[PATCH 0/4] efi_loader: centralize known vendor GUIDs
The UEFI specification defines which vendor GUIDs should be used for predefined variables like 'PK'. Currently we have multiple places where this relationship is stored.
With this patch series a function for retrieving the GUID is provided and existing code is adjusted to used it.
Heinrich Schuchardt (4): efi_loader: treat UEFI variable name as const efi_loader: function to get GUID for variable name efi_loader: simplify efi_sigstore_parse_sigdb() efi_loader: simplify tcg2_measure_secure_boot_variable()
include/efi_loader.h | 2 +- include/efi_variable.h | 24 +++++++++++++++------ lib/efi_loader/efi_signature.c | 35 ++++++------------------------- lib/efi_loader/efi_tcg2.c | 31 +++++++++++++-------------- lib/efi_loader/efi_var_common.c | 14 +++++++++++-- lib/efi_loader/efi_var_mem.c | 7 ++++--- lib/efi_loader/efi_variable.c | 9 ++++---- lib/efi_loader/efi_variable_tee.c | 16 ++++++++------ 8 files changed, 70 insertions(+), 68 deletions(-)
-- 2.30.2
Adjust several internal functions to treat UEFI variable names as const.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de --- include/efi_loader.h | 2 +- include/efi_variable.h | 16 ++++++++++------ lib/efi_loader/efi_tcg2.c | 2 +- lib/efi_loader/efi_var_common.c | 5 +++-- lib/efi_loader/efi_var_mem.c | 7 ++++--- lib/efi_loader/efi_variable.c | 9 +++++---- lib/efi_loader/efi_variable_tee.c | 16 ++++++++++------ 7 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/include/efi_loader.h b/include/efi_loader.h index c440962fe5..125052d002 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -816,7 +816,7 @@ efi_status_t EFIAPI efi_query_variable_info( u64 *remaining_variable_storage_size, u64 *maximum_variable_size);
-void *efi_get_var(u16 *name, const efi_guid_t *vendor, efi_uintn_t *size); +void *efi_get_var(const u16 *name, const efi_guid_t *vendor, efi_uintn_t *size);
/* * See section 3.1.3 in the v2.7 UEFI spec for more details on diff --git a/include/efi_variable.h b/include/efi_variable.h index 0440d356bc..8f666b2309 100644 --- a/include/efi_variable.h +++ b/include/efi_variable.h @@ -32,7 +32,8 @@ enum efi_auth_var_type { * @timep: authentication time (seconds since start of epoch) * Return: status code */ -efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_get_variable_int(const u16 *variable_name, + const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep);
@@ -47,7 +48,8 @@ efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, * @ro_check: check the read only read only bit in attributes * Return: status code */ -efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_set_variable_int(const u16 *variable_name, + const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, bool ro_check);
@@ -224,7 +226,7 @@ void efi_var_mem_del(struct efi_var_entry *var); * @time: time of authentication (as seconds since start of epoch) * Result: status code */ -efi_status_t efi_var_mem_ins(u16 *variable_name, +efi_status_t efi_var_mem_ins(const u16 *variable_name, const efi_guid_t *vendor, u32 attributes, const efi_uintn_t size1, const void *data1, const efi_uintn_t size2, const void *data2, @@ -251,7 +253,8 @@ efi_status_t efi_init_secure_state(void); * @guid: guid of UEFI variable * Return: identifier for authentication related variables */ -enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid); +enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, + const efi_guid_t *guid);
/** * efi_get_next_variable_name_mem() - Runtime common code across efi variable @@ -280,8 +283,9 @@ efi_get_next_variable_name_mem(efi_uintn_t *variable_name_size, u16 *variable_na * Return: status code */ efi_status_t __efi_runtime -efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, - efi_uintn_t *data_size, void *data, u64 *timep); +efi_get_variable_mem(const u16 *variable_name, const efi_guid_t *vendor, + u32 *attributes, efi_uintn_t *data_size, void *data, + u64 *timep);
/** * efi_get_variable_runtime() - runtime implementation of GetVariable() diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 401acf3d4f..beb224f66a 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1359,7 +1359,7 @@ static efi_status_t efi_append_scrtm_version(struct udevice *dev) * Return: status code */ static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, - u32 event_type, u16 *var_name, + u32 event_type, const u16 *var_name, const efi_guid_t *guid, efi_uintn_t data_size, u8 *data) { diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index a00bbf1620..e179932124 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -374,7 +374,8 @@ bool efi_secure_boot_enabled(void) return efi_secure_boot; }
-enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid) +enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, + const efi_guid_t *guid) { for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) { if (!u16_strcmp(name, name_type[i].name) && @@ -393,7 +394,7 @@ enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid) * * Return: buffer with variable data or NULL */ -void *efi_get_var(u16 *name, const efi_guid_t *vendor, efi_uintn_t *size) +void *efi_get_var(const u16 *name, const efi_guid_t *vendor, efi_uintn_t *size) { efi_status_t ret; void *buf = NULL; diff --git a/lib/efi_loader/efi_var_mem.c b/lib/efi_loader/efi_var_mem.c index 3d335a8274..13909b1d26 100644 --- a/lib/efi_loader/efi_var_mem.c +++ b/lib/efi_loader/efi_var_mem.c @@ -134,7 +134,7 @@ void __efi_runtime efi_var_mem_del(struct efi_var_entry *var) }
