Merge tag 'efi-2020-10-rc3-3' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi

Pull request for UEFI sub-system for efi-2020-10-rc3 (3)

The following bug fixes are contained in this pull-request:

* ResetSystem() should no hang if not implemented.
* Device paths in Bootxxxx variables should be verified.
* Use ':' as separator for command setenv -e -i instead of ','.
* Correct comments for functions.
* Update UEFI documentation.

cmd/bootefi.c

@@ -304,7 +304,11 @@ efi_status_t efi_install_fdt(void *fdt)
 /**
  * do_bootefi_exec() - execute EFI binary
  *
+ * The image indicated by @handle is started. When it returns the allocated
+ * memory for the @load_options is freed.
+ *
  * @handle:		handle of loaded image
+ * @load_options:	load options
  * Return:		status code
  *
  * Load the EFI binary into a newly assigned memory unwinding the relocation

cmd/nvedit_efi.c

@@ -473,7 +473,7 @@ int do_env_set_efi(struct cmd_tbl *cmdtp, int flag, int argc,
 			argc--;
 			argv++;
 			addr = simple_strtoul(argv[0], &ep, 16);
-			if (*ep != ',')
+			if (*ep != ':')
 				return CMD_RET_USAGE;
 
 			/* 0 should be allowed for delete */

doc/uefi/uefi.rst

@@ -59,6 +59,10 @@ Below you find the output of an example session starting GRUB::
     120832 bytes read in 7 ms (16.5 MiB/s)
     => bootefi ${kernel_addr_r} ${fdt_addr_r}
 
+The bootefi command uses the device, the file name, and the file size
+(environment variable 'filesize') of the most recently loaded file when setting
+up the binary for execution. So the UEFI binary should be loaded last.
+
 The environment variable 'bootargs' is passed as load options in the UEFI system
 table. The Linux kernel EFI stub uses the load options as command line
 arguments.
@@ -169,11 +173,11 @@ Sign an image with one of the keys in "db" on your host
 Now in U-Boot install the keys on your board::
 
     fatload mmc 0:1 <tmpaddr> PK.auth
-    setenv -e -nv -bs -rt -at -i <tmpaddr>,$filesize PK
+    setenv -e -nv -bs -rt -at -i <tmpaddr>:$filesize PK
     fatload mmc 0:1 <tmpaddr> KEK.auth
-    setenv -e -nv -bs -rt -at -i <tmpaddr>,$filesize KEK
+    setenv -e -nv -bs -rt -at -i <tmpaddr>:$filesize KEK
     fatload mmc 0:1 <tmpaddr> db.auth
-    setenv -e -nv -bs -rt -at -i <tmpaddr>,$filesize db
+    setenv -e -nv -bs -rt -at -i <tmpaddr>:$filesize db
 
 Set up boot parameters on your board::
 
@@ -217,13 +221,13 @@ which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y.
 Executing the boot manager
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The UEFI specification foresees to define boot entries and boot sequence via UEFI
+The UEFI specification foresees to define boot entries and boot sequence via
-variables. Booting according to these variables is possible via::
+UEFI variables. Booting according to these variables is possible via::
 
     bootefi bootmgr [fdt address]
 
-As of U-Boot v2018.03 UEFI variables are not persisted and cannot be set at
+As of U-Boot v2020.10 UEFI variables cannot be set at runtime. The U-Boot
-runtime.
+command 'efidebug' can be used to set the variables.
 
 Executing the built in hello world application
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

include/efi_loader.h

@@ -631,6 +631,8 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr,
 			      const char *path,
 			      struct efi_device_path **device,
 			      struct efi_device_path **file);
+ssize_t efi_dp_check_length(const struct efi_device_path *dp,
+			    const size_t maxlen);
 
