TYPE_CRL: + { + u32 hash_size = sg->esl->signature_size - sizeof(efi_guid_t) - + sizeof(struct efi_time); + struct efi_time *time = + (struct efi_time *)((u8 *)sg->esd->signature_data + + hash_size); + + printf(" ToBeSignedHash:\n"); + print_hex_dump(" ", DUMP_PREFIX_NONE, 16, 1, + sg->esd->signature_data, hash_size, false); + printf(" TimeOfRevocation:\n" + " %d-%d-%d %02d:%02d:%02d\n", + time->year, time->month, time->day, + time->hour, time->minute, time->second); + break; + } + case SIG_TYPE_HASH: + { + u32 hash_size = sg->esl->signature_size - sizeof(efi_guid_t); + + printf(" Hash:\n"); + print_hex_dump(" ", DUMP_PREFIX_NONE, 16, 1, + sg->esd->signature_data, hash_size, false); + break; + } + default: + eficonfig_print_msg("ERROR! Unsupported format."); + break; + } + } + } +} + +/** + * eficonfig_process_sigdata_delete() - delete signature data + * + * @data: pointer to the data for each entry + * Return: status code + */ +static efi_status_t eficonfig_process_sigdata_delete(void *data) +{ + int delete; + efi_status_t ret; + efi_uintn_t size; + u8 setup_mode = 0; + u8 audit_mode = 0; + + struct eficonfig_sig_data *sg = data; + + display_sigdata_info(sg); + + if (!u16_strcmp(sg->varname, u"PK")) { + while (tstc()) + getchar(); + + printf("\n\n Can not delete PK, Press any key to continue"); + getchar(); + return EFI_NOT_READY; + } + + printf("\n\n Press ENTER to delete, ESC/CTRL+C to quit"); + delete = eficonfig_console_wait_enter(); + if (!delete) + return EFI_NOT_READY; + + size = sizeof(setup_mode); + ret = efi_get_variable_int(u"SetupMode", &efi_global_variable_guid, + NULL, &size, &setup_mode, NULL); + size = sizeof(audit_mode); + ret = efi_get_variable_int(u"AuditMode", &efi_global_variable_guid, + NULL, &size, &audit_mode, NULL); + + if (!setup_mode && !audit_mode) { + eficonfig_print_msg("Not in the SetupMode or AuditMode, can not delete."); + return EFI_NOT_READY; + } + + return EFI_SUCCESS; +} + +/** + * prepare_signature_db_list() - create the signature data menu entry + * + * @efimenu: pointer to the efimenu structure + * @varname: pointer to the variable name + * @db: pointer to the variable raw data + * @db_size: variable data size + * @func: callback of each entry + * @selected: pointer to selected signature data + * Return: status code + */ +static efi_status_t prepare_signature_db_list(struct efimenu *efi_menu, void *varname, + void *db, efi_uintn_t db_size, + eficonfig_entry_func func, + struct eficonfig_sig_data **selected) +{ + u32 num = 0; + efi_uintn_t size; + struct eficonfig_sig_data *sg; + struct efi_signature_list *esl; + struct efi_signature_data *esd; + efi_status_t ret = EFI_SUCCESS; + + INIT_LIST_HEAD(&efi_menu->list); + + esl = db; + size = db_size; + while (size > 0) { + u32 remain; + + esd = (struct efi_signature_data *)((u8 *)esl + + (sizeof(struct efi_signature_list) + + esl->signature_header_size)); + remain = esl->signature_list_size - sizeof(struct efi_signature_list) - + esl->signature_header_size; + for (; remain > 0; remain -= esl->signature_size) { + char buf[40]; + char *title; + + if (num >= EFICONFIG_ENTRY_NUM_MAX - 1) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + + sg = calloc(1, sizeof(struct eficonfig_sig_data)); + if (!sg) { + ret = EFI_OUT_OF_RESOURCES; + goto err; + } + + snprintf(buf, sizeof(buf), "%pUL", &esd->signature_owner); + title = calloc(1, (strlen(buf) + 1)); + if (!title) { + free(sg); + ret = EFI_OUT_OF_RESOURCES; + goto err; + } + strlcpy(title, buf, strlen(buf) + 1); + + sg->esl = esl; + sg->esd = esd; + sg->selected = selected; + sg->varname = varname; + ret = eficonfig_append_menu_entry(efi_menu, title, func, sg); + if (ret != EFI_SUCCESS) { + free(sg); + free(title); + goto err; + } + esd = (struct efi_signature_data *)((u8 *)esd + esl->signature_size); + num++; + } + + size -= esl->signature_list_size; + esl = (struct efi_signature_list *)((u8 *)esl + esl->signature_list_size); + } +out: + ret = eficonfig_append_quit_entry(efi_menu); +err: + return ret; +} + +/** + * process_show_signature_db() - display the signature data list + * + * @data: pointer to the data for each entry + * Return: status code + */ +static efi_status_t process_show_signature_db(void *varname) +{ + char buf[50]; + efi_status_t ret; + efi_uintn_t db_size; + void *db, *new_db = NULL; + struct efimenu *efi_menu; + struct list_head *pos, *n; + struct eficonfig_entry *entry; + struct eficonfig_sig_data *selected; + + db = efi_get_var(varname, efi_auth_var_get_guid(varname), &db_size); + if (!db) { + eficonfig_print_msg("There is no entry in the signature database."); + return EFI_NOT_FOUND; + } + + efi_menu = calloc(1, sizeof(struct efimenu)); + if (!efi_menu) { + free(db); + return EFI_OUT_OF_RESOURCES; + } + + ret = prepare_signature_db_list(efi_menu, varname, db, db_size, + eficonfig_process_sigdata_delete, &selected); + if (ret != EFI_SUCCESS) + goto out; + + snprintf(buf, sizeof(buf), " ** Show/Delete Signature Database (%ls) **", + (u16 *)varname); + ret = eficonfig_process_common(efi_menu, buf); + if (ret == EFI_SUCCESS) { + u32 attr; + int delete; + + printf(ANSI_CURSOR_HIDE + "\n\n Are you sure you want to delete this item?\n\n" + " Press ENTER to delete, ESC/CTRL+C to quit"); + delete = eficonfig_console_wait_enter(); + if (!delete) + goto out; + + delete_selected_signature_data(db, &db_size, selected); + + ret = create_time_based_payload(db, &new_db, &db_size); + if (ret != EFI_SUCCESS) { + eficonfig_print_msg("ERROR! Failed to create payload with timestamp."); + goto out; + } + + attr = EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + ret = efi_set_variable_int((u16 *)varname, efi_auth_var_get_guid((u16 *)varname), + attr, db_size, new_db, false); + if (ret != EFI_SUCCESS) { + eficonfig_print_msg("ERROR! Failed to delete signature database"); + goto out; + } + } +out: + list_for_each_safe(pos, n, &efi_menu->list) { + entry = list_entry(pos, struct eficonfig_entry, list); + free(entry->data); + } + eficonfig_destroy(efi_menu); + free(new_db); + free(db); + + return ret; +} + +/** + * eficonfig_process_set_secure_boot_key() - display the key configuration menu + * + * @data: pointer to the data for each entry + * Return: status code + */ +static efi_status_t eficonfig_process_show_signature_db(void *data) +{ + efi_status_t ret; + + while (1) { + ret = process_show_signature_db(data); + if (ret != EFI_SUCCESS && ret != EFI_NOT_READY) + break; + } + + /* to stay the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} + static struct eficonfig_item key_config_menu_items[] = { {"Enroll New Key", eficonfig_process_enroll_key}, + {"Show/Delete Signature Database", eficonfig_process_show_signature_db}, {"Quit", eficonfig_process_quit}, }; From patchwork Tue Oct 4 14:35:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 1685992 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=MrAfDIem; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MhgHl0t6jz1ypH for ; Wed, 5 Oct 2022 01:36:19 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 4E17D84E08; Tue, 4 Oct 2022 16:35:51 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="MrAfDIem"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 78CB884E08; Tue, 4 Oct 2022 16:35:45 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B311184D3D for ; Tue, 4 Oct 2022 16:35:41 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pf1-x42e.google.com with SMTP id i6so13319977pfb.2 for ; Tue, 04 Oct 2022 07:35:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date; bh=fzUmK719xPG68TqfZ75SsQJTlX/yTGki8xwdjaqZRFY=; b=MrAfDIem8oeHTtPPx6sk/lIGhcwbqk0lGgpnRH6nq6A5kogixqRcNsGuaPY7SjsbIb cItUZEHAWUhOa/ufQR+Sw49CYPhvVltfX07cz/Kh5fAiQN+tb2nizroN1y7KnebfMlDD /SuWHKg1xtvlk2eP91AyAFAj6lDITLGSe3JG/waV9mNgG/TMFdf5y4tgJAdqPvIf+k3j YJW/Hu+GI9NjEfoANqKAt+wpDmf0ys6GKKQNrwa1Nm5IZh3o46mAjTRMBCaldhxhai2n XuSI7qDOeH4LtsJGgCnt9xvfpfc1iHmZ4PIa6DONvwAhmyDq0UhMaV2LcB7uDjgEcb5A lZSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date; bh=fzUmK719xPG68TqfZ75SsQJTlX/yTGki8xwdjaqZRFY=; b=6VyeJ06ZNl3xIdp0rgQ9ocQ7fcteJXYGfM1joLUkbb5s3n38hgOuidefUlVfrZhxab VfsmOTNH7smEb51i41uNQpmDFSWn+A0cwa/o0umGc2FzahpqaOpNdHGhI4KVIHrlvMlN wYJzTSeNDHfcMID9QsS4xddDUvqe0OeyBtiPvE8MNJLRLUk/mEifG2Nk6GfYou87hsU+ DLWexUBIBd3zTx34laMB8omDMgX22UfE4+go06Q2NFzAr+C4WTRto7FKUol7CEE8gJJJ 3vnKWy5ASjhdJ7R44HSoNEm8QkNFtJJKCiIKF3a38q8PZUQ/c4wdFhDCHrzqHk3n5cfL By7A== X-Gm-Message-State: ACrzQf1u1tgSQXKNSCe+cHa4qtadcJw3MFH05QIuudQQ8xYi5Z8MM5+w w8Grjpcc3NF9HUr2TV7rKV/OGaQviRTjBQ== X-Google-Smtp-Source: AMsMyM54fIwMNPzeSRfxmZBKeSB6IM0e0CZbjnbwOHRx3EBPQZfzwh+agkfmw7x3X4YNec2F6lc7iQ== X-Received: by 2002:a05:6a00:1141:b0:561:e46e:ffa8 with SMTP id b1-20020a056a00114100b00561e46effa8mr1677094pfm.41.1664894138901; Tue, 04 Oct 2022 07:35:38 -0700 (PDT) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u6-20020a170902e80600b001783a917b9asm9044119plg.127.2022.10.04.07.35.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Oct 2022 07:35:38 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Takahiro Akashi , Masahisa Kojima Subject: [PATCH v2 5/6] test/eficonfig: support secure boot key maintenance menu Date: Tue, 4 Oct 2022 23:35:41 +0900 Message-Id: <20221004143543.30000-6-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221004143543.30000-1-masahisa.kojima@linaro.org> References: <20221004143543.30000-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean eficonfig test is get aligned with the addition of secure boot key management menu. Signed-off-by: Masahisa Kojima --- newly created in v2 test/py/tests/test_eficonfig/test_eficonfig.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/py/tests/test_eficonfig/test_eficonfig.py b/test/py/tests/test_eficonfig/test_eficonfig.py index 99606d9c4b..f7cb031af2 100644 --- a/test/py/tests/test_eficonfig/test_eficonfig.py +++ b/test/py/tests/test_eficonfig/test_eficonfig.py @@ -8,6 +8,7 @@ import time @pytest.mark.boardspec('sandbox') @pytest.mark.buildconfigspec('cmd_eficonfig') @pytest.mark.buildconfigspec('cmd_bootefi_bootmgr') +@pytest.mark.buildconfigspec('efi_secure_boot') def test_efi_eficonfig(u_boot_console, efi_eficonfig_data): def send_user_input_and_wait(user_str, expect_str): @@ -47,7 +48,7 @@ def test_efi_eficonfig(u_boot_console, efi_eficonfig_data): def check_current_is_maintenance_menu(): for i in ('UEFI Maintenance Menu', 'Add Boot Option', 'Edit Boot Option', - 'Change Boot Order', 'Delete Boot Option', 'Quit'): + 'Change Boot Order', 'Delete Boot Option', 'Secure Boot Configuration', 'Quit'): u_boot_console.p.expect([i]) """ Unit test for "eficonfig" command @@ -349,6 +350,7 @@ def test_efi_eficonfig(u_boot_console, efi_eficonfig_data): press_up_down_enter_and_wait(0, 1, True, 'Quit') press_up_down_enter_and_wait(0, 0, True, 'No block device found!') press_escape_key(False) + press_escape_key(False) check_current_is_maintenance_menu() # Return to U-Boot console press_escape_key(True) From patchwork Tue Oct 4 14:35:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 1685994 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=x7xx+qfj; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MhgJC1QF4z1ypH for ; Wed, 5 Oct 2022 01:36:43 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 548DE84DCD; Tue, 4 Oct 2022 16:35:59 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="x7xx+qfj"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 6B15A84E16; Tue, 4 Oct 2022 16:35:56 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 536E784DE4 for ; Tue, 4 Oct 2022 16:35:44 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pf1-x432.google.com with SMTP id w2so13324471pfb.0 for ; Tue, 04 Oct 2022 07:35:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date; bh=PvMCjzL+2/SPTzLiKohrd0WRx4TKUvaMMRyrlNc5MMM=; b=x7xx+qfj8GZwzpdD1EkEaJQdDhwDJTLlZEqtflCXz2dHgrdUJmKBUUc5xYSMWA1Peg kmS7rIrYciH8iYHnAMwO7y6ro8HBPTXqPdpJYfaUEY+3hBMXCWepgLwgvOSa8BleAfEC 