LXR uboot/lib/efi_loader/efi_image

   1// SPDX-License-Identifier: GPL-2.0+
   2/*
   3 *  EFI image loader
   4 *
   5 *  based partly on wine code
   6 *
   7 *  Copyright (c) 2016 Alexander Graf
   8 */
   9
  10#define LOG_CATEGORY LOGC_EFI
  11
  12#include <common.h>
  13#include <cpu_func.h>
  14#include <efi_loader.h>
  15#include <log.h>
  16#include <malloc.h>
  17#include <pe.h>
  18#include <sort.h>
  19#include <crypto/pkcs7_parser.h>
  20#include <linux/err.h>
  21
  22const efi_guid_t efi_global_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
  23const efi_guid_t efi_guid_device_path = EFI_DEVICE_PATH_PROTOCOL_GUID;
  24const efi_guid_t efi_guid_loaded_image = EFI_LOADED_IMAGE_PROTOCOL_GUID;
  25const efi_guid_t efi_guid_loaded_image_device_path =
  26                EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID;
  27const efi_guid_t efi_simple_file_system_protocol_guid =
  28                EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID;
  29const efi_guid_t efi_file_info_guid = EFI_FILE_INFO_GUID;
  30
  31static int machines[] = {
  32#if defined(__aarch64__)
  33        IMAGE_FILE_MACHINE_ARM64,
  34#elif defined(__arm__)
  35        IMAGE_FILE_MACHINE_ARM,
  36        IMAGE_FILE_MACHINE_THUMB,
  37        IMAGE_FILE_MACHINE_ARMNT,
  38#endif
  39
  40#if defined(__x86_64__)
  41        IMAGE_FILE_MACHINE_AMD64,
  42#elif defined(__i386__)
  43        IMAGE_FILE_MACHINE_I386,
  44#endif
  45
  46#if defined(__riscv) && (__riscv_xlen == 32)
  47        IMAGE_FILE_MACHINE_RISCV32,
  48#endif
  49
  50#if defined(__riscv) && (__riscv_xlen == 64)
  51        IMAGE_FILE_MACHINE_RISCV64,
  52#endif
  53        0 };
  54
  55/**
  56 * efi_print_image_info() - print information about a loaded image
  57 *
  58 * If the program counter is located within the image the offset to the base
  59 * address is shown.
  60 *
  61 * @obj:        EFI object
  62 * @image:      loaded image
  63 * @pc:         program counter (use NULL to suppress offset output)
  64 * Return:      status code
  65 */
  66static efi_status_t efi_print_image_info(struct efi_loaded_image_obj *obj,
  67                                         struct efi_loaded_image *image,
  68                                         void *pc)
  69{
  70        printf("UEFI image");
  71        printf(" [0x%p:0x%p]",
  72               image->image_base, image->image_base + image->image_size - 1);
  73        if (pc && pc >= image->image_base &&
  74            pc < image->image_base + image->image_size)
  75                printf(" pc=0x%zx", pc - image->image_base);
  76        if (image->file_path)
  77                printf(" '%pD'", image->file_path);
  78        printf("\n");
  79        return EFI_SUCCESS;
  80}
  81
  82/**
  83 * efi_print_image_infos() - print information about all loaded images
  84 *
  85 * @pc:         program counter (use NULL to suppress offset output)
  86 */
  87void efi_print_image_infos(void *pc)
  88{
  89        struct efi_object *efiobj;
  90        struct efi_handler *handler;
  91
  92        list_for_each_entry(efiobj, &efi_obj_list, link) {
  93                list_for_each_entry(handler, &efiobj->protocols, link) {
  94                        if (!guidcmp(handler->guid, &efi_guid_loaded_image)) {
  95                                efi_print_image_info(
  96                                        (struct efi_loaded_image_obj *)efiobj,
  97                                        handler->protocol_interface, pc);
  98                        }
  99                }
 100        }
 101}
 102
 103/**
 104 * efi_loader_relocate() - relocate UEFI binary
 105 *
 106 * @rel:                pointer to the relocation table
 107 * @rel_size:           size of the relocation table in bytes
 108 * @efi_reloc:          actual load address of the image
 109 * @pref_address:       preferred load address of the image
 110 * Return:              status code
 111 */
 112static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
 113                        unsigned long rel_size, void *efi_reloc,
 114                        unsigned long pref_address)
 115{
 116        unsigned long delta = (unsigned long)efi_reloc - pref_address;
 117        const IMAGE_BASE_RELOCATION *end;
 118        int i;
 119
 120        if (delta == 0)
 121                return EFI_SUCCESS;
 122
 123        end = (const IMAGE_BASE_RELOCATION *)((const char *)rel + rel_size);
 124        while (rel < end && rel->SizeOfBlock) {
 125                const uint16_t *relocs = (const uint16_t *)(rel + 1);
 126                i = (rel->SizeOfBlock - sizeof(*rel)) / sizeof(uint16_t);
 127                while (i--) {
 128                        uint32_t offset = (uint32_t)(*relocs & 0xfff) +
