From f757d045981779f026ce181404ac4ccc869bc47a Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 14 Apr 2020 11:51:46 +0900 Subject: cmd: env: use appropriate guid for authenticated UEFI variable A signature database variable is associated with a specific guid. For convenience, if user doesn't supply any guid info, "env set|print -e" should complement it. Signed-off-by: AKASHI Takahiro --- cmd/nvedit_efi.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'cmd') diff --git a/cmd/nvedit_efi.c b/cmd/nvedit_efi.c index 8ea0da0..579cf43 100644 --- a/cmd/nvedit_efi.c +++ b/cmd/nvedit_efi.c @@ -41,6 +41,11 @@ static const struct { } efi_guid_text[] = { /* signature database */ {EFI_GLOBAL_VARIABLE_GUID, "EFI_GLOBAL_VARIABLE_GUID"}, + {EFI_IMAGE_SECURITY_DATABASE_GUID, "EFI_IMAGE_SECURITY_DATABASE_GUID"}, + /* certificate type */ + {EFI_CERT_SHA256_GUID, "EFI_CERT_SHA256_GUID"}, + {EFI_CERT_X509_GUID, "EFI_CERT_X509_GUID"}, + {EFI_CERT_TYPE_PKCS7_GUID, "EFI_CERT_TYPE_PKCS7_GUID"}, }; /* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" */ @@ -525,9 +530,9 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) if (*ep != ',') return CMD_RET_USAGE; + /* 0 should be allowed for delete */ size = simple_strtoul(++ep, NULL, 16); - if (!size) - return CMD_RET_FAILURE; + value_on_memory = true; } else if (!strcmp(argv[0], "-v")) { verbose = true; @@ -539,8 +544,13 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) return CMD_RET_USAGE; var_name = argv[0]; - if (default_guid) - guid = efi_global_variable_guid; + if (default_guid) { + if (!strcmp(var_name, "db") || !strcmp(var_name, "dbx") || + !strcmp(var_name, "dbt")) + guid = efi_guid_image_security_database; + else + guid = efi_global_variable_guid; + } if (verbose) { printf("GUID: %s\n", efi_guid_to_str((const efi_guid_t *) -- cgit v1.1 From e50e2878b26a2081da7b57edcf0db1cea80b8007 Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 14 Apr 2020 11:51:47 +0900 Subject: cmd: env: add "-at" option to "env set -e" command With "-at" option, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS will be passed to SetVariable() to authenticate the variable. Signed-off-by: AKASHI Takahiro --- cmd/nvedit.c | 5 +++-- cmd/nvedit_efi.c | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'cmd') diff --git a/cmd/nvedit.c b/cmd/nvedit.c index 81d94cd..966c134 100644 --- a/cmd/nvedit.c +++ b/cmd/nvedit.c @@ -1417,7 +1417,7 @@ static char env_help_text[] = #endif #endif #if defined(CONFIG_CMD_NVEDIT_EFI) - "env set -e [-nv][-bs][-rt][-a][-i addr,size][-v] name [arg ...]\n" + "env set -e [-nv][-bs][-rt][-at][-a][-i addr,size][-v] name [arg ...]\n" " - set UEFI variable; unset if '-i' or 'arg' not specified\n" #endif "env set [-f] name [arg ...]\n"; @@ -1479,13 +1479,14 @@ U_BOOT_CMD_COMPLETE( setenv, CONFIG_SYS_MAXARGS, 0, do_env_set, "set environment variables", #if defined(CONFIG_CMD_NVEDIT_EFI) - "-e [-guid guid][-nv][-bs][-rt][-a][-v]\n" + "-e [-guid guid][-nv][-bs][-rt][-at][-a][-v]\n" " [-i addr,size name], or [name [value ...]]\n" " - set UEFI variable 'name' to 'value' ...'\n" " \"-guid\": set vendor guid\n" " \"-nv\": set non-volatile attribute\n" " \"-bs\": set boot-service attribute\n" " \"-rt\": set runtime attribute\n" + " \"-at\": set time-based authentication attribute\n" " \"-a\": append-write\n" " \"-i addr,size\": use as variable's value\n" " \"-v\": verbose message\n" diff --git a/cmd/nvedit_efi.c b/cmd/nvedit_efi.c index 579cf43..837e39e 100644 --- a/cmd/nvedit_efi.c +++ b/cmd/nvedit_efi.c @@ -458,7 +458,7 @@ out: * Return: CMD_RET_SUCCESS on success, or CMD_RET_RET_FAILURE * * This function is for "env set -e" or "setenv -e" command: - * => env set -e [-guid guid][-nv][-bs][-rt][-a][-v] + * => env set -e [-guid guid][-nv][-bs][-rt][-at][-a][-v] * [-i address,size] var, or * var [value ...] * Encode values specified and