 #define EFI_DP_TYPE(_dp, _type, _subtype) \
 	(((_dp)->type == DEVICE_PATH_TYPE_##_type) && \

include/efi_variable.h

@@ -274,7 +274,6 @@ efi_get_next_variable_name_mem(efi_uintn_t *variable_name_size, u16 *variable_na
  * @data:		buffer to which the variable value is copied
  * @timep:		authentication time (seconds since start of epoch)
  * Return:		status code
-
  */
 efi_status_t __efi_runtime
 efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes,

include/linux/kernel.h

@@ -19,6 +19,9 @@
 #ifndef SIZE_MAX
 #define SIZE_MAX	(~(size_t)0)
 #endif
+#ifndef SSIZE_MAX
+#define SSIZE_MAX	((ssize_t)(SIZE_MAX >> 1))
+#endif
 
 #define U8_MAX		((u8)~0U)
 #define S8_MAX		((s8)(U8_MAX>>1))

lib/efi_loader/efi_bootmgr.c

@@ -105,10 +105,8 @@ efi_status_t efi_deserialize_load_option(struct efi_load_option *lo, u8 *data,
 	if (*size < len)
 		return EFI_INVALID_PARAMETER;
 	lo->file_path = (struct efi_device_path *)data;
-	 /*
+	if (efi_dp_check_length(lo->file_path, len) < 0)
-	  * TODO: validate device path. There should be an end node within
+		return EFI_INVALID_PARAMETER;
-	  * the indicated file_path_length.
-	  */
 	data += len;
 	*size -= len;
 

lib/efi_loader/efi_device_path.c

@@ -1127,3 +1127,36 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr,
 
 	return EFI_SUCCESS;
 }
+
+/**
+ * efi_dp_check_length() - check length of a device path
+ *
+ * @dp:		pointer to device path
+ * @maxlen:	maximum length of the device path
+ * Return:
+ * * length of the device path if it is less or equal @maxlen
+ * * -1 if the device path is longer then @maxlen
+ * * -1 if a device path node has a length of less than 4
+ * * -EINVAL if maxlen exceeds SSIZE_MAX
+ */
+ssize_t efi_dp_check_length(const struct efi_device_path *dp,
+			    const size_t maxlen)
+{
+	ssize_t ret = 0;
+	u16 len;
+
+	if (maxlen > SSIZE_MAX)
+		return -EINVAL;
+	for (;;) {
+		len = dp->length;
+		if (len < 4)
+			return -1;
+		ret += len;
+		if (ret > maxlen)
+			return -1;
+		if (dp->type == DEVICE_PATH_TYPE_END &&
+		    dp->sub_type == DEVICE_PATH_SUB_TYPE_END)
+			return ret;
+		dp = (const struct efi_device_path *)((const u8 *)dp + len);
+	}
+}

lib/efi_loader/efi_runtime.c

@@ -365,7 +365,9 @@ out:
  * efi_reset_system() - reset system
  *
  * This function implements the ResetSystem() runtime service after
- * SetVirtualAddressMap() is called. It only executes an endless loop.
+ * SetVirtualAddressMap() is called. As this placeholder cannot reset the
+ * system it simply return to the caller.
+ *
  * Boards may override the helpers below to implement reset functionality.
  *
  * See the Unified Extensible Firmware Interface (UEFI) specification for
@@ -381,8 +383,7 @@ void __weak __efi_runtime EFIAPI efi_reset_system(
 			efi_status_t reset_status,
 			unsigned long data_size, void *reset_data)
 {
-	/* Nothing we can do */
+	return;
-	while (1) { }
 }
 
 /**

lib/efi_selftest/Makefile

@@ -31,6 +31,7 @@ efi_selftest_mem.o \
 efi_selftest_memory.o \
 efi_selftest_open_protocol.o \
 efi_selftest_register_notify.o \
+efi_selftest_reset.o \
 efi_selftest_set_virtual_address_map.o \
 efi_selftest_textinput.o \
 efi_selftest_textinputex.o \

lib/efi_selftest/efi_selftest.c

@@ -5,6 +5,7 @@
  * Copyright (c) 2017 Heinrich Schuchardt <xypron.glpk@gmx.de>
  */
 
