From patchwork Tue Nov 26 00:51:11 2019
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 1200691
X-Patchwork-Delegate: xypron.glpk@gmx.de
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, trini@konsulko.com
Cc: u-boot@lists.denx.de, mail@patrick-wildt.de
Date: Tue, 26 Nov 2019 09:51:11 +0900
Message-Id: <20191126005120.31156-8-takahiro.akashi@linaro.org>
In-Reply-To: <20191126005120.31156-1-takahiro.akashi@linaro.org>
References: <20191126005120.31156-1-takahiro.akashi@linaro.org>
X-Mailer: git-send-email 2.24.0
Subject: [U-Boot] [PATCH v2 07/16] efi_loader: variable: add VendorKeys variable

The following variable is exported as the UEFI specification defines:

  VendorKeys: whether the system is configured to use only vendor-provided keys or not

The value will have to be modified if a platform has its own way of initializing the signature database, in particular, PK.

Signed-off-by: AKASHI Takahiro
---
 lib/efi_loader/efi_variable.c | 69 ++++++++++++++++++++++++++++++++--- 1 file changed, 63 insertions(+), 6 deletions(-) diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index eb6135be6154..c7138183b0b0 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -25,6 +25,7 @@ enum efi_secure_mode { const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; static bool efi_secure_boot; static int efi_secure_mode; +static u8 efi_vendor_keys; #define READ_ONLY BIT(31) @@ -342,6 +343,8 @@ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) return EFI_INVALID_PARAMETER; } + efi_secure_mode = mode; + return EFI_SUCCESS; err: 
@@ -357,16 +360,46 @@ err: */ static efi_status_t efi_init_secure_state(void) { - efi_uintn_t size = 0; + enum efi_secure_mode mode; + efi_uintn_t size; efi_status_t ret; + /* + * TODO: + * Since there is currently no "platform-specific" installation + * method of Platform Key, we can't say if VendorKeys is 0 or 1 + * precisely. + */ + + size = 0; ret = EFI_CALL(efi_get_variable(L"PK", &efi_global_variable_guid, NULL, &size, NULL)); - if (ret == EFI_BUFFER_TOO_SMALL && IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) - ret = efi_transfer_secure_state(EFI_MODE_USER); - else - ret = efi_transfer_secure_state(EFI_MODE_SETUP); + if (ret == EFI_BUFFER_TOO_SMALL) { + if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) + mode = EFI_MODE_USER; + else + mode = EFI_MODE_SETUP; + + efi_vendor_keys = 0; + } else if (ret == EFI_NOT_FOUND) { + mode = EFI_MODE_SETUP; + efi_vendor_keys = 1; + } else { + goto err; + } + ret = efi_transfer_secure_state(mode); + if (ret == EFI_SUCCESS) + ret = efi_set_variable_internal(L"VendorKeys", + &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS + | READ_ONLY, + sizeof(efi_vendor_keys), + &efi_vendor_keys, + false); + +err: return ret; } @@ -1121,6 +1154,8 @@ out: if (env_set(native_name, val)) { ret = EFI_DEVICE_ERROR; } else { + bool vendor_keys_modified = false; + if ((u16_strcmp(variable_name, L"PK") == 0 && guidcmp(vendor, &efi_global_variable_guid) == 0)) { ret = efi_transfer_secure_state( 
@@ -1128,8 +1163,30 @@ out: EFI_MODE_USER)); if (ret != EFI_SUCCESS) goto err; + + if (efi_secure_mode != EFI_MODE_SETUP) + vendor_keys_modified = true; + } else if ((u16_strcmp(variable_name, L"KEK") == 0 && + guidcmp(vendor, &efi_global_variable_guid) == 0)) { + if (efi_secure_mode != EFI_MODE_SETUP) + vendor_keys_modified = true; + } + + /* update VendorKeys */ + if (vendor_keys_modified & efi_vendor_keys) { + efi_vendor_keys = 0; + ret = efi_set_variable_internal( + L"VendorKeys", + &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS + | READ_ONLY, + sizeof(efi_vendor_keys), + &efi_vendor_keys, + false); + } else { + ret = EFI_SUCCESS; } - ret = EFI_SUCCESS; } err:
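Review bot: the added `efi_secure_mode = mode;` in the `@@ -342` hunk of efi_transfer_secure_state() is a fix for a mode variable that was otherwise never updated, and it is unrelated to the VendorKeys variable the subject and commit message describe; split it into its own patch, or at least mention it in the commit message, because the new `efi_secure_mode != EFI_MODE_SETUP` checks added later in efi_set_variable() silently depend on it. While here, `efi_secure_mode` is declared `static int` (visible in the `@@ -25` hunk context) but is now assigned an `enum efi_secure_mode`; declaring it with the enum type lets the compiler catch a bad assignment.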
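Review bot: in the efi_init_secure_state() hunk, any existing PK sets `efi_vendor_keys = 0`, including the case where CONFIG_EFI_SECURE_BOOT is disabled and `mode` stays EFI_MODE_SETUP, so a board whose PK was provisioned by the vendor will always report VendorKeys = 0. The TODO comment admits the value cannot be precise yet, but the commit message should state the rule that is actually implemented (PK absent: 1, PK present: 0) so platform porters know exactly what they must override. Minor: the `err:` label now holds nothing but `return ret;`, so the `goto err` in the final else branch is a plain `return ret;` and the label can be dropped.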
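Review bot: in the `@@ -1128` hunk, `if (vendor_keys_modified & efi_vendor_keys)` uses a bitwise AND between a bool and a u8; it works only because both are 0 or 1, and it reads as a typo, so use `&&`. More importantly, for PK the `efi_secure_mode != EFI_MODE_SETUP` test runs after efi_transfer_secure_state() has already switched the mode, so it inspects the mode the write leads to rather than the mode the write was made in: if the transfer selects EFI_MODE_USER when a PK is stored (as the visible `EFI_MODE_USER));` argument suggests), enrolling a PK from Setup mode clears VendorKeys, while deleting PK from User mode lands in Setup mode and leaves it untouched. If that asymmetry is intended, add a comment saying so; otherwise capture the old mode before the transfer and test that. Only PK and KEK are considered, so db/dbx writes never clear VendorKeys, yet the commit message speaks of the "signature database"; say whether that omission is deliberate. Finally, if efi_set_variable_internal() for VendorKeys fails, env_set() has already stored the new PK/KEK value, leaving the two out of sync; either update VendorKeys before committing the key or document that this update is best-effort.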