Using HTTPS without root (CA) certificates is a security issue. Print a
warning in this case. Also, when certificate verification fail, print
an additional message because "HTTP client error 4" is not very
informative (4 is HTTPC_RESULT_ERR_CLOSED).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Instead of relying on some build time configuration to determine if
server certificates need to be checked against CA certificates, do it
based on the availability of such certificates. If no CA is configured
then no check can succeed; on the other hand if we have CA certs then
we should not ignore them. It is always possible to remove the CA certs
(via 'wget cacert 0 0') to force an HTTPS download that would fail
certificate validation.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
CONFIG_SYS_FDT_PAD defines the number of unused bytes added to a
device-tree and not the total size.
Fixes: 40ed7be4af ("Convert CONFIG_SYS_FDT_PAD to Kconfig")
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Structure jmp_buf_data provides the underlying format of jmp_buf, which
we actually don't care about. Clean up existing code to use the standard
jmp_buf type. This introduces no functional change.
Signed-off-by: Yao Zi <ziyao@disroot.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Separate setjmp.h into an architecture independent part and an architecture
specific part. This simplifies moving from using struct jmp_buf_data
directly to using type jmp_buf in our code which is the C compliant way.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Add support for multiple efi_net_obj structs in efi_net.c. This comes
in preparation for an EFI network driver supporting multiple network
interfaces. For now the EFI network stack still registers a single ethernet
udevice as an EFI network device even if multiple are present, namely
the one that was the current device at the moment of EFI initialization.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
In preparation to support mutiple efi net udevices. Add a device path
cache to support device paths from multiple ethernet udevices.
The device paths can be added to the cache before EFI gets initialized and
the protocols get installed.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
In preparation to support multiple EFI net objects, support
constructing device paths using an ethernet device different
than the default. Add a udevice argument to the device path
generation, and keep the callsites with eth_get_dev() to
preserve existing functionality.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
This gets called each time a payload is to get executed by bootefi.
For now this only updates the PXE IP address.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
The coomand bootefi calls efi_init_obj_list to do the efi set up
before launching an .efi payload, but efi_init_obj_list is called
only once. There are some initializations which depend on the
environment and should be done each time a payload gets launched and
not only once. A motivation for this changes is the following order
of events:
1. Launch an EFI application (e.g. bootefi hello)
2. Change the ip address
3. Launch another application which uses the pxe protocol
As the EFI pxe protocol was initialized when the handles
for efi net were created in 1., the ip was hardcoded there.
In this example, another possibility would be to make a callback for ip
address changes to go all the way up to efi_net.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
The following symbols are exposed:
- efi_reinstall_protocol_interface
This is done so that the device path protocol interface
of the network device can be changed internally by u-boot
when a new bootfile gets downloaded.
- eth_set_dev
To support multiple network udevices
- efi_close_event
This comes in preparation to support unregistering
an EFI network device from the EFI network stack when
the underlying U-boot device gets removed
- efi_[dis]connect_controller
The EFI network driver uses ConnectController to add a
NIC to the EFI network stack.
- efi_uninstall_protocol_interface
connect_controler for the efi network driver can install
protocols, which need to be uninstalled in disconnect_controller
- EFI_SIMPLE_NETWORK_PROTOCOL_GUID
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
This commit fixes an use after free introduced in Commit e55a4acb54
(" efi_loader: net: set EFI bootdevice device path to HTTP when loaded
from wget"). The logic in efi_net_set_dp is reworked so that when the
function is invoked it not only changes the value of the static variable
net_dp (this is how the function was implemented in e55a4acb54) but also
updates the protocol interface of the device path protocol in case efi
has started.
Fixes: e55a4acb54 ("efi_loader: net: set EFI bootdevice device path to HTTP when loaded from wget")
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
Gabriel Dalimonte <gabriel.dalimonte@gmail.com> says:
This series adds support for file renaming to EFI_FILE_PROTOCOL.SetInfo().
One of the use cases for renaming in EFI is to facilitate boot loader
boot counting.
No existing filesystems in U-Boot currently include file renaming,
resulting in support for renaming at the filesystem level and a
concrete implementation for the FAT filesystem.
Link: https://lore.kernel.org/r/20250217182648.31294-1-gabriel.dalimonte@gmail.com
Following the UEFI specification. The specification did not seem to
delineate if file_name was explicitly a file name only, or could
include paths to move the file to a different directory. The more
generous interpretation of supporting paths was selected.
Signed-off-by: Gabriel Dalimonte <gabriel.dalimonte@gmail.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
In order to support renaming via SetInfo(), path must allow for longer
values than what was originally present when file_handle was allocated.
