From 1ccf87165e38cb32f2444d8fd4b3e4d8ea13928e Mon Sep 17 00:00:00 2001 From: Sunil V L Date: Fri, 28 Jan 2022 20:48:44 +0530 Subject: efi_loader: Enable RISCV_EFI_BOOT_PROTOCOL support This adds support for new RISCV_EFI_BOOT_PROTOCOL to communicate the boot hart ID to bootloader/kernel on RISC-V UEFI platforms. The specification of the protocol is hosted at: https://github.com/riscv-non-isa/riscv-uefi Signed-off-by: Sunil V L Reviewed-by: Heinrich Schuchardt --- include/efi_api.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'include/efi_api.h') diff --git a/include/efi_api.h b/include/efi_api.h index 8d5d835bd01..f123d0557c6 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -438,6 +438,10 @@ struct efi_runtime_services { EFI_GUID(0x607f766c, 0x7455, 0x42be, 0x93, \ 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f) +#define RISCV_EFI_BOOT_PROTOCOL_GUID \ + EFI_GUID(0xccd15fec, 0x6f73, 0x4eec, 0x83, \ + 0x95, 0x3e, 0x69, 0xe4, 0xb9, 0x40, 0xbf) + /** * struct efi_configuration_table - EFI Configuration Table * -- cgit v1.2.3 From 4b634313232ed4a17bbf66d228764fef639e1f65 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Sat, 29 Jan 2022 00:20:31 +0200 Subject: efi_loader: correctly handle mixed hashes and signatures in db A mix of signatures and hashes in db doesn't always work as intended. Currently if the digest algorithm is not explicitly set to sha256 we stop walking the security database and reject the image. That's problematic in case we find and try to check a signature before inspecting the sha256 hash. If the image is unsigned we will reject it even if the digest matches. Since we no longer reject the image on unknown algorithms add an explicit check and reject the image if any other hash algorithm apart from sha256 is detected on dbx. Suggested-by: Heinrich Schuchardt Signed-off-by: Ilias Apalodimas Reviewed-by: Heinrich Schuchardt --- include/efi_api.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'include/efi_api.h') diff --git a/include/efi_api.h b/include/efi_api.h index f123d0557c6..982c2001728 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -1849,9 +1849,21 @@ struct efi_system_resource_table { #define LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL_VENDOR_RANGE_MAX 0x00004000 /* Certificate types in signature database */ +#define EFI_CERT_SHA1_GUID \ + EFI_GUID(0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, \ + 0xbe, 0x01, 0x49, 0x66, 0x31, 0xbd) +#define EFI_CERT_SHA224_GUID \ + EFI_GUID(0xb6e5233, 0xa65c, 0x44c9, 0x94, 0x07, \ + 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd) #define EFI_CERT_SHA256_GUID \ EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, \ 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28) +#define EFI_CERT_SHA384_GUID \ + EFI_GUID(0xff3e5307, 0x9fd0, 0x48c9, 0x85, 0xf1, \ + 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x01) +#define EFI_CERT_SHA512_GUID \ + EFI_GUID(0x93e0fae, 0xa6c4, 0x4f50, 0x9f, 0x1b, \ + 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a) #define EFI_CERT_RSA2048_GUID \ EFI_GUID(0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, \ 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6) -- cgit v1.2.3