+#include <command.h>
 #include <efi_selftest.h>
 #include <vsprintf.h>
 
@@ -309,8 +310,13 @@ efi_status_t EFIAPI efi_selftest(efi_handle_t image_handle,
 	/* Reset system */
 	efi_st_printf("Preparing for reset. Press any key...\n");
 	efi_st_get_key();
+
+	if (IS_ENABLED(CONFIG_EFI_HAVE_RUNTIME_RESET))
 		runtime->reset_system(EFI_RESET_WARM, EFI_NOT_READY,
 				      sizeof(reset_message), reset_message);
+	else
+		do_reset(NULL, 0, 0, NULL);
+
 	efi_st_printf("\n");
 	efi_st_error("Reset failed\n");
 

lib/efi_selftest/efi_selftest_reset.c

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * efi_selftest_reset
+ *
+ * Copyright (c) 2020 Heinrich Schuchardt <xypron.glpk@gmx.de>
+ *
+ * This test checks the following service at boot time or runtime:
+ * ResetSystem()
+ */
+
+#include <efi_selftest.h>
+
+static struct efi_runtime_services *runtime;
+
+/*
+ * Setup unit test.
+ *
+ * @handle:	handle of the loaded image
+ * @systable:	system table
+ * @return:	EFI_ST_SUCCESS for success
+ */
+static int setup(const efi_handle_t handle,
+		 const struct efi_system_table *systable)
+{
+	runtime = systable->runtime;
+	return EFI_ST_SUCCESS;
+}
+
+/*
+ * Execute unit test.
+ *
+ * @return:	EFI_ST_SUCCESS for success
+ */
+static int execute(void)
+{
+	u16 reset_data[] = L"Reset by selftest";
+
+	runtime->reset_system(EFI_RESET_COLD, EFI_SUCCESS,
+			      sizeof(reset_data), reset_data);
+	efi_st_error("Reset failed.\n");
+	return EFI_ST_FAILURE;
+}
+
+EFI_UNIT_TEST(reset) = {
+	.name = "reset system",
+	.phase = EFI_EXECUTE_BEFORE_BOOTTIME_EXIT,
+	.setup = setup,
+	.execute = execute,
+	.on_request = true,
+};
+
+EFI_UNIT_TEST(resetrt) = {
+	.name = "reset system runtime",
+	.phase = EFI_SETUP_BEFORE_BOOTTIME_EXIT,
+	.setup = setup,
+	.execute = execute,
+	.on_request = true,
+};

test/lib/Makefile

@@ -3,6 +3,7 @@
 # (C) Copyright 2018
 # Mario Six, Guntermann & Drunck GmbH, mario.six@gdsys.cc
 obj-y += cmd_ut_lib.o
+obj-$(CONFIG_EFI_LOADER) += efi_device_path.o
 obj-$(CONFIG_EFI_SECURE_BOOT) += efi_image_region.o
 obj-y += hexdump.o
 obj-y += lmb.o

test/lib/efi_device_path.c

@@ -0,0 +1,50 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Test device path functions
+ *
+ * Copyright (c) 2020 Heinrich Schuchardt <xypron.glpk@gmx.de>
+ */
+
+#include <common.h>
+#include <efi_loader.h>
+#include <test/lib.h>
+#include <test/test.h>
+#include <test/ut.h>
+
+static int lib_test_efi_dp_check_length(struct unit_test_state *uts)
+{
+	/* end of device path */
+	u8 d1[] __aligned(2) = {
+		0x7f, 0xff, 0x04, 0x00 };
+	/* device path node with length less then 4 */
+	u8 d2[] __aligned(2) = {
+		0x01, 0x02, 0x02, 0x00, 0x04, 0x00, 0x7f, 0xff, 0x04, 0x00 };
+	/* well formed device path */
+	u8 d3[] __aligned(2) = {
+		0x03, 0x02, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00,
+		0x7f, 0xff, 0x04, 0x00 };
+
+	struct efi_device_path *p1 = (struct efi_device_path *)d1;
+	struct efi_device_path *p2 = (struct efi_device_path *)d2;
+	struct efi_device_path *p3 = (struct efi_device_path *)d3;
+
+	ut_asserteq((ssize_t)-EINVAL, efi_dp_check_length(p1, SIZE_MAX));
+	ut_asserteq((ssize_t)sizeof(d1), efi_dp_check_length(p1, sizeof(d1)));
+	ut_asserteq((ssize_t)sizeof(d1),
+		    efi_dp_check_length(p1, sizeof(d1) + 4));
+	ut_asserteq((ssize_t)-1, efi_dp_check_length(p1, sizeof(d1) - 1));
+
+	ut_asserteq((ssize_t)-1, efi_dp_check_length(p2, sizeof(d2)));
+
+	ut_asserteq((ssize_t)-1, efi_dp_check_length(p3, sizeof(d3) - 1));
+	ut_asserteq((ssize_t)sizeof(d3), efi_dp_check_length(p3, sizeof(d3)));
+	ut_asserteq((ssize_t)sizeof(d3), efi_dp_check_length(p3, SSIZE_MAX));
+	ut_asserteq((ssize_t)-EINVAL,
+		    efi_dp_check_length(p3, (size_t)SSIZE_MAX + 1));
+	ut_asserteq((ssize_t)sizeof(d3),
+		    efi_dp_check_length(p3, sizeof(d3) + 4));
+
+	return 0;
+}
+
+LIB_TEST(lib_test_efi_dp_check_length, 0);