Signed-off-by: Gabriel Dalimonte <gabriel.dalimonte@gmail.com>
The implementation roughly follows the POSIX specification for
rename() [1]. The ordering of operations attempting to minimize the chance
for data loss in unexpected circumstances.
The 'mv' command was implemented as a front end for the rename operation
as that is what most users are likely familiar with in terms of behavior.
The 'FAT_RENAME' Kconfig option was added to prevent code size increase on
size-oriented builds like SPL.
[1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/rename.html
Signed-off-by: Gabriel Dalimonte <gabriel.dalimonte@gmail.com>
- Ensure `free_ctx` is called in both error and success paths.
- Fix memory leak in `ctx.signature` when `do_add` fails."
Triggers found by static analyzer Svace.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
The current code has a problematic corner case with formar "%c" and
0 as parameter. The proper zero byte is being emitted into digit buffer
but the final copy into outstr expects null-terminated string and doesn't
copy the required \0 byte. This has lead to malformed TFTP packets, refer
to tftp_send() which relies on %c to generate multiple zero-terminated
strings in one buffer.
Introduce a variable to force the copy of one character in this case.
The new behaviour is consistent with non-tiny implementation.
Reported-by: Chintan Vankar <c-vankar@ti.com>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
rsa_verify_openssl() is used in lib/rsa/rsa-verify.c to authenticate data
when building host tools.
Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
Baocheng Su <baocheng.su@siemens.com> says:
This introduces a sysinfo driver which also permits SMBIOS support.
The first 10 patches of v2 have already been applied. The remaining is
solely the sysinfo driver. To maintain consistency and ease of searching
through the history, the series title remains unchanged.
Link: https://lore.kernel.org/r/20250218023614.52574-1-baocheng.su@siemens.com
This commit fixes an use after free introduced in Commit e55a4acb54
(" efi_loader: net: set EFI bootdevice device path to HTTP when loaded
from wget"). The logic in efi_net_set_dp is reworked so that when the
function is invoked it not only changes the value of the static variable
net_dp (this is how the function was implemented in e55a4acb54) but also
updates the protocol interface of the device path protocol in case efi
has started.
Fixes: e55a4acb54 ("efi_loader: net: set EFI bootdevice device path to HTTP when loaded from wget")
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
Refactor the entire kconfig page for mbedtls, adapt mbedtls makefile
and default config file using 'XPL_', in order to have independent
mbedtls kconfig options in U-Boot Proper, SPL, TPL and VPL.
User can choose legacy or mbedtls libraries for them independently.
Set mbedtls native hashing libraries as default when MBEDTLS_LIB,
SPL_MBEDTLS_LIB, TPL_MBEDTLS_LIB or VPL_MBEDTLS_LIB is selected.
If users prefer using U-Boot legacy hashing libraries, please select
MBEDTLS_LIB_HASHING_ALT, SPL_MBEDTLS_LIB_HASHING_ALT,
TPL_MBEDTLS_LIB_HASHING_ALT or VPL_MBEDTLS_LIB_HASHING_ALT for U-Boot
Proper, SPL, TPL and VPL respectively.
Moreover, rename a few kconfig options and update their descriptions to
improve the consistency of terminology.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
U-Boot requires to access x509_internal.h, mbedtls_sha256_context and
mbedtls_sha1_context in the porting layer, and this requires to
enable MBEDTLS_ALLOW_PRIVATE_ACCESS.
Enable it to mscode and pkcs7_parser to fix a mbedtls internal building
error when X509 is selected.
Moreover, Move it to a separate file to avoid enabling it in multiple
places.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Fixed the building failures when WGET_HTTPS,NET_LWIP and MBEDTLS_LIB
are selected due to a few incorrect kconfig dependencies.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
When building with qemu_arm64_defconfig with CONFIG_CC_OPTIMIZE_FOR_DEBUG=y
and CONFIG_EFI_LOADER=n an error undefined reference to efi_add_memory_map_pg
occurs.
Move the EFI dependent part of lmb_map_update_notify() to the EFI
sub-system.
Reported-by: Liya Huang <1425075683@qq.com>
Acked-by: Liya Huang <1425075683@qq.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Instead of testing the value of parameter op at runtime use an enum to
ensure that only valid values are used.
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Up to now root has been the parent device for all block devices created via
calling ConnectController(). This does not work well together with the
implementation of bootstd.
Add a dummy parent device for all EFI block devices.
