1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * EFI image loader
4 *
5 * based partly on wine code
6 *
7 * Copyright (c) 2016 Alexander Graf
8 */
9
10 #define LOG_CATEGORY LOGC_EFI
11
12 #include <common.h>
13 #include <cpu_func.h>
14 #include <efi_loader.h>
15 #include <log.h>
16 #include <malloc.h>
17 #include <pe.h>
18 #include <sort.h>
19 #include <crypto/pkcs7_parser.h>
20 #include <linux/err.h>
21
22 const efi_guid_t efi_global_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
23 const efi_guid_t efi_guid_device_path = EFI_DEVICE_PATH_PROTOCOL_GUID;
24 const efi_guid_t efi_guid_loaded_image = EFI_LOADED_IMAGE_PROTOCOL_GUID;
25 const efi_guid_t efi_guid_loaded_image_device_path =
26 EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID;
27 const efi_guid_t efi_simple_file_system_protocol_guid =
28 EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID;
29 const efi_guid_t efi_file_info_guid = EFI_FILE_INFO_GUID;
30
31 static int machines[] = {
32 #if defined(__aarch64__)
33 IMAGE_FILE_MACHINE_ARM64,
34 #elif defined(__arm__)
35 IMAGE_FILE_MACHINE_ARM,
36 IMAGE_FILE_MACHINE_THUMB,
37 IMAGE_FILE_MACHINE_ARMNT,
38 #endif
39
40 #if defined(__x86_64__)
41 IMAGE_FILE_MACHINE_AMD64,
42 #elif defined(__i386__)
43 IMAGE_FILE_MACHINE_I386,
44 #endif
45
46 #if defined(__riscv) && (__riscv_xlen == 32)
47 IMAGE_FILE_MACHINE_RISCV32,
48 #endif
49
50 #if defined(__riscv) && (__riscv_xlen == 64)
51 IMAGE_FILE_MACHINE_RISCV64,
52 #endif
53 0 };
54
55 /**
56 * efi_print_image_info() - print information about a loaded image
57 *
58 * If the program counter is located within the image the offset to the base
59 * address is shown.
60 *
61 * @obj: EFI object
62 * @image: loaded image
63 * @pc: program counter (use NULL to suppress offset output)
64 * Return: status code
65 */
efi_print_image_info(struct efi_loaded_image_obj * obj,struct efi_loaded_image * image,void * pc)66 static efi_status_t efi_print_image_info(struct efi_loaded_image_obj *obj,
67 struct efi_loaded_image *image,
68 void *pc)
69 {
70 printf("UEFI image");
71 printf(" [0x%p:0x%p]",
72 image->image_base, image->image_base + image->image_size - 1);
73 if (pc && pc >= image->image_base &&
74 pc < image->image_base + image->image_size)
75 printf(" pc=0x%zx", pc - image->image_base);
76 if (image->file_path)
77 printf(" '%pD'", image->file_path);
78 printf("\n");
79 return EFI_SUCCESS;
80 }
81
82 /**
83 * efi_print_image_infos() - print information about all loaded images
84 *
85 * @pc: program counter (use NULL to suppress offset output)
86 */
efi_print_image_infos(void * pc)87 void efi_print_image_infos(void *pc)
88 {
89 struct efi_object *efiobj;
90 struct efi_handler *handler;
91
92 list_for_each_entry(efiobj, &efi_obj_list, link) {
93 list_for_each_entry(handler, &efiobj->protocols, link) {
94 if (!guidcmp(handler->guid, &efi_guid_loaded_image)) {
95 efi_print_image_info(
96 (struct efi_loaded_image_obj *)efiobj,
97 handler->protocol_interface, pc);
98 }
99 }
100 }
101 }
102
103 /**
104 * efi_loader_relocate() - relocate UEFI binary
105 *
106 * @rel: pointer to the relocation table
107 * @rel_size: size of the relocation table in bytes
108 * @efi_reloc: actual load address of the image
109 * @pref_address: preferred load address of the image
110 * Return: status code
111 */
efi_loader_relocate(const IMAGE_BASE_RELOCATION * rel,unsigned long rel_size,void * efi_reloc,unsigned long pref_address)112 static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
113 unsigned long rel_size, void *efi_reloc,
