Commit Graph

2146 Commits

Author SHA1 Message Date
Michal Simek
c2f0950c33 lib: fdt: Convert fdtdes_setup_mem..() to livetree API
Convert fdtdec_setup_mem_size_base(), get_next_memory_node(),
fdtdec_setup_memory_banksize() and fdtdec_setup_mem_size_base_lowest() to
livetree API.

Tested on ZynqMP zcu104 board.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-08-20 09:49:20 +02:00
Michal Simek
7fce739665 lib: fdt: Introduce fdtdec_setup_mem_size_base_lowest()
New function should be called from board dram_init() because it initialized
gd->ram_base/ram_size. It finds the lowest available memory.

On systems with multiple memory nodes finding out the first memory node by
fdtdec_setup_mem_size_base() is not enough because this memory can be above
actual U-Boot VA mapping. Currently only mapping till 39bit is supported
(Full 44bit mapping was removed by commit 7985cdf74b ("arm64: Remove
non-full-va map code")).
If DT starts with the first memory node above 39bit address then system can
be unpredictable.

The function is available only when multiple memory bank support is
enabled.

Calling fdtdec_setup_memory_banksize() from dram_init() is not possible
because fdtdec_setup_memory_banksize() is saving dram information to bd
structure which is placed on stack but not initialized at this time. Also
stack is placed at location setup in dram_init().

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-08-20 09:49:20 +02:00
Tom Rini
789bfb5266 Pull request for UEFI sub-system for efi-2020-10-rc3 (2)
This series includes bug fixes for:
 
 * UEFI secure boot - images with multiple signatures
 * UEFI secure boot - support for intermediate certificates
 * corrections for UEFI unit tests
 * missing loadaddr on MAIX board
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAl82zyEACgkQxIHbvCwF
 GsR8GQ/9FzCCfmhu2VhVI1cUKIT2B/FhAXbADAAhmBFk1SezhnKrsWUFFUbHeD+v
 c0+QKBldIARxpD40M68FNP7QVA35iaU2+Z5jBQ7r5ZUuTuZkxeFavtHRXlSCL02R
 rmdsKTtwPTRgve3IxEFJcxc4jpvAhNH+QLveK+PA+gUGjd2UoYWoGknJ4n8oe2rG
 uDX4em8Sy1LXrkJLCf5Ae8+M3FBOtsBAFif1tX5cWnH5kP3DbL9A5A5JHxlVJEQi
 SBC8NuJW+At89VlckEGpREt8itFMicdbLT/dSKDU3kh+l/h6zTbd9fGmoKLKXDdw
 O/qwC2kwsKg/jrfZwYOTzUIpRt3jhe+CwrEajVJY12jIQzAW4kvj2mo9AeBEydHO
 umFfbExGH8zwZgynrhhbjHdNxcGBahUGLoKLCkJI51I7EwCMCrN5rtUpUzxVybTE
 VJKyTqlyUSIZGU4AsQT3KflLGRGU/HNS2ariQWjEbKWcCC03Q7dXH1RQMUxTlqL3
 Owhqv/NI07WIvQZD3oWPkn3Z8tiQMzF370qO2gb/AwM7U0P3ggkcUxAs7mCIj5x6
 81PP65di4+zRzCyU1IHCILem7LHxGR6drGatbHspGBYAJrPduyM2cYAa0eXUOCvX
 Hz1GURhlVGwBdBAwaZ+g13/NtisrkRBQQYZO8jiEBqhnWoc3514=
 =0ZD1
 -----END PGP SIGNATURE-----

Merge tag 'efi-2020-10-rc3-2' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi

Pull request for UEFI sub-system for efi-2020-10-rc3 (2)

This series includes bug fixes for:

* UEFI secure boot - images with multiple signatures
* UEFI secure boot - support for intermediate certificates
* corrections for UEFI unit tests
* missing loadaddr on MAIX board
2020-08-15 09:01:01 -04:00
Andrii Anisov
e87dfb0526 lib: sscanf: add sscanf implementation
Port sscanf implementation from mini-os and introduce new
Kconfig option to enable it: CONFIG_SSCANF. Disable by default.