8KUPB0aJXzhj7RZynoApsZSi9f0tpj4Jt8XdMctVVWZhIu3ioSQX9gfip5b4Qcmcs+Bh MRTUPJpa1XaJvkiWM3xixQLuTrAEhFNl76yYs7hYlh+Q4S9g/2mZm/f2gcytX+2vjnQR p9yhojqcSkSaRKhC/lu/Wo5qylqLoaSesaWKZCHH3Il6tmiPWD4ZEmFXxmT1a6IGnwru KKoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date; bh=PvMCjzL+2/SPTzLiKohrd0WRx4TKUvaMMRyrlNc5MMM=; b=QboyoRfLC9rdJv4gA0gL7awAvrhgr7+QP6hVxcPuq9sHA83oyRbZ/V/aTQK15TCvJF QAOs0CaO3aPVLz1xEaGhpLpxjie6BmOylafto41ODmc9njm8xTl7Bu0tijoJVi1HbKR2 53oISzuxE4anImr7zO3p26u6XMNjp2QJGaSTjl277KGbAaPhIO9d1Gd5cjfCrDTPXEJx XWUcHqrepssn3cYjdHMdK/QXbk37uk5hahhXEhax/Eb5EtA4VJCeM+VxfXb5zXTYnE4M VVYNJg54o6MxrupiZM/6uRXreIY9YESZNUJazG0oLHotz8NgBWqQ+Pw/0l/x/oI+rd7G 1Krw== X-Gm-Message-State: ACrzQf2BkSTf0GV4dYWeByS6QO48wkaUUD5jHMWPEGpE/Xky1SdDgz/w axjhvSR/5PCdUkR3F3G44rjdPi1o3yRy9w== X-Google-Smtp-Source: AMsMyM4rk7ct3BWe065MysQHiDHgr5fpblJOVn6G/6psjBdeP2MSK9ZYJLoZgRuyJVo1rMm5TDsbtA== X-Received: by 2002:a63:5955:0:b0:438:8287:6a43 with SMTP id j21-20020a635955000000b0043882876a43mr15206909pgm.495.1664894141727; Tue, 04 Oct 2022 07:35:41 -0700 (PDT) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u6-20020a170902e80600b001783a917b9asm9044119plg.127.2022.10.04.07.35.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Oct 2022 07:35:41 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Takahiro Akashi , Masahisa Kojima Subject: [PATCH v2 6/6] test: add test for eficonfig secure boot key management Date: Tue, 4 Oct 2022 23:35:42 +0900 Message-Id: <20221004143543.30000-7-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221004143543.30000-1-masahisa.kojima@linaro.org> References: <20221004143543.30000-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean Provide a unit test for the eficonfig secure boot key management menu. Signed-off-by: Masahisa Kojima --- newly created in v2 test/py/tests/test_eficonfig/conftest.py | 84 +++- test/py/tests/test_eficonfig/defs.py | 14 + .../test_eficonfig/test_eficonfig_sbkey.py | 472 ++++++++++++++++++ 3 files changed, 568 insertions(+), 2 deletions(-) create mode 100644 test/py/tests/test_eficonfig/defs.py create mode 100644 test/py/tests/test_eficonfig/test_eficonfig_sbkey.py diff --git a/test/py/tests/test_eficonfig/conftest.py b/test/py/tests/test_eficonfig/conftest.py index f289df0362..6750d33989 100644 --- a/test/py/tests/test_eficonfig/conftest.py +++ b/test/py/tests/test_eficonfig/conftest.py @@ -2,11 +2,12 @@ """Fixture for UEFI eficonfig test """ - import os +import os.path import shutil -from subprocess import check_call +from subprocess import call, check_call, check_output, CalledProcessError import pytest +from defs import * @pytest.fixture(scope='session') def efi_eficonfig_data(u_boot_config): @@ -38,3 +39,82 @@ def efi_eficonfig_data(u_boot_config): shell=True) return image_path + +@pytest.fixture(scope='session') +def efi_boot_env(request, u_boot_config): + """Set up a file system to be used in UEFI secure boot test. + + Args: + request: Pytest request object. + u_boot_config: U-boot configuration. + + Return: + A path to disk image to be used for testing + """ + image_path = u_boot_config.persistent_data_dir + image_path = image_path + '/test_eficonfig_sb.img' + + try: + mnt_point = u_boot_config.build_dir + '/mnt_eficonfig_sb' + check_call('rm -rf {}'.format(mnt_point), shell=True) + check_call('mkdir -p {}'.format(mnt_point), shell=True) + + # suffix + # *.key: RSA private key in PEM + # *.crt: X509 certificate (self-signed) in PEM + # *.esl: signature list + # *.hash: message digest of image as signature list + # *.auth: signed signature list in signature database format + # *.efi: UEFI image + # *.efi.signed: signed UEFI image + + # Create signature database + # PK + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365' + % mnt_point, shell=True) + check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # PK_null for deletion + check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -t "2020-04-02" -c PK.crt -k PK.key PK PK_null.esl PK_null.auth' + % (mnt_point, EFITOOLS_PATH), shell=True) + # KEK + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365' + % mnt_point, shell=True) + check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -t "2020-04-03" -c PK.crt -k PK.key KEK KEK.esl KEK.