114 unsigned long pref_address)
115 {
116 unsigned long delta = (unsigned long)efi_reloc - pref_address;
117 const IMAGE_BASE_RELOCATION *end;
118 int i;
119
120 if (delta == 0)
121 return EFI_SUCCESS;
122
123 end = (const IMAGE_BASE_RELOCATION *)((const char *)rel + rel_size);
124 while (rel < end && rel->SizeOfBlock) {
125 const uint16_t *relocs = (const uint16_t *)(rel + 1);
126 i = (rel->SizeOfBlock - sizeof(*rel)) / sizeof(uint16_t);
127 while (i--) {
128 uint32_t offset = (uint32_t)(*relocs & 0xfff) +
129 rel->VirtualAddress;
130 int type = *relocs >> EFI_PAGE_SHIFT;
131 uint64_t *x64 = efi_reloc + offset;
132 uint32_t *x32 = efi_reloc + offset;
133 uint16_t *x16 = efi_reloc + offset;
134
135 switch (type) {
136 case IMAGE_REL_BASED_ABSOLUTE:
137 break;
138 case IMAGE_REL_BASED_HIGH:
139 *x16 += ((uint32_t)delta) >> 16;
140 break;
141 case IMAGE_REL_BASED_LOW:
142 *x16 += (uint16_t)delta;
143 break;
144 case IMAGE_REL_BASED_HIGHLOW:
145 *x32 += (uint32_t)delta;
146 break;
147 case IMAGE_REL_BASED_DIR64:
148 *x64 += (uint64_t)delta;
149 break;
150 #ifdef __riscv
151 case IMAGE_REL_BASED_RISCV_HI20:
152 *x32 = ((*x32 & 0xfffff000) + (uint32_t)delta) |
153 (*x32 & 0x00000fff);
154 break;
155 case IMAGE_REL_BASED_RISCV_LOW12I:
156 case IMAGE_REL_BASED_RISCV_LOW12S:
157 /* We know that we're 4k aligned */
158 if (delta & 0xfff) {
159 log_err("Unsupported reloc offset\n");
160 return EFI_LOAD_ERROR;
161 }
162 break;
163 #endif
164 default:
165 log_err("Unknown Relocation off %x type %x\n",
166 offset, type);
167 return EFI_LOAD_ERROR;
168 }
169 relocs++;
170 }
171 rel = (const IMAGE_BASE_RELOCATION *)relocs;
172 }
173 return EFI_SUCCESS;
174 }
175
invalidate_icache_all(void)176 void __weak invalidate_icache_all(void)
177 {
178 /* If the system doesn't support icache_all flush, cross our fingers */
179 }
180
181 /**
182 * efi_set_code_and_data_type() - determine the memory types to be used for code
183 * and data.
184 *
185 * @loaded_image_info: image descriptor
186 * @image_type: field Subsystem of the optional header for
187 * Windows specific field
188 */
efi_set_code_and_data_type(struct efi_loaded_image * loaded_image_info,uint16_t image_type)189 static void efi_set_code_and_data_type(
190 struct efi_loaded_image *loaded_image_info,
191 uint16_t image_type)
192 {
193 switch (image_type) {
194 case IMAGE_SUBSYSTEM_EFI_APPLICATION:
195 loaded_image_info->image_code_type = EFI_LOADER_CODE;
196 loaded_image_info->image_data_type = EFI_LOADER_DATA;
197 break;
198 case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
199 loaded_image_info->image_code_type = EFI_BOOT_SERVICES_CODE;
200 loaded_image_info->image_data_type = EFI_BOOT_SERVICES_DATA;
201 break;
202 case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
203 case IMAGE_SUBSYSTEM_EFI_ROM:
204 loaded_image_info->image_code_type = EFI_RUNTIME_SERVICES_CODE;
205 loaded_image_info->image_data_type = EFI_RUNTIME_SERVICES_DATA;
206 break;
207 default:
208 log_err("invalid image type: %u\n", image_type);
209 /* Let's assume it is an application */
210 loaded_image_info->image_code_type = EFI_LOADER_CODE;
211 loaded_image_info->image_data_type = EFI_LOADER_DATA;
212 break;
213 }
214 }
215
216 #ifdef CONFIG_EFI_SECURE_BOOT
217 /**
218 * cmp_pe_section() - compare virtual addresses of two PE image sections
219 * @arg1: pointer to pointer to first section header
220 * @arg2: pointer to pointer to second section header
221 *
222 * Compare the virtual addresses of two sections of an portable executable.