With this change EFI block devices are also accessible via commands like
'cat', 'load', and 'ls'.
=> dm tree
Class Seq Probed Driver Name
-----------------------------------------------------------
efi 0 [ + ] EFI block driver `-- efi
blk 3 [ + ] efi_blk `-- efi.efiblk#0
partition 0 [ + ] blk_partition `-- efi.efiblk#0:1
=> ls efiloader 0:1
13 hello.txt
7 u-boot.txt
2 file(s), 0 dir(s)
=> cat efiloader 0:1 hello.txt
Hello world!
=> efidebug dh
0000000018df1700 (efi.efiblk#0:1)
/VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f)
Block IO
Simple File System
Adjust the event dump unit test to consider the new event spy.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
For EFI runtime services, we manage to preserve string literals
by placing the .efi_runtime section just before .data and preserving
it when marking the runtime memory by marking surrounding boottime
code as runtime. This is ok for now but will break if we update any
linker scripts and decouple .text and .runtime sections.
So let's define the strings we used to compare in the appropriate
section for runtime services
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
After having been compared to a NULL value at efi_disk.c:426,
pointer 'part_info' is dereferenced at efi_disk.c:534.
Signed-off-by: Maks Mishin <maks.mishinFZ@gmail.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Add more EFI protocols GUIDs to the translation table used by
uuid_guid_get_str().
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Tom Rini <trini@konsulko.com>
When we squash imported mbedtls, the git submodule "framework" was
preserved in the commit. However, U-Boot itself does not use git
submodule, and provides no .gitmodules file to specify the submodule
repository.
This is normally not an issue when cloning U-Boot repository. However,
when U-Boot is imported as a submodule, this will break git option
`--recurse-submodules` as it fails to resolve "framework".
As we do not use the submodule, remove it to unbreak existing workflows.
Fixes: 12f1212e95 ("Merge commit '0344c602eadc0802776b65ff90f0a02c856cf53c' as 'lib/mbedtls/external/mbedtls'")
Signed-off-by: ZHANG Yuntian <yt@radxa.com>
Implement library function strnstr().
Implement strstr() using strnstr().
Sort the includes.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
[jf: replace <stdint.h> by <limits.h>, folded from next patch]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Find_option() is used to retrieve the block size value in an option
acknowledgment in response to a request containing a block size option
according to RFC2348.
The format of an OACK response is described in RFC2347 as
+-------+---~~---+---+---~~---+---+---~~---+---+---~~---+---+
| opc | opt1 | 0 | value1 | 0 | optN | 0 | valueN | 0 |
+-------+---~~---+---+---~~---+---+---~~---+---+---~~---+---+
The current implementation of find_option() only works if
* blksize is the first option
* lwip_strnstr() ignores the length parameter,
i.e. is implemented via strstr()
The OACK messages starts with 0x00 0x06. If 'blksize' is the first option,
strstr() reports a match when the first parameter points to 0x06. Adding
the string length of 'blksize' plus 2 to the location of the 0x06 byte
points to the value.
Find_option() would report a match for option 'blksize' if the response
contained an option called 'foo_blksize_bar'. In this case find_option()
would return 'bar' as the value string.
If 'blksize' were the second option, find_option() would return a pointer
to the second character of the value string.
Furthermore find_option() does not detect if the value string is NUL
terminated. This may lead to a buffer overrun.
Provide an implementation that correctly steps from option to option.
Fixes: 27d7ccda94 ("net: lwip: tftp: add support of blksize option to client")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (qemu_arm64_lwip)
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Mark these functions as needed by relocation. These functions are used
to copy data while relocating the next-phase image.
Drop the 'safe' versions from SPL as they are not needed. Change the
static array to a local one, to avoid link errors when trying to access
the data.
Signed-off-by: Simon Glass <sjg@chromium.org>
Mark the lz4 decompression code as needed by relocation. This is used to
decompress the next-phase image.
Drop the 'safe' versions from SPL as they are not needed. Change the
static array to a local one, to avoid a crash errors when trying to
access the data from relocated code. Make this conditional to avoid a
code-size increase when SPL_RELOC is not used/
Signed-off-by: Simon Glass <sjg@chromium.org>
Mark the crc8 code as needed by relocation. This is used as a simple
check against corruption of the code when copying.
Signed-off-by: Simon Glass <sjg@chromium.org>
Update the build rule so that hash algorithms are only included in an
SPL build if they are requested. This helps to reduce code size.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
This code is not necessarily needed in VPL, even if SPL uses it, so
adjust the rules to allow it to be dropped.
Do the same for the hash API.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
