Diffstat (limited to 'lib')
-rw-r--r-- | lib/efi_loader/Kconfig | 17 | ||||
-rw-r--r-- | lib/efi_loader/Makefile | 1 | ||||
-rw-r--r-- | lib/efi_loader/efi_conformance.c | 60 | ||||
-rw-r--r-- | lib/efi_loader/efi_console.c | 5 | ||||
-rw-r--r-- | lib/efi_loader/efi_device_path_to_text.c | 7 | ||||
-rw-r--r-- | lib/efi_loader/efi_disk.c | 17 | ||||
-rw-r--r-- | lib/efi_loader/efi_setup.c | 14 | ||||
-rw-r--r-- | lib/efi_loader/helloworld.c | 66 | ||||
-rw-r--r-- | lib/efi_selftest/efi_selftest_miniapp_exception.c | 9 | ||||
-rw-r--r-- | lib/tpm-v1.c | 5 | ||||
-rw-r--r-- | lib/tpm-v2.c | 70 | ||||
-rw-r--r-- | lib/tpm_api.c | 10 | ||||
-rw-r--r-- | lib/uuid.c | 4 |
13 files changed, 256 insertions, 29 deletions
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 5cfff8c56bc..b8fb2701a74 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -385,6 +385,23 @@ config EFI_ESRT help Enabling this option creates the ESRT UEFI system table. +config EFI_ECPT + bool "Enable the UEFI ECPT generation" + default y + help + Enabling this option created the ECPT UEFI table. + +config EFI_EBBR_2_0_CONFORMANCE + bool "Add the EBBRv2.0 conformance entry to the ECPT table" + depends on EFI_ECPT + depends on EFI_LOADER_HII + depends on EFI_RISCV_BOOT_PROTOCOL || !RISCV + depends on EFI_RNG_PROTOCOL || !DM_RNG + depends on EFI_UNICODE_COLLATION_PROTOCOL2 + default y + help + Enabling this option adds the EBBRv2.0 conformance entry to the ECPT UEFI table. + config EFI_RISCV_BOOT_PROTOCOL bool "RISCV_EFI_BOOT_PROTOCOL support" default y diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile index f54c244c326..e187d2a914f 100644 --- a/lib/efi_loader/Makefile +++ b/lib/efi_loader/Makefile @@ -76,6 +76,7 @@ obj-$(CONFIG_EFI_TCG2_PROTOCOL) += efi_tcg2.o obj-$(CONFIG_EFI_RISCV_BOOT_PROTOCOL) += efi_riscv.o obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o obj-$(CONFIG_EFI_SIGNATURE_SUPPORT) += efi_signature.o +obj-$(CONFIG_EFI_ECPT) += efi_conformance.o EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE)) $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE) diff --git a/lib/efi_loader/efi_conformance.c b/lib/efi_loader/efi_conformance.c new file mode 100644 index 00000000000..a49aae92497 --- /dev/null +++ b/lib/efi_loader/efi_conformance.c 
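Review bot: The help text of the new EFI_ECPT option reads "Enabling this option created the ECPT UEFI table", which should be `Enabling this option creates the ECPT UEFI table.` to match the EFI_ESRT entry just above it. Neither new help text expands ECPT (the conformance profiles table, going by the new file's header comment), so one sentence saying what the table advertises to the OS would help anyone deciding whether to keep `default y`.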
@@ -0,0 +1,60 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * EFI conformance profile table + * + * Copyright (C) 2022 Arm Ltd. + */ + +#include <common.h> +#include <efi_loader.h> +#include <log.h> +#include <efi_api.h> +#include <malloc.h> + +static const efi_guid_t efi_ecpt_guid = EFI_CONFORMANCE_PROFILES_TABLE_GUID; +static const efi_guid_t efi_ebbr_2_0_guid = + EFI_CONFORMANCE_PROFILE_EBBR_2_0_GUID; + +/** + * efi_ecpt_register() - Install the ECPT system table. + * + * Return: status code + */ +efi_status_t efi_ecpt_register(void) +{ + int num_entries = 0; + struct efi_conformance_profiles_table *ecpt; + efi_status_t ret; + size_t ecpt_size; + + ecpt_size = num_entries * sizeof(efi_guid_t) + + sizeof(struct efi_conformance_profiles_table); + ret = efi_allocate_pool(EFI_BOOT_SERVICES_DATA, ecpt_size, + (void **)&ecpt); + + if (ret != EFI_SUCCESS) { + log_err("Out of memory\n"); + + return ret; + } + + if (CONFIG_IS_ENABLED(EFI_EBBR_2_0_CONFORMANCE)) + guidcpy(&ecpt->conformance_profiles[num_entries++], + &efi_ebbr_2_0_guid); + + ecpt->version = EFI_CONFORMANCE_PROFILES_TABLE_VERSION; + ecpt->number_of_profiles = num_entries; + + /* Install the ECPT in the system configuration table. */ + ret = efi_install_configuration_table(&efi_ecpt_guid, (void *)ecpt); + if (ret != EFI_SUCCESS) { + log_err("Failed to install ECPT\n"); + efi_free_pool(ecpt); + + return ret; + } + + log_debug("ECPT created\n"); + + return EFI_SUCCESS; +} diff --git a/lib/efi_loader/efi_console.c b/lib/efi_loader/efi_console.c index 3164fd484e2..ee9dc6bbd82 100644 --- a/lib/efi_loader/efi_console.c +++ b/lib/efi_loader/efi_console.c 
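Review bot: In efi_ecpt_register() `ecpt_size` is computed while `num_entries` is still 0, so the pool allocation covers only the table header. The later `guidcpy(&ecpt->conformance_profiles[num_entries++], &efi_ebbr_2_0_guid)` then writes one GUID past the end of that allocation whenever EFI_EBBR_2_0_CONFORMANCE is enabled. This assumes `conformance_profiles` is a trailing array with no storage of its own inside the struct; its definition is not part of this diff. Count the profiles before sizing the buffer, for example `if (CONFIG_IS_ENABLED(EFI_EBBR_2_0_CONFORMANCE)) num_entries++;` ahead of the `ecpt_size` computation, and fill the array with a separate index after the allocation succeeds.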
@@ -987,12 +987,14 @@ static efi_status_t EFIAPI efi_cin_read_key_stroke_ex( efi_cin_check(); if (!key_available) { + memset(key_data, 0, sizeof(struct efi_key_data)); ret = EFI_NOT_READY; goto out; } /* * CTRL+A - CTRL+Z have to be signaled as a - z. * SHIFT+CTRL+A - SHIFT+CTRL+Z have to be signaled as A - Z. + * CTRL+\ - CTRL+_ have to be signaled as \ - _. */ switch (next_key.key.unicode_char) { case 0x01 ... 0x07: @@ -1005,6 +1007,9 @@ static efi_status_t EFIAPI efi_cin_read_key_stroke_ex( next_key.key.unicode_char += 0x40; else next_key.key.unicode_char += 0x60; + break; + case 0x1c ... 0x1f: + next_key.key.unicode_char += 0x40; } *key_data = next_key; key_available = false; diff --git a/lib/efi_loader/efi_device_path_to_text.c b/lib/efi_loader/efi_device_path_to_text.c index 6c428ee061f..9062058ac22 100644 --- a/lib/efi_loader/efi_device_path_to_text.c +++ b/lib/efi_loader/efi_device_path_to_text.c @@ -190,13 +190,14 @@ static char *dp_msging(char *s, struct efi_device_path *dp) struct efi_device_path_nvme *ndp = (struct efi_device_path_nvme *)dp; u32 ns_id; - int i; memcpy(&ns_id, &ndp->ns_id, sizeof(ns_id)); s += sprintf(s, "NVMe(0x%x,", ns_id); - for (i = 0; i < sizeof(ndp->eui64); ++i) + + /* Display byte 7 first, byte 0 last */ + for (int i = 0; i < 8; ++i) s += sprintf(s, "%s%02x", i ? "-" : "", - ndp->eui64[i]); + ndp->eui64[i ^ 7]); s += sprintf(s, ")"); break; diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c index f269abf1354..5feeb52ccb4 100644 --- a/lib/efi_loader/efi_disk.c +++ b/lib/efi_loader/efi_disk.c 
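Review bot: The NVMe branch in dp_msging() now hard-codes `8` as the loop bound and `i ^ 7` as the reversal, where the old loop was bounded by `sizeof(ndp->eui64)`. Both constants silently depend on that field staying eight bytes, and the XOR form is harder to audit than a plain subtraction. I would keep the size tied to the field: `for (int i = 0; i < sizeof(ndp->eui64); ++i)` with `ndp->eui64[sizeof(ndp->eui64) - 1 - i]`. The function body starts and ends outside the hunk, so whether the `sprintf()` destination `s` is large enough for the full NVMe text cannot be checked from here.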
@@ -760,3 +760,20 @@ efi_status_t efi_disk_init(void) return EFI_SUCCESS; } + +/** + * efi_disks_register() - ensure all block devices are available in UEFI + * + * The function probes all block devices. As we store UEFI variables on the + * EFI system partition this function has to be called before enabling + * variable services. + */ +efi_status_t efi_disks_register(void) +{ + struct udevice *dev; + + uclass_foreach_dev_probe(UCLASS_BLK, dev) { + } + + return EFI_SUCCESS; +} diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index 751beda5902..c633fcd91e3 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -246,6 +246,14 @@ efi_status_t efi_init_obj_list(void) /* Set up console modes */ efi_setup_console_size(); + /* + * Probe block devices to find the ESP. + * efi_disks_register() must be called before efi_init_variables(). + */ + ret = efi_disks_register(); + if (ret != EFI_SUCCESS) + goto out; + /* Initialize variable services */ ret = efi_init_variables(); if (ret != EFI_SUCCESS) @@ -266,6 +274,12 @@ efi_status_t efi_init_obj_list(void) if (ret != EFI_SUCCESS) goto out; + if (IS_ENABLED(CONFIG_EFI_ECPT)) { + ret = efi_ecpt_register(); + if (ret != EFI_SUCCESS) + goto out; + } + if (IS_ENABLED(CONFIG_EFI_ESRT)) { ret = efi_esrt_register(); if (ret != EFI_SUCCESS) diff --git a/lib/efi_loader/helloworld.c b/lib/efi_loader/helloworld.c index 10666dc0f22..d565f327457 100644 --- a/lib/efi_loader/helloworld.c +++ b/lib/efi_loader/helloworld.c 
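Review bot: efi_disks_register() returns EFI_SUCCESS unconditionally, so the `if (ret != EFI_SUCCESS) goto out;` added after its call in efi_init_obj_list() can never fire. Whether a block device that fails to probe is reported anywhere depends on `uclass_foreach_dev_probe`, which is not visible in this diff. The kernel-doc block has no `Return:` line; I would add `* Return: status code (currently always EFI_SUCCESS)`. The empty loop body should carry a comment such as `/* probing the device is the only purpose of this loop */`, so that it is not mistaken for unfinished code. Since the description says variable storage on the ESP depends on this step, it is worth stating whether a silent probe failure is acceptable here.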
@@ -29,24 +29,66 @@ static struct efi_system_table *systable; static struct efi_boot_services *boottime; static struct efi_simple_text_output_protocol *con_out; +/* + * Print an unsigned 32bit value as decimal number to an u16 string + * + * @value: value to be printed + * @buf: pointer to buffer address + * on return position of terminating zero word + */ +static void uint2dec(u32 value, u16 **buf) +{ + u16 *pos = *buf; + int i; + u16 c; + u64 f; + + /* + * Increment by .5 and multiply with + * (2 << 60) / 1,000,000,000 = 0x44B82FA0.9B5A52CC + * to move the first digit to bit 60-63. + */ + f = 0x225C17D0; + f += (0x9B5A52DULL * value) >> 28; + f += 0x44B82FA0ULL * value; + + for (i = 0; i < 10; ++i) { + /* Write current digit */ + c = f >> 60; + if (c || pos != *buf) + *pos++ = c + '0'; + /* Eliminate current digit */ + f &= 0xfffffffffffffff; + /* Get next digit */ + f *= 0xaULL; + } + if (pos == *buf) + *pos++ = '0'; + *pos = 0; + *buf = pos; +} + /** * print_uefi_revision() - print UEFI revision number */ static void print_uefi_revision(void) { - u16 rev[] = u"0.0.0"; - - rev[0] = (systable->hdr.revision >> 16) + '0'; - rev[4] = systable->hdr.revision & 0xffff; - for (; rev[4] >= 10;) { - rev[4] -= 10; - ++rev[2]; + u16 rev[13] = {0}; + u16 *buf = rev; + u16 digit; + + uint2dec(systable->hdr.revision >> 16, &buf); + *buf++ = '.'; + uint2dec(systable->hdr.revision & 0xffff, &buf); + + /* Minor revision is only to be shown if non-zero */ + digit = *--buf; + if (digit == '0') { + *buf = 0; + } else { + *buf++ = '.'; + *buf = digit; } - /* Third digit is only to be shown if non-zero */ - if (rev[4]) - rev[4] += '0'; - else - rev[3] = 0; con_out->output_string(con_out, u"Running on UEFI "); con_out->output_string(con_out, rev); diff --git a/lib/efi_selftest/efi_selftest_miniapp_exception.c b/lib/efi_selftest/efi_selftest_miniapp_exception.c index 79f9a67859b..a9ad381001f 100644 --- a/lib/efi_selftest/efi_selftest_miniapp_exception.c 
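Review bot: print_uefi_revision() produces a malformed string when the low 16 bits of the revision are below 10, because the code assumes the minor field always prints as at least two digits. A minor field of 0 prints "0", which is then stripped, giving "2." for revision 0x00020000. A value such as 5 gives "2..5", since the dot is written over the only digit. Splitting the field arithmetically avoids the fix-up of the last character and still fits in `rev[13]`; the `digit` local then becomes unused. The comment block on uint2dec() opens with `/*` while the rest of the file uses kernel-doc `/**`, and its multiplier comment says `(2 << 60)` where the constant shown corresponds to 2^60 / 10^9.

```c
static void print_uefi_revision(void)
{
	u16 rev[13] = {0};
	u16 *buf = rev;
	u16 minor = systable->hdr.revision & 0xffff;

	uint2dec(systable->hdr.revision >> 16, &buf);
	*buf++ = '.';
	uint2dec(minor / 10, &buf);
	/* Third component is only to be shown if non-zero */
	if (minor % 10) {
		*buf++ = '.';
		uint2dec(minor % 10, &buf);
	}
	/* … unchanged: output_string() calls … */
```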
+++ b/lib/efi_selftest/efi_selftest_miniapp_exception.c @@ -9,6 +9,7 @@ #include <common.h> #include <efi_api.h> +#include <host_arch.h> /* * Entry point of the EFI application. @@ -33,11 +34,17 @@ efi_status_t EFIAPI efi_main(efi_handle_t handle, asm volatile (".word 0xe7f7defb\n"); #elif defined(CONFIG_RISCV) asm volatile (".word 0xffffffff\n"); +#elif defined(CONFIG_X86) + asm volatile (".word 0xffff\n"); #elif defined(CONFIG_SANDBOX) +#if (HOST_ARCH == HOST_ARCH_ARM || HOST_ARCH == HOST_ARCH_AARCH64) + asm volatile (".word 0xe7f7defb\n"); +#elif (HOST_ARCH == HOST_ARCH_RISCV32 || HOST_ARCH == HOST_ARCH_RISCV64) asm volatile (".word 0xffffffff\n"); -#elif defined(CONFIG_X86) +#elif (HOST_ARCH == HOST_ARCH_X86 || HOST_ARCH == HOST_ARCH_X86_64) asm volatile (".word 0xffff\n"); #endif +#endif con_out->output_string(con_out, u"Exception not triggered.\n"); return EFI_ABORTED; } diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c index 22a769c5874..d0e3ab1b21d 100644 --- a/lib/tpm-v1.c +++ b/lib/tpm-v1.c @@ -456,12 +456,13 @@ u32 tpm1_get_permissions(struct udevice *dev, u32 index, u32 *perm) 0x0, 0x0, 0x0, 0x4, }; const size_t index_offset = 18; - const size_t perm_offset = 60; + const size_t perm_offset = 74; u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE]; size_t response_length = sizeof(response); u32 err; - if (pack_byte_string(buf, sizeof(buf), "d", 0, command, sizeof(command), + if (pack_byte_string(buf, sizeof(buf), "sd", + 0, command, sizeof(command), index_offset, index)) return TPM_LIB_ERROR; err = tpm_sendrecv_command(dev, buf, response, &response_length); diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 1bf627853af..697b982e079 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c 
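Review bot: In tpm1_get_permissions() `perm_offset` changes from 60 to 74 with no comment saying which response fields those bytes skip, so the value cannot be checked against the response layout. A comment on the constant that lists the fields preceding the permission word and their sizes would make the next correction reviewable. The code that reads the response at `perm_offset` lies outside the hunk. With the larger offset, it is worth confirming that `response_length` is checked to cover `perm_offset + sizeof(u32)` before the device-supplied bytes are unpacked.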
@@ -89,14 +89,18 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index, * Calculate the offset of the nv_policy piece by adding each of the * chunks below. */ - uint offset = 10 + 8 + 13 + 14; + const int platform_len = sizeof(u32); + const int session_hdr_len = 13; + const int message_len = 14; + uint offset = TPM2_HDR_LEN + platform_len + session_hdr_len + + message_len; u8 command_v2[COMMAND_BUFFER_SIZE] = { /* header 10 bytes */ tpm_u16(TPM2_ST_SESSIONS), /* TAG */ - tpm_u32(offset + nv_policy_size),/* Length */ + tpm_u32(offset + nv_policy_size + 2),/* Length */ tpm_u32(TPM2_CC_NV_DEFINE_SPACE),/* Command code */ - /* handles 8 bytes */ + /* handles 4 bytes */ tpm_u32(TPM2_RH_PLATFORM), /* Primary platform seed */ /* session header 13 bytes */ @@ -107,12 +111,15 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index, tpm_u16(0), /* auth_size */ /* message 14 bytes + policy */ - tpm_u16(12 + nv_policy_size), /* size */ + tpm_u16(message_len + nv_policy_size), /* size */ tpm_u32(space_index), tpm_u16(TPM2_ALG_SHA256), tpm_u32(nv_attributes), tpm_u16(nv_policy_size), - /* nv_policy */ + /* + * nv_policy + * space_size + */ }; int ret; @@ -120,8 +127,9 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index, * Fill the command structure starting from the first buffer: * - the password (if any) */ - ret = pack_byte_string(command_v2, sizeof(command_v2), "s", - offset, nv_policy, nv_policy_size); + ret = pack_byte_string(command_v2, sizeof(command_v2), "sw", + offset, nv_policy, nv_policy_size, + offset + nv_policy_size, space_size); if (ret) return TPM_LIB_ERROR; @@ -157,6 +165,8 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm, }; int ret; + if (!digest) + return -EINVAL; /* * Fill the command structure starting from the first buffer: * - the digest 
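Review bot: In tpm2_nv_define_space() `message_len` (14) stands for two different quantities that only happen to be equal. In `offset` it counts the message bytes that precede nv_policy in the buffer, including the 2-byte size field. In `tpm_u16(message_len + nv_policy_size)` in the next hunk it is the value of that size field, which by my reading excludes the field itself but includes the trailing 2-byte space_size. The bare `+ 2` added to the Length field is the same space_size. I would name it, e.g. `const int space_size_len = sizeof(u16);`, and add a comment at the size field such as `/* size excludes this field, includes space_size */`. The function body extends beyond these hunks, so whether nv_policy_size is bounded before it is narrowed by `tpm_u16()` is not visible here.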
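Review bot: The new NULL check in tpm2_pcr_extend() returns `-EINVAL` from a function declared `u32`, while the pack failure in tpm2_nv_define_space() in this same file returns `TPM_LIB_ERROR`. A caller that compares the result against TPM return codes will see a large unsigned value that is neither. Either return `TPM_LIB_ERROR` here or document on the function that negative errno values are part of its contract. The rest of the function is outside the hunk, so its other error paths could not be compared.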
@@ -669,3 +679,49 @@ u32 tpm2_submit_command(struct udevice *dev, const u8 *sendbuf, { return tpm_sendrecv_command(dev, sendbuf, recvbuf, recv_size); } + +u32 tpm2_report_state(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd, + u8 *recvbuf, size_t *recv_size) +{ + u8 command_v2[COMMAND_BUFFER_SIZE] = { + /* header 10 bytes */ + tpm_u16(TPM2_ST_NO_SESSIONS), /* TAG */ + tpm_u32(10 + 2), /* Length */ + tpm_u32(vendor_cmd), /* Command code */ + + tpm_u16(vendor_subcmd), + }; + int ret; + + ret = tpm_sendrecv_command(dev, command_v2, recvbuf, recv_size); + log_debug("ret=%s, %x\n", dev->name, ret); + if (ret) + return ret; + if (*recv_size < 12) + return -ENODATA; + *recv_size -= 12; + memcpy(recvbuf, recvbuf + 12, *recv_size); + + return 0; +} + +u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd, + uint vendor_subcmd) +{ + u8 command_v2[COMMAND_BUFFER_SIZE] = { + /* header 10 bytes */ + tpm_u16(TPM2_ST_NO_SESSIONS), /* TAG */ + tpm_u32(10 + 2), /* Length */ + tpm_u32(vendor_cmd), /* Command code */ + + tpm_u16(vendor_subcmd), + }; + int ret; + + ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL); + log_debug("ret=%s, %x\n", dev->name, ret); + if (ret) + return ret; + + return 0; +} diff --git a/lib/tpm_api.c b/lib/tpm_api.c index 032f383ca04..7e8df8795ef 100644 --- a/lib/tpm_api.c +++ b/lib/tpm_api.c @@ -140,15 +140,17 @@ u32 tpm_write_lock(struct udevice *dev, u32 index) } u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest, - void *out_digest) + uint size, void *out_digest, const char *name) { - if (tpm_is_v1(dev)) + if (tpm_is_v1(dev)) { return tpm1_extend(dev, index, in_digest, out_digest); - else if (tpm_is_v2(dev)) + } else if (tpm_is_v2(dev)) { return tpm2_pcr_extend(dev, index, TPM2_ALG_SHA256, in_digest, TPM2_DIGEST_LEN); - else + /* @name is ignored as we do not support the TPM log here */ + } else { return -ENOSYS; + } } u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count) 
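Review bot: In tpm2_report_state() `memcpy(recvbuf, recvbuf + 12, *recv_size);` copies between overlapping regions whenever more than 12 bytes of payload remain, which memcpy does not permit; this should be `memmove(recvbuf, recvbuf + 12, *recv_size);`. The literal 12 appears three times without a name or a comment tying it to the response layout. In both new functions the `log_debug("ret=%s, %x\n", dev->name, ret)` call prints the device name under the label `ret`. Neither function has a kernel-doc block describing the vendor command arguments and the returned buffer. tpm2_enable_nvcommits() passes NULL for both the receive buffer and its size, so it is worth confirming that `tpm_sendrecv_command()` accepts that, as its body is not in this diff.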
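Review bot: The new `size` parameter of tpm_pcr_extend() is never read in the visible body: the TPM2 branch still passes `TPM2_DIGEST_LEN` and the TPM1 branch passes no length at all. A caller that supplies a shorter digest and an honest `size` would therefore have bytes read beyond its buffer. Until other digest lengths are supported, I would reject a mismatch up front in the v2 branch, e.g. `if (size != TPM2_DIGEST_LEN) return -EINVAL;`, or pass `size` through if tpm2_pcr_extend() can take it. The comment about `@name` sits after the `return` statement inside the branch; it reads better in the function's header comment.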
diff --git a/lib/uuid.c b/lib/uuid.c
index 284f8113ff8..465e1ac38f5 100644
--- a/lib/uuid.c
+++ b/lib/uuid.c
@@ -220,6 +220,10 @@ static const struct {
 "TCG2 Final Events Table",
 EFI_TCG2_FINAL_EVENTS_TABLE_GUID,
 },
+ {
+ "EFI Conformance Profiles Table",
+ EFI_CONFORMANCE_PROFILES_TABLE_GUID,
+ },
 #ifdef CONFIG_EFI_RISCV_BOOT_PROTOCOL
 {
 "RISC-V Boot", |