From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de, trini@konsulko.com
Cc: sjg@chromium.org, ilias.apalodimas@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v7 06/17] efi_loader: variable: add VendorKeys variable
Date: Tue, 14 Apr 2020 11:51:43 +0900
Message-Id: <20200414025154.27283-7-takahiro.akashi@linaro.org>
In-Reply-To: <20200414025154.27283-1-takahiro.akashi@linaro.org>

The following variable is exported as UEFI specification defines:
VendorKeys: whether the system is configured to use only vendor-provided
            keys or not
The value will have to be modified if a platform has its own way of
initializing signature database, in particular, PK.

Signed-off-by: AKASHI Takahiro
---
 lib/efi_loader/efi_variable.c | 69 ++++++++++++++++++++++++++++++++---
 1 file changed, 63 insertions(+), 6 deletions(-)

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index fd5c41f830b1..7df881a74b44 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c
@@ -26,6 +26,7 @@ enum efi_secure_mode { const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; static bool efi_secure_boot; static int efi_secure_mode; +static u8 efi_vendor_keys; #define READ_ONLY BIT(31) @@ -344,6 +345,8 @@ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) return EFI_INVALID_PARAMETER; } + efi_secure_mode = mode; + return EFI_SUCCESS; err: @@ -359,16 +362,46 @@ err: */ static efi_status_t efi_init_secure_state(void) { - efi_uintn_t size = 0; + enum efi_secure_mode mode; + efi_uintn_t size; efi_status_t ret; + /* + * TODO: + * Since there is currently no "platform-specific" installation + * method of Platform Key, we can't say if VendorKeys is 0 or 1 + * precisely. + */ + + size = 0; ret = EFI_CALL(efi_get_variable(L"PK", &efi_global_variable_guid, NULL, &size, NULL)); - if (ret == EFI_BUFFER_TOO_SMALL && IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) - ret = efi_transfer_secure_state(EFI_MODE_USER); - else - ret = efi_transfer_secure_state(EFI_MODE_SETUP); + if (ret == EFI_BUFFER_TOO_SMALL) { + if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) + mode = EFI_MODE_USER; + else + mode = EFI_MODE_SETUP; + + efi_vendor_keys = 0; + } else if (ret == EFI_NOT_FOUND) { + mode = EFI_MODE_SETUP; + efi_vendor_keys = 1; + } else { + goto err; + } + ret = efi_transfer_secure_state(mode); + if (ret == EFI_SUCCESS) + ret = efi_set_variable_internal(L"VendorKeys", + &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS + | READ_ONLY, + sizeof(efi_vendor_keys), + &efi_vendor_keys, + false); + +err: return ret; } @@ -1125,6 +1158,8 @@ out: if (env_set(native_name, val)) { ret = EFI_DEVICE_ERROR; } else { + bool vendor_keys_modified = false; + if ((u16_strcmp(variable_name, L"PK") == 0 && guidcmp(vendor, &efi_global_variable_guid) == 0)) { ret = efi_transfer_secure_state( 
@@ -1132,8 +1167,30 @@ out: EFI_MODE_USER)); if (ret != EFI_SUCCESS) goto err; + + if (efi_secure_mode != EFI_MODE_SETUP) + vendor_keys_modified = true; + } else if ((u16_strcmp(variable_name, L"KEK") == 0 && + guidcmp(vendor, &efi_global_variable_guid) == 0)) { + if (efi_secure_mode != EFI_MODE_SETUP) + vendor_keys_modified = true; + } + + /* update VendorKeys */ + if (vendor_keys_modified & efi_vendor_keys) { + efi_vendor_keys = 0; + ret = efi_set_variable_internal( + L"VendorKeys", + &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS + | READ_ONLY, + sizeof(efi_vendor_keys), + &efi_vendor_keys, + false); + } else { + ret = EFI_SUCCESS; } - ret = EFI_SUCCESS; } err:
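
Review bot: In the efi_init_secure_state() hunk (@@ -359), the initial VendorKeys value is inferred only from the PK lookup: efi_vendor_keys is 0 when PK is found and 1 when the lookup returns EFI_NOT_FOUND, which the TODO in the same hunk says is not precise. The variable is then published READ_ONLY with EFI_VARIABLE_RUNTIME_ACCESS, so anything reading it takes that guess as the platform's statement; please put the rule and its limitation in the function's doc comment, and consider taking the initial value from a platform hook or config option rather than from the lookup result. The new 'err:' label sits directly before 'return ret;' and has a single user, so the final else branch could simply return ret.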
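
Review bot: In the last hunk (@@ -1132), 'if (vendor_keys_modified & efi_vendor_keys)' combines a bool and a u8 with a bitwise AND; it gives the right answer only because efi_vendor_keys is assigned nothing but 0 or 1 in this patch, and the condition is a logical one that should use '&&'. In the PK branch, 'efi_secure_mode != EFI_MODE_SETUP' is evaluated after efi_transfer_secure_state() has already stored the new mode (the @@ -344 hunk adds that assignment), so it tests the state the write produced rather than the state the write was made in, unlike the KEK branch; if that is intended a comment would help, otherwise save the mode before the transfer. Only PK and KEK writes are checked here, and the efi_set_variable_internal(L"VendorKeys", ...) call is repeated verbatim from efi_init_secure_state(), which would read better as one small helper.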