efi_status_t __efi_runtime efi_var_mem_ins( - u16 *variable_name, + const u16 *variable_name, const efi_guid_t *vendor, u32 attributes, const efi_uintn_t size1, const void *data1, const efi_uintn_t size2, const void *data2, @@ -274,8 +274,9 @@ efi_status_t efi_var_mem_init(void) }
efi_status_t __efi_runtime -efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, - efi_uintn_t *data_size, void *data, u64 *timep) +efi_get_variable_mem(const u16 *variable_name, const efi_guid_t *vendor, + u32 *attributes, efi_uintn_t *data_size, void *data, + u64 *timep) { efi_uintn_t old_size; struct efi_var_entry *var; diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index fa2b6bc7a8..5adc7f821a 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -45,7 +45,7 @@ * * Return: status code */ -static efi_status_t efi_variable_authenticate(u16 *variable, +static efi_status_t efi_variable_authenticate(const u16 *variable, const efi_guid_t *vendor, efi_uintn_t *data_size, const void **data, u32 given_attr, @@ -194,7 +194,7 @@ err: return ret; } #else -static efi_status_t efi_variable_authenticate(u16 *variable, +static efi_status_t efi_variable_authenticate(const u16 *variable, const efi_guid_t *vendor, efi_uintn_t *data_size, const void **data, u32 given_attr, @@ -205,7 +205,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable, #endif /* CONFIG_EFI_SECURE_BOOT */
efi_status_t __efi_runtime -efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_get_variable_int(const u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep) { @@ -219,7 +219,8 @@ efi_get_next_variable_name_int(efi_uintn_t *variable_name_size, return efi_get_next_variable_name_mem(variable_name_size, variable_name, vendor); }
-efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_set_variable_int(const u16 *variable_name, + const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, bool ro_check) { diff --git a/lib/efi_loader/efi_variable_tee.c b/lib/efi_loader/efi_variable_tee.c index 51920bcb51..281f886124 100644 --- a/lib/efi_loader/efi_variable_tee.c +++ b/lib/efi_loader/efi_variable_tee.c @@ -284,7 +284,8 @@ out: * StMM can store internal attributes and properties for variables, i.e enabling * R/O variables */ -static efi_status_t set_property_int(u16 *variable_name, efi_uintn_t name_size, +static efi_status_t set_property_int(const u16 *variable_name, + efi_uintn_t name_size, const efi_guid_t *vendor, struct var_check_property *var_property) { @@ -317,7 +318,8 @@ out: return ret; }
-static efi_status_t get_property_int(u16 *variable_name, efi_uintn_t name_size, +static efi_status_t get_property_int(const u16 *variable_name, + efi_uintn_t name_size, const efi_guid_t *vendor, struct var_check_property *var_property) { @@ -361,7 +363,8 @@ out: return ret; }
-efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_get_variable_int(const u16 *variable_name, + const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep) { @@ -502,9 +505,10 @@ out: return ret; }
-efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor, - u32 attributes, efi_uintn_t data_size, - const void *data, bool ro_check) +efi_status_t efi_set_variable_int(const u16 *variable_name, + const efi_guid_t *vendor, u32 attributes, + efi_uintn_t data_size, const void *data, + bool ro_check) { efi_status_t ret, alt_ret = EFI_SUCCESS; struct var_check_property var_property; -- 2.30.2
Hi Heinrich,
On Sat, Sep 11, 2021 at 09:28:29AM +0200, Heinrich Schuchardt wrote:
Adjust several internal functions to treat UEFI variable names as const.
It's obvious what the patch does, but is there a reason ? I think that's a better fit for the commit log.
Cheers /Ilias
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
include/efi_loader.h | 2 +- include/efi_variable.h | 16 ++++++++++------ lib/efi_loader/efi_tcg2.c | 2 +- lib/efi_loader/efi_var_common.c | 5 +++-- lib/efi_loader/efi_var_mem.c | 7 ++++--- lib/efi_loader/efi_variable.c | 9 +++++---- lib/efi_loader/efi_variable_tee.c | 16 ++++++++++------ 7 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/include/efi_loader.h b/include/efi_loader.h index c440962fe5..125052d002 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -816,7 +816,7 @@ efi_status_t EFIAPI efi_query_variable_info( u64 *remaining_variable_storage_size, u64 *maximum_variable_size);
-void *efi_get_var(u16 *name, const efi_guid_t *vendor, efi_uintn_t *size); +void *efi_get_var(const u16 *name, const efi_guid_t *vendor, efi_uintn_t *size);
/*
- See section 3.1.3 in the v2.7 UEFI spec for more details on
diff --git a/include/efi_variable.h b/include/efi_variable.h index 0440d356bc..8f666b2309 100644 --- a/include/efi_variable.h +++ b/include/efi_variable.h @@ -32,7 +32,8 @@ enum efi_auth_var_type {
- @timep: authentication time (seconds since start of epoch)
- Return: status code
*/ -efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_get_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep);@@ -47,7 +48,8 @@ efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor,
- @ro_check: check the read only read only bit in attributes
- Return: status code
*/ -efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_set_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, bool ro_check);@@ -224,7 +226,7 @@ void efi_var_mem_del(struct efi_var_entry *var);
- @time: time of authentication (as seconds since start of epoch)
- Result: status code
*/ -efi_status_t efi_var_mem_ins(u16 *variable_name, +efi_status_t efi_var_mem_ins(const u16 *variable_name, const efi_guid_t *vendor, u32 attributes, const efi_uintn_t size1, const void *data1, const efi_uintn_t size2, const void *data2, @@ -251,7 +253,8 @@ efi_status_t efi_init_secure_state(void);
- @guid: guid of UEFI variable
- Return: identifier for authentication related variables