Signed-off-by: Andrii Anisov <andrii_anisov@epam.com>
Signed-off-by: Anastasiia Lukianenko <anastasiia_lukianenko@epam.com>
Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
2020-08-14 15:18:30 -04:00
AKASHI Takahiro
52956e535e efi_loader: signature: correct a behavior against multiple signatures
Under the current implementation, all the signatures, if any, in
a signed image must be verified before loading it.

Meanwhile, UEFI specification v2.8b section 32.5.3.3 says,
    Multiple signatures are allowed to exist in the binary’s certificate
    table (as per PE/COFF Section “Attribute Certificate Table”). Only
    one hash or signature is required to be present in db in order to pass
    validation, so long as neither the SHA-256 hash of the binary nor any
    present signature is reflected in dbx.

This patch makes the semantics of signature verification compliant with
the specification mentioned above.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-14 12:28:25 +02:00
AKASHI Takahiro
f68a6d5835 efi_loader: variable: fix secure state initialization
Under the new file-based variable implementation, the secure state
is always and falsely set to 0 (hence, the secure boot gets disabled)
after the reboot even if PK (and other signature database) has already
been enrolled in the previous boot.

This is because the secure state is set up *before* loading non-volatile
variables' values from saved data.

This patch fixes the order of variable initialization and secure state
initialization.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Fixes: 5f7dcf079d ("efi_loader: UEFI variable persistence")
2020-08-13 22:37:42 +02:00
AKASHI Takahiro
1115edd846 efi_loader: signature: rework for intermediate certificates support
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.

What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.

pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-08-13 22:37:36 +02:00
AKASHI Takahiro
0658bb29b0 efi_loader: variable: keep temporary buffer during the authentication
This is a bug fix; Setting an authenticated variable may fail due to
a memory corruption in the authentication.

A temporary buffer will, if needed, be allocated to parse a variable's
authentication data, and some portion of buffer, specifically signer's
certificates, will be referenced by efi_signature_verify().

So the buffer should be kept valid until the authentication process
is finished.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-13 22:37:36 +02:00
Heinrich Schuchardt
0ad64007fe efi_loader: set load options in boot manager
Up to now we used the value of the bootargs environment variable as load
options in the boot manager. This is not correct. The data has to be taken
from the Boot#### variable.

Let the boot manager copy the optional data of the EFI_LOAD_OPTION as load
options to the loaded image protocol.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08 19:03:24 +02:00
Heinrich Schuchardt
1064d04920 efi_loader: factor out efi_set_load_options()
The bootefi bootmgr command has to set the load options for a loaded image
from the value of BootXXXX variable. If the boot manager is not used, the
value is set from the environment variable bootargs (or efi_selftest).

Factor out a common function efi_set_load_options().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08 19:03:24 +02:00
AKASHI Takahiro
dd92aad81c efi_loader: add copyright notice
Some amount of code was moved/derived from efi_variable.c regarding
UEFI secure boot, in particluar in the commit 012c56ac76 ("efi_loader:
restructure code for TEE variables").
So add the orignal author's copyright notice.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08 19:03:24 +02:00
Heinrich Schuchardt
9bdbc8ef98 lib/crypto: simplify public_key_verify_signature
The variable region is filled but never used. Remove it.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-08 19:03:12 +02:00
Joao Marcos Costa
81014f73f0 include/u-boot, lib/zlib: add sources for zlib decompression
Add zlib (v1.2.11) uncompr() function to U-Boot. SquashFS depends on
this function to decompress data from a raw disk image. The actual
support for zlib into SquashFS sources will be added in a follow-up
commit.

Signed-off-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
2020-08-07 22:31:32 -04:00
Tero Kristo
9996cea75f lmb/bdinfo: dump lmb info via bdinfo
Dump lmb status from the bdinfo command. This is useful for seeing the
reserved memory regions from the u-boot cmdline.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
2020-08-04 23:30:02 -04:00
Simon Glass
e1e10f29f9 efi: Tidy up header includes
Two files relies on efi_driver.h to include common.h and dm.h which is
incorrect. The former should always be included in a non-host C file and
the latter should be included if driver model is used.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-08-03 22:19:54 -04:00
Heinrich Schuchardt
5c2227e495 efi_selftest: block device test requires CONFIG_DOS_PARTITION
Do not execute the block device test if CONFIG_DOS_PARTITION=n.