 129                                          rel->VirtualAddress;
 130                        int type = *relocs >> EFI_PAGE_SHIFT;
 131                        uint64_t *x64 = efi_reloc + offset;
 132                        uint32_t *x32 = efi_reloc + offset;
 133                        uint16_t *x16 = efi_reloc + offset;
 134
 135                        switch (type) {
 136                        case IMAGE_REL_BASED_ABSOLUTE:
 137                                break;
 138                        case IMAGE_REL_BASED_HIGH:
 139                                *x16 += ((uint32_t)delta) >> 16;
 140                                break;
 141                        case IMAGE_REL_BASED_LOW:
 142                                *x16 += (uint16_t)delta;
 143                                break;
 144                        case IMAGE_REL_BASED_HIGHLOW:
 145                                *x32 += (uint32_t)delta;
 146                                break;
 147                        case IMAGE_REL_BASED_DIR64:
 148                                *x64 += (uint64_t)delta;
 149                                break;
 150#ifdef __riscv
 151                        case IMAGE_REL_BASED_RISCV_HI20:
 152                                *x32 = ((*x32 & 0xfffff000) + (uint32_t)delta) |
 153                                        (*x32 & 0x00000fff);
 154                                break;
 155                        case IMAGE_REL_BASED_RISCV_LOW12I:
 156                        case IMAGE_REL_BASED_RISCV_LOW12S:
 157                                /* We know that we're 4k aligned */
 158                                if (delta & 0xfff) {
 159                                        log_err("Unsupported reloc offset\n");
 160                                        return EFI_LOAD_ERROR;
 161                                }
 162                                break;
 163#endif
 164                        default:
 165                                log_err("Unknown Relocation off %x type %x\n",
 166                                        offset, type);
 167                                return EFI_LOAD_ERROR;
 168                        }
 169                        relocs++;
 170                }
 171                rel = (const IMAGE_BASE_RELOCATION *)relocs;
 172        }
 173        return EFI_SUCCESS;
 174}
 175
 176void __weak invalidate_icache_all(void)
 177{
 178        /* If the system doesn't support icache_all flush, cross our fingers */
 179}
 180
 181/**
 182 * efi_set_code_and_data_type() - determine the memory types to be used for code
 183 *                                and data.
 184 *
 185 * @loaded_image_info:  image descriptor
 186 * @image_type:         field Subsystem of the optional header for
 187 *                      Windows specific field
 188 */
 189static void efi_set_code_and_data_type(
 190                        struct efi_loaded_image *loaded_image_info,
 191                        uint16_t image_type)
 192{
 193        switch (image_type) {
 194        case IMAGE_SUBSYSTEM_EFI_APPLICATION:
 195                loaded_image_info->image_code_type = EFI_LOADER_CODE;
 196                loaded_image_info->image_data_type = EFI_LOADER_DATA;
 197                break;
 198        case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
 199                loaded_image_info->image_code_type = EFI_BOOT_SERVICES_CODE;
 200                loaded_image_info->image_data_type = EFI_BOOT_SERVICES_DATA;
 201                break;
 202        case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
 203        case IMAGE_SUBSYSTEM_EFI_ROM:
 204                loaded_image_info->image_code_type = EFI_RUNTIME_SERVICES_CODE;
 205                loaded_image_info->image_data_type = EFI_RUNTIME_SERVICES_DATA;
 206                break;
 207        default:
 208                log_err("invalid image type: %u\n", image_type);
 209                /* Let's assume it is an application */
 210                loaded_image_info->image_code_type = EFI_LOADER_CODE;
 211                loaded_image_info->image_data_type = EFI_LOADER_DATA;
 212                break;
 213        }
 214}
 215
 216/**
 217 * efi_image_region_add() - add an entry of region
 218 * @regs:       Pointer to array of regions
 219 * @start:      Start address of region (included)
 220 * @end:        End address of region (excluded)
 221 * @nocheck:    flag against overlapped regions
 222 *
 223 * Take one entry of region \[@start, @end\[ and insert it into the list.
 224 *
 225 * * If @nocheck is false, the list will be sorted ascending by address.
 226 *   Overlapping entries will not be allowed.
 227 *
 228 * * If @nocheck is true, the list will be sorted ascending by sequence
 229 *   of adding the entries. Overlapping is allowed.
