blob: 6e268d436b5729469dbe01d858fd7de47425f04d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
From 0d1975369f3c483b540818cec8a088ed35116bbb Mon Sep 17 00:00:00 2001
From: Emekcan Aras <emekcan.aras@arm.com>
Date: Wed, 13 Sep 2023 13:55:08 +0100
Subject: [PATCH 38/38] corstone1000: introduce EFI authenticated capsule
update
Introduces EFI authenticated capsule update for corstone1000. Corstone1000
implements platform-specific capsule update mechanism in u-bootdue to the SoC
design. This patch add authenticated capsule update mechanism to the
platform-specific firmware-update routine.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Upstream-Status: Inappropriate [Redesign of Capsule update interface is required]
---
lib/efi_loader/efi_capsule.c | 39 ++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index 6a06605ad9..e1c78d8c1c 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -820,6 +820,12 @@ efi_status_t __efi_runtime EFIAPI efi_update_capsule(
u64 scatter_gather_list)
{
struct efi_capsule_header *capsule;
+ struct efi_firmware_management_capsule_header *capsule_header;
+ struct efi_firmware_management_capsule_image_header *image;
+ size_t image_binary_size;
+ size_t tmp_capsule_payload_size=0;
+ void *tmp_capsule_payload=NULL;
+ void *image_binary;
unsigned int i;
efi_status_t ret;
@@ -859,6 +865,39 @@ efi_status_t __efi_runtime EFIAPI efi_update_capsule(
goto out;
}
+ capsule_header = (void *)capsule + capsule->header_size;
+ image = (void *)capsule_header + capsule_header->item_offset_list[0];
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
+ !(image->image_capsule_support &
+ CAPSULE_SUPPORT_AUTHENTICATION)) {
+ /* no signature */
+ log_err("Corstone1000: Capsule authentication flag check failed. Aborting update\n");
+ ret = EFI_SECURITY_VIOLATION;
+ goto out;
+ }
+
+ image_binary = (void *)image + sizeof(*image);
+ image_binary_size = image->update_image_size;
+ if (IS_ENABLED(CONFIG_EFI_CAPSULE_AUTHENTICATE) &&
+ (image->image_capsule_support &
+ CAPSULE_SUPPORT_AUTHENTICATION)){
+ ret = efi_capsule_authenticate(image_binary, image_binary_size,
+ &tmp_capsule_payload,
+ &tmp_capsule_payload_size);
+
+ if (ret == EFI_SECURITY_VIOLATION) {
+ log_err("Corstone1000: Capsule authentication check failed. Aborting update\n");
+ goto out;
+ } else if (ret != EFI_SUCCESS) {
+ goto out;
+ }
+
+ log_debug("Corstone1000: Capsule authentication successful\n");
+ } else {
+ log_debug("Corstone1000: Capsule authentication disabled. ");
+ log_debug("Corstone1000: Updating capsule without authenticating.\n");
+ }
+
/* copy the data to the contiguous buffer */
efi_memcpy_runtime(corstone1000_capsule_buf, capsule, capsule->capsule_image_size);
--
2.25.1
|
