diff options
author | Sughosh Ganu <sughosh.ganu@linaro.org> | 2020-12-30 19:27:09 +0530 |
---|---|---|
committer | Heinrich Schuchardt <xypron.glpk@gmx.de> | 2020-12-31 14:41:31 +0100 |
commit | 04be98bd6bcfccf3ab028fda0ca962dd00f61260 (patch) | |
tree | 3c5364e835613770b47a069ca9dd398ac0ac4ceb /include | |
parent | b4f20a5d83f0b8a5c30128966eabe68748631e66 (diff) | |
download | u-boot-04be98bd6bcfccf3ab028fda0ca962dd00f61260.tar.gz u-boot-04be98bd6bcfccf3ab028fda0ca962dd00f61260.tar.xz u-boot-04be98bd6bcfccf3ab028fda0ca962dd00f61260.zip |
efi: capsule: Add support for uefi capsule authentication
Add support for authenticating uefi capsules. Most of the signature
verification functionality is shared with the uefi secure boot
feature.
The root certificate containing the public key used for the signature
verification is stored as part of the device tree blob. The root
certificate is stored as an efi signature list(esl) file -- this file
contains the x509 certificate which is the root certificate.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/efi_api.h | 18 | ||||
-rw-r--r-- | include/efi_loader.h | 6 |
2 files changed, 24 insertions, 0 deletions
diff --git a/include/efi_api.h b/include/efi_api.h index e82d4ca9ff..ecb43a0607 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -1813,6 +1813,24 @@ struct efi_variable_authentication_2 { } __attribute__((__packed__)); /** + * efi_firmware_image_authentication - Capsule authentication method + * descriptor + * + * This structure describes an authentication information for + * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set + * and should be included as part of the capsule. + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted. + * + * @monotonic_count: Count to prevent replay + * @auth_info: Authentication info + */ +struct efi_firmware_image_authentication { + uint64_t monotonic_count; + struct win_certificate_uefi_guid auth_info; +} __attribute__((__packed__)); + + +/** * efi_signature_data - A format of signature * * This structure describes a single signature in signature database. diff --git a/include/efi_loader.h b/include/efi_loader.h index 7fd65eeb8d..4719fa93f0 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -819,6 +819,8 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name); bool efi_secure_boot_enabled(void); +bool efi_capsule_auth_enabled(void); + bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); @@ -847,6 +849,10 @@ efi_status_t EFIAPI efi_query_capsule_caps( u64 *maximum_capsule_size, u32 *reset_type); +efi_status_t efi_capsule_authenticate(const void *capsule, + efi_uintn_t capsule_size, + void **image, efi_uintn_t *image_size); + #define EFI_CAPSULE_DIR L"\\EFI\\UpdateCapsule\\" /* Hook at initialization */ |