 230 *
 231 * Return:      status code
 232 */
 233efi_status_t efi_image_region_add(struct efi_image_regions *regs,
 234                                  const void *start, const void *end,
 235                                  int nocheck)
 236{
 237        struct image_region *reg;
 238        int i, j;
 239
 240        if (regs->num >= regs->max) {
 241                EFI_PRINT("%s: no more room for regions\n", __func__);
 242                return EFI_OUT_OF_RESOURCES;
 243        }
 244
 245        if (end < start)
 246                return EFI_INVALID_PARAMETER;
 247
 248        for (i = 0; i < regs->num; i++) {
 249                reg = &regs->reg[i];
 250                if (nocheck)
 251                        continue;
 252
 253                /* new data after registered region */
 254                if (start >= reg->data + reg->size)
 255                        continue;
 256
 257                /* new data preceding registered region */
 258                if (end <= reg->data) {
 259                        for (j = regs->num - 1; j >= i; j--)
 260                                memcpy(&regs->reg[j + 1], &regs->reg[j],
 261                                       sizeof(*reg));
 262                        break;
 263                }
 264
 265                /* new data overlapping registered region */
 266                EFI_PRINT("%s: new region already part of another\n", __func__);
 267                return EFI_INVALID_PARAMETER;
 268        }
 269
 270        reg = &regs->reg[i];
 271        reg->data = start;
 272        reg->size = end - start;
 273        regs->num++;
 274
 275        return EFI_SUCCESS;
 276}
 277
 278/**
 279 * cmp_pe_section() - compare virtual addresses of two PE image sections
 280 * @arg1:       pointer to pointer to first section header
 281 * @arg2:       pointer to pointer to second section header
 282 *
 283 * Compare the virtual addresses of two sections of an portable executable.
 284 * The arguments are defined as const void * to allow usage with qsort().
 285 *
 286 * Return:      -1 if the virtual address of arg1 is less than that of arg2,
 287 *              0 if the virtual addresses are equal, 1 if the virtual address
 288 *              of arg1 is greater than that of arg2.
 289 */
 290static int cmp_pe_section(const void *arg1, const void *arg2)
 291{
 292        const IMAGE_SECTION_HEADER *section1, *section2;
 293
 294        section1 = *((const IMAGE_SECTION_HEADER **)arg1);
 295        section2 = *((const IMAGE_SECTION_HEADER **)arg2);
 296
 297        if (section1->VirtualAddress < section2->VirtualAddress)
 298                return -1;
 299        else if (section1->VirtualAddress == section2->VirtualAddress)
 300                return 0;
 301        else
 302                return 1;
 303}
 304
 305/**
 306 * efi_prepare_aligned_image() - prepare 8-byte aligned image
 307 * @efi:                pointer to the EFI binary
 308 * @efi_size:           size of @efi binary
 309 *
 310 * If @efi is not 8-byte aligned, this function newly allocates
 311 * the image buffer.
 312 *
 313 * Return:      valid pointer to a image, return NULL if allocation fails.
 314 */
 315void *efi_prepare_aligned_image(void *efi, u64 *efi_size)
 316{
 317        size_t new_efi_size;
 318        void *new_efi;
 319
 320        /*
 321         * Size must be 8-byte aligned and the trailing bytes must be
 322         * zero'ed. Otherwise hash value may be incorrect.
 323         */
 324        if (!IS_ALIGNED(*efi_size, 8)) {
 325                new_efi_size = ALIGN(*efi_size, 8);
 326                new_efi = calloc(new_efi_size, 1);
 327                if (!new_efi)
 328                        return NULL;
 329                memcpy(new_efi, efi, *efi_size);
 330                *efi_size = new_efi_size;
 331                return new_efi;
 332        } else {
 333                return efi;
 334        }
 335}
 336
 337/**
 338 * efi_image_parse() - parse a PE image
 339 * @efi:        Pointer to image
 340 * @len:        Size of @efi
 341 * @regp:       Pointer to a list of regions
 342 * @auth:       Pointer to a pointer to authentication data in PE
 343 * @auth_len:   Size of @auth
 344 *
 345 * Parse image binary in PE32(+) format, assuming that sanity of PE image
 346 * has been checked by a caller.
 347 * On success, an address of authentication data in @efi and its size will
 348 * be returned in @auth and @auth_len, respectively.
 349 *
 350 * Return:      true on success, false on error
 351 */
 352bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
 353                     WIN_CERTIFICATE **auth, size_t *auth_len)
 354{
 355        struct efi_image_regions *regs;
 356        IMAGE_DOS_HEADER *dos;
 357        IMAGE_NT_HEADERS32 *nt;
 358        IMAGE_SECTION_HEADER *sections, **sorted;
 359        int num_regions, num_sections, i;
 360        int ctidx = IMAGE_DIRECTORY_ENTRY_SECURITY;
 361        u32 align, size, authsz, authoff;
 362        size_t bytes_hashed;
 363
 364        dos = (void *)efi;
 365        nt = (void *)(efi + dos->e_lfanew);
 366        authoff = 0;
 367        authsz = 0;
 368
 369        /*
 370         * Count maximum number of regions to be digested.
 371         * We don't have to have an exact number here.
 372         * See efi_image_region_add()'s in parsing below.
