[1/2] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled

Message ID 20210415133020.29175-2-masahisa.kojima@linaro.org
State New
Headers show
Series
  • PE/COFF measurement support
Related show

Commit Message

Masahisa Kojima April 15, 2021, 1:30 p.m.
This is preparation for PE/COFF measurement support.
PE/COFF image hash calculation is same in both
UEFI Secure Boot image verification and measurement in
measured boot. This commit exposes the hash calculation
functions even if UEFI Secure Boot is not enabled.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>

---
 lib/efi_loader/efi_image_loader.c | 2 +-
 lib/efi_loader/efi_signature.c    | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

-- 
2.17.1

Comments

Heinrich Schuchardt April 15, 2021, 1:58 p.m. | #1
On 15.04.21 15:30, Masahisa Kojima wrote:
> This is preparation for PE/COFF measurement support.

> PE/COFF image hash calculation is same in both

> UEFI Secure Boot image verification and measurement in

> measured boot. This commit exposes the hash calculation

> functions even if UEFI Secure Boot is not enabled.

>

> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>

> ---

>  lib/efi_loader/efi_image_loader.c | 2 +-

>  lib/efi_loader/efi_signature.c    | 2 ++

>  2 files changed, 3 insertions(+), 1 deletion(-)

>

> diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c

> index f53ef367ec..2c35cb5651 100644

> --- a/lib/efi_loader/efi_image_loader.c

> +++ b/lib/efi_loader/efi_image_loader.c

> @@ -213,7 +213,6 @@ static void efi_set_code_and_data_type(

>  	}

>  }

>

> -#ifdef CONFIG_EFI_SECURE_BOOT

>  /**

>   * cmp_pe_section() - compare virtual addresses of two PE image sections

>   * @arg1:	pointer to pointer to first section header

> @@ -422,6 +421,7 @@ err:

>  	return false;

>  }

>

> +#ifdef CONFIG_EFI_SECURE_BOOT


Please, remove the #ifdef and replace it by

   if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {

in function efi_image_authenticate().

The advantage of using 'if' instead of '#ifdef' is that all branches are
parsed by GCC. This allows us to catch code problems more easily.

>  /**

>   * efi_image_unsigned_authenticate() - authenticate unsigned image with

>   * SHA256 hash

> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c

> index c7ec275414..1dd9d0e130 100644

> --- a/lib/efi_loader/efi_signature.c

> +++ b/lib/efi_loader/efi_signature.c

> @@ -538,6 +538,7 @@ out:

>  	EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked);

>  	return !revoked;

>  }

> +#endif


The #if is superfluous. Just add the missing header

#include <u-boot/rsa-checksum.h>

efi_guid_t efi_guid_image_security_database should be moved to
efi_var_common.c. This allows us to decide if
lib/efi_loader/efi_signature.c shall be compiled in the Makefile.

Best regards

Heinrich

>

>  /**

>   * efi_image_region_add() - add an entry of region

> @@ -601,6 +602,7 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs,

>  	return EFI_SUCCESS;

>  }

>

> +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)

>  /**

>   * efi_sigstore_free - free signature store

>   * @sigstore:	Pointer to signature store structure

>

Patch

diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index f53ef367ec..2c35cb5651 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -213,7 +213,6 @@  static void efi_set_code_and_data_type(
 	}
 }
 
-#ifdef CONFIG_EFI_SECURE_BOOT
 /**
  * cmp_pe_section() - compare virtual addresses of two PE image sections
  * @arg1:	pointer to pointer to first section header
@@ -422,6 +421,7 @@  err:
 	return false;
 }
 
+#ifdef CONFIG_EFI_SECURE_BOOT
 /**
  * efi_image_unsigned_authenticate() - authenticate unsigned image with
  * SHA256 hash
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index c7ec275414..1dd9d0e130 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -538,6 +538,7 @@  out:
 	EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked);
 	return !revoked;
 }
+#endif
 
 /**
  * efi_image_region_add() - add an entry of region
@@ -601,6 +602,7 @@  efi_status_t efi_image_region_add(struct efi_image_regions *regs,
 	return EFI_SUCCESS;
 }
 
+#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
 /**
  * efi_sigstore_free - free signature store
  * @sigstore:	Pointer to signature store structure