test/py/tests/test_efi_secboot/test_authvar.py

@@ -38,14 +38,14 @@ class TestEfiAuthVar(object):
             # Test Case 1b, PK without AUTHENTICATED_WRITE_ACCESS
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
         with u_boot_console.log.section('Test Case 1c'):
             # Test Case 1c, install PK
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                 'printenv -e -n PK'])
             assert 'PK:' in ''.join(output)
 
@@ -60,24 +60,24 @@ class TestEfiAuthVar(object):
             # Test Case 1d, db/dbx without KEK
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
         with u_boot_console.log.section('Test Case 1e'):
             # Test Case 1e, install KEK
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -i 4000000,$filesize KEK'])
+                'setenv -e -nv -bs -rt -i 4000000:$filesize KEK'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'printenv -e -n KEK'])
             assert 'KEK:' in ''.join(output)
 
@@ -89,12 +89,12 @@ class TestEfiAuthVar(object):
             # Test Case 1f, install db
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'db:' in ''.join(output)
@@ -107,12 +107,12 @@ class TestEfiAuthVar(object):
             # Test Case 1g, install dbx
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 dbx.auth',
-                'setenv -e -nv -bs -rt -i 4000000,$filesize dbx'])
+                'setenv -e -nv -bs -rt -i 4000000:$filesize dbx'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 dbx.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'dbx:' in ''.join(output)
@@ -132,32 +132,32 @@ class TestEfiAuthVar(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'db:' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db1.auth',
-                'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
         with u_boot_console.log.section('Test Case 2b'):
             # Test Case 2b, update without correct signature
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.esl',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
         with u_boot_console.log.section('Test Case 2c'):
             # Test Case 2c, update with correct signature
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db1.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'db:' in ''.join(output)
@@ -173,32 +173,32 @@ class TestEfiAuthVar(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'db:' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db1.auth',
-                'setenv -e -nv -bs -rt -a -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -a -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
         with u_boot_console.log.section('Test Case 3b'):
             # Test Case 3b, update without correct signature
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.esl',
-                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' in ''.join(output)
 
         with u_boot_console.log.section('Test Case 3c'):
             # Test Case 3c, update with correct signature
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db1.auth',
-                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
                 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'db:' in ''.join(output)
@@ -214,11 +214,11 @@ class TestEfiAuthVar(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'db:' in ''.join(output)
@@ -248,18 +248,18 @@ class TestEfiAuthVar(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'printenv -e -n PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert 'PK:' in ''.join(output)
 
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 PK_null.esl',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                 'printenv -e -n PK'])
             assert 'Failed to set EFI variable' in ''.join(output)
             assert 'PK:' in ''.join(output)
@@ -268,7 +268,7 @@ class TestEfiAuthVar(object):
             # Test Case 5b, Uninstall PK with correct signature
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 PK_null.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                 'printenv -e -n PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             assert '\"PK\" not defined' in ''.join(output)