 373         */
 374        num_regions = 3; /* for header */
 375        num_regions += nt->FileHeader.NumberOfSections;
 376        num_regions++; /* for extra */
 377
 378        regs = calloc(sizeof(*regs) + sizeof(struct image_region) * num_regions,
 379                      1);
 380        if (!regs)
 381                goto err;
 382        regs->max = num_regions;
 383
 384        /*
 385         * Collect data regions for hash calculation
 386         * 1. File headers
 387         */
 388        if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
 389                IMAGE_NT_HEADERS64 *nt64 = (void *)nt;
 390                IMAGE_OPTIONAL_HEADER64 *opt = &nt64->OptionalHeader;
 391
 392                /* Skip CheckSum */
 393                efi_image_region_add(regs, efi, &opt->CheckSum, 0);
 394                if (nt64->OptionalHeader.NumberOfRvaAndSizes <= ctidx) {
 395                        efi_image_region_add(regs,
 396                                             &opt->Subsystem,
 397                                             efi + opt->SizeOfHeaders, 0);
 398                } else {
 399                        /* Skip Certificates Table */
 400                        efi_image_region_add(regs,
 401                                             &opt->Subsystem,
 402                                             &opt->DataDirectory[ctidx], 0);
 403                        efi_image_region_add(regs,
 404                                             &opt->DataDirectory[ctidx] + 1,
 405                                             efi + opt->SizeOfHeaders, 0);
 406
 407                        authoff = opt->DataDirectory[ctidx].VirtualAddress;
 408                        authsz = opt->DataDirectory[ctidx].Size;
 409                }
 410
 411                bytes_hashed = opt->SizeOfHeaders;
 412                align = opt->FileAlignment;
 413        } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
 414                IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader;
 415
 416                /* Skip CheckSum */
 417                efi_image_region_add(regs, efi, &opt->CheckSum, 0);
 418                if (nt->OptionalHeader.NumberOfRvaAndSizes <= ctidx) {
 419                        efi_image_region_add(regs,
 420                                             &opt->Subsystem,
 421                                             efi + opt->SizeOfHeaders, 0);
 422                } else {
 423                        /* Skip Certificates Table */
 424                        efi_image_region_add(regs, &opt->Subsystem,
 425                                             &opt->DataDirectory[ctidx], 0);
 426                        efi_image_region_add(regs,
 427                                             &opt->DataDirectory[ctidx] + 1,
 428                                             efi + opt->SizeOfHeaders, 0);
 429
 430                        authoff = opt->DataDirectory[ctidx].VirtualAddress;
 431                        authsz = opt->DataDirectory[ctidx].Size;
 432                }
 433
 434                bytes_hashed = opt->SizeOfHeaders;
 435                align = opt->FileAlignment;
 436        } else {
 437                EFI_PRINT("%s: Invalid optional header magic %x\n", __func__,
 438                          nt->OptionalHeader.Magic);
 439                goto err;
 440        }
 441
 442        /* 2. Sections */
 443        num_sections = nt->FileHeader.NumberOfSections;
 444        sections = (void *)((uint8_t *)&nt->OptionalHeader +
 445                            nt->FileHeader.SizeOfOptionalHeader);
 446        sorted = calloc(sizeof(IMAGE_SECTION_HEADER *), num_sections);
 447        if (!sorted) {
 448                EFI_PRINT("%s: Out of memory\n", __func__);
 449                goto err;
 450        }
 451
 452        /*
 453         * Make sure the section list is in ascending order.