Imply CONFIG_DOS_PARTITION in Kconfig.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:58:39 +02:00
Heinrich Schuchardt
a1077bf582 efi_selftest: SNP test depends on network
If CONFIG_NET=n, testing the simple network protocol makes no sense.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:58:39 +02:00
Heinrich Schuchardt
74b869bae7 efi_loader: use CONFIG_STACK_SIZE in the UEFI sub-system
The Kconfig symbol CONFIG_STACK_SIZE is used both by ARM and Microblaze
with the same meaning. Move it to menu 'General setup' so that we can use
it for all architectures.

Use the value of CONFIG_STACK_SIZE instead of a hard coded 16 MiB value for
reserving memory in the UEFI sub-system.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:58:23 +02:00
Ilias Apalodimas
e01aed47d6 efi_loader: Enable run-time variable support for tee based variables
We recently added functions for storing/restoring variables
from a file to a memory backed buffer marked as __efi_runtime_data
commit f1f990a8c9 ("efi_loader: memory buffer for variables")
commit 5f7dcf079d ("efi_loader: UEFI variable persistence")

Using the same idea we now can support GetVariable() and GetNextVariable()
on the OP-TEE based variables as well.

So let's re-arrange the code a bit and move the commmon code for
accessing variables out of efi_variable.c. Create common functions for
reading variables from memory that both implementations can use on
run-time. Then just use those functions in the run-time variants of the
OP-TEE based EFI variable implementation and initialize the memory
buffer on ExitBootServices()

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:57:41 +02:00
Ilias Apalodimas
db94dfbd52 efi_loader: Trim output buffer size correctly for tee variables
The current code does not trim the output buffer correctly.
In fact it doesn't trim the buffer at all, since it calculates a wrong
value for it, which isn't even applied.
So let's remove the unused temporary size variable and trim the buffer
correctly.
Since we are editing efi_get_next_variable_name_int(), fix an indentation
error along the way.

Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Remove superfluous conversion to (u8 *) for memcpy argument.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-08-01 11:57:41 +02:00
Marek Vasut
d045cbacf2 env: Add support for explicit write access list
This option marks any U-Boot variable which does not have explicit 'w'
writeable flag set as read-only. This way the environment can be locked
down and only variables explicitly configured to be writeable can ever
be changed by either 'env import', 'env set' or loading user environment
from environment storage.

Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
2020-07-31 10:13:00 -04:00
Marek Vasut
47f3b1f243 env: Add option to only ever append environment
Add configuration option which prevents the environment hash table to be
ever cleared and reloaded with different content. This is useful in case
the first environment loaded into the hash table contains e.g. sensitive
content which must not be dropped or reloaded.

Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
2020-07-31 10:13:00 -04:00
Michal Simek
50c7b723bd Revert "lib: fdt: Split fdtdec_setup_mem_size_base()"
This reverts commit 3ebe09d09a.

There is no user of this split function that's why remove it.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-07-25 14:46:57 -06:00
Michal Simek
62897c4344 Revert "lib: fdt: Split fdtdec_setup_memory_banksize()"
This reverts commit 118f4d4559.

There is no user of this split function that's why remove it.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-07-25 14:46:57 -06:00
Tom Rini
7208396bbf Revert "Merge tag 'dm-pull-20jul20' of git://git.denx.de/u-boot-dm"
This reverts commit 5d3a21df66, reversing
changes made to 56d37f1c56.

Unfortunately this is causing CI failures:
https://travis-ci.org/github/trini/u-boot/jobs/711313649

Signed-off-by: Tom Rini <trini@konsulko.com>
2020-07-24 08:42:06 -04:00
Tom Rini
5d3a21df66 binman support for FIT
new UCLASS_SOC
 patman switch 'test' command
 minor fdt fixes
 patman usability improvements
 -----BEGIN PGP SIGNATURE-----
 