*/ -enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid); +enum efi_auth_var_type efi_auth_var_get_type(const u16 *name,
const efi_guid_t *guid);/**
- efi_get_next_variable_name_mem() - Runtime common code across efi variable
@@ -280,8 +283,9 @@ efi_get_next_variable_name_mem(efi_uintn_t *variable_name_size, u16 *variable_na
- Return: status code
*/ efi_status_t __efi_runtime -efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes,
efi_uintn_t *data_size, void *data, u64 *timep);+efi_get_variable_mem(const u16 *variable_name, const efi_guid_t *vendor,
u32 *attributes, efi_uintn_t *data_size, void *data,u64 *timep);/**
- efi_get_variable_runtime() - runtime implementation of GetVariable()
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 401acf3d4f..beb224f66a 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1359,7 +1359,7 @@ static efi_status_t efi_append_scrtm_version(struct udevice *dev)
- Return: status code
*/ static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index,
u32 event_type, u16 *var_name,
u32 event_type, const u16 *var_name, const efi_guid_t *guid, efi_uintn_t data_size, u8 *data){ diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index a00bbf1620..e179932124 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -374,7 +374,8 @@ bool efi_secure_boot_enabled(void) return efi_secure_boot; }
-enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid) +enum efi_auth_var_type efi_auth_var_get_type(const u16 *name,
const efi_guid_t *guid){ for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) { if (!u16_strcmp(name, name_type[i].name) && @@ -393,7 +394,7 @@ enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid)
- Return: buffer with variable data or NULL
*/ -void *efi_get_var(u16 *name, const efi_guid_t *vendor, efi_uintn_t *size) +void *efi_get_var(const u16 *name, const efi_guid_t *vendor, efi_uintn_t *size) { efi_status_t ret; void *buf = NULL; diff --git a/lib/efi_loader/efi_var_mem.c b/lib/efi_loader/efi_var_mem.c index 3d335a8274..13909b1d26 100644 --- a/lib/efi_loader/efi_var_mem.c +++ b/lib/efi_loader/efi_var_mem.c @@ -134,7 +134,7 @@ void __efi_runtime efi_var_mem_del(struct efi_var_entry *var) }
efi_status_t __efi_runtime efi_var_mem_ins(
u16 *variable_name,
const u16 *variable_name, const efi_guid_t *vendor, u32 attributes, const efi_uintn_t size1, const void *data1, const efi_uintn_t size2, const void *data2,@@ -274,8 +274,9 @@ efi_status_t efi_var_mem_init(void) }
efi_status_t __efi_runtime -efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes,
efi_uintn_t *data_size, void *data, u64 *timep)+efi_get_variable_mem(const u16 *variable_name, const efi_guid_t *vendor,
u32 *attributes, efi_uintn_t *data_size, void *data,u64 *timep){ efi_uintn_t old_size; struct efi_var_entry *var; diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index fa2b6bc7a8..5adc7f821a 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -45,7 +45,7 @@
- Return: status code
*/ -static efi_status_t efi_variable_authenticate(u16 *variable, +static efi_status_t efi_variable_authenticate(const u16 *variable, const efi_guid_t *vendor, efi_uintn_t *data_size, const void **data, u32 given_attr, @@ -194,7 +194,7 @@ err: return ret; } #else -static efi_status_t efi_variable_authenticate(u16 *variable, +static efi_status_t efi_variable_authenticate(const u16 *variable, const efi_guid_t *vendor, efi_uintn_t *data_size, const void **data, u32 given_attr, @@ -205,7 +205,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable, #endif /* CONFIG_EFI_SECURE_BOOT */
efi_status_t __efi_runtime -efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_get_variable_int(const u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep) { @@ -219,7 +219,8 @@ efi_get_next_variable_name_int(efi_uintn_t *variable_name_size, return efi_get_next_variable_name_mem(variable_name_size, variable_name, vendor); }
-efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_set_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, bool ro_check){ diff --git a/lib/efi_loader/efi_variable_tee.c b/lib/efi_loader/efi_variable_tee.c index 51920bcb51..281f886124 100644 --- a/lib/efi_loader/efi_variable_tee.c +++ b/lib/efi_loader/efi_variable_tee.c @@ -284,7 +284,8 @@ out:
- StMM can store internal attributes and properties for variables, i.e enabling
- R/O variables
*/ -static efi_status_t set_property_int(u16 *variable_name, efi_uintn_t name_size, +static efi_status_t set_property_int(const u16 *variable_name,
efi_uintn_t name_size, const efi_guid_t *vendor, struct var_check_property *var_property){ @@ -317,7 +318,8 @@ out: return ret; }
-static efi_status_t get_property_int(u16 *variable_name, efi_uintn_t name_size, +static efi_status_t get_property_int(const u16 *variable_name,
efi_uintn_t name_size, const efi_guid_t *vendor, struct var_check_property *var_property){ @@ -361,7 +363,8 @@ out: return ret; }
-efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_get_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep){ @@ -502,9 +505,10 @@ out: return ret; }
-efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor,
u32 attributes, efi_uintn_t data_size,const void *data, bool ro_check)+efi_status_t efi_set_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 attributes,efi_uintn_t data_size, const void *data,bool ro_check){ efi_status_t ret, alt_ret = EFI_SUCCESS; struct var_check_property var_property; -- 2.30.2
On 9/11/21 4:10 PM, Ilias Apalodimas wrote:
Hi Heinrich,
On Sat, Sep 11, 2021 at 09:28:29AM +0200, Heinrich Schuchardt wrote:
Adjust several internal functions to treat UEFI variable names as const.
