summaryrefslogtreecommitdiff
path: root/lib/efi_loader
diff options
context:
space:
mode:
Diffstat (limited to 'lib/efi_loader')
-rw-r--r--lib/efi_loader/Kconfig8
-rw-r--r--lib/efi_loader/efi_file.c2
-rw-r--r--lib/efi_loader/efi_firmware.c5
-rw-r--r--lib/efi_loader/efi_tcg2.c47
4 files changed, 43 insertions, 19 deletions
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 0b99d7c7749..eb5c4d6f294 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
select IMAGE_SIGN_INFO
+ select HASH_CALCULATE
default n
help
Select this option if you want to enable capsule
@@ -300,7 +301,13 @@ config EFI_RNG_PROTOCOL
config EFI_TCG2_PROTOCOL
bool "EFI_TCG2_PROTOCOL support"
+ default y
depends on TPM_V2
+ select SHA1
+ select SHA256
+ select SHA512_ALGO
+ select SHA384
+ select SHA512
help
Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
of the platform.
@@ -336,6 +343,7 @@ config EFI_SECURE_BOOT
select X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER
select PKCS7_VERIFY
+ select HASH_CALCULATE
default n
help
Select this option to enable EFI secure boot support.
diff --git a/lib/efi_loader/efi_file.c b/lib/efi_loader/efi_file.c
index 204105e25af..6b3f5962be2 100644
--- a/lib/efi_loader/efi_file.c
+++ b/lib/efi_loader/efi_file.c
@@ -554,7 +554,7 @@ static efi_status_t efi_file_read_int(struct efi_file_handle *this,
efi_status_t ret = EFI_SUCCESS;
u64 bs;
- if (!this || !buffer_size || !buffer)
+ if (!this || !buffer_size)
return EFI_INVALID_PARAMETER;
bs = *buffer_size;
diff --git a/lib/efi_loader/efi_firmware.c b/lib/efi_loader/efi_firmware.c
index 7a3cca27936..a1b88dbfc28 100644
--- a/lib/efi_loader/efi_firmware.c
+++ b/lib/efi_loader/efi_firmware.c
@@ -190,7 +190,7 @@ static efi_status_t efi_get_dfu_info(
IMAGE_ATTRIBUTE_IMAGE_UPDATABLE;
/* Check if the capsule authentication is enabled */
- if (env_get("capsule_authentication_enabled"))
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE))
image_info[0].attributes_setting |=
IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED;
@@ -421,8 +421,7 @@ efi_status_t EFIAPI efi_firmware_raw_set_image(
return EFI_EXIT(EFI_INVALID_PARAMETER);
/* Authenticate the capsule if authentication enabled */
- if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
- env_get("capsule_authentication_enabled")) {
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE)) {
capsule_payload = NULL;
capsule_payload_size = 0;
status = efi_capsule_authenticate(image, image_size,
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 94e8f22bbb6..39ef250bf9c 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -771,8 +771,8 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
pcr_index = efi_tcg_event->header.pcr_index;
event_type = efi_tcg_event->header.event_type;
- ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
- &digest_list);
+ ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash,
+ data_to_hash_len, &digest_list);
if (ret != EFI_SUCCESS)
goto out;
@@ -999,6 +999,11 @@ static efi_status_t create_final_event(void)
event_log.final_pos = sizeof(*final_event);
ret = efi_install_configuration_table(&efi_guid_final_events,
final_event);
+ if (ret != EFI_SUCCESS) {
+ efi_free_pool(event_log.final_buffer);
+ event_log.final_buffer = NULL;
+ }
+
out:
return ret;
}
@@ -1047,18 +1052,21 @@ static efi_status_t efi_init_event_log(void)
ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
&spec_event_size);
if (ret != EFI_SUCCESS)
- goto out;
+ goto free_pool;
put_unaligned_le32(spec_event_size, &event_header->event_size);
event_log.pos = spec_event_size + sizeof(*event_header);
event_log.last_event_size = event_log.pos;
ret = create_final_event();
if (ret != EFI_SUCCESS)
- goto out;
+ goto free_pool;
- return EFI_SUCCESS;
out:
- tcg2_uninit();
+ return ret;
+
+free_pool:
+ efi_free_pool(event_log.buffer);
+ event_log.buffer = NULL;
return ret;
}
@@ -1107,8 +1115,7 @@ efi_status_t efi_tcg2_register(void)
ret = platform_get_tpm2_device(&dev);
if (ret != EFI_SUCCESS) {
log_warning("Unable to find TPMv2 device\n");
- ret = EFI_SUCCESS;
- goto out;
+ return EFI_SUCCESS;
}
ret = efi_init_event_log();
@@ -1116,19 +1123,29 @@ efi_status_t efi_tcg2_register(void)
goto fail;
ret = efi_append_scrtm_version(dev);
- if (ret != EFI_SUCCESS)
- goto out;
+ if (ret != EFI_SUCCESS) {
+ tcg2_uninit();
+ goto fail;
+ }
ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
(void *)&efi_tcg2_protocol);
if (ret != EFI_SUCCESS) {
- log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+ tcg2_uninit();
goto fail;
}
-
-out:
return ret;
+
fail:
- tcg2_uninit();
- return ret;
+ log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+ /*
+ * Return EFI_SUCCESS and don't stop the EFI subsystem.
+ * That's done for 2 reasons
+ * - If the protocol is not installed the PCRs won't be extended. So
+ * someone later in the boot flow will notice that and take the
+ * necessary actions.
+ * - The TPM sandbox is limited and we won't be able to run any efi
+ * related tests with TCG2 enabled
+ */
+ return EFI_SUCCESS;
}
generated by cgit v1.2.3 (git 2.0.4) at 2025-08-04 12:01:36 +0000