 iQFFBAABCgAvFiEEslwAIq+Gp8wWVbYnfxc6PpAIreYFAl8V+WQRHHNqZ0BjaHJv
 bWl1bS5vcmcACgkQfxc6PpAIrebNgAgAmgHHPakg1fkJT8xZkbPD53r21t5fkF7h
 JTLVU93BKfC+Zz2bbizCEkCl9L9bdHSaSzJY5rb07E24yV/zwDcIkRApCmkDjVHN
 EHOb0P36Ht9acowSd5kN66wd2z0Q/V+7lfEdB6Adtprh0vVaWIKYtLPxogpRv6k9
 l/CaGsBCwvupmPeHZcE3pVQlflbKyYzp62VObEBI4RIJLisvDXaPRUcBa4vz904P
 yu0baIYW8hWBcZhb0Lkex/9x7ys2T1bnnw8G7WL05GtHSZfVvT46Y70o+3i5ycBh
 GAI93Lx4r1gCjol9LVE4i1bewbPiMqyNXOtKGPRt/IIvYI4HZ67lFA==
 =YIpM
 -----END PGP SIGNATURE-----

Merge tag 'dm-pull-20jul20' of git://git.denx.de/u-boot-dm

binman support for FIT
new UCLASS_SOC
patman switch 'test' command
minor fdt fixes
patman usability improvements
2020-07-23 15:56:06 -04:00
AKASHI Takahiro
5ee81c6e3f lib: crypto: export and enhance pkcs7_verify_one()
The function, pkcs7_verify_one(), will be utilized to rework signature
verification logic aiming to support intermediate certificates in
"chain of trust."

To do that, its function interface is expanded, adding an extra argument
which is expected to return the last certificate in trusted chain.
Then, this last one must further be verified with signature database, db
and/or dbx.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-22 12:37:17 +02:00
AKASHI Takahiro
05329fa4c0 lib: crypto: add pkcs7_digest()
This function was nullified when the file, pkcs7_verify.c, was imported
because it calls further linux-specific interfaces inside, hence that
could lead to more files being imported from linux.

We need this function in pkcs7_verify_one() and so simply re-implement it
here instead of re-using the code.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-22 12:36:29 +02:00
AKASHI Takahiro
063499e38e lib: crypto: import pkcs7_verify.c from linux
The file, pkcs7_verify.c, will now be imported from linux code
(crypto/asymmetric_keys/pkcs7_verify.c in 5.7) and modified to fit
into U-Boot environment.

In particular, pkcs7_verify_one() function will be used in a later patch
to rework signature verification logic aiming to support intermediate
certificates in "chain of trust."

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-22 12:35:45 +02:00
AKASHI Takahiro
6244b3c7d9 lib: crypto: enable x509_check_for_self_signed()
When the file, x509_public_key.c, was imported from linux code in
    commit b4adf627d5 ("lib: crypto: add x509 parser"),
x509_check_for_self_signed() was commented out for simplicity.

Now it need be enabled in order to make pkcs7_verify_one(), which will be
imported in a later patch, functional.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-22 12:35:04 +02:00
AKASHI Takahiro
b2a1049b5c lib: crypto: add public_key_verify_signature()
This function will be called from x509_check_for_self_signed() and
pkcs7_verify_one(), which will be imported from linux in a later patch.

While it does exist in linux code and has a similar functionality of
rsa_verify(), it calls further linux-specific interfaces inside.
That could lead to more files being imported from linux.

So simply re-implement it here instead of re-using the code.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-07-22 12:33:55 +02:00
Heinrich Schuchardt
af457cfca9 efi_loader: use logging for block device messages
Use logging instead of printf() for messages occurring when scanning block
devices during the initialization of the UEFI sub-system.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:42 +02:00
Heinrich Schuchardt
e7d64065cb efi_loader: document efi_save_gd(), efi_restore_gd()
Provide function descriptions for efi_save_gd() and efi_restore_gd().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:42 +02:00
Stefan Sørensen
1ef1cf1f93 efi_loader: loosen buffer parameter check in efi_file_read
When reading a directory, EFI_BUFFER_TOO_SMALL should be returned when
the supplied buffer is too small, so a use-case is to call
efi_file_read with *buffer_size=0 and buffer=NULL to obtain the needed
size before doing the actual read.

So move the buffer!=NULL check to after the buffer size has been checked.

This fix allows the Redhat shim fallback to run and e.g. Fedora 32 now
boots out of the box.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Ilias Apalodimas
9b87d4429c efi_loader: Check for the native OP-TEE result on mm_communicate calls
Currently we only check for the return value of tee_invoke_func().
Although OP-TEE and StMM will correctly set param[1].u.value.a and we'll
eventually return an error, the correct thing to do is check for the
OP_TEE return code as well.
So let's check for that and move tee_shm_free() and tee_close_session()
before exiting with an error to make sure we always clear the registered
memory.