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365' + % mnt_point, shell=True) + check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -t "2020-04-04" -c KEK.crt -k KEK.key db db.esl db.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + + # dbx_hash (digest of TEST_db certificate) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2013-05-27 01:02:03" -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + + # Copy image + check_call('cp %s/lib/efi_loader/helloworld.efi %s' % + (u_boot_config.build_dir, mnt_point), shell=True) + + # Sign image + check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' + % mnt_point, shell=True) + + check_call('cd %s; rm -f *.key' % mnt_point, shell=True) + check_call('cd %s; rm -f *.crt' % mnt_point, shell=True) + check_call('cd %s; rm -f *.hash' % mnt_point, shell=True) + check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat {} {}'.format( + mnt_point, image_path), shell=True) + check_call('rm -rf {}'.format(mnt_point), shell=True) + + except CalledProcessError as exception: + pytest.skip('Setup failed: %s' % exception.cmd) + return + else: + yield image_path + finally: + call('rm -f %s' % image_path, shell=True) diff --git a/test/py/tests/test_eficonfig/defs.py b/test/py/tests/test_eficonfig/defs.py new file mode 100644 index 0000000000..b7a2a11851 --- /dev/null +++ b/test/py/tests/test_eficonfig/defs.py @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: GPL-2.0+ + +# Owner guid +GUID = '11111111-2222-3333-4444-123456789abc' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/'. +EFITOOLS_PATH = '' + +# "--addcert" option of sbsign must be available, otherwise +# you need build a newer version on your own. +# The path must terminate with '/'. +SBSIGN_PATH = '' diff --git a/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py b/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py new file mode 100644 index 0000000000..727288964d --- /dev/null +++ b/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py @@ -0,0 +1,472 @@ +# SPDX-License-Identifier: GPL-2.0+ +""" Unit test for UEFI menu-driven configuration +""" + +import pytest +import time +from defs import * + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('cmd_eficonfig') +@pytest.mark.buildconfigspec('cmd_bootefi_bootmgr') +@pytest.mark.buildconfigspec('efi_secure_boot') +def test_efi_eficonfig_sbkey(u_boot_config, u_boot_console, efi_boot_env): + def send_user_input_and_wait(user_str, expect_str): + time.sleep(0.1) # TODO: does not work correctly without sleep + u_boot_console.run_command(cmd=user_str, wait_for_prompt=False, + wait_for_echo=True, send_nl=False) + u_boot_console.run_command(cmd='\x0d', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + if expect_str is not None: + for i in expect_str: + u_boot_console.p.expect([i]) + + def press_up_down_enter_and_wait(up_count, down_count, enter, expect_str): + # press UP key + for i in range(up_count): + u_boot_console.run_command(cmd='\x1b\x5b\x41', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + # press DOWN key + for i in range(down_count): + u_boot_console.run_command(cmd='\x1b\x5b\x42', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + # press ENTER if requested + if enter: + u_boot_console.run_command(cmd='\x0d', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + # wait expected output + if expect_str is not None: + for i in expect_str: + u_boot_console.p.expect([i]) + + def press_escape_key(wait_prompt): + u_boot_console.run_command(cmd='\x1b', wait_for_prompt=wait_prompt, wait_for_echo=False, send_nl=False) + + def