It's obvious what the patch does, but is there a reason ? I think that's a better fit for the commit log.
Thanks for reviewing.
We all this functions with const strings like "PE". It does not make sense to convert to from (u16 *) to (const u16 *) somewhere in the code. Instead the changed functions should offer an easily usable interface.
I will rework the commit message.
Best regards
Heinrich
Cheers /Ilias
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
include/efi_loader.h | 2 +- include/efi_variable.h | 16 ++++++++++------ lib/efi_loader/efi_tcg2.c | 2 +- lib/efi_loader/efi_var_common.c | 5 +++-- lib/efi_loader/efi_var_mem.c | 7 ++++--- lib/efi_loader/efi_variable.c | 9 +++++---- lib/efi_loader/efi_variable_tee.c | 16 ++++++++++------ 7 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/include/efi_loader.h b/include/efi_loader.h index c440962fe5..125052d002 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -816,7 +816,7 @@ efi_status_t EFIAPI efi_query_variable_info( u64 *remaining_variable_storage_size, u64 *maximum_variable_size);
-void *efi_get_var(u16 *name, const efi_guid_t *vendor, efi_uintn_t *size); +void *efi_get_var(const u16 *name, const efi_guid_t *vendor, efi_uintn_t *size);
/*
- See section 3.1.3 in the v2.7 UEFI spec for more details on
diff --git a/include/efi_variable.h b/include/efi_variable.h index 0440d356bc..8f666b2309 100644 --- a/include/efi_variable.h +++ b/include/efi_variable.h @@ -32,7 +32,8 @@ enum efi_auth_var_type {
- @timep: authentication time (seconds since start of epoch)
- Return: status code
*/ -efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_get_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep);@@ -47,7 +48,8 @@ efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor,
- @ro_check: check the read only read only bit in attributes
- Return: status code
*/ -efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_set_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, bool ro_check);@@ -224,7 +226,7 @@ void efi_var_mem_del(struct efi_var_entry *var);
- @time: time of authentication (as seconds since start of epoch)
- Result: status code
*/ -efi_status_t efi_var_mem_ins(u16 *variable_name, +efi_status_t efi_var_mem_ins(const u16 *variable_name, const efi_guid_t *vendor, u32 attributes, const efi_uintn_t size1, const void *data1, const efi_uintn_t size2, const void *data2, @@ -251,7 +253,8 @@ efi_status_t efi_init_secure_state(void);
- @guid: guid of UEFI variable
- Return: identifier for authentication related variables
*/ -enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid); +enum efi_auth_var_type efi_auth_var_get_type(const u16 *name,
const efi_guid_t *guid);/**
- efi_get_next_variable_name_mem() - Runtime common code across efi variable
@@ -280,8 +283,9 @@ efi_get_next_variable_name_mem(efi_uintn_t *variable_name_size, u16 *variable_na
- Return: status code
*/ efi_status_t __efi_runtime -efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes,
efi_uintn_t *data_size, void *data, u64 *timep);+efi_get_variable_mem(const u16 *variable_name, const efi_guid_t *vendor,
u32 *attributes, efi_uintn_t *data_size, void *data,u64 *timep);/**
- efi_get_variable_runtime() - runtime implementation of GetVariable()
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 401acf3d4f..beb224f66a 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1359,7 +1359,7 @@ static efi_status_t efi_append_scrtm_version(struct udevice *dev)
- Return: status code
*/ static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index,
u32 event_type, u16 *var_name,
u32 event_type, const u16 *var_name, const efi_guid_t *guid, efi_uintn_t data_size, u8 *data)diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index a00bbf1620..e179932124 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -374,7 +374,8 @@ bool efi_secure_boot_enabled(void) return efi_secure_boot; }
-enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid) +enum efi_auth_var_type efi_auth_var_get_type(const u16 *name,
const efi_guid_t *guid)@@ -393,7 +394,7 @@ enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid)
- Return: buffer with variable data or NULL
*/ -void *efi_get_var(u16 *name, const efi_guid_t *vendor, efi_uintn_t *size) +void *efi_get_var(const u16 *name, const efi_guid_t *vendor, efi_uintn_t *size) { efi_status_t ret; void *buf = NULL; diff --git a/lib/efi_loader/efi_var_mem.c b/lib/efi_loader/efi_var_mem.c index 3d335a8274..13909b1d26 100644 --- a/lib/efi_loader/efi_var_mem.c +++ b/lib/efi_loader/efi_var_mem.c @@ -134,7 +134,7 @@ void __efi_runtime efi_var_mem_del(struct efi_var_entry *var) }
efi_status_t __efi_runtime efi_var_mem_ins(
u16 *variable_name,
const u16 *variable_name, const efi_guid_t *vendor, u32 attributes, const efi_uintn_t size1, const void *data1, const efi_uintn_t size2, const void *data2,@@ -274,8 +274,9 @@ efi_status_t efi_var_mem_init(void) }
efi_status_t __efi_runtime -efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes,
efi_uintn_t *data_size, void *data, u64 *timep)+efi_get_variable_mem(const u16 *variable_name, const efi_guid_t *vendor,
u32 *attributes, efi_uintn_t *data_size, void *data,u64 *timep)diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index fa2b6bc7a8..5adc7f821a 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -45,7 +45,7 @@