 454         */
 455        for (i = 0; i < num_sections; i++)
 456                sorted[i] = &sections[i];
 457        qsort(sorted, num_sections, sizeof(sorted[0]), cmp_pe_section);
 458
 459        for (i = 0; i < num_sections; i++) {
 460                if (!sorted[i]->SizeOfRawData)
 461                        continue;
 462
 463                size = (sorted[i]->SizeOfRawData + align - 1) & ~(align - 1);
 464                efi_image_region_add(regs, efi + sorted[i]->PointerToRawData,
 465                                     efi + sorted[i]->PointerToRawData + size,
 466                                     0);
 467                EFI_PRINT("section[%d](%s): raw: 0x%x-0x%x, virt: %x-%x\n",
 468                          i, sorted[i]->Name,
 469                          sorted[i]->PointerToRawData,
 470                          sorted[i]->PointerToRawData + size,
 471                          sorted[i]->VirtualAddress,
 472                          sorted[i]->VirtualAddress
 473                            + sorted[i]->Misc.VirtualSize);
 474
 475                bytes_hashed += size;
 476        }
 477        free(sorted);
 478
 479        /* 3. Extra data excluding Certificates Table */
 480        if (bytes_hashed + authsz < len) {
 481                EFI_PRINT("extra data for hash: %zu\n",
 482                          len - (bytes_hashed + authsz));
 483                efi_image_region_add(regs, efi + bytes_hashed,
 484                                     efi + len - authsz, 0);
 485        }
 486
 487        /* Return Certificates Table */
 488        if (authsz) {
 489                if (len < authoff + authsz) {
 490                        EFI_PRINT("%s: Size for auth too large: %u >= %zu\n",
 491                                  __func__, authsz, len - authoff);
 492                        goto err;
 493                }
 494                if (authsz < sizeof(*auth)) {
 495                        EFI_PRINT("%s: Size for auth too small: %u < %zu\n",
 496                                  __func__, authsz, sizeof(*auth));
 497                        goto err;
 498                }
 499                *auth = efi + authoff;
 500                *auth_len = authsz;
 501                EFI_PRINT("WIN_CERTIFICATE: 0x%x, size: 0x%x\n", authoff,
 502                          authsz);
 503        } else {
 504                *auth = NULL;
 505                *auth_len = 0;
 506        }
 507
 508        *regp = regs;
 509
 510        return true;
 511
 512err:
 513        free(regs);
 514
 515        return false;
 516}
 517
 518#ifdef CONFIG_EFI_SECURE_BOOT
 519/**
 520 * efi_image_unsigned_authenticate() - authenticate unsigned image with
 521 * SHA256 hash
 522 * @regs:       List of regions to be verified
 523 *
 524 * If an image is not signed, it doesn't have a signature. In this case,
 525 * its message digest is calculated and it will be compared with one of
 526 * hash values stored in signature databases.
 527 *
 528 * Return:      true if authenticated, false if not
 529 */
 530static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs)
 531{
 532        struct efi_signature_store *db = NULL, *dbx = NULL;
 533        bool ret = false;
 534
 535        dbx = efi_sigstore_parse_sigdb(L"dbx");
 536        if (!dbx) {
 537                EFI_PRINT("Getting signature database(dbx) failed\n");
 538                goto out;
 539        }
 540
 541        db = efi_sigstore_parse_sigdb(L"db");
 542        if (!db) {
 543                EFI_PRINT("Getting signature database(db) failed\n");
 544                goto out;
 545        }
 546
 547        /* try black-list first */
 548        if (efi_signature_lookup_digest(regs, dbx)) {
 549                EFI_PRINT("Image is not signed and its digest found in \"dbx\"\n");
 550                goto out;
 551        }
 552
 553        /* try white-list */
 554        if (efi_signature_lookup_digest(regs, db))
 555                ret = true;
 556        else
 557                EFI_PRINT("Image is not signed and its digest not found in \"db\" or \"dbx\"\n");
 558
 559out:
 560        efi_sigstore_free(db);
 561        efi_sigstore_free(dbx);
 562
 563        return ret;
 564}
 565
 566/**
 567 * efi_image_authenticate() - verify a signature of signed image
 568 * @efi:        Pointer to image
 569 * @efi_size:   Size of @efi
 570 *
 571 * A signed image should have its signature stored in a table of its PE header.
 572 * So if an image is signed and only if if its signature is verified using
 573 * signature databases, an image is authenticated.
 574 * If an image is not signed, its validity is checked by using
 575 * efi_image_unsigned_authenticated().
 576 * TODO:
 577 * When AuditMode==0, if the image's signature is not found in
 578 * the authorized database, or is found in the forbidden database,
 579 * the image will not be started and instead, information about it
 580 * will be placed in this table.
 581 * When AuditMode==1, an EFI_IMAGE_EXECUTION_INFO element is created
 582 * in the EFI_IMAGE_EXECUTION_INFO_TABLE for every certificate found
 583 * in the certificate table of every image that is validated.
 584 *
 585 * Return:      true if authenticated, false if not
 586 */
 587static bool efi_image_authenticate(void *efi, size_t efi_size)
 588{
 589        struct efi_image_regions *regs = NULL;
 590        WIN_CERTIFICATE *wincerts = NULL, *wincert;
 591        size_t wincerts_len;
 592        struct pkcs7_message *msg = NULL;
 593        struct efi_signature_store *db = NULL, *dbx = NULL;
 594        void *new_efi = NULL;
 595        u8 *auth, *wincerts_end;
 596        size_t auth_size;
 597        bool ret = false;
 598
 599        EFI_PRINT("%s: Enter, %d\n", __func__, ret);
 600
 601        if (!efi_secure_boot_enabled())
 602                return true;
 603
 604        new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);
 605        if (!new_efi)
 606                return false;
 607
 608        if (!efi_image_parse(new_efi, efi_size, &regs, &wincerts,
 609                             &wincerts_len)) {
 610                EFI_PRINT("Parsing PE executable image failed\n");
 611                goto err;
 612        }
 613
 614        if (!wincerts) {
 615                /* The image is not signed */
 616                ret = efi_image_unsigned_authenticate(regs);
 617
 618                goto err;
 619        }
 620
 621        /*
 622         * verify signature using db and dbx
 623         */
 624        db = efi_sigstore_parse_sigdb(L"db");
 625        if (!db) {
 626                EFI_PRINT("Getting signature database(db) failed\n");
 627                goto err;
 628        }
 629
 630        dbx = efi_sigstore_parse_sigdb(L"dbx");
 631        if (!dbx) {
 632                EFI_PRINT("Getting signature database(dbx) failed\n");
 633                goto err;
 634        }
 635
 636        if (efi_signature_lookup_digest(regs, dbx)) {
 637                EFI_PRINT("Image's digest was found in \"dbx\"\n");
 638                goto err;
 639        }
 640
 641        /*
 642         * go through WIN_CERTIFICATE list
 643         * NOTE:
 644         * We may have multiple signatures either as WIN_CERTIFICATE's
 645         * in PE header, or as pkcs7 SignerInfo's in SignedData.