Fixes: f042e47e8f ("efi_loader: Implement EFI variable handling via OP-TEE")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Use EFI_DEVICE_ERROR for TEE communication problems.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Ilias Apalodimas
5d1f79ba43 efi_loader: Rename and correct values for ARM_SMC_MM_*
Instead of adding the definition for the specific MM SVC used in
StandAloneMM we added the one used in the standard SMC calls.
So change the value from -4 to -5 to match the correct one defined in
EDK2 and rename them to avoid future confusion

Fixes 23a397d2e2: ("efi_loader: Add headers for EDK2 StandAloneMM communication")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Heinrich Schuchardt
ebbad02c1b efi_loader: don't use memmove() in efi_var_mem_del()
efi_var_mem_del() is in __efi_runtime because it would be needed for a
runtime implementation of SetVariable(). memmove() is not in __efi_runtime.
So we should not use it in efi_var_mem_del().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Heinrich Schuchardt
01fa922bbb efi_loader: efi_current_var after SetVirtualAddressMap
Variable efi_current_var is a pointer to a physical memory address that
becomes invalid after SetVirtualAddressMap(). Instead of converting it via
ConvertPointer() simply set it to NULL.

Fixes: b02a707152 ("efi_loader: enable UEFI variables at runtime")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-07-22 12:32:41 +02:00
Michal Simek
b589b80971 Revert "lib: fdt: Split fdtdec_setup_mem_size_base()"
This reverts commit 3ebe09d09a.

There is no user of this split function that's why remove it.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-07-20 11:37:47 -06:00
Michal Simek
d4cc6f638c Revert "lib: fdt: Split fdtdec_setup_memory_banksize()"
This reverts commit 118f4d4559.

There is no user of this split function that's why remove it.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-07-20 11:37:47 -06:00
Masahiro Yamada
b75d8dc564 treewide: convert bd_t to struct bd_info by coccinelle
The Linux coding style guide (Documentation/process/coding-style.rst)
clearly says:

  It's a **mistake** to use typedef for structures and pointers.

Besides, using typedef for structures is annoying when you try to make
headers self-contained.

Let's say you have the following function declaration in a header:

  void foo(bd_t *bd);

This is not self-contained since bd_t is not defined.

To tell the compiler what 'bd_t' is, you need to include <asm/u-boot.h>

  #include <asm/u-boot.h>
  void foo(bd_t *bd);

Then, the include direcective pulls in more bloat needlessly.

If you use 'struct bd_info' instead, it is enough to put a forward
declaration as follows:

  struct bd_info;
  void foo(struct bd_info *bd);

Right, typedef'ing bd_t is a mistake.

I used coccinelle to generate this commit.

The semantic patch that makes this change is as follows:

  <smpl>
  @@
  typedef bd_t;
  @@
  -bd_t
  +struct bd_info
  </smpl>

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2020-07-17 09:30:13 -04:00
Chin Liang See
499b7493e7 lib: zlib: Remove offset pointer optimization in inftrees.c
This fixes the CVE-2016-9840. Commit imported from [1].

inftrees.c was subtracting an offset from a pointer to an array,
in order to provide a pointer that allowed indexing starting at
the offset. This is not compliant with the C standard, for which
the behavior of a pointer decremented before its allocated memory
is undefined. Per the recommendation of a security audit of the
zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this tiny optimization was removed, in order
to avoid the possibility of undefined behavior.

[1]: 6a043145ca

Signed-off-by: Mark Adler <madler@alumni.caltech.edu>
Signed-off-by: Chin Liang See <chin.liang.see@intel.com>
Signed-off-by: Ley Foon Tan <ley.foon.tan@intel.com>
2020-07-17 08:51:29 -04:00
Rasmus Villemoes
e7885a48bb lz4: fix decompressor on big-endian powerpc
Booting an lz4-compressed kernel image fails on our powerpc board with
-EPROTONOSUPPORT. Adding a bit of debug prints, we get

  magic: 0x184d2204
  flags: 0x64
  reserved0: 1
  has_content_checksum: 1
  has_content_size: 0
  has_block_checksum: 0
  independent_blocks: 1
  version: 0
  block_descriptor: 70
  reserved1: 7
  max_block_size: 0
  reserved2: 0

So the magic is ok, but the version check fails, also some reserved
bits are apparently set. But that's because the code interprets the
"flags" and "block_descriptor" bytes wrongly:

Using bit-fields to access individual bits of an "on the wire" format
is not portable, not even when restricted to the C flavour implemented
by gcc. Quoting the gcc manual:

   * 'The order of allocation of bit-fields within a unit (C90 6.5.2.1,
     C99 and C11 6.7.2.1).'

