From 76956556fc56c8aaa782f131f4e4fa6fbaaf640f Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 10 Apr 2020 17:39:23 +0200 Subject: efi_loader: function descriptions efi_unicode_collation.c Correct function descriptions in efi_unicode_collation.c Add the Unicode collation protocol to the generated HTML documentation. Signed-off-by: Heinrich Schuchardt --- doc/api/efi.rst | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'doc') diff --git a/doc/api/efi.rst b/doc/api/efi.rst index 631c0ceb1d..b9c0c6efc5 100644 --- a/doc/api/efi.rst +++ b/doc/api/efi.rst @@ -151,3 +151,9 @@ Text IO protocols .. kernel-doc:: lib/efi_loader/efi_console.c :internal: + +Unicode Collation protocol +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. kernel-doc:: lib/efi_loader/efi_unicode_collation.c + :internal: -- cgit v1.2.3 From 540faca8a1d98997d09cdb3ee964a57a9cf9c5c4 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 10 Apr 2020 17:51:56 +0200 Subject: efi_loader: function descriptions efi_watchdog.c Correct function descriptions in efi_watchdog.c. Add the descriptions to the generated HTML documentation. Signed-off-by: Heinrich Schuchardt --- doc/api/efi.rst | 6 ++++++ lib/efi_loader/efi_watchdog.c | 18 +++++++++++------- 2 files changed, 17 insertions(+), 7 deletions(-) (limited to 'doc') diff --git a/doc/api/efi.rst b/doc/api/efi.rst index b9c0c6efc5..0667c3aef7 100644 --- a/doc/api/efi.rst +++ b/doc/api/efi.rst @@ -78,6 +78,12 @@ Memory services .. kernel-doc:: lib/efi_loader/efi_memory.c :internal: +SetWatchdogTimer service +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. kernel-doc:: lib/efi_loader/efi_watchdog.c + :internal: + Runtime services ---------------- diff --git a/lib/efi_loader/efi_watchdog.c b/lib/efi_loader/efi_watchdog.c index 6f69b76e4d..61ea0f7926 100644 --- a/lib/efi_loader/efi_watchdog.c +++ b/lib/efi_loader/efi_watchdog.c @@ -13,7 +13,9 @@ static struct efi_event *watchdog_timer_event; -/* +/** + * efi_watchdog_timer_notify() - resets system upon watchdog event + * * Reset the system when the watchdog event is notified. * * @event: the watchdog event @@ -31,13 +33,13 @@ static void EFIAPI efi_watchdog_timer_notify(struct efi_event *event, EFI_EXIT(EFI_UNSUPPORTED); } -/* - * Reset the watchdog timer. +/** + * efi_set_watchdog() - resets the watchdog timer * * This function is used by the SetWatchdogTimer service. * * @timeout: seconds before reset by watchdog - * @return: status code + * Return: status code */ efi_status_t efi_set_watchdog(unsigned long timeout) { @@ -53,10 +55,12 @@ efi_status_t efi_set_watchdog(unsigned long timeout) return r; } -/* - * Initialize the EFI watchdog. +/** + * efi_watchdog_register() - initializes the EFI watchdog + * + * This function is called by efi_init_obj_list(). * - * This function is called by efi_init_obj_list() + * Return: status code */ efi_status_t efi_watchdog_register(void) { -- cgit v1.2.3 From b2ace8753d0048487ab6e8955ae9067a6af91559 Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 14 Apr 2020 11:51:54 +0900 Subject: efi_loader: add some description about UEFI secure boot A small text in docs/uefi/uefi.rst was added to explain how we can configure and utilise UEFI secure boot feature on U-Boot. Signed-off-by: AKASHI Takahiro Acked-by: Ilias Apalodimas --- doc/uefi/uefi.rst | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) (limited to 'doc') diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst index cfe2d84a4c..a35fbd331c 100644 --- a/doc/uefi/uefi.rst +++ b/doc/uefi/uefi.rst @@ -97,6 +97,83 @@ Below you find the output of an example session starting GRUB:: See doc/uImage.FIT/howto.txt for an introduction to FIT images. +Configuring UEFI secure boot +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +UEFI specification[1] defines a secure way of executing UEFI images +by verifying a signature (or message digest) of image with certificates. +This feature on U-Boot is enabled with:: + + CONFIG_UEFI_SECURE_BOOT=y + +To make the boot sequence safe, you need to establish a chain of trust; +In UEFI secure boot, you can make it with the UEFI variables, "PK" +(Platform Key), "KEK" (Key Exchange Keys), "db" (white list database) +and "dbx" (black list database). + +There are many online documents that describe what UEFI secure boot is +and how it works. Please consult some of them for details. + +Here is a simple example that you can follow for your initial attempt +(Please note that the actual steps would absolutely depend on your system +and environment.): + +1. Install utility commands on your host + * openssl + * efitools + * sbsigntool + +2. Create signing keys and key database files on your host + for PK:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \ + -keyout PK.key -out PK.crt -nodes -days 365 + $ cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ + PK.crt PK.esl; + $ sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + + for KEK:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \ + -keyout KEK.key -out KEK.crt -nodes -days 365 + $ cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ + KEK.crt KEK.esl + $ sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + + for db:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \ + -keyout db.key -out db.crt -nodes -days 365 + $ cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ + db.crt db.esl + $ sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + + Copy \*.auth to media, say mmc, that is accessible from U-Boot. + +3. Sign an image with one key in "db" on your host:: + + $ sbsign --key db.key --cert db.crt helloworld.efi + +4. Install keys on your board:: + + ==> fatload mmc 0:1 PK.auth + ==> setenv -e -nv -bs -rt -at -i ,$filesize PK + ==> fatload mmc 0:1 KEK.auth + ==> setenv -e -nv -bs -rt -at -i ,$filesize KEK + ==> fatload mmc 0:1 db.auth + ==> setenv -e -nv -bs -rt -at -i ,$filesize db + +5. Set up boot parameters on your board:: + + ==> efidebug boot add 1 HELLO mmc 0:1 /helloworld.efi.signed "" + +Then your board runs that image from Boot manager (See below). +You can also try this sequence by running Pytest, test_efi_secboot, +on sandbox:: + + $ cd + $ pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3