 646         * So the verification policy here is:
 647         *   - Success if, at least, one of signatures is verified
 648         *   - unless signature is rejected explicitly with its digest.
 649         */
 650
 651        for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
 652             (u8 *)wincert < wincerts_end;
 653             wincert = (WIN_CERTIFICATE *)
 654                        ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) {
 655                if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end)
 656                        break;
 657
 658                if (wincert->dwLength <= sizeof(*wincert)) {
 659                        EFI_PRINT("dwLength too small: %u < %zu\n",
 660                                  wincert->dwLength, sizeof(*wincert));
 661                        continue;
 662                }
 663
 664                EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n",
 665                          wincert->wCertificateType);
 666
 667                auth = (u8 *)wincert + sizeof(*wincert);
 668                auth_size = wincert->dwLength - sizeof(*wincert);
 669                if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
 670                        if (auth + sizeof(efi_guid_t) >= wincerts_end)
 671                                break;
 672
 673                        if (auth_size <= sizeof(efi_guid_t)) {
 674                                EFI_PRINT("dwLength too small: %u < %zu\n",
 675                                          wincert->dwLength, sizeof(*wincert));
 676                                continue;
 677                        }
 678                        if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
 679                                EFI_PRINT("Certificate type not supported: %pUl\n",
 680                                          auth);
 681                                continue;
 682                        }
 683
 684                        auth += sizeof(efi_guid_t);
 685                        auth_size -= sizeof(efi_guid_t);
 686                } else if (wincert->wCertificateType
 687                                != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
 688                        EFI_PRINT("Certificate type not supported\n");
 689                        continue;
 690                }
 691
 692                msg = pkcs7_parse_message(auth, auth_size);
 693                if (IS_ERR(msg)) {
 694                        EFI_PRINT("Parsing image's signature failed\n");
 695                        msg = NULL;
 696                        continue;
 697                }
 698
 699                /*
 700                 * NOTE:
 701                 * UEFI specification defines two signature types possible
 702                 * in signature database:
 703                 * a. x509 certificate, where a signature in image is
 704                 *    a message digest encrypted by RSA public key
 705                 *    (EFI_CERT_X509_GUID)
 706                 * b. bare hash value of message digest
 707                 *    (EFI_CERT_SHAxxx_GUID)
 708                 *
 709                 * efi_signature_verify() handles case (a), while
 710                 * efi_signature_lookup_digest() handles case (b).
 711                 *
 712                 * There is a third type:
 713                 * c. message digest of a certificate
 714                 *    (EFI_CERT_X509_SHAAxxx_GUID)
 715                 * This type of signature is used only in revocation list
 716                 * (dbx) and handled as part of efi_signatgure_verify().
 717                 */
 718                /* try black-list first */
 719                if (efi_signature_verify_one(regs, msg, dbx)) {
 720                        EFI_PRINT("Signature was rejected by \"dbx\"\n");
 721                        continue;
 722                }
 723
 724                if (!efi_signature_check_signers(msg, dbx)) {
 725                        EFI_PRINT("Signer(s) in \"dbx\"\n");
 726                        continue;
 727                }
 728
 729                /* try white-list */
 730                if (efi_signature_verify(regs, msg, db, dbx)) {
 731                        ret = true;
 732                        break;
 733                }
 734
 735                EFI_PRINT("Signature was not verified by \"db\"\n");
 736
 737                if (efi_signature_lookup_digest(regs, db)) {
 738                        ret = true;
 739                        break;
 740                }
 741
 742                EFI_PRINT("Image's digest was not found in \"db\" or \"dbx\"\n");
 743        }
 744
 745err:
 746        efi_sigstore_free(db);
 747        efi_sigstore_free(dbx);
 748        pkcs7_free_message(msg);
 749        free(regs);
 750        if (new_efi != efi)
 751                free(new_efi);
 752
 753        EFI_PRINT("%s: Exit, %d\n", __func__, ret);
 754        return ret;
 755}
 756#else
 757static bool efi_image_authenticate(void *efi, size_t efi_size)
 758{
 759        return true;
 760}
 761#endif /* CONFIG_EFI_SECURE_BOOT */
 762
 763
 764/**
 765 * efi_check_pe() - check if a memory buffer contains a PE-COFF image
 766 *
 767 * @buffer:     buffer to check
 768 * @size:       size of buffer
 769 * @nt_header:  on return pointer to NT header of PE-COFF image
 770 * Return:      EFI_SUCCESS if the buffer contains a PE-COFF image
 771 */
 772efi_status_t efi_check_pe(void *buffer, size_t size, void **nt_header)
 773{
 774        IMAGE_DOS_HEADER *dos = buffer;
 775        IMAGE_NT_HEADERS32 *nt;
 776
 777        if (size < sizeof(*dos))
 778                return EFI_INVALID_PARAMETER;
 779
 780        /* Check for DOS magix */
 781        if (dos->e_magic != IMAGE_DOS_SIGNATURE)
 782                return EFI_INVALID_PARAMETER;
 783
 784        /*
 785         * Check if the image section header fits into the file. Knowing that at
 786         * least one section header follows we only need to check for the length
 787         * of the 64bit header which is longer than the 32bit header.