test/py/tests/test_efi_secboot/test_signed.py

@@ -53,9 +53,9 @@ class TestEfiSignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
@@ -74,7 +74,7 @@ class TestEfiSignedImage(object):
             # Test Case 2b, authenticated by db
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot next 2',
@@ -97,11 +97,11 @@ class TestEfiSignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
@@ -114,7 +114,7 @@ class TestEfiSignedImage(object):
             # Test Case 3b, rejected by dbx even if db allows
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot next 1',
@@ -133,13 +133,13 @@ class TestEfiSignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 dbx_hash.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
@@ -162,11 +162,11 @@ class TestEfiSignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
@@ -178,7 +178,7 @@ class TestEfiSignedImage(object):
             # Test Case 5b, authenticated if both signatures are verified
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db1.auth',
-                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot next 1',
@@ -190,7 +190,7 @@ class TestEfiSignedImage(object):
             # certificate) is revoked
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 dbx_hash.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot next 1',
@@ -201,7 +201,7 @@ class TestEfiSignedImage(object):
             # Test Case 5d, rejected if both of signatures are revoked
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 dbx_hash1.auth',
-                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize dbx'])
+                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize dbx'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot next 1',
@@ -220,11 +220,11 @@ class TestEfiSignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 db_hello_signed.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
@@ -236,7 +236,7 @@ class TestEfiSignedImage(object):
             # Test Case 6b, rejected by TEST_db certificate in dbx
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 dbx_db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot next 1',
@@ -248,9 +248,9 @@ class TestEfiSignedImage(object):
             # Test Case 6c, rejected by image's digest in dbx
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'fatload host 0:1 4000000 dbx_hello_signed.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
             assert 'Failed to set EFI variable' not in ''.join(output)
             output = u_boot_console.run_command_list([
                 'efidebug boot next 1',

test/py/tests/test_efi_secboot/test_signed_intca.py

@@ -31,11 +31,11 @@ class TestEfiSignedImageIntca(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 db_c.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
 
             output = u_boot_console.run_command_list([
@@ -64,9 +64,9 @@ class TestEfiSignedImageIntca(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
 
             output = u_boot_console.run_command_list([
@@ -80,7 +80,7 @@ class TestEfiSignedImageIntca(object):
             # Test Case 2b, signed and authenticated by root CA
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db_b.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'efidebug boot next 1',
                 'efidebug test bootmgr'])
             assert '\'HELLO_abc\' failed' in ''.join(output)
@@ -90,7 +90,7 @@ class TestEfiSignedImageIntca(object):
             # Test Case 2c, signed and authenticated by root CA
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db_c.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'efidebug boot next 1',
                 'efidebug test bootmgr'])
             assert 'Hello, world!' in ''.join(output)
@@ -106,13 +106,13 @@ class TestEfiSignedImageIntca(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 dbx_b.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                 'fatload host 0:1 4000000 db_c.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
 
             output = u_boot_console.run_command_list([
@@ -128,7 +128,7 @@ class TestEfiSignedImageIntca(object):
             # Test Case 3b, revoked by root CA in dbx
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 dbx_c.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                 'efidebug boot next 1',
                 'efidebug test bootmgr'])
             assert '\'HELLO_abc\' failed' in ''.join(output)

test/py/tests/test_efi_secboot/test_unsigned.py

@@ -29,9 +29,9 @@ class TestEfiUnsignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
 
             output = u_boot_console.run_command_list([
@@ -56,11 +56,11 @@ class TestEfiUnsignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 db_hello.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
 
             output = u_boot_console.run_command_list([
@@ -80,11 +80,11 @@ class TestEfiUnsignedImage(object):
             output = u_boot_console.run_command_list([
                 'host bind 0 %s' % disk_img,
                 'fatload host 0:1 4000000 db_hello.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                 'fatload host 0:1 4000000 KEK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                 'fatload host 0:1 4000000 PK.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
             assert 'Failed to set EFI variable' not in ''.join(output)
 
             output = u_boot_console.run_command_list([
@@ -102,7 +102,7 @@ class TestEfiUnsignedImage(object):
             # Test Case 3b, rejected by dbx even if db allows
             output = u_boot_console.run_command_list([
                 'fatload host 0:1 4000000 db_hello.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
+                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
             assert 'Failed to set EFI variable' not in ''.join(output)
 
             output = u_boot_console.run_command_list([