dany/u-boot-megous
1
0
Fork 0
mirror of https://xff.cz/git/u-boot/ synced 2025-10-27 16:43:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

efi_loader: Enable uefi capsule authentication

Browse Source 
Add support for enabling uefi capsule authentication. This feature is
enabled by setting the environment variable
"capsule_authentication_enabled".

The following configs are needed for enabling uefi capsule update and
capsule authentication features on the platform.

CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
CONFIG_EFI_CAPSULE_FIRMWARE=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
This commit is contained in:
Sughosh Ganu
2020-12-30 19:27:10 +05:30
committed by Heinrich Schuchardt
parent 04be98bd6b
commit 88a2ef2720
1 changed files with 35 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
lib/efi_loader/efi_firmware.c
View File

@@ -184,9 +184,16 @@ static efi_status_t efi_get_dfu_info(
image_info[i].version_name = NULL; /* not supported */ image_info[i].version_name = NULL; /* not supported */
image_info[i].size = 0; image_info[i].size = 0;
image_info[i].attributes_supported = image_info[i].attributes_supported =
IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; IMAGE_ATTRIBUTE_IMAGE_UPDATABLE |
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
image_info[i].attributes_setting = image_info[i].attributes_setting =
IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
/* Check if the capsule authentication is enabled */
if (env_get("capsule_authentication_enabled"))
image_info[0].attributes_setting |=
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
image_info[i].lowest_supported_image_version = 0; image_info[i].lowest_supported_image_version = 0;
image_info[i].last_attempt_version = 0; image_info[i].last_attempt_version = 0;
image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS; image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS;
@@ -403,6 +410,9 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
{ {
u32 fmp_hdr_signature; u32 fmp_hdr_signature;
struct fmp_payload_header *header; struct fmp_payload_header *header;
void *capsule_payload;
efi_status_t status;
efi_uintn_t capsule_payload_size;
EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image,
image_size, vendor_code, progress, abort_reason); image_size, vendor_code, progress, abort_reason);
@@ -410,6 +420,30 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
if (!image) if (!image)
return EFI_EXIT(EFI_INVALID_PARAMETER); return EFI_EXIT(EFI_INVALID_PARAMETER);
/* Authenticate the capsule if authentication enabled */
if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
env_get("capsule_authentication_enabled")) {
capsule_payload = NULL;
capsule_payload_size = 0;
status = efi_capsule_authenticate(image, image_size,
&capsule_payload,
&capsule_payload_size);
if (status == EFI_SECURITY_VIOLATION) {
printf("Capsule authentication check failed. Aborting update\n");
return EFI_EXIT(status);
} else if (status != EFI_SUCCESS) {
return EFI_EXIT(status);
}
debug("Capsule authentication successfull\n");
image = capsule_payload;
image_size = capsule_payload_size;
} else {
debug("Capsule authentication disabled. ");
debug("Updating capsule without authenticating.\n");
}
fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE; fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE;
header = (void *)image; header = (void *)image;