 788         */
 789        if (size < dos->e_lfanew + sizeof(IMAGE_NT_HEADERS32))
 790                return EFI_INVALID_PARAMETER;
 791        nt = (IMAGE_NT_HEADERS32 *)((u8 *)buffer + dos->e_lfanew);
 792
 793        /* Check for PE-COFF magic */
 794        if (nt->Signature != IMAGE_NT_SIGNATURE)
 795                return EFI_INVALID_PARAMETER;
 796
 797        if (nt_header)
 798                *nt_header = nt;
 799
 800        return EFI_SUCCESS;
 801}
 802
 803/**
 804 * section_size() - determine size of section
 805 *
 806 * The size of a section in memory if normally given by VirtualSize.
 807 * If VirtualSize is not provided, use SizeOfRawData.
 808 *
 809 * @sec:        section header
 810 * Return:      size of section in memory
 811 */
 812static u32 section_size(IMAGE_SECTION_HEADER *sec)
 813{
 814        if (sec->Misc.VirtualSize)
 815                return sec->Misc.VirtualSize;
 816        else
 817                return sec->SizeOfRawData;
 818}
 819
 820/**
 821 * efi_load_pe() - relocate EFI binary
 822 *
 823 * This function loads all sections from a PE binary into a newly reserved
 824 * piece of memory. On success the entry point is returned as handle->entry.
 825 *
 826 * @handle:             loaded image handle
 827 * @efi:                pointer to the EFI binary
 828 * @efi_size:           size of @efi binary
 829 * @loaded_image_info:  loaded image protocol
 830 * Return:              status code
 831 */
 832efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
 833                         void *efi, size_t efi_size,
 834                         struct efi_loaded_image *loaded_image_info)
 835{
 836        IMAGE_NT_HEADERS32 *nt;
 837        IMAGE_DOS_HEADER *dos;
 838        IMAGE_SECTION_HEADER *sections;
 839        int num_sections;
 840        void *efi_reloc;
 841        int i;
 842        const IMAGE_BASE_RELOCATION *rel;
 843        unsigned long rel_size;
 844        int rel_idx = IMAGE_DIRECTORY_ENTRY_BASERELOC;
 845        uint64_t image_base;
 846        unsigned long virt_size = 0;
 847        int supported = 0;
 848        efi_status_t ret;
 849
 850        ret = efi_check_pe(efi, efi_size, (void **)&nt);
 851        if (ret != EFI_SUCCESS) {
 852                log_err("Not a PE-COFF file\n");
 853                return EFI_LOAD_ERROR;
 854        }
 855
 856        for (i = 0; machines[i]; i++)
 857                if (machines[i] == nt->FileHeader.Machine) {
 858                        supported = 1;
 859                        break;
 860                }
 861
 862        if (!supported) {
 863                log_err("Machine type 0x%04x is not supported\n",
 864                        nt->FileHeader.Machine);
 865                return EFI_LOAD_ERROR;
 866        }
 867
 868        num_sections = nt->FileHeader.NumberOfSections;
 869        sections = (void *)&nt->OptionalHeader +
 870                            nt->FileHeader.SizeOfOptionalHeader;
 871
 872        if (efi_size < ((void *)sections + sizeof(sections[0]) * num_sections
 873                        - efi)) {
 874                log_err("Invalid number of sections: %d\n", num_sections);
 875                return EFI_LOAD_ERROR;
 876        }
 877
 878        /* Authenticate an image */
 879        if (efi_image_authenticate(efi, efi_size)) {
 880                handle->auth_status = EFI_IMAGE_AUTH_PASSED;
 881        } else {
 882                handle->auth_status = EFI_IMAGE_AUTH_FAILED;
 883                log_err("Image not authenticated\n");
 884        }
 885
 886        /* Calculate upper virtual address boundary */
 887        for (i = num_sections - 1; i >= 0; i--) {
 888                IMAGE_SECTION_HEADER *sec = &sections[i];
 889
 890                virt_size = max_t(unsigned long, virt_size,
 891                                  sec->VirtualAddress + section_size(sec));
 892        }
 893
 894        /* Read 32/64bit specific header bits */
 895        if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
 896                IMAGE_NT_HEADERS64 *nt64 = (void *)nt;
 897                IMAGE_OPTIONAL_HEADER64 *opt = &nt64->OptionalHeader;
 898                image_base = opt->ImageBase;
 899                efi_set_code_and_data_type(loaded_image_info, opt->Subsystem);
 900                handle->image_type = opt->Subsystem;
 901                efi_reloc = efi_alloc_aligned_pages(virt_size,