- Return: status code
*/ -static efi_status_t efi_variable_authenticate(u16 *variable, +static efi_status_t efi_variable_authenticate(const u16 *variable, const efi_guid_t *vendor, efi_uintn_t *data_size, const void **data, u32 given_attr, @@ -194,7 +194,7 @@ err: return ret; } #else -static efi_status_t efi_variable_authenticate(u16 *variable, +static efi_status_t efi_variable_authenticate(const u16 *variable, const efi_guid_t *vendor, efi_uintn_t *data_size, const void **data, u32 given_attr, @@ -205,7 +205,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable, #endif /* CONFIG_EFI_SECURE_BOOT */
efi_status_t __efi_runtime -efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_get_variable_int(const u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep) { @@ -219,7 +219,8 @@ efi_get_next_variable_name_int(efi_uintn_t *variable_name_size, return efi_get_next_variable_name_mem(variable_name_size, variable_name, vendor); }
-efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_set_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 attributes, efi_uintn_t data_size, const void *data, bool ro_check)diff --git a/lib/efi_loader/efi_variable_tee.c b/lib/efi_loader/efi_variable_tee.c index 51920bcb51..281f886124 100644 --- a/lib/efi_loader/efi_variable_tee.c +++ b/lib/efi_loader/efi_variable_tee.c @@ -284,7 +284,8 @@ out:
- StMM can store internal attributes and properties for variables, i.e enabling
- R/O variables
*/ -static efi_status_t set_property_int(u16 *variable_name, efi_uintn_t name_size, +static efi_status_t set_property_int(const u16 *variable_name,
efi_uintn_t name_size, const efi_guid_t *vendor, struct var_check_property *var_property)@@ -317,7 +318,8 @@ out: return ret; }
-static efi_status_t get_property_int(u16 *variable_name, efi_uintn_t name_size, +static efi_status_t get_property_int(const u16 *variable_name,
efi_uintn_t name_size, const efi_guid_t *vendor, struct var_check_property *var_property)@@ -361,7 +363,8 @@ out: return ret; }
-efi_status_t efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor, +efi_status_t efi_get_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 *attributes, efi_uintn_t *data_size, void *data, u64 *timep)@@ -502,9 +505,10 @@ out: return ret; }
-efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor,
u32 attributes, efi_uintn_t data_size,const void *data, bool ro_check)+efi_status_t efi_set_variable_int(const u16 *variable_name,
const efi_guid_t *vendor, u32 attributes,efi_uintn_t data_size, const void *data,bool ro_check)-- 2.30.2
In multiple places we need the default GUID used for variables like 'PK', 'KEK', 'db'. Provide a function for it.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de --- include/efi_variable.h | 8 ++++++++ lib/efi_loader/efi_var_common.c | 9 +++++++++ 2 files changed, 17 insertions(+)
diff --git a/include/efi_variable.h b/include/efi_variable.h index 8f666b2309..03a3ecb235 100644 --- a/include/efi_variable.h +++ b/include/efi_variable.h @@ -256,6 +256,14 @@ efi_status_t efi_init_secure_state(void); enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, const efi_guid_t *guid);
+/** + * efi_auth_var_get_guid() - get the predefined GUID for a variable name + * + * @name: name of UEFI variable + * Return: guid of UEFI variable + */ +const efi_guid_t *efi_auth_var_get_guid(const u16 *name); + /** * efi_get_next_variable_name_mem() - Runtime common code across efi variable * implementations for GetNextVariable() diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index e179932124..3cbb7c96c2 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -385,6 +385,15 @@ enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, return EFI_AUTH_VAR_NONE; }
+const efi_guid_t *efi_auth_var_get_guid(const u16 *name) +{ + for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) { + if (!u16_strcmp(name, name_type[i].name)) + return name_type[i].guid; + } + return &efi_global_variable_guid; +} + /** * efi_get_var() - read value of an EFI variable * -- 2.30.2
On Sat, Sep 11, 2021 at 09:28:30AM +0200, Heinrich Schuchardt wrote:
In multiple places we need the default GUID used for variables like 'PK', 'KEK', 'db'. Provide a function for it.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
include/efi_variable.h | 8 ++++++++ lib/efi_loader/efi_var_common.c | 9 +++++++++ 2 files changed, 17 insertions(+)
diff --git a/include/efi_variable.h b/include/efi_variable.h index 8f666b2309..03a3ecb235 100644 --- a/include/efi_variable.h +++ b/include/efi_variable.h @@ -256,6 +256,14 @@ efi_status_t efi_init_secure_state(void); enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, const efi_guid_t *guid);
+/**
- efi_auth_var_get_guid() - get the predefined GUID for a variable name
- @name: name of UEFI variable
- Return: guid of UEFI variable
- */
+const efi_guid_t *efi_auth_var_get_guid(const u16 *name);
/**
- efi_get_next_variable_name_mem() - Runtime common code across efi variable
implementations for GetNextVariable()diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index e179932124..3cbb7c96c2 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -385,6 +385,15 @@ enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, return EFI_AUTH_VAR_NONE; }