223 * The arguments are defined as const void * to allow usage with qsort().
224 *
225 * Return: -1 if the virtual address of arg1 is less than that of arg2,
226 * 0 if the virtual addresses are equal, 1 if the virtual address
227 * of arg1 is greater than that of arg2.
228 */
cmp_pe_section(const void * arg1,const void * arg2)229 static int cmp_pe_section(const void *arg1, const void *arg2)
230 {
231 const IMAGE_SECTION_HEADER *section1, *section2;
232
233 section1 = *((const IMAGE_SECTION_HEADER **)arg1);
234 section2 = *((const IMAGE_SECTION_HEADER **)arg2);
235
236 if (section1->VirtualAddress < section2->VirtualAddress)
237 return -1;
238 else if (section1->VirtualAddress == section2->VirtualAddress)
239 return 0;
240 else
241 return 1;
242 }
243
244 /**
245 * efi_image_parse() - parse a PE image
246 * @efi: Pointer to image
247 * @len: Size of @efi
248 * @regp: Pointer to a list of regions
249 * @auth: Pointer to a pointer to authentication data in PE
250 * @auth_len: Size of @auth
251 *
252 * Parse image binary in PE32(+) format, assuming that sanity of PE image
253 * has been checked by a caller.
254 * On success, an address of authentication data in @efi and its size will
255 * be returned in @auth and @auth_len, respectively.
256 *
257 * Return: true on success, false on error
258 */
efi_image_parse(void * efi,size_t len,struct efi_image_regions ** regp,WIN_CERTIFICATE ** auth,size_t * auth_len)259 bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
260 WIN_CERTIFICATE **auth, size_t *auth_len)
261 {
262 struct efi_image_regions *regs;
263 IMAGE_DOS_HEADER *dos;
264 IMAGE_NT_HEADERS32 *nt;
265 IMAGE_SECTION_HEADER *sections, **sorted;
266 int num_regions, num_sections, i;
267 int ctidx = IMAGE_DIRECTORY_ENTRY_SECURITY;
268 u32 align, size, authsz, authoff;
269 size_t bytes_hashed;
270
271 dos = (void *)efi;
272 nt = (void *)(efi + dos->e_lfanew);
273 authoff = 0;
274 authsz = 0;
275
276 /*
277 * Count maximum number of regions to be digested.
278 * We don't have to have an exact number here.
279 * See efi_image_region_add()'s in parsing below.
