mirror of
				https://xff.cz/git/u-boot/
				synced 2025-10-26 16:13:55 +01:00 
			
		
		
		
	efi_loader: Enable uefi capsule authentication
Add support for enabling uefi capsule authentication. This feature is enabled by setting the environment variable "capsule_authentication_enabled". The following configs are needed for enabling uefi capsule update and capsule authentication features on the platform. CONFIG_EFI_HAVE_CAPSULE_SUPPORT=y CONFIG_EFI_CAPSULE_ON_DISK=y CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y CONFIG_EFI_CAPSULE_FIRMWARE=y CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y CONFIG_EFI_CAPSULE_AUTHENTICATE=y Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
This commit is contained in:
		
				
					committed by
					
						 Heinrich Schuchardt
						Heinrich Schuchardt
					
				
			
			
				
	
			
			
			
						parent
						
							04be98bd6b
						
					
				
				
					commit
					88a2ef2720
				
			| @@ -184,9 +184,16 @@ static efi_status_t efi_get_dfu_info( | ||||
| 		image_info[i].version_name = NULL; /* not supported */ | ||||
| 		image_info[i].size = 0; | ||||
| 		image_info[i].attributes_supported = | ||||
| 				IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; | ||||
| 			IMAGE_ATTRIBUTE_IMAGE_UPDATABLE | | ||||
| 			IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; | ||||
| 		image_info[i].attributes_setting = | ||||
| 				IMAGE_ATTRIBUTE_IMAGE_UPDATABLE; | ||||
|  | ||||
| 		/* Check if the capsule authentication is enabled */ | ||||
| 		if (env_get("capsule_authentication_enabled")) | ||||
| 			image_info[0].attributes_setting |= | ||||
| 				IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED; | ||||
|  | ||||
| 		image_info[i].lowest_supported_image_version = 0; | ||||
| 		image_info[i].last_attempt_version = 0; | ||||
| 		image_info[i].last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS; | ||||
| @@ -403,6 +410,9 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( | ||||
| { | ||||
| 	u32 fmp_hdr_signature; | ||||
| 	struct fmp_payload_header *header; | ||||
| 	void *capsule_payload; | ||||
| 	efi_status_t status; | ||||
| 	efi_uintn_t capsule_payload_size; | ||||
|  | ||||
| 	EFI_ENTRY("%p %d %p %ld %p %p %p\n", this, image_index, image, | ||||
| 		  image_size, vendor_code, progress, abort_reason); | ||||
| @@ -410,6 +420,30 @@ efi_status_t EFIAPI efi_firmware_raw_set_image( | ||||
| 	if (!image) | ||||
| 		return EFI_EXIT(EFI_INVALID_PARAMETER); | ||||
|  | ||||
| 	/* Authenticate the capsule if authentication enabled */ | ||||
| 	if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && | ||||
| 	    env_get("capsule_authentication_enabled")) { | ||||
| 		capsule_payload = NULL; | ||||
| 		capsule_payload_size = 0; | ||||
| 		status = efi_capsule_authenticate(image, image_size, | ||||
| 						  &capsule_payload, | ||||
| 						  &capsule_payload_size); | ||||
|  | ||||
| 		if (status == EFI_SECURITY_VIOLATION) { | ||||
| 			printf("Capsule authentication check failed. Aborting update\n"); | ||||
| 			return EFI_EXIT(status); | ||||
| 		} else if (status != EFI_SUCCESS) { | ||||
| 			return EFI_EXIT(status); | ||||
| 		} | ||||
|  | ||||
| 		debug("Capsule authentication successfull\n"); | ||||
| 		image = capsule_payload; | ||||
| 		image_size = capsule_payload_size; | ||||
| 	} else { | ||||
| 		debug("Capsule authentication disabled. "); | ||||
| 		debug("Updating capsule without authenticating.\n"); | ||||
| 	} | ||||
|  | ||||
| 	fmp_hdr_signature = FMP_PAYLOAD_HDR_SIGNATURE; | ||||
| 	header = (void *)image; | ||||
|  | ||||
|   | ||||
		Reference in New Issue
	
	Block a user