+const efi_guid_t *efi_auth_var_get_guid(const u16 *name) +{
- for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) {
if (!u16_strcmp(name, name_type[i].name))return name_type[i].guid;- }
- return &efi_global_variable_guid;
+}
/**
- efi_get_var() - read value of an EFI variable
-- 2.30.2
Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org
On Sat, 11 Sept 2021 at 17:13, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
On Sat, Sep 11, 2021 at 09:28:30AM +0200, Heinrich Schuchardt wrote:
In multiple places we need the default GUID used for variables like 'PK', 'KEK', 'db'. Provide a function for it.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
include/efi_variable.h | 8 ++++++++ lib/efi_loader/efi_var_common.c | 9 +++++++++ 2 files changed, 17 insertions(+)
diff --git a/include/efi_variable.h b/include/efi_variable.h index 8f666b2309..03a3ecb235 100644 --- a/include/efi_variable.h +++ b/include/efi_variable.h @@ -256,6 +256,14 @@ efi_status_t efi_init_secure_state(void); enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, const efi_guid_t *guid);
+/**
- efi_auth_var_get_guid() - get the predefined GUID for a variable name
- @name: name of UEFI variable
- Return: guid of UEFI variable
- */
+const efi_guid_t *efi_auth_var_get_guid(const u16 *name);
/**
- efi_get_next_variable_name_mem() - Runtime common code across efi variable
implementations for GetNextVariable()diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index e179932124..3cbb7c96c2 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -385,6 +385,15 @@ enum efi_auth_var_type efi_auth_var_get_type(const u16 *name, return EFI_AUTH_VAR_NONE; }
+const efi_guid_t *efi_auth_var_get_guid(const u16 *name) +{
for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) {if (!u16_strcmp(name, name_type[i].name))return name_type[i].guid;}return &efi_global_variable_guid;
Actually looking at the following patch, shouldn't this be NULL?
+}
/**
- efi_get_var() - read value of an EFI variable
-- 2.30.2
Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org
Simplify efi_sigstore_parse_sigdb() by using existing functions.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de --- lib/efi_loader/efi_signature.c | 35 ++++++---------------------------- 1 file changed, 6 insertions(+), 29 deletions(-)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index bdd09881fc..b741905a99 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -7,6 +7,7 @@ #include <common.h> #include <charset.h> #include <efi_loader.h> +#include <efi_variable.h> #include <image.h> #include <hexdump.h> #include <malloc.h> @@ -740,44 +741,20 @@ err: */ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) { - struct efi_signature_store *sigstore = NULL; const efi_guid_t *vendor; void *db; efi_uintn_t db_size; - efi_status_t ret;
- if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) { - vendor = &efi_global_variable_guid; - } else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) { - vendor = &efi_guid_image_security_database; - } else { + vendor = efi_auth_var_get_guid(name); + if (!vendor) { EFI_PRINT("unknown signature database, %ls\n", name); return NULL; }
- /* retrieve variable data */ - db_size = 0; - ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL)); - if (ret == EFI_NOT_FOUND) { - EFI_PRINT("variable, %ls, not found\n", name); - sigstore = calloc(sizeof(*sigstore), 1); - return sigstore; - } else if (ret != EFI_BUFFER_TOO_SMALL) { - EFI_PRINT("Getting variable, %ls, failed\n", name); - return NULL; - } - - db = malloc(db_size); + db = efi_get_var(name, vendor, &db_size); if (!db) { - EFI_PRINT("Out of memory\n"); - return NULL; - } - - ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db)); - if (ret != EFI_SUCCESS) { - EFI_PRINT("Getting variable, %ls, failed\n", name); - free(db); - return NULL; + EFI_PRINT("variable, %ls, not found\n", name); + return calloc(sizeof(struct efi_signature_store), 1); }
return efi_build_signature_store(db, db_size); -- 2.30.2
On Sat, Sep 11, 2021 at 09:28:31AM +0200, Heinrich Schuchardt wrote:
Simplify efi_sigstore_parse_sigdb() by using existing functions.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
lib/efi_loader/efi_signature.c | 35 ++++++---------------------------- 1 file changed, 6 insertions(+), 29 deletions(-)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index bdd09881fc..b741905a99 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -7,6 +7,7 @@ #include <common.h> #include <charset.h> #include <efi_loader.h> +#include <efi_variable.h> #include <image.h> #include <hexdump.h> #include <malloc.h> @@ -740,44 +741,20 @@ err: */ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) {
struct efi_signature_store *sigstore = NULL; const efi_guid_t *vendor; void *db; efi_uintn_t db_size;
efi_status_t ret;
if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) {
vendor = &efi_global_variable_guid;} else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) {
vendor = &efi_guid_image_security_database;} else {
- vendor = efi_auth_var_get_guid(name);
- if (!vendor) { EFI_PRINT("unknown signature database, %ls\n", name); return NULL; }
efi_auth_var_get_guid() will return &efi_global_variable_guid if the GUID for the variable name isn't found.