280 */
281 num_regions = 3; /* for header */
282 num_regions += nt->FileHeader.NumberOfSections;
283 num_regions++; /* for extra */
284
285 regs = calloc(sizeof(*regs) + sizeof(struct image_region) * num_regions,
286 1);
287 if (!regs)
288 goto err;
289 regs->max = num_regions;
290
291 /*
292 * Collect data regions for hash calculation
293 * 1. File headers
294 */
295 if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
296 IMAGE_NT_HEADERS64 *nt64 = (void *)nt;
297 IMAGE_OPTIONAL_HEADER64 *opt = &nt64->OptionalHeader;
298
299 /* Skip CheckSum */
300 efi_image_region_add(regs, efi, &opt->CheckSum, 0);
301 if (nt64->OptionalHeader.NumberOfRvaAndSizes <= ctidx) {
302 efi_image_region_add(regs,
303 &opt->Subsystem,
304 efi + opt->SizeOfHeaders, 0);
305 } else {
306 /* Skip Certificates Table */
307 efi_image_region_add(regs,
308 &opt->Subsystem,
309 &opt->DataDirectory[ctidx], 0);
310 efi_image_region_add(regs,
311 &opt->DataDirectory[ctidx] + 1,
312 efi + opt->SizeOfHeaders, 0);
313
314 authoff = opt->DataDirectory[ctidx].VirtualAddress;
315 authsz = opt->DataDirectory[ctidx].Size;
316 }
317
318 bytes_hashed = opt->SizeOfHeaders;
319 align = opt->FileAlignment;
320 } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
321 IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader;
322
323 /* Skip CheckSum */
324 efi_image_region_add(regs, efi, &opt->CheckSum, 0);
325 if (nt->OptionalHeader.NumberOfRvaAndSizes <= ctidx) {
326 efi_image_region_add(regs,
327 &opt->Subsystem,
328 efi + opt->SizeOfHeaders, 0);
329 } else {
330 /* Skip Certificates Table */
331 efi_image_region_add(regs, &opt->Subsystem,
332 &opt->DataDirectory[ctidx], 0);
333 efi_image_region_add(regs,
334 &opt->DataDirectory[ctidx] + 1,
335 efi + opt->SizeOfHeaders, 0);
336
337 authoff = opt->DataDirectory[ctidx].VirtualAddress;
338 authsz = opt->DataDirectory[ctidx].Size;
339 }
340
341 bytes_hashed = opt->SizeOfHeaders;
342 align = opt->FileAlignment;
343 } else {
344 EFI_PRINT("%s: Invalid optional header magic %x\n", __func__,
345 nt->OptionalHeader.Magic);
346 goto err;
347 }
348
349 /* 2. Sections */
350 num_sections = nt->FileHeader.NumberOfSections;
351 sections = (void *)((uint8_t *)&nt->OptionalHeader +
352 nt->FileHeader.SizeOfOptionalHeader);
353 sorted = calloc(sizeof(IMAGE_SECTION_HEADER *), num_sections);
354 if (!sorted) {
355 EFI_PRINT("%s: Out of memory\n", __func__);
356 goto err;
357 }
358
359 /*
360 * Make sure the section list is in ascending order.
361 */
362 for (i = 0; i < num_sections; i++)
363 sorted[i] = §ions[i];
364 qsort(sorted, num_sections, sizeof(sorted[0]), cmp_pe_section);
365
366 for (i = 0; i < num_sections; i++) {
367 if (!sorted[i]->SizeOfRawData)
368 continue;
369
370 size = (sorted[i]->SizeOfRawData + align - 1) & ~(align - 1);
371 efi_image_region_add(regs, efi + sorted[i]->PointerToRawData,
372 efi + sorted[i]->PointerToRawData + size,
373 0);
374 EFI_PRINT("section[%d](%s): raw: 0x%x-0x%x, virt: %x-%x\n",
375 i, sorted[i]->Name,
376 sorted[i]->PointerToRawData,
377 sorted[i]->PointerToRawData + size,
378 sorted[i]->VirtualAddress,
379 sorted[i]->VirtualAddress
380 + sorted[i]->Misc.VirtualSize);
381
382 bytes_hashed += size;
383 }
384 free(sorted);
385
386 /* 3. Extra data excluding Certificates Table */
387 if (bytes_hashed + authsz < len) {
388 EFI_PRINT("extra data for hash: %zu\n",
389 len - (bytes_hashed + authsz));
390 efi_image_region_add(regs, efi + bytes_hashed,
391 efi + len - authsz, 0);
392 }
393
394 /* Return Certificates Table */
395 if (authsz) {
396 if (len < authoff + authsz) {
397 EFI_PRINT("%s: Size for auth too large: %u >= %zu\n",
398 __func__, authsz, len - authoff);
399 goto err;
400 }
401 if (authsz < sizeof(*auth)) {
402 EFI_PRINT("%s: Size for auth too small: %u < %zu\n",
403 __func__, authsz, sizeof(*auth));
404 goto err;
405 }
406 *auth = efi + authoff;
407 *auth_len = authsz;
408 EFI_PRINT("WIN_CERTIFICATE: 0x%x, size: 0x%x\n", authoff,
409 authsz);
410 } else {
411 *auth = NULL;
412 *auth_len = 0;
413 }
414
415 *regp = regs;
416
417 return true;
418
419 err:
420 free(regs);
421
422 return false;
423 }
424
425 /**
426 * efi_image_unsigned_authenticate() - authenticate unsigned image with
427 * SHA256 hash
428 * @regs: List of regions to be verified
429 *
430 * If an image is not signed, it doesn't have a signature. In this case,
431 * its message digest is calculated and it will be compared with one of
432 * hash values stored in signature databases.
