From f67cc2f05676da86a3c591f1938393439a47a4af Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 28 Oct 2022 22:28:09 +0200 Subject: [PATCH 1/8] doc: update sbi command example The output of the sbi command has been changed since the last release of the man-page. Update the example. Signed-off-by: Heinrich Schuchardt --- doc/usage/cmd/sbi.rst | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/doc/usage/cmd/sbi.rst b/doc/usage/cmd/sbi.rst index 96d8861057..713e0b9c81 100644 --- a/doc/usage/cmd/sbi.rst +++ b/doc/usage/cmd/sbi.rst @@ -21,27 +21,34 @@ The output may look like: :: => sbi - SBI 0.2 - OpenSBI + SBI 1.0 + OpenSBI 1.1 + Machine: + Vendor ID 0 + Architecture ID 0 + Implementation ID 0 Extensions: - sbi_set_timer - sbi_console_putchar - sbi_console_getchar - sbi_clear_ipi - sbi_send_ipi - sbi_remote_fence_i - sbi_remote_sfence_vma - sbi_remote_sfence_vma_asid - sbi_shutdown + Set Timer + Console Putchar + Console Getchar + Clear IPI + Send IPI + Remote FENCE.I + Remote SFENCE.VMA + Remote SFENCE.VMA with ASID + System Shutdown SBI Base Functionality Timer Extension IPI Extension RFENCE Extension Hart State Management Extension + System Reset Extension + Performance Monitoring Unit Extension The first line indicates the version of the RISC-V SBI specification. The second line indicates the implementation. -The further lines enumerate the implemented extensions. +The Machine section shows the values of the machine information registers. +The Extensions section enumerates the implemented SBI extensions. Configuration ------------- From 541e68d0ee61cb7141546481371b4cda2c33cf5e Mon Sep 17 00:00:00 2001 
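Review bot: in the doc/usage/cmd/sbi.rst hunk the new sentence "The Machine section shows the values of the machine information registers" does not say which registers are meant; name them (mvendorid, marchid and mimpid, as returned by the SBI base extension) and add that a value of 0, as in the example, is what the RISC-V privileged specification lets an implementation return when the register is not implemented, so a reader does not read the three zeros as a misbehaving platform. The example output itself reads fine against the new `SBI 1.0` / `OpenSBI 1.1` lines.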
From: Tom Rini Date: Thu, 3 Nov 2022 14:25:44 -0400 Subject: [PATCH 2/8] docs: Add a basic security document Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position. Signed-off-by: Tom Rini Reviewed-by: Simon Glass Reviewed-by: Heinrich Schuchardt --- doc/develop/index.rst | 3 ++- doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 doc/develop/security.rst diff --git a/doc/develop/index.rst b/doc/develop/index.rst index 5934d9ffb1..97c526e997 100644 --- a/doc/develop/index.rst +++ b/doc/develop/index.rst @@ -14,8 +14,9 @@ General patman process release_cycle - system_configuration + security sending_patches + system_configuration Implementation -------------- diff --git a/doc/develop/security.rst b/doc/develop/security.rst new file mode 100644 index 0000000000..84b130646f --- /dev/null +++ b/doc/develop/security.rst 
@@ -0,0 +1,32 @@ +.. SPDX-License-Identifier: GPL-2.0+: + +Handling of security vulnerabilities +==================================== + +The U-Boot project takes security very seriously. As such, we'd like to know +when a security bug is found so that it can be fixed and disclosed as quickly +as possible. + +Contact +------- + +The preferred initial point of contact is to send email to +`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any +relevant custodians. In addition, Tom Rini should be contacted at +`trini@konsulko.com`. + +CVE assignment +-------------- + +The U-Boot project cannot directly assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may delay +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead +of public disclosure, they will need to coordinate this on their own. When +such a CVE identifier is known before a patch is provided, it is desirable to +mention it in the commit message if the reporter agrees. + +Non-disclosure agreements +------------------------- + +The U-Boot project is not a formal body and therefore unable to enter any +non-disclosure agreements. From 607566d010925c53355839c6e6c6451b15adfa58 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sun, 6 Nov 2022 10:23:55 +0100 Subject: [PATCH 3/8] MAINTAINERS: add arch/arm/lib/*_efi.* to EFI_PAYLOAD The files arch/arm/lib/*_efi.* are only relevant for the UEFI sub-system. Signed-off-by: Heinrich Schuchardt --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 1cf99c1393..8d3d528650 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -879,6 +879,7 @@ M: Heinrich Schuchardt M: Ilias Apalodimas S: Maintained T: git https://source.denx.de/u-boot/custodians/u-boot-efi.git +F: arch/arm/lib/*_efi.* F: doc/api/efi.rst F: doc/develop/uefi/* F: doc/mkeficapsule.1 From 77b5c4a5b1dcc6dafde116bfdd66f769769a0aeb Mon Sep 17 00:00:00 2001 
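Review bot: the first line of the new doc/develop/security.rst, `.. SPDX-License-Identifier: GPL-2.0+:`, carries a stray colon after the identifier; SPDX checkers compare the exact token, so it should read `.. SPDX-License-Identifier: GPL-2.0+`. On content, the commit message says issues go to the public list "if at all possible", but the document never says what to do when that is not possible: the only private contact (`trini@konsulko.com`) is introduced with "In addition", which reads as a courtesy copy rather than the channel for a report that needs an embargo. One sentence in the Contact section naming the private route for reports that should not be public yet, plus what a report should contain (affected U-Boot version, the defconfig or board, and a way to reproduce), would make the policy usable without a follow-up round trip.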
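Review bot: the doc/develop/index.rst hunk moves `system_configuration` below `sending_patches` while adding `security`; the result is alphabetical, which is fine, but the reordering is unrelated to the new document and the commit message does not mention it. Either note it in the message or drop the move to keep the change minimal.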
From: Jan Kiszka Date: Fri, 14 Oct 2022 18:10:06 +0200 Subject: [PATCH 4/8] efi_loader: Let networking support depend on NETDEVICES CONFIG_NET does not imply that there are actually network devices available, only CONFIG_NETDEVICES does. Changing to this dependency obsoletes the check in Kconfig because NETDEVICES means DM_ETH. Fixes: 0efe1bcf5c2c ("efi_loader: Add network access support") Suggested-by: Tom Rini Signed-off-by: Jan Kiszka Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/Kconfig | 1 - lib/efi_loader/Makefile | 2 +- lib/efi_loader/efi_device_path.c | 6 +++--- lib/efi_loader/efi_setup.c | 2 +- lib/efi_selftest/Makefile | 2 +- net/bootp.c | 4 +++- 6 files changed, 9 insertions(+), 8 deletions(-) diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 41756ea539..68e6c2531e 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -11,7 +11,6 @@ config EFI_LOADER # We need EFI_STUB_32BIT to be set on x86_32 with EFI_STUB depends on !EFI_STUB || !X86 || X86_64 || EFI_STUB_32BIT depends on BLK - depends on DM_ETH || !NET depends on !EFI_APP default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8 select CHARSET diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile index f8e8afe128..8738757dd2 100644 --- a/lib/efi_loader/Makefile +++ b/lib/efi_loader/Makefile @@ -68,7 +68,7 @@ obj-y += efi_watchdog.o obj-$(CONFIG_EFI_ESRT) += efi_esrt.o obj-$(CONFIG_VIDEO) += efi_gop.o obj-$(CONFIG_BLK) += efi_disk.o -obj-$(CONFIG_NET) += efi_net.o +obj-$(CONFIG_NETDEVICES) += efi_net.o obj-$(CONFIG_GENERATE_ACPI_TABLE) += efi_acpi.o obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index acae007f26..d45985a760 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c 
@@ -613,7 +613,7 @@ __maybe_unused static void *dp_fill(void *buf, struct udevice *dev) *vdp = ROOT; return &vdp[1]; } -#ifdef CONFIG_NET +#ifdef CONFIG_NETDEVICES case UCLASS_ETH: { struct efi_device_path_mac_addr *dp = dp_fill(buf, dev->parent); @@ -1052,7 +1052,7 @@ struct efi_device_path *efi_dp_from_uart(void) return buf; } -#ifdef CONFIG_NET +#ifdef CONFIG_NETDEVICES struct efi_device_path *efi_dp_from_eth(void) { void *buf, *start; @@ -1169,7 +1169,7 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr, return EFI_INVALID_PARAMETER; if (!strcmp(dev, "Net")) { -#ifdef CONFIG_NET +#ifdef CONFIG_NETDEVICES if (device) *device = efi_dp_from_eth(); #endif diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index a340bc3880..e40f64fd0e 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -331,7 +331,7 @@ efi_status_t efi_init_obj_list(void) if (ret != EFI_SUCCESS) goto out; } -#ifdef CONFIG_NET +#ifdef CONFIG_NETDEVICES ret = efi_net_register(); if (ret != EFI_SUCCESS) goto out; diff --git a/lib/efi_selftest/Makefile b/lib/efi_selftest/Makefile index daac6c3968..e4d75420bf 100644 --- a/lib/efi_selftest/Makefile +++ b/lib/efi_selftest/Makefile @@ -50,7 +50,7 @@ efi_selftest_variables_runtime.o \ efi_selftest_watchdog.o obj-$(CONFIG_EFI_ECPT) += efi_selftest_ecpt.o -obj-$(CONFIG_NET) += efi_selftest_snp.o +obj-$(CONFIG_NETDEVICES) += efi_selftest_snp.o obj-$(CONFIG_EFI_DEVICE_PATH_TO_TEXT) += efi_selftest_devicepath.o obj-$(CONFIG_EFI_UNICODE_COLLATION_PROTOCOL2) += \ diff --git a/net/bootp.c b/net/bootp.c index b260d5d09e..6c01e38153 100644 --- a/net/bootp.c +++ b/net/bootp.c 
@@ -1077,7 +1077,9 @@ static void dhcp_handler(uchar *pkt, unsigned dest, struct in_addr sip, strlen(CONFIG_SYS_BOOTFILE_PREFIX)) == 0) { #endif /* CONFIG_SYS_BOOTFILE_PREFIX */ dhcp_packet_process_options(bp); - efi_net_set_dhcp_ack(pkt, len); + if (CONFIG_IS_ENABLED(EFI_LOADER) && + CONFIG_IS_ENABLED(NET_DEVICES)) + efi_net_set_dhcp_ack(pkt, len); #if defined(CONFIG_SERVERIP_FROM_PROXYDHCP) if (!net_server_ip.s_addr) From 023d9c93932cd0106fb921290c6128705343a6da Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Fri, 21 Oct 2022 12:01:57 +0900 Subject: [PATCH 5/8] efi_loader: remove CONFIG_EFI_SETUP_EARLY Since the commit a9bf024b2933 ("efi_loader: disk: a helper function to create efi_disk objects from udevice"), CONFIG_EFI_SETUP_EARLY option is by default on and will never be turned off. So just remove this option. Signed-off-by: AKASHI Takahiro Reviewed-by: Heinrich Schuchardt Reviewed-by: Ilias Apalodimas --- common/board_r.c | 2 +- lib/efi_loader/Kconfig | 5 ----- lib/efi_loader/efi_setup.c | 43 ++++++++++---------------------------- 3 files changed, 12 insertions(+), 38 deletions(-) diff --git a/common/board_r.c b/common/board_r.c index db9cfb33ad..f7fb7df54a 100644 --- a/common/board_r.c +++ b/common/board_r.c @@ -694,7 +694,7 @@ static init_fnc_t init_sequence_r[] = { /* initialize higher level parts of CPU like time base and timers */ cpu_init_r, #endif -#ifdef CONFIG_EFI_SETUP_EARLY +#ifdef CONFIG_EFI_LOADER efi_init_early, #endif #ifdef CONFIG_CMD_NAND diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 68e6c2531e..e2b643871b 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -41,10 +41,6 @@ config CMD_BOOTEFI_BOOTMGR via UEFI variables Boot####, BootOrder, and BootNext. This enables the 'bootefi bootmgr' command. -config EFI_SETUP_EARLY - bool - default y - choice prompt "Store for non-volatile UEFI variables" default EFI_VARIABLE_FILE_STORE 
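Review bot: in the net/bootp.c hunk of patch 4/8 the new guard reads `CONFIG_IS_ENABLED(NET_DEVICES)`, but the symbol the rest of this series switches to is `NETDEVICES` (compare `obj-$(CONFIG_NETDEVICES)` in the two Makefile hunks and `#ifdef CONFIG_NETDEVICES` in efi_device_path.c and efi_setup.c). `CONFIG_IS_ENABLED(NET_DEVICES)` tests CONFIG_NET_DEVICES (or CONFIG_SPL_NET_DEVICES in SPL), which is not a defined Kconfig symbol, so the condition is constantly false and efi_net_set_dhcp_ack() is never called any more: the EFI network code silently stops receiving the DHCP ACK that it hands to UEFI payloads, and nothing fails at build time to flag it. Change the guard to `CONFIG_IS_ENABLED(NETDEVICES)`; a quick `git grep NET_DEVICES` before the v2 would also confirm there is no other misspelling.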
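Review bot: the lib/efi_loader/Kconfig hunk of patch 4/8 removes `depends on DM_ETH || !NET` on the strength of "NETDEVICES means DM_ETH" in the commit message. That is the whole justification for the change, so the message should cite the Kconfig line that establishes it (the `select` or `depends on` that ties NETDEVICES to DM_ETH); if NETDEVICES could still be set alongside a legacy non-DM ethernet driver, efi_net.o would again be built against an interface it cannot drive, and with the Kconfig dependency gone there would be no build-time signal.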
@@ -160,7 +156,6 @@ config EFI_IGNORE_OSINDICATIONS config EFI_CAPSULE_ON_DISK_EARLY bool "Initiate capsule-on-disk at U-Boot boottime" depends on EFI_CAPSULE_ON_DISK - select EFI_SETUP_EARLY help Normally, without this option enabled, capsules will be executed only at the first time of invoking one of efi command. diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index e40f64fd0e..5437641135 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -175,16 +175,15 @@ static efi_status_t efi_init_os_indications(void) } /** - * __efi_init_early() - handle initialization at early stage + * efi_init_early() - handle initialization at early stage * - * This function is called in efi_init_obj_list() only if - * !CONFIG_EFI_SETUP_EARLY. + * expected to be called in board_init_r(). * * Return: status code */ -static efi_status_t __efi_init_early(void) +int efi_init_early(void) { - efi_status_t ret = EFI_SUCCESS; + efi_status_t ret; /* Allow unaligned memory access */ allow_unaligned(); @@ -200,29 +199,15 @@ static efi_status_t __efi_init_early(void) /* Initialize EFI driver uclass */ ret = efi_driver_init(); -out: - return ret; -} + if (ret != EFI_SUCCESS) + goto out; -/** - * efi_init_early() - handle initialization at early stage - * - * external version of __efi_init_early(); expected to be called in - * board_init_r(). - * - * Return: status code - */ -int efi_init_early(void) -{ - efi_status_t ret; - - ret = __efi_init_early(); - if (ret != EFI_SUCCESS) { - /* never re-init UEFI subsystem */ - efi_obj_list_initialized = ret; - return -1; - } return 0; +out: + /* never re-init UEFI subsystem */ + efi_obj_list_initialized = ret; + + return -1; } /** 
@@ -238,12 +223,6 @@ efi_status_t efi_init_obj_list(void) if (efi_obj_list_initialized != OBJ_LIST_NOT_INITIALIZED) return efi_obj_list_initialized; - if (!IS_ENABLED(CONFIG_EFI_SETUP_EARLY)) { - ret = __efi_init_early(); - if (ret != EFI_SUCCESS) - goto out; - } - /* Set up console modes */ efi_setup_console_size(); From 2b55ad304d61d697fadb6cdfd098e8712d5a639e Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 21 Oct 2022 08:33:44 +0200 Subject: [PATCH 6/8] efi_loader: discover if no efi_system_partition is set Variable efi_system_partition holds the efi_system_partition. Currently it is initialized as: { .uclass_id = 0 = UCLASS_ROOT, .denum = 0, .part = 0, } This indicates that host 0:0 is the efi_system_partition and we see output like: => bootefi hello ** Bad device specification host 0 ** Couldn't find partition host 0:0 To identify that no EFI system partition has been set use UCLASS_INVALID. Signed-off-by: Heinrich Schuchardt Reviewed-by: Ilias Apalodimas --- lib/efi_loader/efi_disk.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c index f11722db2c..a50a46ce8d 100644 --- a/lib/efi_loader/efi_disk.c +++ b/lib/efi_loader/efi_disk.c @@ -19,7 +19,9 @@ #include #include -struct efi_system_partition efi_system_partition; +struct efi_system_partition efi_system_partition = { + .uclass_id = UCLASS_INVALID, +}; const efi_guid_t efi_block_io_guid = EFI_BLOCK_IO_PROTOCOL_GUID; const efi_guid_t efi_system_partition_guid = PARTITION_SYSTEM_GUID; @@ -511,7 +513,7 @@ static efi_status_t efi_disk_add_dev( diskobj->media.last_block); /* Store first EFI system partition */ - if (part && !efi_system_partition.uclass_id) { + if (part && efi_system_partition.uclass_id == UCLASS_INVALID) { if (part_info->bootable & PART_EFI_SYSTEM_PARTITION) { efi_system_partition.uclass_id = desc->uclass_id; efi_system_partition.devnum = desc->devnum; 
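Review bot: in the lib/efi_loader/efi_setup.c hunks of patch 5/8 the merged kernel-doc for efi_init_early() is now out of step with the code. The description line ` * expected to be called in board_init_r().` is a sentence fragment left over from the deleted "external version of __efi_init_early();" wording, and `Return: status code` is wrong for a function that returns an int of 0 on success and -1 on failure (the efi_status_t is stored in efi_obj_list_initialized, not returned). Suggest `This function is expected to be called from board_init_r().` and `Return: 0 on success, -1 on failure`. The control flow itself is fine: every path to `out:` assigns `ret` first, so dropping the `= EFI_SUCCESS` initialiser is safe, and the "never re-init UEFI subsystem" latch is preserved.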
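Review bot: the common/board_r.c hunk of patch 5/8 makes efi_init_early() part of init_sequence_r for every CONFIG_EFI_LOADER build, and that function returns -1 when efi_driver_init() (or anything before it) fails, which the init sequence treats as fatal. Behaviour is unchanged from before because EFI_SETUP_EARLY was `default y`, but now that the option is gone there is no longer any way to opt out, so the commit message should state explicitly that a failure to set up the EFI driver uclass is meant to abort boot for non-EFI boot paths as well; if that is not intended, the error could be logged and the subsystem marked as uninitialised without returning -1.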
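Review bot: in the lib/efi_loader/efi_disk.c hunk of patch 6/8 the sentinel for "no ESP recorded yet" changes from 0 (which is UCLASS_ROOT) to UCLASS_INVALID, but only the writer in efi_disk_add_dev() is updated. Any other consumer of the global efi_system_partition that tests for the unset state with a zero check will now treat UCLASS_INVALID as a valid uclass, so the commit message should say that the other readers were audited (or the patch should update them in the same change). Also worth a line in the message: UCLASS_INVALID is a negative enumerator, so the comparison only works because the `uclass_id` field is of the signed `enum uclass_id` type rather than an unsigned integer.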
From 0b4cbeba593058104349a437ceb4d615e99b4019 Mon Sep 17 00:00:00 2001 From: Masahisa Kojima Date: Mon, 3 Oct 2022 16:12:15 +0900 Subject: [PATCH 7/8] test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option 'cert-to-efi-hash-list -t 0' does not work as expected, it produces indeterminate timestamp. $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-113-0 00:00:255 If we need the CRL revoked for all the time, just don't specify '-t' option. $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-0-0 00:00:00 Signed-off-by: Masahisa Kojima Acked-by: Ilias Apalodimas --- test/py/tests/test_efi_secboot/conftest.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 406131cb45..65cde7a2f2 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py 
@@ -71,17 +71,17 @@ def efi_boot_env(request, u_boot_config): % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) # dbx_hash (digest of TEST_db certificate) - check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' + check_call('cd %s; %scert-to-efi-hash-list -g %s -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) - check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' + check_call('cd %s; %scert-to-efi-hash-list -g %s -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) - check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' + check_call('cd %s; %scert-to-efi-hash-list -g %s -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) # dbx_hash1 (digest of TEST_db1 certificate) - check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' + check_call('cd %s; %scert-to-efi-hash-list -g %s -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) # dbx_db (with TEST_db certificate) From 53def68df5ec10c9aaa46d3422c58fc85d0c93e6 Mon Sep 17 00:00:00 2001 
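Review bot: the test/py/tests/test_efi_secboot/conftest.py hunk is correct as far as it goes, but the reason for dropping `-t 0` lives only in the commit message. Since omitting `-t` yields a TimeOfRevocation of all zeros, which efitools and the UEFI dbx semantics treat as "revoked for all time", a one-line comment above the dbx_hash block saying so would stop the next reader from re-adding `-t 0` for clarity and reintroducing the indeterminate timestamp. The four command strings now differ only in the digest size and the input certificate; a small loop over (size, cert, basename) would keep any future option change in one place, and it would also make it easy to assert on the generated file rather than trusting the tool output.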
From: Heinrich Schuchardt Date: Sun, 6 Nov 2022 01:52:13 +0100 Subject: [PATCH 8/8] efi_loader: AllocateAddress requires page address AllocatePages() can be called with Type=AllocateAddress. Such a call can only succeed if *Memory points to the address of an unallocated page range. A call with *Memory being an address that is not page aligned must not succeed. The UEFI specification requires returning EFI_OUT_OF_RESOURCES if the requested pages cannot be allocated. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_memory.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c index e048a545e4..a17b426d11 100644 --- a/lib/efi_loader/efi_memory.c +++ b/lib/efi_loader/efi_memory.c @@ -483,6 +483,8 @@ efi_status_t efi_allocate_pages(enum efi_allocate_type type, return EFI_OUT_OF_RESOURCES; break; case EFI_ALLOCATE_ADDRESS: + if (*memory & EFI_PAGE_MASK) + return EFI_NOT_FOUND; /* Exact address, reserve it. The addr is already in *memory. */ ret = efi_check_allocated(*memory, false); if (ret != EFI_SUCCESS)
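Review bot: the commit message of patch 8/8 says the UEFI specification requires EFI_OUT_OF_RESOURCES when the requested pages cannot be allocated, yet the new check in the lib/efi_loader/efi_memory.c hunk returns EFI_NOT_FOUND for an unaligned `*memory`. Both codes are listed for AllocatePages() in the specification (EFI_OUT_OF_RESOURCES for "the pages could not be allocated", EFI_NOT_FOUND for "the requested pages could not be found"), and the visible context a few lines above returns EFI_OUT_OF_RESOURCES for the neighbouring failure case, so either make the code return EFI_OUT_OF_RESOURCES or rewrite the message to say why EFI_NOT_FOUND was chosen. The check itself is the right fix: rejecting a non-page-aligned address before efi_check_allocated() means a caller can no longer reserve a range that straddles page boundaries the bookkeeping does not track.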