- /* retrieve variable data */
- db_size = 0;
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL));
- if (ret == EFI_NOT_FOUND) {
EFI_PRINT("variable, %ls, not found\n", name);sigstore = calloc(sizeof(*sigstore), 1);return sigstore;- } else if (ret != EFI_BUFFER_TOO_SMALL) {
EFI_PRINT("Getting variable, %ls, failed\n", name);return NULL;- }
- db = malloc(db_size);
- db = efi_get_var(name, vendor, &db_size); if (!db) {
EFI_PRINT("Out of memory\n");return NULL;- }
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db));
- if (ret != EFI_SUCCESS) {
EFI_PRINT("Getting variable, %ls, failed\n", name);free(db);return NULL;
EFI_PRINT("variable, %ls, not found\n", name);return calloc(sizeof(struct efi_signature_store), 1);}
return efi_build_signature_store(db, db_size);
-- 2.30.2
On 9/11/21 4:25 PM, Ilias Apalodimas wrote:
On Sat, Sep 11, 2021 at 09:28:31AM +0200, Heinrich Schuchardt wrote:
Simplify efi_sigstore_parse_sigdb() by using existing functions.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
lib/efi_loader/efi_signature.c | 35 ++++++---------------------------- 1 file changed, 6 insertions(+), 29 deletions(-)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index bdd09881fc..b741905a99 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -7,6 +7,7 @@ #include <common.h> #include <charset.h> #include <efi_loader.h> +#include <efi_variable.h> #include <image.h> #include <hexdump.h> #include <malloc.h> @@ -740,44 +741,20 @@ err: */ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) {
struct efi_signature_store *sigstore = NULL; const efi_guid_t *vendor; void *db; efi_uintn_t db_size;
efi_status_t ret;
if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) {
vendor = &efi_global_variable_guid;} else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) {
vendor = &efi_guid_image_security_database;} else {
- vendor = efi_auth_var_get_guid(name);
- if (!vendor) { EFI_PRINT("unknown signature database, %ls\n", name); return NULL; }
efi_auth_var_get_guid() will return &efi_global_variable_guid if the GUID for the variable name isn't found.
Hello Ilias, that is on purpose. In nevedit_efi we need a default GUID. I want to reuse the same function there in future.
Best regards
Heinrich
- /* retrieve variable data */
- db_size = 0;
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL));
- if (ret == EFI_NOT_FOUND) {
EFI_PRINT("variable, %ls, not found\n", name);sigstore = calloc(sizeof(*sigstore), 1);return sigstore;- } else if (ret != EFI_BUFFER_TOO_SMALL) {
EFI_PRINT("Getting variable, %ls, failed\n", name);return NULL;- }
- db = malloc(db_size);
- db = efi_get_var(name, vendor, &db_size); if (!db) {
EFI_PRINT("Out of memory\n");return NULL;- }
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db));
- if (ret != EFI_SUCCESS) {
EFI_PRINT("Getting variable, %ls, failed\n", name);free(db);return NULL;
EFI_PRINT("variable, %ls, not found\n", name);return calloc(sizeof(struct efi_signature_store), 1);}
return efi_build_signature_store(db, db_size);
-- 2.30.2
Hi Heinrich
[...]
- if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) {
vendor = &efi_global_variable_guid;- } else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) {
vendor = &efi_guid_image_security_database;- } else {
- vendor = efi_auth_var_get_guid(name);
- if (!vendor) { EFI_PRINT("unknown signature database, %ls\n", name); return NULL; }
efi_auth_var_get_guid() will return &efi_global_variable_guid if the GUID for the variable name isn't found.
Hello Ilias, that is on purpose. In nevedit_efi we need a default GUID. I want to reuse the same function there in future.
Best regards
Then I guess the check can go away ?
Heinrich
- /* retrieve variable data */
- db_size = 0;
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL));
- if (ret == EFI_NOT_FOUND) {
EFI_PRINT("variable, %ls, not found\n", name);sigstore = calloc(sizeof(*sigstore), 1);return sigstore;- } else if (ret != EFI_BUFFER_TOO_SMALL) {
EFI_PRINT("Getting variable, %ls, failed\n", name);return NULL;- }
- db = malloc(db_size);
- db = efi_get_var(name, vendor, &db_size); if (!db) {
EFI_PRINT("Out of memory\n");return NULL;- }
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db));
- if (ret != EFI_SUCCESS) {
EFI_PRINT("Getting variable, %ls, failed\n", name);free(db);return NULL;
EFI_PRINT("variable, %ls, not found\n", name);return calloc(sizeof(struct efi_signature_store), 1);
Why? From the patch alone it's not clear why you want to allocate memory here instead of returning NULL.
} return efi_build_signature_store(db, db_size);-- 2.30.2
Cheers /Ilias
On 9/12/21 21:23, Ilias Apalodimas wrote:
Hi Heinrich
[...]
- if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) {
vendor = &efi_global_variable_guid;- } else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) {
vendor = &efi_guid_image_security_database;- } else {
- vendor = efi_auth_var_get_guid(name);
- if (!vendor) { EFI_PRINT("unknown signature database, %ls\n", name); return NULL; }
efi_auth_var_get_guid() will return &efi_global_variable_guid if the GUID for the variable name isn't found.
Hello Ilias, that is on purpose. In nevedit_efi we need a default GUID. I want to reuse the same function there in future.
Best regards
Then I guess the check can go away ?