433 *
434 * Return: true if authenticated, false if not
435 */
efi_image_unsigned_authenticate(struct efi_image_regions * regs)436 static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs)
437 {
438 struct efi_signature_store *db = NULL, *dbx = NULL;
439 bool ret = false;
440
441 dbx = efi_sigstore_parse_sigdb(L"dbx");
442 if (!dbx) {
443 EFI_PRINT("Getting signature database(dbx) failed\n");
444 goto out;
445 }
446
447 db = efi_sigstore_parse_sigdb(L"db");
448 if (!db) {
449 EFI_PRINT("Getting signature database(db) failed\n");
450 goto out;
451 }
452
453 /* try black-list first */
454 if (efi_signature_lookup_digest(regs, dbx)) {
455 EFI_PRINT("Image is not signed and its digest found in \"dbx\"\n");
456 goto out;
457 }
458
459 /* try white-list */
460 if (efi_signature_lookup_digest(regs, db))
461 ret = true;
462 else
463 EFI_PRINT("Image is not signed and its digest not found in \"db\" or \"dbx\"\n");
464
465 out:
466 efi_sigstore_free(db);
467 efi_sigstore_free(dbx);
468
469 return ret;
470 }
471
472 /**
473 * efi_image_authenticate() - verify a signature of signed image
474 * @efi: Pointer to image
475 * @efi_size: Size of @efi
476 *
477 * A signed image should have its signature stored in a table of its PE header.
478 * So if an image is signed and only if if its signature is verified using
479 * signature databases, an image is authenticated.
480 * If an image is not signed, its validity is checked by using
481 * efi_image_unsigned_authenticated().
482 * TODO:
483 * When AuditMode==0, if the image's signature is not found in
484 * the authorized database, or is found in the forbidden database,
485 * the image will not be started and instead, information about it
486 * will be placed in this table.
487 * When AuditMode==1, an EFI_IMAGE_EXECUTION_INFO element is created
488 * in the EFI_IMAGE_EXECUTION_INFO_TABLE for every certificate found
489 * in the certificate table of every image that is validated.
490 *
491 * Return: true if authenticated, false if not
492 */
efi_image_authenticate(void * efi,size_t efi_size)493 static bool efi_image_authenticate(void *efi, size_t efi_size)
494 {
495 struct efi_image_regions *regs = NULL;
496 WIN_CERTIFICATE *wincerts = NULL, *wincert;
497 size_t wincerts_len;
498 struct pkcs7_message *msg = NULL;
499 struct efi_signature_store *db = NULL, *dbx = NULL;
500 void *new_efi = NULL;
501 u8 *auth, *wincerts_end;
502 size_t new_efi_size, auth_size;
503 bool ret = false;
504
505 EFI_PRINT("%s: Enter, %d\n", __func__, ret);
506
507 if (!efi_secure_boot_enabled())
508 return true;
509
510 /*
511 * Size must be 8-byte aligned and the trailing bytes must be
512 * zero'ed. Otherwise hash value may be incorrect.