     Determined by ABI.

and indeed, the PPC Processor ABI supplement says

   * Bit-fields are allocated from right to left (least to most
     significant) on Little-Endian implementations and from left to
     right (most to least significant) on Big-Endian implementations.

The upstream code (github.com/lz4/lz4) uses explicit shifts and masks
for encoding/decoding:

    /* FLG Byte */
    *dstPtr++ = (BYTE)(((1 & _2BITS) << 6)    /* Version('01') */
        + ((cctxPtr->prefs.frameInfo.blockMode & _1BIT ) << 5)
        + ((cctxPtr->prefs.frameInfo.blockChecksumFlag & _1BIT ) << 4)
        + ((unsigned)(cctxPtr->prefs.frameInfo.contentSize > 0) << 3)
        + ((cctxPtr->prefs.frameInfo.contentChecksumFlag & _1BIT ) << 2)
        +  (cctxPtr->prefs.frameInfo.dictID > 0) );

    /* Flags */
    {   U32 const FLG = srcPtr[4];
        U32 const version = (FLG>>6) & _2BITS;
        blockChecksumFlag = (FLG>>4) & _1BIT;
        blockMode = (FLG>>5) & _1BIT;
        contentSizeFlag = (FLG>>3) & _1BIT;
        contentChecksumFlag = (FLG>>2) & _1BIT;
        dictIDFlag = FLG & _1BIT;
        /* validate */
        if (((FLG>>1)&_1BIT) != 0) return err0r(LZ4F_ERROR_reservedFlag_set); /* Reserved bit */
        if (version != 1) return err0r(LZ4F_ERROR_headerVersion_wrong);        /* Version Number, only supported value */
    }

Do the same here, and while at it, be more careful to use unaligned
accessors to what is most likely unaligned. Also update the comment to
make it clear that it only refers to the lz4.c file, not the following
code of lz4_wrapper.c.

This has been tested partly, of course, by seeing that my
lz4-compressed kernel now boots, partly by running the (de)compression
test-suite in the (x86_64) sandbox - i.e., it should still work just
fine on little-endian hosts.

Reviewed-by: Julius Werner <jwerner@chromium.org>
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
2020-07-17 08:45:29 -04:00
Simon Glass
bb6772c3ff acpi: Support writing named values
Allow writing named integers and strings to the generated ACPI code.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
[bmeng: Fix the "new blank line at EOF" warning]
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-17 14:32:24 +08:00
Simon Glass
91c2f9c32e acpi: Support generation of a device
Allow writing an ACPI device to the generated ACPI code.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
[bmeng: Fix build failures on Sandbox]
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-17 14:32:24 +08:00
Simon Glass
d7d631df2d acpi: Support generation of a generic register
Allow writing out a generic register.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
[bmeng: Fix build failures on Sandbox]
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-17 14:32:24 +08:00
Simon Glass
82659cc910 acpi: Support generation of a scope
Add a function to write a scope to the generated ACPI code.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[bmeng: Fix build failures on Sandbox]
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-17 14:32:24 +08:00
Simon Glass
8f9877df95 binman: Add way to locate an entry in memory
Add support for accessing an entry's contents in memory-mapped SPI flash.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-17 14:32:24 +08:00
Simon Glass
956a9082d3 binman: Refactor binman_entry_find() to allow other nodes
At present we can only read from a top-level binman node entry. Refactor
this function to produce a second local function which supports reading
from any node.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-17 14:32:24 +08:00
Simon Glass
db6fb7d152 binman: Allow setting the ROM offset
On x86 the SPI ROM can be memory-mapped, at least most of it. Add a way
to tell binman the offset from a ROM address to a RAM address.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-17 14:32:24 +08:00