 902                                                    loaded_image_info->image_code_type,
 903                                                    opt->SectionAlignment);
 904                if (!efi_reloc) {
 905                        log_err("Out of memory\n");
 906                        ret = EFI_OUT_OF_RESOURCES;
 907                        goto err;
 908                }
 909                handle->entry = efi_reloc + opt->AddressOfEntryPoint;
 910                rel_size = opt->DataDirectory[rel_idx].Size;
 911                rel = efi_reloc + opt->DataDirectory[rel_idx].VirtualAddress;
 912        } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
 913                IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader;
 914                image_base = opt->ImageBase;
 915                efi_set_code_and_data_type(loaded_image_info, opt->Subsystem);
 916                handle->image_type = opt->Subsystem;
 917                efi_reloc = efi_alloc_aligned_pages(virt_size,
 918                                                    loaded_image_info->image_code_type,
 919                                                    opt->SectionAlignment);
 920                if (!efi_reloc) {
 921                        log_err("Out of memory\n");
 922                        ret = EFI_OUT_OF_RESOURCES;
 923                        goto err;
 924                }
 925                handle->entry = efi_reloc + opt->AddressOfEntryPoint;
 926                rel_size = opt->DataDirectory[rel_idx].Size;
 927                rel = efi_reloc + opt->DataDirectory[rel_idx].VirtualAddress;
 928        } else {
 929                log_err("Invalid optional header magic %x\n",
 930                        nt->OptionalHeader.Magic);
 931                ret = EFI_LOAD_ERROR;
 932                goto err;
 933        }
 934
 935#if CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL)
 936        /* Measure an PE/COFF image */
 937        ret = tcg2_measure_pe_image(efi, efi_size, handle, loaded_image_info);
 938        if (ret == EFI_SECURITY_VIOLATION) {
 939                /*
 940                 * TCG2 Protocol is installed but no TPM device found,
 941                 * this is not expected.
 942                 */
 943                log_err("PE image measurement failed, no tpm device found\n");
 944                goto err;
 945        }
 946
 947#endif
 948
 949        /* Copy PE headers */
 950        memcpy(efi_reloc, efi,
 951               sizeof(*dos)
 952                 + sizeof(*nt)
 953                 + nt->FileHeader.SizeOfOptionalHeader
 954                 + num_sections * sizeof(IMAGE_SECTION_HEADER));
 955
 956        /* Load sections into RAM */
 957        for (i = num_sections - 1; i >= 0; i--) {
 958                IMAGE_SECTION_HEADER *sec = &sections[i];
 959                u32 copy_size = section_size(sec);
 960
 961                if (copy_size > sec->SizeOfRawData) {
 962                        copy_size = sec->SizeOfRawData;
 963                        memset(efi_reloc + sec->VirtualAddress, 0,
 964                               sec->Misc.VirtualSize);
 965                }
 966                memcpy(efi_reloc + sec->VirtualAddress,
 967                       efi + sec->PointerToRawData,
 968                       copy_size);
 969        }
 970
 971        /* Run through relocations */
 972        if (efi_loader_relocate(rel, rel_size, efi_reloc,
 973                                (unsigned long)image_base) != EFI_SUCCESS) {
 974                efi_free_pages((uintptr_t) efi_reloc,
 975                               (virt_size + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT);
 976                ret = EFI_LOAD_ERROR;
 977                goto err;
 978        }
 979
 980        /* Flush cache */
 981        flush_cache((ulong)efi_reloc,
 982                    ALIGN(virt_size, EFI_CACHELINE_SIZE));
 983        invalidate_icache_all();
 984
 985        /* Populate the loaded image interface bits */
 986        loaded_image_info->image_base = efi_reloc;
 987        loaded_image_info->image_size = virt_size;
 988
 989        if (handle->auth_status == EFI_IMAGE_AUTH_PASSED)
 990                return EFI_SUCCESS;
 991        else
 992                return EFI_SECURITY_VIOLATION;
 993
 994err:
 995        return ret;
 996}
 997