513 */
514 if (efi_size & 0x7) {
515 new_efi_size = (efi_size + 0x7) & ~0x7ULL;
516 new_efi = calloc(new_efi_size, 1);
517 if (!new_efi)
518 return false;
519 memcpy(new_efi, efi, efi_size);
520 efi = new_efi;
521 efi_size = new_efi_size;
522 }
523
524 if (!efi_image_parse(efi, efi_size, ®s, &wincerts,
525 &wincerts_len)) {
526 EFI_PRINT("Parsing PE executable image failed\n");
527 goto err;
528 }
529
530 if (!wincerts) {
531 /* The image is not signed */
532 ret = efi_image_unsigned_authenticate(regs);
533
534 goto err;
535 }
536
537 /*
538 * verify signature using db and dbx
539 */
540 db = efi_sigstore_parse_sigdb(L"db");
541 if (!db) {
542 EFI_PRINT("Getting signature database(db) failed\n");
543 goto err;
544 }
545
546 dbx = efi_sigstore_parse_sigdb(L"dbx");
547 if (!dbx) {
548 EFI_PRINT("Getting signature database(dbx) failed\n");
549 goto err;
550 }
551
552 if (efi_signature_lookup_digest(regs, dbx)) {
553 EFI_PRINT("Image's digest was found in \"dbx\"\n");
554 goto err;
555 }
556
557 /*
558 * go through WIN_CERTIFICATE list
559 * NOTE:
560 * We may have multiple signatures either as WIN_CERTIFICATE's
561 * in PE header, or as pkcs7 SignerInfo's in SignedData.
562 * So the verification policy here is:
563 * - Success if, at least, one of signatures is verified
564 * - unless signature is rejected explicitly with its digest.
565 */
566
567 for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
568 (u8 *)wincert < wincerts_end;
569 wincert = (WIN_CERTIFICATE *)
570 ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) {
571 if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end)
572 break;
573
574 if (wincert->dwLength <= sizeof(*wincert)) {
575 EFI_PRINT("dwLength too small: %u < %zu\n",
576 wincert->dwLength, sizeof(*wincert));
577 continue;
578 }
579
580 EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n",
581 wincert->wCertificateType);
582
583 auth = (u8 *)wincert + sizeof(*wincert);
584 auth_size = wincert->dwLength - sizeof(*wincert);
585 if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
586 if (auth + sizeof(efi_guid_t) >= wincerts_end)
587 break;
588
589 if (auth_size <= sizeof(efi_guid_t)) {
590 EFI_PRINT("dwLength too small: %u < %zu\n",
591 wincert->dwLength, sizeof(*wincert));
592 continue;
593 }
594 if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
595 EFI_PRINT("Certificate type not supported: %pUl\n",
596 auth);
597 continue;
598 }
599
600 auth += sizeof(efi_guid_t);
601 auth_size -= sizeof(efi_guid_t);
602 } else if (wincert->wCertificateType
603 != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
604 EFI_PRINT("Certificate type not supported\n");
605 continue;
606 }
607
608 msg = pkcs7_parse_message(auth, auth_size);
609 if (IS_ERR(msg)) {
610 EFI_PRINT("Parsing image's signature failed\n");
611 msg = NULL;
612 continue;
613 }
614
615 /*
616 * NOTE:
617 * UEFI specification defines two signature types possible
618 * in signature database:
619 * a. x509 certificate, where a signature in image is
620 * a message digest encrypted by RSA public key
621 * (EFI_CERT_X509_GUID)
622 * b. bare hash value of message digest
623 * (EFI_CERT_SHAxxx_GUID)
624 *
625 * efi_signature_verify() handles case (a), while
626 * efi_signature_lookup_digest() handles case (b).
627 *
628 * There is a third type:
629 * c. message digest of a certificate
630 * (EFI_CERT_X509_SHAAxxx_GUID)
631 * This type of signature is used only in revocation list
632 * (dbx) and handled as part of efi_signatgure_verify().