press_enter_key(wait_prompt): + u_boot_console.run_command(cmd='\x0d', wait_for_prompt=wait_prompt, + wait_for_echo=False, send_nl=False) + + def check_current_is_maintenance_menu(): + for i in ('UEFI Maintenance Menu', 'Add Boot Option', 'Edit Boot Option', + 'Change Boot Order', 'Delete Boot Option', 'Secure Boot Configuration', 'Quit'): + u_boot_console.p.expect([i]) + + # Restart the system to clean the previous state + u_boot_console.restart_uboot() + # bind the test disk image for succeeding tests + u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}') + + # + # Test Case 1: Enroll non-signed ESL(.esl or .crl) in order of KEK, DB, DBX and PK + # + with u_boot_console.temporary_timeout(500): + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # set KEK.esl to KEK + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 7, True, 'Quit') + # check KEK is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'KEK', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_KEK', 'Issuer:', 'TEST_KEK'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set db.esl to db + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 1, True, 'Quit') + # check db is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'db', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_db', 'Issuer:', 'TEST_db'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set dbx_hash.crl to dbx + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 3, True, 'Quit') + # check dbx is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + # verify CRL, skip hash comparison because it varies in every test + for i in ('Show/Delete Signature Database', 'dbx', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509_SHA256 CRL', + 'TimeOfRevocation:', '2013-5-27 01:02:03'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set PK.esl to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 9, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + check_current_is_maintenance_menu() + + # + # Test Case 2: Enroll PK first, then non-signed esl fails to enroll + # + + # Restart the system to clean the previous state + u_boot_console.restart_uboot() + # bind the test disk image for succeeding tests + u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}') + + with u_boot_console.temporary_timeout(500): + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # set PK.auth to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 8, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + + # fail to set KEK.esl + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 7, True, 'Quit') + for i in ('ERROR! Failed to update signature database', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # fail to set db.esl + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 1, True, 'Quit') + for i in ('ERROR! Failed to update signature database', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # fail to set dbx_hash.crl + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 3, True, 'Quit') + for i in ('ERROR! Failed to update signature database', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # + # Test Case 3: Enroll signed ESL(.auth) in order of PK, KEK, and db, then check status + # + + # Restart the system to clean the previous state + u_boot_console.restart_uboot() + # bind the test disk image for succeeding tests + u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}') + + with u_boot_console.temporary_timeout(500): + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # set PK.auth to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 8, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set KEK.auth to KEK + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 6, True, 'Quit') + # check KEK is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'KEK', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_KEK', 'Issuer:', 'TEST_KEK'): + u_boot_console.p.expect([i]) + + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set db.auth to db + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + # check db is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'db', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_db', 'Issuer:', 'TEST_db'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + check_current_is_maintenance_menu() + + # + # Test Case 4: start signed image allowed in db + # + + # Select 'Add Boot Option' + press_up_down_enter_and_wait(0, 0, True, 'Quit') + # Press the enter key to select 'Description:' entry, then enter Description + press_up_down_enter_and_wait(0, 0, True, 'enter description:') + # Send Description user input, press ENTER key to complete + send_user_input_and_wait('hello', 'Quit') + + # Set EFI image(helloworld.efi.signed) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'host 0:1') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 5, True, 'Quit') + for i in ('Description: hello', 'File: host 0:1/helloworld.efi.signed', + 'Initrd File:', 'Optional Data:', 'Save', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Hello, world!' in response + + # + # Test Case 5: can not start the image if it is not signed + # + + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + # Select 'Edit Boot Option' + press_up_down_enter_and_wait(0, 1, True, None) + # Check the curren BootOrder + for i in ('hello', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + # Set EFI image(helloworld.efi) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'host 0:1') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('Description: hello', 'File: host 0:1/helloworld.efi', + 'Initrd File:', 'Optional Data:', 'Save', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Image not authenticated' in response + + # + # Test Case 6: can not start the signed image if dbx revokes db certificate + # + + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + # Select 'Edit Boot Option' + press_up_down_enter_and_wait(0, 1, True, None) + # Check the curren BootOrder + for i in ('hello', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, 'Quit') + # Set EFI image(helloworld.efi.signed) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'host 0:1') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 5, True, 'Quit') + for i in ('Description: hello', 'File: host 0:1/helloworld.efi.signed', + 'Initrd File:', 'Optional Data:', 'Save', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + # set dbx_hash.auth to dbx + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + # check db is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + # verify CRL, skip hash comparison because it varies in every test + for i in ('Show/Delete Signature Database', 'dbx', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509_SHA256 CRL', + 'TimeOfRevocation:', '2013-5-27 01:02:03'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Image not authenticated' in response + + # + # Test Case 7: clear PK with null key, check secure boot is OFF + # + + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + + # clear PK with null key + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 10, True, 'Quit') + + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('There is no entry in the signature database.', 'Press any key to continue'): + u_boot_console.p.expect([i]) + + press_enter_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # delete dbx + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_enter_key(False) + for i in ('TimeOfRevocation:', '2013-5-27 01:02:03'): + u_boot_console.p.expect([i]) + press_enter_key(False) + for i in ('Are you sure you want to delete this item?', 'Press ENTER to delete'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('There is no entry in the signature database.', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_enter_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set PK.auth to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 8, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Hello, world!' in response