Akashi-san,
On Thu, Jan 14, 2021 at 01:23:30PM +0900, AKASHI Takahiro wrote:
> Ilias,
>
> On Wed, Jan 13, 2021 at 01:11:48PM +0200, Ilias Apalodimas wrote:
> > Up to now we install EFI_LOAD_FILE2_PROTOCOL to load an initrd
> > unconditionally. Although we correctly return v
Akashi-san,
> > + efi_uintn_t *size, int idx)
[...]
>
> The type of "idx" should be 'enum load_option_dp_type'.
>
> Currently, "idx" is used as an index into the array of device paths,
> but given each device path is set to have its own guid, "idx" should be
>
On Fri, Jan 15, 2021 at 11:33:40AM -0800, Atish Patra wrote:
> On Fri, Jan 15, 2021 at 8:00 AM Ilias Apalodimas
> wrote:
> >
> > Atish reports than on RISC-V, accessing the EFI variables causes
> > a kernel panic. An objdump of the file verifies that, since the
> >
2
So let's switch efi_var_buf to static and create a helper function for
anyone that needs to update it.
Fixes: e01aed47d6a0 ("efi_loader: Enable run-time variable support for tee
based variables")
Reported-by: Atish Patra
Tested-by: Atish Patra
Reviewed-by: Heinrich Schuchardt
Sig
> + }
> + file->close(file);
> + } else {
> + error(L"Failed to open file\r\n");
> + }
> + root->close(root);
> +
> +out:
> + if (initrd)
> + bs->free_pages((uintptr_t)initrd,
> +efi_size_in_pages(initrd_size));
> + return ret;
> +}
> +
> +/**
> + * efi_main() - entry point of the EFI application.
> + *
> + * @handle: handle of the loaded image
> + * @systab: system table
> + * @return: status code
> + */
> +efi_status_t EFIAPI efi_main(efi_handle_t image_handle,
> + struct efi_system_table *systab)
> +{
> + handle = image_handle;
> + systable = systab;
> + cerr = systable->std_err;
> + cout = systable->con_out;
> + cin = systable->con_in;
> + bs = systable->boottime;
> +
> + cout->set_attribute(cout, EFI_LIGHTBLUE | EFI_BACKGROUND_BLACK);
> + cout->clear_screen(cout);
> + cout->set_attribute(cout, EFI_WHITE | EFI_BACKGROUND_BLACK);
> + print(L"INITRD Dump\r\n\r\n\r\n");
> + cout->set_attribute(cout, EFI_LIGHTBLUE | EFI_BACKGROUND_BLACK);
> +
> + for (;;) {
> + u16 command[BUFFER_SIZE];
> + u16 *pos;
> + efi_uintn_t ret;
> +
> + print(L"=> ");
> + ret = efi_input(command, sizeof(command));
> + if (ret == EFI_ABORTED)
> + break;
> + pos = skip_whitespace(command);
> + if (starts_with(pos, L"exit"))
> + break;
> + else if (starts_with(pos, L"load"))
> + do_load();
> + else if (starts_with(pos, L"save "))
> + do_save(pos + 5);
> + else
> + do_help();
> + }
> +
> + cout->set_attribute(cout, EFI_LIGHTGRAY | EFI_BACKGROUND_BLACK);
> + cout->clear_screen(cout);
> + return EFI_SUCCESS;
> +}
> --
> 2.29.2
>
Acked-by: Ilias Apalodimas
/Makefile | 3 +-
> lib/efi_loader/efi_bootmgr.c | 135 ---
> lib/efi_loader/efi_load_options.c | 149 ++
> 7 files changed, 183 insertions(+), 145 deletions(-)
> create mode 100644 lib/efi_loader/efi_load_options.c
>
> --
> 2.29.2
>
For the series
Acked-by: Ilias Apalodimas
Hi Atish,
> >
> > diff --git a/lib/efi_loader/efi_var_mem.c b/lib/efi_loader/efi_var_mem.c
> > index 7a2dba7dc263..fd97d5b56300 100644
> > --- a/lib/efi_loader/efi_var_mem.c
> > +++ b/lib/efi_loader/efi_var_mem.c
> > @@ -10,7 +10,7 @@
> > #include
> > #include
> >
> > -static struct
_pubek(struct udevice *dev, void *data, size_t count)
> +{
> + if (is_tpm1(dev))
> + return tpm1_read_pubek(dev, data, count);
> + else
> + return -ENOSYS; /* not implemented yet */
> +}
> +
> +u32 tpm_force_clear(struct udevice *dev)
> +{
> + if (is_tpm1(dev))
> + return tpm1_force_clear(dev);
> + else
> + return -ENOSYS;
> +}
> +
> +u32 tpm_physical_enable(struct udevice *dev)
> +{
> + if (is_tpm1(dev))
> + return tpm1_physical_enable(dev);
> + else
> + return -ENOSYS;
> +}
> +
> +u32 tpm_physical_disable(struct udevice *dev)
> +{
> + if (is_tpm1(dev))
> + return tpm1_physical_disable(dev);
> + else
> + return -ENOSYS;
> +}
> +
> +u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state)
> +{
> + if (is_tpm1(dev))
> + return tpm1_physical_set_deactivated(dev, state);
> + else
> + return -ENOSYS;
> +}
> +
> +u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
> +void *cap, size_t count)
> +{
> + if (is_tpm1(dev))
> + return tpm1_get_capability(dev, cap_area, sub_cap, cap, count);
> + else
> + return -ENOSYS;
> +}
> +
> +u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm)
> +{
> + if (is_tpm1(dev))
> + return tpm1_get_permissions(dev, index, perm);
> + else
> + return -ENOSYS; /* not implemented yet */
> +}
> +
> +u32 tpm_get_random(struct udevice *dev, void *data, u32 count)
> +{
> + if (is_tpm1(dev))
> + return tpm1_get_random(dev, data, count);
> + else
> + return -ENOSYS; /* not implemented yet */
> +}
> --
> 2.30.0.280.ga3ce27912f-goog
>
This looks good. I don't have a TPMv1 available to check more, hence
Acked-by: Ilias Apalodimas
rithm,
>*/
> ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
> offset, digest, digest_len);
> - offset += digest_len;
> if (ret)
> return TPM_LIB_ERROR;
>
> --
> 2.30.0.280.ga3ce27912f-goog
>
Reviewed-by: Ilias Apalodimas
pm1(dev))
> return -ENOSYS;
> else if (is_tpm2(dev))
> - return -ENOSYS;
> + return tpm2_write_lock(dev, index);
> else
> return -ENOSYS;
> }
> --
> 2.30.0.280.ga3ce27912f-goog
>
Acked-by: Ilias Apalodimas
tpm_nv_read_value(struct udevice *dev, u32 index,
> void *data, u32 count)
> if (is_tpm1(dev))
> return tpm1_nv_read_value(dev, index, data, count);
> else if (is_tpm2(dev))
> - return -ENOSYS;
> + return tpm2_nv_read_value(dev, index, data, count);
> else
> return -ENOSYS;
> }
> @@ -129,7 +129,7 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index,
> const void *data,
> if (is_tpm1(dev))
> return tpm1_nv_write_value(dev, index, data, count);
> else if (is_tpm2(dev))
> - return -ENOSYS;
> + return tpm2_nv_write_value(dev, index, data, count);
> else
> return -ENOSYS;
> }
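Review bot: tpm_nv_write_value() is declared `u32` yet its fallback branches still `return -ENOSYS`, so after this hunk the same return value space carries both a negated errno (wrapped to a large unsigned) and whatever status tpm2_nv_write_value() reports; a caller that tests `ret < 0` or compares only against a TPM success constant will misclassify one of the two. The commit does not change this, but the contract deserves a line on the API declaration, e.g. `/* Returns 0 on success; any non-zero value is a failure (TPM status code or negated errno cast to u32) - test only for non-zero */`. From this hunk I cannot see how the v2 helper bounds `count` against the NV index size, so that check should be confirmed in tpm2_nv_write_value() before boot code relies on this path to write NV storage.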
> --
> 2.30.0.280.ga3ce27912f-goog
>
Acked-by: Ilias Apalodimas
+ };
> + int ret;
> +
> + ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
> + log_info("ret=%s, %x\n", dev->name, ret);
> + if (ret)
> + return ret;
> +
> + priv->plat_hier_disabled = true;
> +
> + return 0;
> +}
> --
> 2.30.0.280.ga3ce27912f-goog
>
Acked-by: Ilias Apalodimas
ret;
>
> - log_debug("%s: len=%x\n", __func__, len);
> + log_debug("len=%x\n", len);
> timeout = timer_get_us() + TIMEOUT_LONG_US;
> do {
> ret = cr50_i2c_status(dev);
> --
> 2.30.0.280.ga3ce27912f-goog
>
Reviewed-by: Ilias Apalodimas
uot;invalid count value %x %zx\n", count, send_size);
> return -E2BIG;
> }
>
> - debug("%s: Calling send\n", __func__);
> + log_debug("%s: Calling send\n", __func__);
> ret = ops->send(dev, sendbuf, send_size);
> if (ret < 0)
> return ret;
> --
> 2.30.0.280.ga3ce27912f-goog
>
Reviewed-by: Ilias Apalodimas
On Sat, Jan 23, 2021 at 10:26:04AM -0700, Simon Glass wrote:
> Add support for this so that the TPM can be set up for use with
> Chromium OS verified boot.
>
> Signed-off-by: Simon Glass
> ---
[...]
> + /*
> + * Fill the command structure starting from the first buffer:
> + *
On Sat, Jan 23, 2021 at 10:25:59AM -0700, Simon Glass wrote:
> The response is shown but not the request. Update the code to show both
> if debugging is enabled.
>
> Signed-off-by: Simon Glass
> ---
>
> (no changes since v1)
>
> lib/tpm-common.c | 11 ---
> 1 file changed, 8
On Sat, Jan 23, 2021 at 10:26:01AM -0700, Simon Glass wrote:
> Take over the plain 'tpm_...' functions for use by the new TPM API. Rename
> all the TPMv1 functions so they are called from the API.
>
> Update the TPMv1 functions so that they are called from the API. Change
> existing users to use
return tpm1_get_capability(dev, cap_area, sub_cap, cap, count);
> + else if (is_tpm2(dev))
> + return tpm2_get_capability(dev, cap_area, sub_cap, cap, count);
> else
> return -ENOSYS;
> }
> @@ -202,14 +268,18 @@ u32 tpm_get_permissions(struct udevice *dev, u32 index,
> u32 *perm)
> {
> if (is_tpm1(dev))
> return tpm1_get_permissions(dev, index, perm);
> - else
> + else if (is_tpm2(dev))
> return -ENOSYS; /* not implemented yet */
> + else
> + return -ENOSYS;
> }
>
> u32 tpm_get_random(struct udevice *dev, void *data, u32 count)
> {
> if (is_tpm1(dev))
> return tpm1_get_random(dev, data, count);
> - else
> + else if (is_tpm2(dev))
> return -ENOSYS; /* not implemented yet */
> + else
> + return -ENOSYS;
> }
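Review bot: The new `is_tpm2()` branch of tpm_get_random() returns `-ENOSYS` without touching `data`, so a caller that ignores the (u32-wrapped) return value will consume an uninitialised buffer as if it were TPM entropy. Since the stub path is now explicit, the header comment should state the failure contract, e.g. `@return 0 on success with @data filled, non-zero on failure (@data is left unmodified)`, so that callers know they must check for non-zero rather than `< 0`. The same applies to tpm_get_permissions() above it, whose `*perm` is left untouched on the stub path.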
> --
> 2.30.0.280.ga3ce27912f-goog
>
Acked-by: Ilias Apalodimas
Hi Heinrich,
Overall the patch and idea seem fine.
Would it make sense to name the file differently?
Something similar to what I did on my initrd patches, i.e. efi_helper.c, so we
can start adding helper functions that have a wider usage?
Thanks
/Ilias
On Fri, Jan 15, 2021 at 07:02:49PM +0100,
Hi Simon,
On Sat, Jan 16, 2021 at 02:51:35PM -0700, Simon Glass wrote:
> Add support for this so that the TPM can be set up for use with
> Chromium OS verified boot.
>
> Signed-off-by: Simon Glass
> ---
>
> include/tpm-v2.h | 18 ++
> lib/tpm-v2.c | 44
n(efi_handle_t image_handle,
> + struct efi_system_table *systab)
> +{
> + handle = image_handle;
> + systable = systab;
> + cerr = systable->std_err;
> + cout = systable->con_out;
> + cin = systable->con_in;
> + bs = systable->boottime;
> +
> + cout->set_attribute(cout, EFI_LIGHTBLUE | EFI_BACKGROUND_BLACK);
> + cout->clear_screen(cout);
> + cout->set_attribute(cout, EFI_WHITE | EFI_BACKGROUND_BLACK);
> + cout->output_string(cout, L"INITRD Dump\n\n\n");
> + cout->set_attribute(cout, EFI_LIGHTBLUE | EFI_BACKGROUND_BLACK);
> +
> + for (;;) {
> + u16 command[BUFFER_SIZE];
> + u16 *pos;
> + efi_uintn_t ret;
> +
> + cout->output_string(cout, L"=> ");
> + ret = efi_input(command, sizeof(command));
> + if (ret == EFI_ABORTED)
> + break;
> + pos = skip_whitespace(command);
> + if (starts_with(pos, L"exit"))
> + break;
> + else if (starts_with(pos, L"save "))
> + do_save(pos + 5);
> + else
> + do_help();
> + }
> +
> + cout->set_attribute(cout, EFI_LIGHTGRAY | EFI_BACKGROUND_BLACK);
> + cout->clear_screen(cout);
> + return EFI_SUCCESS;
> +}
> --
> 2.29.2
>
I guess we can use this in the selftests for initrd loading in the future
right?
This seems to be covering most of the protocol usage, so the self-test could
be something like 'download file' -> check md5sum/sha256 (or similar) of the
saved file against the one we loaded.
Acked-by: Ilias Apalodimas
Hi Simon,
On Sat, Jan 16, 2021 at 02:51:34PM -0700, Simon Glass wrote:
> Update tpm2_clear() and tpm2_pcr_extend() so that the command size
> is not repeated twice. Add a small comment to the latter.
>
> Signed-off-by: Simon Glass
> ---
>
> lib/tpm-v2.c | 11 ++-
> 1 file changed, 6
;
> >
> > I guess we can use this in the selftests for initrd loading in the future
> > right?
> > This seems to be covering most of the protocol usage, so the self-test could
> > be something like 'download file' -> check md5sum/sha256 (or similar) of the
> > saved file
2
So let's switch efi_var_buf to static and create a helper function for
anyone that needs to update it.
Fixes: e01aed47d6a0 ("efi_loader: Enable run-time variable support for tee
based variables")
Reported-by: Atish Patra
Signed-off-by: Ilias Apalodimas
---
Atish can you give it a spin a
Hi Andreas,
On Fri, Jan 15, 2021 at 05:34:04PM +0100, Andreas Schwab wrote:
> On Jan 14 2021, Atish Patra wrote:
>
> > I am a bit confused how this will work. This means it will reside in GOT
> > which is not mapped in virtual address for Linux. Whenever we try to
> > invoke get_variable
Hi Heinrich,
[...]
> > Atish can you give it a spin and let me know if this fixes the issue for
> > you?
> > The objdump seems to be correct now, but I am not familiar with RISC-V.
> > No regressions on Arm with TEE or memory backed variables.
> > include/efi_variable.h| 12
isk, we'll now install the load_file2 and the efi-stub will be able
to use it.
This opens up another path using U-Boot and defines a new boot flow.
A user will be able to control the kernel/initrd pairs without explicit
cmdline args or GRUB.
Signed-off-by: Ilias Apalodimas
---
cmd
is not included in the RFC.
I'll go ahead and change it if there's general agreement on the feature.
[1] https://lists.denx.de/pipermail/u-boot/2020-December/436080.html
[2] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
section 3.1.3
Ilias Apalodimas (3):
efi_loader: Introduce helper
efidebug slightly
and install the second file described in the command line as the
initrd device path.
Signed-off-by: Ilias Apalodimas
---
cmd/efidebug.c | 89 +-
1 file changed, 81 insertions(+), 8 deletions(-)
diff --git a/cmd/efidebug.c b/cmd
-off-by: Ilias Apalodimas
---
include/efi_helper.h| 23 ++
lib/efi_loader/efi_helper.c | 146
2 files changed, 169 insertions(+)
create mode 100644 include/efi_helper.h
create mode 100644 lib/efi_loader/efi_helper.c
diff --git a/include
> > + initrd= will stop working. The protocol will only be
[...]
>
> How about
>
> "Linux v5.7 and later can make use of this option. If the boot option
> selected by the UEFI boot manager specifies an existing file to be used
> as initial RAM disk, a Linux specific Load File2 protocol will
Hi Heinrich,
> > + efi_status_t ret;
> > + void *buf = NULL;
> > +
> > + *size = 0;
> > + ret = efi_get_variable_int(name, vendor, NULL, size, buf, NULL);
> > + if (ret == EFI_BUFFER_TOO_SMALL) {
> > + buf = malloc(*size);
>
> Please, always check the output of malloc(), e.g.
On Wed, Jan 13, 2021 at 02:13:44PM +0100, Heinrich Schuchardt wrote:
> On 13.01.21 12:11, Ilias Apalodimas wrote:
> > The UEFI spec allow a packed array of UEFI device paths in the
> > FilePathList[] of an EFI_LOAD_OPTION. The first file path must
> > describe the loaded imag
On Sat, Jan 02, 2021 at 05:42:23PM -0500, Tom Rini wrote:
> On Thu, Dec 31, 2020 at 05:25:14PM +0100, Heinrich Schuchardt wrote:
>
> > Dear Tom,
> >
> > please, merge into origin/next.
> >
> > @Takahiro, Ilias, Sughosh
> > *Thanks a lot for all your contributions this year.*
> >
> > The
is usable for the duration of the update
Signed-off-by: Ilias Apalodimas
---
configs/sandbox64_defconfig | 1 -
configs/sandbox_defconfig| 1 -
configs/xilinx_zynqmp_virt_defconfig | 1 -
include/efi_loader.h | 1 +
lib/efi_loader/Kconfig
Too fast on the trigger.
The efi_load_capsule_drivers() must go into an IS_ENABLED. I'll wait
for any other comments and send a V2
On Mon, 14 Jun 2021 at 18:10, Ilias Apalodimas
wrote:
>
> Right now we allow both of the FMPs (RAW and FIT based) to be installed at
> the same time. Mo
On Tue, Jun 15, 2021 at 09:49:58AM +0900, Masami Hiramatsu wrote:
> 2021年6月15日(火) 0:10 Ilias Apalodimas :
>
> >
> > Right now we allow both of the FMPs (RAW and FIT based) to be installed at
> > the same time. Moreover we only install those if a CapsuleUpdate is
> >
On Tue, Jun 15, 2021 at 01:44:58PM +0900, AKASHI Takahiro wrote:
> On Tue, Jun 15, 2021 at 06:55:50AM +0300, Ilias Apalodimas wrote:
> > Akashi-san,
> >
> > On Tue, Jun 15, 2021 at 10:51:01AM +0900, AKASHI Takahiro wrote:
> > > Ilias,
> > >
> > > I
On Tue, Jun 15, 2021 at 02:55:38PM +0900, AKASHI Takahiro wrote:
> On Tue, Jun 15, 2021 at 08:23:35AM +0300, Ilias Apalodimas wrote:
> > On Tue, Jun 15, 2021 at 01:44:58PM +0900, AKASHI Takahiro wrote:
> > > On Tue, Jun 15, 2021 at 06:55:50AM +0300, Ilias Apalodimas wrote:
> > >
[...]
> > > They are fixing "different" problems relating ESRT generation.
> > > That is my point.
> > >
> >
> > Sure, but it's a minor clean up really. As I said the current code works
> > fine. So I dont really mind the fact that it breaks a sentence of the spec.
> > Hence I
Akashi-san,
On Tue, Jun 15, 2021 at 10:51:01AM +0900, AKASHI Takahiro wrote:
> Ilias,
>
> In this patch, you are trying to address a couple of independent
> issues in a single commit.
> Please split.
> (Heinrich doesn't like that.)
>
> On Mon, Jun 14, 2021 at 06:10:14PM
We currently define the EFI support of an SMBIOS table as the third bit of
"BIOS Characteristics Extension Byte 1". The latest DMTF spec defines it
on "BIOS Characteristics Extension Byte 2".
Signed-off-by: Ilias Apalodimas
---
include/smbios.h | 2 +-
lib/smbios.c
Hi Heinrich
On Thu, 10 Jun 2021 at 13:16, Heinrich Schuchardt wrote:
>
> On 6/9/21 5:14 PM, Ilias Apalodimas wrote:
> > We currently define the EFI support of an SMBIOS table as the third bit of
> > "BIOS Characteristics Extension Byte 1". The latest DMTF
ns")
Signed-off-by: Ilias Apalodimas
---
This depends on https://lists.denx.de/pipermail/u-boot/2021-June/451761.html
lib/smbios.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/lib/smbios.c b/lib/smbios.c
index abdd157a7084..e2c6b1a44ee3 100644
--- a/lib/smbios.c
+++ b/lib/smbios
d, as
long as they target different firmware hardware stores
Note that we are not using a Kconfig 'choice' on purpose, since we
want to allow both of those to be installed and tested in sandbox
Signed-off-by: Ilias Apalodimas
---
configs/xilinx_zynqmp_virt_defconfig | 1 -
lib/efi_load
we can use to run CapsuleUpdate on-disk
Signed-off-by: Ilias Apalodimas
---
include/efi_loader.h | 1 +
lib/efi_loader/efi_setup.c | 6 ++
2 files changed, 7 insertions(+)
diff --git a/include/efi_loader.h b/include/efi_loader.h
index 0a9c82a257e1..b81180cfda8b 100644
--- a/include
ces(&efi_root,
&efi_guid_firmware_management_protocol, &efi_fmp_raw, NULL)
Command failed, result=1
To fix this issue, pass the handle variable as same as the efi_fmp_fit
installation.
Signed-off-by: Masami Hiramatsu
Signed-off-by: Ilias Apalodimas
---
v1 is at https://lists.denx.de/pipermail/u-boot/2021-J
[...]
> >v1 is at https://lists.denx.de/pipermail/u-boot/2021-June/452097.html
> >changes since v1:
> >- split patches
> >- pick up Masami's patch fixing the efi_root issue
> >- Don't use 'choice' on Kconfig since we need both of the FMPs
> >installed for sandbox testing
> > instead just make
we can use to run CapsuleUpdate on-disk
Signed-off-by: Ilias Apalodimas
---
Changes since v2:
-
Changes since v1:
- Only install the FMPs if CONFIG_EFI_HAVE_CAPSULE_SUPPORT is selected
include/efi_loader.h | 1 +
lib/efi_loader/efi_capsule.c | 11 +++
lib/efi_loader/efi_setup.c
d, as
long as they target different firmware hardware stores
Note that we are not using a Kconfig 'choice' on purpose, since we
want to allow both of those to be installed and tested in sandbox
Signed-off-by: Ilias Apalodimas
---
Changes since v2:
-
Changes since v1:
- Don't use 'choice' on Kconfig sic
ust discarded)
Signed-off-by: Masami Hiramatsu
Signed-off-by: Ilias Apalodimas
---
Changes since v2:
- Updated commit description
Changes since v1:
-
lib/efi_loader/efi_capsule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loa
[...]
> > > > > Yes.
> > > > > We may have different *firmware* for different software components
> > > > > and different devices. For example,
> > > > > You have firmare like U-Boot binary and default variable storage
> > > > > in different partitions.
> > > > > On the other hand, you have an
On Fri, Jun 18, 2021 at 10:52:51PM +0900, Masami Hiramatsu wrote:
> Hi Ilias,
>
> 2021年6月18日(金) 19:51 Ilias Apalodimas :
> >
> > Chapter 23 of the EFI spec (rev 2.9) says:
> > "A specific updatable hardware firmware store must be represented
Acked-by: Ilias Apalodimas
Tested-by: Ilias Apalodimas
On Fri, 11 Jun 2021 at 10:25, Masami Hiramatsu
wrote:
> Hello,
>
> Would anyone have any comments on this series?
>
> Thank you,
>
> 2021年6月4日(金) 18:43 Masami Hiramatsu :
> >
> > Hi,
> >
>
[...]
> > > FWIW I personally don't think we should even have a config option. But
> > > even
> > > if we did it certainly must not be dictated by a hardware config.
> > >
> > > When you install distro packages you accept whatever dependencies the
> > > package has. mkeficapsule is a capsule
ot;Windows Authenticode Portable Executable Signature
>* Format"
> - * Not supported for now
>*/
> if (flags & PE_COFF_IMAGE) {
> - ret = EFI_UNSUPPORTED;
> - goto out;
> - }
> + IMAGE_NT_HEADERS32 *nt;
>
> - pcr_index = efi_tcg_event->header.pcr_index;
> - event_type = efi_tcg_event->header.event_type;
> + ret = efi_check_pe((void *)data_to_hash, data_to_hash_len,
> +(void **));
> + if (ret != EFI_SUCCESS) {
> + log_err("Not a valid PE-COFF file\n");
> + goto out;
> + }
>
> - ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
> - _list);
> + ret = tcg2_hash_pe_image((void *)data_to_hash, data_to_hash_len,
> + _list);
> + } else {
> + ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
> + _list);
> + }
> if (ret != EFI_SUCCESS)
> goto out;
>
> + pcr_index = efi_tcg_event->header.pcr_index;
> + event_type = efi_tcg_event->header.event_type;
> +
> ret = tcg2_pcr_extend(dev, pcr_index, _list);
> if (ret != EFI_SUCCESS)
> goto out;
> --
> 2.17.1
>
This might need a rebase since Heinrich merged some minor cleanups
yesterday. Other than that
Acked-by: Ilias Apalodimas
Tested-by: Ilias Apalodimas
Akashi-san,
On Wed, May 12, 2021 at 01:57:51PM +0900, AKASHI Takahiro wrote:
> As we discussed, "-K" and "-D" options have nothing to do with
> creating a capsule file. The same result can be obtained by
> using standard commands like:
> === signature.dts ===
> /dts-v1/;
> /plugin/;
>
>
On Wed, May 12, 2021 at 03:59:47PM +0900, Masahisa Kojima wrote:
> Build error occurs when CONFIG_EFI_SECURE_BOOT/
> CONFIG_EFI_CAPSULE_AUTHENTICATE/CONFIG_EFI_TCG2_PROTOCOL
> is enabled, because hash-checksum.c is not compiled.
>
> With the following commit,
> commit 0bcb28dfb946 ("lib: Rename
On Wed, May 12, 2021 at 04:49:02PM +0900, Masami Hiramatsu wrote:
> Hi Ilias,
>
> 2021年5月12日(水) 16:21 Ilias Apalodimas :
> >
> > Akashi-san,
> >
> > On Wed, May 12, 2021 at 01:57:51PM +0900, AKASHI Takahiro wrote:
> > > As we discussed, "-K" and
EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
So select the missing SHA1, SHA256, SHA384 and SHA512 we currently support
Reported-by: Michal Simek
Signed-off-by: Ilias Apalodimas
---
changes since v3:
- add multiple select lines
changes since v2:
- remove 'on' after
EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
So select the missing SHA1, SHA256, SHA384 and SHA512 we currently support
Reported-by: Michal Simek
Signed-off-by: Ilias Apalodimas
---
changes since v1:
- use 'select' instead of 'depend'
changes since v2:
- remove
EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
So select the missing SHA1, SHA256, SHA384 and SHA512 we currently support
Reported-by: Michal Simek
Signed-off-by: Ilias Apalodimas
---
Changes since v1:
- use 'select' instead of 'depends'
lib/efi_loader/Kconfig | 1
doh yea, forgot to delete the 'on' from depends. Let me send a v3
On Tue, 11 May 2021 at 14:03, Michal Simek wrote:
>
>
>
> On 5/11/21 12:57 PM, Ilias Apalodimas wrote:
> > EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
> > So select the miss
Sure looks good.
Thanks!
On Tue, 11 May 2021 at 09:39, Heinrich Schuchardt wrote:
>
> From: Ilias Apalodimas
>
> Instead of just failing, clean up the installed config table and
> EventLog memory if logging an s-crtm event fails during the protocol
> installation
>
>
On Tue, May 11, 2021 at 09:25:04AM +0200, Heinrich Schuchardt wrote:
> On 10.05.21 20:26, Ilias Apalodimas wrote:
> > EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
> > So add the missing SHA1, SHA256, SHA384 and SHA512 we currently support
>
> >
[...]
> > Based on what was discussed in the thread waht I think would make more
> > sense is:
> > - Build u-boot and use the script Akashi sent to inject the certificate.
> > Whether we create a single binary (always signed if a config option is
> > there) or 2 binaries (1 signed. 1
Hi,
On Wed, May 12, 2021 at 06:19:58PM +0200, Heinrich Schuchardt wrote:
> On 12.05.21 18:05, Simon Glass wrote:
> > Hi Heinrich,
> >
> > On Wed, 12 May 2021 at 10:01, Heinrich Schuchardt
> > wrote:
> >>
> >> On 17.02.21 04:20, Joel Stanley wrote:
> >>> Similar to support for SHA1 and SHA256,
[...]
> +
> /**
> * efi_tcg2_hash_log_extend_event() - extend and optionally log events
> *
> @@ -758,24 +937,32 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol
> *this, u64 flags,
> /*
>* if PE_COFF_IMAGE is set we need to make sure the image is not
>*
Reviewed-by: Ilias Apalodimas
On Wed, 12 May 2021 at 18:40, Heinrich Schuchardt wrote:
>
> Building 32bit boards with the TCG2 protocol enabled leads to a build
> warning due to a missing conversion.
>
> lib/efi_loader/efi_tcg2.c:774:27:
> error: cast to po
On Thu, May 13, 2021 at 05:38:51PM +0900, AKASHI Takahiro wrote:
> On Thu, May 13, 2021 at 05:18:36PM +0900, Masami Hiramatsu wrote:
> > 2021年5月13日(木) 16:24 AKASHI Takahiro :
> >
> > > > >> > BTW, IMHO, if u-boot.bin can not find the ESL in the device tree,
> > > > >> > it should skip
On Fri, May 14, 2021 at 10:09:46PM +0900, Masami Hiramatsu wrote:
> Hi all,
>
> I think it's time to summarize the topics on this thread.
>
> 1. tools/mkeficapsule, config options dependency
> - The tools, especially useful and distributable tools like
> mkeficapsule should not be changed by
. If the protocol fails
to install, the PCRs will never be extended to the expected values, so
some other entity later in the boot flow will eventually figure it out
and take the necessary actions.
Signed-off-by: Ilias Apalodimas
---
lib/efi_loader/efi_tcg2.c | 16
1 file changed, 12
ion
fails.
Signed-off-by: Ilias Apalodimas
---
changes since v1:
- stop printing a warning when tcg2_uninit was called before installing
the final events config table
lib/efi_loader/efi_tcg2.c | 33 -
1 file changed, 28 insertions(+), 5 deletions(-)
diff -
efi_init_event_log() calls tcg2_uninit() in case of failure.
We can skip that since the function is called on efi_tcg2_register()
which also cleans up if an error occurs
Signed-off-by: Ilias Apalodimas
---
lib/efi_loader/efi_tcg2.c | 4
1 file changed, 4 deletions(-)
diff --git a/lib
Instead of just failing, clean up the installed config table and
EventLog memory if logging an s-crtm event fails during the protocol
installation
Signed-off-by: Ilias Apalodimas
---
lib/efi_loader/efi_tcg2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/efi_loader
EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
So add the missing SHA1, SHA256, SHA384 and SHA512 we currently support
as dependencies
Signed-off-by: Ilias Apalodimas
---
lib/efi_loader/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/efi_loader
+CC Michal who actually noticed this.
Heinrich can you add a
Reported-by: Michal Simek
before merging this? Or you prefer me to resend?
On Mon, 10 May 2021 at 21:26, Ilias Apalodimas
wrote:
>
> EFI_TCG2 depends not only on TPMv2 but also on the underlying algorithms.
> So add the mis
77,10 @@ void tee_optee_ta_uuid_from_octets(struct
> tee_optee_ta_uuid *d,
> void tee_optee_ta_uuid_to_octets(u8 d[TEE_UUID_LEN],
>const struct tee_optee_ta_uuid *s);
>
> +/**
> + * tee_flush_all_shm_dcache() - Flush data cache for all shared memories
> + * @dev: The TEE device
> + */
> +void tee_flush_all_shm_dcache(struct udevice *dev);
> +
> #endif /* __TEE_H */
> --
> 2.17.1
>
Acked-by: Ilias Apalodimas
Compiling with -Wextra produces a number of (harmless) warnings for the EFI
TCG2 protocol. Let's fix those in case we ever enable the flag on the EFI
subsystem
Signed-off-by: Ilias Apalodimas
---
lib/efi_loader/efi_tcg2.c | 40 +--
1 file changed, 22
, since the values are always OR'ed after querying the
hardware.
Signed-off-by: Ilias Apalodimas
---
lib/efi_loader/efi_tcg2.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 39074f754772..ee743f5951fb 100644
Unfortunately I don't
have time for a more detailed review, but I did manage to run this on my
Synquacer and managed to run a full linux distro with EFI.
Tested-by: Ilias Apalodimas
> Changes in v4
> -
>
> I dropped a PCI bugfix because it has been merged. And add I2
[...]
> >
> > At least Debian and Ubuntu do not allow /boot to be on a FAT file system.
> > If we want to boot Linux via the EFI stub without GRUB, we need ext4
> > support exposed to the EFI sub-system. See Ilias' recent contributions for
> > the EFI_LOAD_FILE2_PROTOCOL for initrd and
On Thu, Jun 03, 2021 at 03:36:38PM +0900, Masami Hiramatsu wrote:
> Hi Ilias,
>
> 2021年6月3日(木) 15:25 Ilias Apalodimas :
> >
> > [...]
> > > >
> > > > At least Debian and Ubuntu do not allow /boot to be on a FAT file
> > > > system. If we
new_efi);
> +
> bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
>WIN_CERTIFICATE **auth, size_t *auth_len);
>
> diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
> index 40e241ce31..bcfb98168a 100644
> --- a/include/efi_tcg2.h
> +++
_path);
> printf(" file_path: %ls\n", dp_str);
> @@ -1194,7 +1184,6 @@ static void show_efi_boot_opt_data(u16 *varname16, void
> *data, size_t *size)
> printf(" data:\n");
> print_hex_dump("", DUMP_PREFIX_OFFSET, 16, 1,
> lo.optional_data, *size, true);
> - free(label);
> }
>
> /**
> --
> 2.30.2
>
Reviewed-by: Ilias Apalodimas
rder", ,
> EFI_VARIABLE_NON_VOLATILE |
> EFI_VARIABLE_BOOTSERVICE_ACCESS |
> EFI_VARIABLE_RUNTIME_ACCESS,
> - size, bootorder));
> + size, bootorder, true);
> if (ret != EFI_SUCCESS) {
> printf("Cannot set BootOrder\n");
> r = CMD_RET_FAILURE;
> --
> 2.30.2
>
Tested-by: Ilias Apalodimas
Reviewed-by: Ilias Apalodimas
t;
> - }
> - p = label;
> - utf16_utf8_strncpy(, lo.label, label_len16);
> - printf("%2d: %s: %s\n", i + 1, var_name, label);
> - free(label);
> + printf("%2d: %s: %ls\n", i + 1, var_name, lo.label);
>
> free(data);
> }
> --
> 2.30.2
>
Reviewed-by: Ilias Apalodimas
if (ret != EFI_BUFFER_TOO_SMALL) {
> - printf("%2d: %s: (not defined)\n", i + 1, var_name);
> + printf("%2d: %ls: (not defined)\n", i + 1, var_name16);
> continue;
> }
>
> @@ -1378,7 +1369,7 @@ static int show_efi_boot_order(void)
> goto out;
> }
>
> - printf("%2d: %s: %ls\n", i + 1, var_name, lo.label);
> + printf("%2d: %ls: %ls\n", i + 1, var_name16, lo.label);
>
> free(data);
> }
> --
> 2.30.2
>
Reviewed-by: Ilias Apalodimas
spec, will
only have to provide the underlying bus communication mechanisms.
Signed-off-by: Ilias Apalodimas
---
Changes since v1:
-
drivers/tpm/tpm2_tis_core.c | 545
drivers/tpm/tpm_tis.h | 40 +++
include/tpm-v2.h| 1 +
3 files changed
core functions,
which the current driver is consuming.
Signed-off-by: Ilias Apalodimas
---
Changes since v1:
- split off the tis core code into a different file
drivers/tpm/Kconfig | 9 +++
drivers/tpm/Makefile| 1 +
drivers/tpm/tpm2_tis_mmio.c | 156
pectively. If those are not found either warn the
user at runtime and use "Unknown" for both entries.
Signed-off-by: Ilias Apalodimas
---
lib/smbios.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/lib/smbios.c b/lib/smbios.c
index b52e125eeb14..d1997ce7
>
[...]
> commit 44ffb6f0ecaf ("smbios: Allow properties to come from the device
> tree") still used CONFIG symbols.
>
> commit e4f8e543f1a9 ("smbios: Drop the unused Kconfig options") dropped
> the CONFIG symbols
Exactly, that was the point I tried to make. I think whatever Da was seeing
on
Hi Simon,
On Wed, Jul 07, 2021 at 11:37:01AM -0600, Simon Glass wrote:
> Hi Masahisa,
>
> On Wed, 7 Jul 2021 at 07:36, Masahisa Kojima
> wrote:
> >
> > TCG PC Client PFP spec requires to measure the secure
> > boot policy before validating the UEFI image.
> > This commit adds the secure boot
Hi Kojima-san,
> +{
[...]
> + u16 *boot_order;
> + u16 var_name[] = L"BootOrder";
> + u16 boot_name[] = L"Boot";
> + u16 hexmap[] = L"0123456789ABCDEF";
> + u8 *bootvar;
> + efi_uintn_t var_data_size;
> + u32 count, i;
> + efi_status_t ret;
> +
> +
On Wed, Jul 07, 2021 at 11:49:33AM -0600, Simon Glass wrote:
> Hi Ilias,
>
> On Wed, 7 Jul 2021 at 11:40, Ilias Apalodimas
> wrote:
> >
> > Hi Simon,
> >
> > On Wed, Jul 07, 2021 at 11:37:01AM -0600, Simon Glass wrote:
> > > Hi Masahisa,
> > >
On Thu, Jul 08, 2021 at 11:42:29AM +0200, Heinrich Schuchardt wrote:
> On 08.07.21 10:23, Ilias Apalodimas wrote:
> > Add support for devices that expose a TPMv2 through MMIO.
> > Apart from those devices, we can use the driver in our QEMU setups and
> > test TPM related co
spec, will
only have to provide the underlying bus communication mechanisms.
Signed-off-by: Ilias Apalodimas
---
drivers/tpm/tpm2_tis_core.c | 545
drivers/tpm/tpm_tis.h | 40 +++
include/tpm-v2.h| 1 +
3 files changed, 586 insertions
protocol
Changes since v1:
- introduce TPM TIS API
Changes since v2:
- Add myself as a maintainer on TPM drivers
[1] https://qemu.readthedocs.io/en/latest/specs/tpm.html
Ilias Apalodimas (3):
tpm2: Introduce TIS tpm core
tpm2: Add a TPMv2 MMIO TIS driver
MAINTAINERS: Add entry for TPM drivers
core functions,
which the current driver is consuming.
Signed-off-by: Ilias Apalodimas
---
drivers/tpm/Kconfig | 9 +++
drivers/tpm/Makefile| 1 +
drivers/tpm/tpm2_tis_mmio.c | 156
3 files changed, 166 insertions(+)
create mode 100644
TPM drivers currently have no maintainers. Add myself since I contributed
the TIS implementation.
Signed-off-by: Ilias Apalodimas
---
MAINTAINERS | 5 +
1 file changed, 5 insertions(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 11e11d51a7da..d67e22401cf4 100644
--- a/MAINTAINERS
+++ b