633 */
634 /* try black-list first */
635 if (efi_signature_verify_one(regs, msg, dbx)) {
636 EFI_PRINT("Signature was rejected by \"dbx\"\n");
637 continue;
638 }
639
640 if (!efi_signature_check_signers(msg, dbx)) {
641 EFI_PRINT("Signer(s) in \"dbx\"\n");
642 continue;
643 }
644
645 /* try white-list */
646 if (efi_signature_verify(regs, msg, db, dbx)) {
647 ret = true;
648 break;
649 }
650
651 EFI_PRINT("Signature was not verified by \"db\"\n");
652
653 if (efi_signature_lookup_digest(regs, db)) {
654 ret = true;
655 break;
656 }
657
658 EFI_PRINT("Image's digest was not found in \"db\" or \"dbx\"\n");
659 }
660
661 err:
662 efi_sigstore_free(db);
663 efi_sigstore_free(dbx);
664 pkcs7_free_message(msg);
665 free(regs);
666 free(new_efi);
667
668 EFI_PRINT("%s: Exit, %d\n", __func__, ret);
669 return ret;
670 }
671 #else
efi_image_authenticate(void * efi,size_t efi_size)672 static bool efi_image_authenticate(void *efi, size_t efi_size)
673 {
674 return true;
675 }
676 #endif /* CONFIG_EFI_SECURE_BOOT */
677
678
679 /**
680 * efi_check_pe() - check if a memory buffer contains a PE-COFF image
681 *
682 * @buffer: buffer to check
683 * @size: size of buffer
684 * @nt_header: on return pointer to NT header of PE-COFF image
685 * Return: EFI_SUCCESS if the buffer contains a PE-COFF image
686 */
efi_check_pe(void * buffer,size_t size,void ** nt_header)687 efi_status_t efi_check_pe(void *buffer, size_t size, void **nt_header)
688 {
689 IMAGE_DOS_HEADER *dos = buffer;
690 IMAGE_NT_HEADERS32 *nt;
691
692 if (size < sizeof(*dos))
693 return EFI_INVALID_PARAMETER;
694
695 /* Check for DOS magix */
696 if (dos->e_magic != IMAGE_DOS_SIGNATURE)
697 return EFI_INVALID_PARAMETER;
698
699 /*
700 * Check if the image section header fits into the file. Knowing that at
701 * least one section header follows we only need to check for the length
702 * of the 64bit header which is longer than the 32bit header.
703 */
704 if (size < dos->e_lfanew + sizeof(IMAGE_NT_HEADERS32))
705 return EFI_INVALID_PARAMETER;
706 nt = (IMAGE_NT_HEADERS32 *)((u8 *)buffer + dos->e_lfanew);
707
708 /* Check for PE-COFF magic */
709 if (nt->Signature != IMAGE_NT_SIGNATURE)
710 return EFI_INVALID_PARAMETER;
711
712 if (nt_header)
713 *nt_header = nt;
714
715 return EFI_SUCCESS;
716 }
717
718 /**
719 * efi_load_pe() - relocate EFI binary
720 *
721 * This function loads all sections from a PE binary into a newly reserved
722 * piece of memory. On success the entry point is returned as handle->entry.
