diff options
Diffstat (limited to 'meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-introduce-EFI-authenticated-capsule-upd.patch')
| -rw-r--r-- | meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-introduce-EFI-authenticated-capsule-upd.patch | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-introduce-EFI-authenticated-capsule-upd.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-introduce-EFI-authenticated-capsule-upd.patch new file mode 100644 index 0000000000..6e268d436b --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-introduce-EFI-authenticated-capsule-upd.patch @@ -0,0 +1,77 @@ +From 0d1975369f3c483b540818cec8a088ed35116bbb Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Wed, 13 Sep 2023 13:55:08 +0100 +Subject: [PATCH 38/38] corstone1000: introduce EFI authenticated capsule + update + +Introduces EFI authenticated capsule update for corstone1000. Corstone1000 +implements platform-specific capsule update mechanism in u-bootdue to the SoC +design. This patch add authenticated capsule update mechanism to the +platform-specific firmware-update routine. + +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +Upstream-Status: Inappropriate [Redesign of Capsule update interface is required] +--- + lib/efi_loader/efi_capsule.c | 39 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c +index 6a06605ad9..e1c78d8c1c 100644 +--- a/lib/efi_loader/efi_capsule.c ++++ b/lib/efi_loader/efi_capsule.c +@@ -820,6 +820,12 @@ efi_status_t __efi_runtime EFIAPI efi_update_capsule( + u64 scatter_gather_list) + { + struct efi_capsule_header *capsule; ++ struct efi_firmware_management_capsule_header *capsule_header; ++ struct efi_firmware_management_capsule_image_header *image; ++ size_t image_binary_size; ++ size_t tmp_capsule_payload_size=0; ++ void *tmp_capsule_payload=NULL; ++ void *image_binary; + unsigned int i; + efi_status_t ret; + +@@ -859,6 +865,39 @@ efi_status_t __efi_runtime EFIAPI efi_update_capsule( + goto out; + } + ++ capsule_header = (void *)capsule + capsule->header_size; ++ image = (void *)capsule_header + capsule_header->item_offset_list[0]; ++ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && ++ !(image->image_capsule_support & ++ CAPSULE_SUPPORT_AUTHENTICATION)) { ++ /* no signature */ ++ log_err("Corstone1000: Capsule authentication flag check failed. Aborting update\n"); ++ ret = EFI_SECURITY_VIOLATION; ++ goto out; ++ } ++ ++ image_binary = (void *)image + sizeof(*image); ++ image_binary_size = image->update_image_size; ++ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) && ++ (image->image_capsule_support & ++ CAPSULE_SUPPORT_AUTHENTICATION)){ ++ ret = efi_capsule_authenticate(image_binary, image_binary_size, ++ &tmp_capsule_payload, ++ &tmp_capsule_payload_size); ++ ++ if (ret == EFI_SECURITY_VIOLATION) { ++ log_err("Corstone1000: Capsule authentication check failed. Aborting update\n"); ++ goto out; ++ } else if (ret != EFI_SUCCESS) { ++ goto out; ++ } ++ ++ log_debug("Corstone1000: Capsule authentication successful\n"); ++ } else { ++ log_debug("Corstone1000: Capsule authentication disabled. "); ++ log_debug("Corstone1000: Updating capsule without authenticating.\n"); ++ } ++ + /* copy the data to the contiguous buffer */ + efi_memcpy_runtime(corstone1000_capsule_buf, capsule, capsule->capsule_image_size); + +-- +2.25.1 + |