Yes
Heinrich
- /* retrieve variable data */
- db_size = 0;
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL));
- if (ret == EFI_NOT_FOUND) {
EFI_PRINT("variable, %ls, not found\n", name);sigstore = calloc(sizeof(*sigstore), 1);return sigstore;- } else if (ret != EFI_BUFFER_TOO_SMALL) {
EFI_PRINT("Getting variable, %ls, failed\n", name);return NULL;- }
- db = malloc(db_size);
- db = efi_get_var(name, vendor, &db_size); if (!db) {
EFI_PRINT("Out of memory\n");return NULL;- }
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db));
- if (ret != EFI_SUCCESS) {
EFI_PRINT("Getting variable, %ls, failed\n", name);free(db);return NULL;
EFI_PRINT("variable, %ls, not found\n", name);return calloc(sizeof(struct efi_signature_store), 1);Why? From the patch alone it's not clear why you want to allocate memory here instead of returning NULL.
This is existing code. See the same lines deleted above.
Best regards
Heinrich
} return efi_build_signature_store(db, db_size);-- 2.30.2
Cheers /Ilias
Hi Heinrich,
On Fri, Oct 01, 2021 at 06:42:14PM +0200, Heinrich Schuchardt wrote:
On 9/12/21 21:23, Ilias Apalodimas wrote:
Hi Heinrich
[...]
- if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) {
vendor = &efi_global_variable_guid;- } else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) {
vendor = &efi_guid_image_security_database;- } else {
- vendor = efi_auth_var_get_guid(name);
- if (!vendor) { EFI_PRINT("unknown signature database, %ls\n", name); return NULL; }
efi_auth_var_get_guid() will return &efi_global_variable_guid if the GUID for the variable name isn't found.
Hello Ilias, that is on purpose. In nevedit_efi we need a default GUID. I want to reuse the same function there in future.
Best regards
Then I guess the check can go away ?
Yes
Heinrich
- /* retrieve variable data */
- db_size = 0;
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL));
- if (ret == EFI_NOT_FOUND) {
EFI_PRINT("variable, %ls, not found\n", name);sigstore = calloc(sizeof(*sigstore), 1);return sigstore;- } else if (ret != EFI_BUFFER_TOO_SMALL) {
EFI_PRINT("Getting variable, %ls, failed\n", name);return NULL;- }
- db = malloc(db_size);
- db = efi_get_var(name, vendor, &db_size); if (!db) {
EFI_PRINT("Out of memory\n");return NULL;- }
- ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db));
- if (ret != EFI_SUCCESS) {
EFI_PRINT("Getting variable, %ls, failed\n", name);free(db);return NULL;
EFI_PRINT("variable, %ls, not found\n", name);return calloc(sizeof(struct efi_signature_store), 1);Why? From the patch alone it's not clear why you want to allocate memory here instead of returning NULL.
This is existing code. See the same lines deleted above.
If I read the code correctly, we are trying to be smart about the buffer outcome. Check for example efi_image_unsigned_authenticate(). By returning an empty buffer the 'dbx' check will succeed but the 'db' check a few lines after will fail.
But this is pointless imho... Why don't we just have efi_status_t efi_signature_store efi_sigstore_parse_sigdb(u16 *name, struct efi_signature_store *store)
We can the control the EFI return value in efi_sigstore_parse_sigdb() and any callers would just have to look at the result, instead of getting a memory that contains empty data and try to reason about it. IOW you can check for EFI_NOT_FOUND in both cases on the caller function. If you are working with 'dbx' then that's fine and you can continue. If you are working with 'db' you need to fail the authentication. This imho is much more readable.
Regards /Ilias
Don't duplicate GUIDs.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de --- lib/efi_loader/efi_tcg2.c | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-)
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index beb224f66a..eb2c0a413c 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -11,6 +11,7 @@ #include <common.h> #include <dm.h> #include <efi_loader.h> +#include <efi_variable.h> #include <efi_tcg2.h> #include <log.h> #include <malloc.h> @@ -79,17 +80,12 @@ static const struct digest_info hash_algo_list[] = { }, };
-struct variable_info { - u16 *name; - const efi_guid_t *guid; -}; - -static struct variable_info secure_variables[] = { - {L"SecureBoot", &efi_global_variable_guid}, - {L"PK", &efi_global_variable_guid}, - {L"KEK", &efi_global_variable_guid}, - {L"db", &efi_guid_image_security_database}, - {L"dbx", &efi_guid_image_security_database}, +static const u16 *secure_variables[] = { + u"SecureBoot", + u"PK", + u"KEK", + u"db", + u"dbx", };
#define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) @@ -1587,19 +1583,20 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev)
count = ARRAY_SIZE(secure_variables); for (i = 0; i < count; i++) { + const efi_guid_t *guid; + + guid = efi_auth_var_get_guid(secure_variables[i]); + /* * According to the TCG2 PC Client PFP spec, "SecureBoot", * "PK", "KEK", "db" and "dbx" variables must be measured * even if they are empty. */ - data = efi_get_var(secure_variables[i].name, - secure_variables[i].guid, - &data_size); + data = efi_get_var(secure_variables[i], guid, &data_size);
ret = tcg2_measure_variable(dev, 7, EV_EFI_VARIABLE_DRIVER_CONFIG, - secure_variables[i].name, - secure_variables[i].guid, + secure_variables[i], guid, data_size, data); free(data); if (ret != EFI_SUCCESS) -- 2.30.2
participants (2)
-
Heinrich Schuchardt -
Ilias Apalodimas