set given UEFI variable. @@ -517,6 +517,9 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) attributes |= EFI_VARIABLE_RUNTIME_ACCESS; } else if (!strcmp(argv[0], "-nv")) { attributes |= EFI_VARIABLE_NON_VOLATILE; + } else if (!strcmp(argv[0], "-at")) { + attributes |= + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; } else if (!strcmp(argv[0], "-a")) { attributes |= EFI_VARIABLE_APPEND_WRITE; } else if (!strcmp(argv[0], "-i")) { -- cgit v1.1 From 525fc06744b0942dc95dbbf982a90badcfa8aa14 Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 14 Apr 2020 11:51:48 +0900 Subject: cmd: efidebug: add "test bootmgr" sub-command This sub-command will be used to test image authentication, in particular, a case where efi_load_image() failed with EFI_SECURITY_VIOLATION but we still want to try efi_start_image(). We won't run such a case under normal bootmgr because it simply refuses to call efi_start_image() if anything but EFI_SUCCESS is returned when loading an image. Signed-off-by: AKASHI Takahiro --- cmd/efidebug.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) (limited to 'cmd') diff --git a/cmd/efidebug.c b/cmd/efidebug.c index c1bb764..02ef019 100644 --- a/cmd/efidebug.c +++ b/cmd/efidebug.c @@ -1089,6 +1089,78 @@ static int do_efi_boot_opt(cmd_tbl_t *cmdtp, int flag, return cp->cmd(cmdtp, flag, argc, argv); } +/** + * do_efi_test_bootmgr() - run simple bootmgr for test + * + * @cmdtp: Command table + * @flag: Command flag + * @argc: Number of arguments + * @argv: Argument array + * Return: CMD_RET_SUCCESS on success, + * CMD_RET_USAGE or CMD_RET_RET_FAILURE on failure + * + * Implement efidebug "test bootmgr" sub-command. + * Run simple bootmgr for test. + * + * efidebug test bootmgr + */ +static int do_efi_test_bootmgr(cmd_tbl_t *cmdtp, int flag, + int argc, char * const argv[]) +{ + efi_handle_t image; + efi_uintn_t exit_data_size = 0; + u16 *exit_data = NULL; + efi_status_t ret; + + ret = efi_bootmgr_load(&image); + printf("efi_bootmgr_load() returned: %ld\n", ret & ~EFI_ERROR_MASK); + + /* We call efi_start_image() even if error for test purpose. */ + ret = EFI_CALL(efi_start_image(image, &exit_data_size, &exit_data)); + printf("efi_start_image() returned: %ld\n", ret & ~EFI_ERROR_MASK); + if (ret && exit_data) + efi_free_pool(exit_data); + + efi_restore_gd(); + + return CMD_RET_SUCCESS; +} + +static cmd_tbl_t cmd_efidebug_test_sub[] = { + U_BOOT_CMD_MKENT(bootmgr, CONFIG_SYS_MAXARGS, 1, do_efi_test_bootmgr, + "", ""), +}; + +/** + * do_efi_test() - manage UEFI load options + * + * @cmdtp: Command table + * @flag: Command flag + * @argc: Number of arguments + * @argv: Argument array + * Return: CMD_RET_SUCCESS on success, + * CMD_RET_USAGE or CMD_RET_RET_FAILURE on failure + * + * Implement efidebug "test" sub-command. + */ +static int do_efi_test(cmd_tbl_t *cmdtp, int flag, + int argc, char * const argv[]) +{ + cmd_tbl_t *cp; + + if (argc < 2) + return CMD_RET_USAGE; + + argc--; argv++; + + cp = find_cmd_tbl(argv[0], cmd_efidebug_test_sub, + ARRAY_SIZE(cmd_efidebug_test_sub)); + if (!cp) + return CMD_RET_USAGE; + + return cp->cmd(cmdtp, flag, argc, argv); +} + static cmd_tbl_t cmd_efidebug_sub[] = { U_BOOT_CMD_MKENT(boot, CONFIG_SYS_MAXARGS, 1, do_efi_boot_opt, "", ""), U_BOOT_CMD_MKENT(devices, CONFIG_SYS_MAXARGS, 1, do_efi_show_devices, @@ -1103,6 +1175,8 @@ static cmd_tbl_t cmd_efidebug_sub[] = { "", ""), U_BOOT_CMD_MKENT(tables, CONFIG_SYS_MAXARGS, 1, do_efi_show_tables, "", ""), + U_BOOT_CMD_MKENT(test, CONFIG_SYS_MAXARGS, 1, do_efi_test, + "", ""), }; /** @@ -1172,7 +1246,9 @@ static char efidebug_help_text[] = "efidebug memmap\n" " - show UEFI memory map\n" "efidebug tables\n" - " - show UEFI configuration tables\n"; + " - show UEFI configuration tables\n" + "efidebug test bootmgr\n" + " - run simple bootmgr for test\n"; #endif U_BOOT_CMD( -- cgit v1.1