Merge tag 'efi-2024-07-rc5' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request efi-2024-07-rc5
Documentation:
* update build dependency Python request module to version 2.32.2
* fix typos
UEFI:
* Correct signature check when appending to EFI variables.
diff --git a/doc/sphinx/requirements.txt b/doc/sphinx/requirements.txt
index 426f41e..54eb70a 100644
--- a/doc/sphinx/requirements.txt
+++ b/doc/sphinx/requirements.txt
@@ -9,7 +9,7 @@
MarkupSafe==2.1.3
packaging==23.2
Pygments==2.17.2
-requests==2.31.0
+requests==2.32.2
six==1.16.0
snowballstemmer==2.2.0
Sphinx==7.2.6
diff --git a/doc/usage/cmd/bootmeth.rst b/doc/usage/cmd/bootmeth.rst
index 2903977..bac9fdf 100644
--- a/doc/usage/cmd/bootmeth.rst
+++ b/doc/usage/cmd/bootmeth.rst
@@ -48,7 +48,7 @@
===== === ================== =================================
Order Seq Name Description
===== === ================== =================================
- 0 0 extlinunx Extlinux boot from a block device
+ 0 0 extlinux Extlinux boot from a block device
1 1 efi EFI boot from an .efi file
2 2 pxe PXE boot from a network device
3 3 sandbox Sandbox boot for testing
diff --git a/lib/efi_loader/capsule_esl.dtsi.in b/lib/efi_loader/capsule_esl.dtsi.in
index 61a9f2b..bc7db83 100644
--- a/lib/efi_loader/capsule_esl.dtsi.in
+++ b/lib/efi_loader/capsule_esl.dtsi.in
@@ -1,9 +1,9 @@
// SPDX-License-Identifier: GPL-2.0+
-/**
+/*
* Devicetree file with the public key EFI Signature List(ESL)
* node. This file is used to generate the dtsi file to be
* included into the DTB.
-*/
+ */
/ {
signature {
capsule-key = /incbin/("ESL_BIN_FILE");
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index 1cc02ac..09651d4 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -288,7 +288,6 @@
/* check if a variable exists */
var = efi_var_mem_find(vendor, variable_name, NULL);
append = !!(attributes & EFI_VARIABLE_APPEND_WRITE);
- attributes &= ~EFI_VARIABLE_APPEND_WRITE;
delete = !append && (!data_size || !attributes);
/* check attributes */
@@ -304,7 +303,7 @@
/* attributes won't be changed */
if (!delete &&
- ((ro_check && var->attr != attributes) ||
+ ((ro_check && var->attr != (attributes & ~EFI_VARIABLE_APPEND_WRITE)) ||
(!ro_check && ((var->attr & ~EFI_VARIABLE_READ_ONLY)
!= (attributes & ~EFI_VARIABLE_READ_ONLY))))) {
return EFI_INVALID_PARAMETER;
@@ -378,7 +377,8 @@
for (; *old_data; ++old_data)
;
++old_data;
- ret = efi_var_mem_ins(variable_name, vendor, attributes,
+ ret = efi_var_mem_ins(variable_name, vendor,
+ attributes & ~EFI_VARIABLE_APPEND_WRITE,
var->length, old_data, data_size, data,
time);
} else {
diff --git a/test/py/requirements.txt b/test/py/requirements.txt
index 0f67c3c..c1dd636 100644
--- a/test/py/requirements.txt
+++ b/test/py/requirements.txt
@@ -20,7 +20,7 @@
pytest-xdist==2.5.0
python-mimeparse==1.6.0
python-subunit==1.3.0
-requests==2.31.0
+requests==2.32.2
setuptools==65.5.1
six==1.16.0
testtools==2.3.0
diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
index ff7ac7c..0fa0747 100644
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -64,6 +64,12 @@
check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
+ # db2 (APPEND_WRITE)
+ check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db2/ -keyout db2.key -out db2.crt -nodes -days 365'
+ % mnt_point, shell=True)
+ check_call('cd %s; %scert-to-efi-sig-list -g %s db2.crt db2.esl; %ssign-efi-sig-list -a -c KEK.crt -k KEK.key db db2.esl db2.auth'
+ % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
+ shell=True)
# dbx (TEST_dbx certificate)
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365'
% mnt_point, shell=True)
@@ -84,6 +90,10 @@
check_call('cd %s; %scert-to-efi-hash-list -g %s -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
+ # dbx_hash2 (digest of TEST_db2 certificate, with APPEND_WRITE)
+ check_call('cd %s; %scert-to-efi-hash-list -g %s -s 256 db2.crt dbx_hash2.crl; %ssign-efi-sig-list -a -c KEK.crt -k KEK.key dbx dbx_hash2.crl dbx_hash2.auth'
+ % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
+ shell=True)
# dbx_db (with TEST_db certificate)
check_call('cd %s; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth'
% (mnt_point, EFITOOLS_PATH),
diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py
index f99b827..d5aeb65 100644
--- a/test/py/tests/test_efi_secboot/test_authvar.py
+++ b/test/py/tests/test_efi_secboot/test_authvar.py
@@ -183,7 +183,7 @@
assert 'db:' in ''.join(output)
output = u_boot_console.run_command_list([
- 'fatload host 0:1 4000000 db1.auth',
+ 'fatload host 0:1 4000000 db2.auth',
'setenv -e -nv -bs -rt -a -i 4000000:$filesize db'])
assert 'Failed to set EFI variable' in ''.join(output)
@@ -197,7 +197,7 @@
with u_boot_console.log.section('Test Case 3c'):
# Test Case 3c, update with correct signature
output = u_boot_console.run_command_list([
- 'fatload host 0:1 4000000 db1.auth',
+ 'fatload host 0:1 4000000 db2.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert 'Failed to set EFI variable' not in ''.join(output)
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index 5000a4a..f604138 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -177,7 +177,7 @@
with u_boot_console.log.section('Test Case 5b'):
# Test Case 5b, authenticated if both signatures are verified
output = u_boot_console.run_command_list([
- 'fatload host 0:1 4000000 db1.auth',
+ 'fatload host 0:1 4000000 db2.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db'])
assert 'Failed to set EFI variable' not in ''.join(output)
output = u_boot_console.run_command_list([
@@ -201,7 +201,7 @@
with u_boot_console.log.section('Test Case 5d'):
# Test Case 5d, rejected if both of signatures are revoked
output = u_boot_console.run_command_list([
- 'fatload host 0:1 4000000 dbx_hash1.auth',
+ 'fatload host 0:1 4000000 dbx_hash2.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize dbx'])
assert 'Failed to set EFI variable' not in ''.join(output)
output = u_boot_console.run_command_list([
@@ -223,7 +223,7 @@
'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
- 'fatload host 0:1 4000000 db1.auth',
+ 'fatload host 0:1 4000000 db2.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
'fatload host 0:1 4000000 dbx_hash1.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
@@ -300,7 +300,7 @@
'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
- 'fatload host 0:1 4000000 db1.auth',
+ 'fatload host 0:1 4000000 db2.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
'fatload host 0:1 4000000 dbx_hash384.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
@@ -323,7 +323,7 @@
'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
- 'fatload host 0:1 4000000 db1.auth',
+ 'fatload host 0:1 4000000 db2.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
'fatload host 0:1 4000000 dbx_hash512.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])