723 *
724 * @handle: loaded image handle
725 * @efi: pointer to the EFI binary
726 * @efi_size: size of @efi binary
727 * @loaded_image_info: loaded image protocol
728 * Return: status code
729 */
efi_load_pe(struct efi_loaded_image_obj * handle,void * efi,size_t efi_size,struct efi_loaded_image * loaded_image_info)730 efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
731 void *efi, size_t efi_size,
732 struct efi_loaded_image *loaded_image_info)
733 {
734 IMAGE_NT_HEADERS32 *nt;
735 IMAGE_DOS_HEADER *dos;
736 IMAGE_SECTION_HEADER *sections;
737 int num_sections;
738 void *efi_reloc;
739 int i;
740 const IMAGE_BASE_RELOCATION *rel;
741 unsigned long rel_size;
742 int rel_idx = IMAGE_DIRECTORY_ENTRY_BASERELOC;
743 uint64_t image_base;
744 unsigned long virt_size = 0;
745 int supported = 0;
746 efi_status_t ret;
747
748 ret = efi_check_pe(efi, efi_size, (void **)&nt);
749 if (ret != EFI_SUCCESS) {
750 log_err("Not a PE-COFF file\n");
751 return EFI_LOAD_ERROR;
752 }
753
754 for (i = 0; machines[i]; i++)
755 if (machines[i] == nt->FileHeader.Machine) {
756 supported = 1;
757 break;
758 }
759
760 if (!supported) {
761 log_err("Machine type 0x%04x is not supported\n",
762 nt->FileHeader.Machine);
763 return EFI_LOAD_ERROR;
764 }
765
766 num_sections = nt->FileHeader.NumberOfSections;
767 sections = (void *)&nt->OptionalHeader +
768 nt->FileHeader.SizeOfOptionalHeader;
769
770 if (efi_size < ((void *)sections + sizeof(sections[0]) * num_sections
771 - efi)) {
772 log_err("Invalid number of sections: %d\n", num_sections);
773 return EFI_LOAD_ERROR;
774 }
775
776 /* Authenticate an image */
777 if (efi_image_authenticate(efi, efi_size)) {
778 handle->auth_status = EFI_IMAGE_AUTH_PASSED;
779 } else {
780 handle->auth_status = EFI_IMAGE_AUTH_FAILED;
781 log_err("Image not authenticated\n");
782 }
783
784 /* Calculate upper virtual address boundary */
785 for (i = num_sections - 1; i >= 0; i--) {
786 IMAGE_SECTION_HEADER *sec = §ions[i];
787 virt_size = max_t(unsigned long, virt_size,
788 sec->VirtualAddress + sec->Misc.VirtualSize);
789 }
790
791 /* Read 32/64bit specific header bits */
792 if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
793 IMAGE_NT_HEADERS64 *nt64 = (void *)nt;
794 IMAGE_OPTIONAL_HEADER64 *opt = &nt64->OptionalHeader;
795 image_base = opt->ImageBase;
796 efi_set_code_and_data_type(loaded_image_info, opt->Subsystem);
797 handle->image_type = opt->Subsystem;
798 efi_reloc = efi_alloc(virt_size,
799 loaded_image_info->image_code_type);
800 if (!efi_reloc) {
801 log_err("Out of memory\n");
802 ret = EFI_OUT_OF_RESOURCES;
803 goto err;
804 }
805 handle->entry = efi_reloc + opt->AddressOfEntryPoint;
806 rel_size = opt->DataDirectory[rel_idx].Size;
807 rel = efi_reloc + opt->DataDirectory[rel_idx].VirtualAddress;
808 virt_size = ALIGN(virt_size, opt->SectionAlignment);
809 } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
810 IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader;
811 image_base = opt->ImageBase;
812 efi_set_code_and_data_type(loaded_image_info, opt->Subsystem);
813 handle->image_type = opt->Subsystem;
814 efi_reloc = efi_alloc(virt_size,
815 loaded_image_info->image_code_type);
816 if (!efi_reloc) {
817 log_err("Out of memory\n");
818 ret = EFI_OUT_OF_RESOURCES;
819 goto err;
820 }
821 handle->entry = efi_reloc + opt->AddressOfEntryPoint;
822 rel_size = opt->DataDirectory[rel_idx].Size;
823 rel = efi_reloc + opt->DataDirectory[rel_idx].VirtualAddress;
824 virt_size = ALIGN(virt_size, opt->SectionAlignment);
825 } else {
826 log_err("Invalid optional header magic %x\n",
827 nt->OptionalHeader.Magic);
828 ret = EFI_LOAD_ERROR;
829 goto err;
830 }
831
832 /* Copy PE headers */
833 memcpy(efi_reloc, efi,
834 sizeof(*dos)
835 + sizeof(*nt)
836 + nt->FileHeader.SizeOfOptionalHeader
837 + num_sections * sizeof(IMAGE_SECTION_HEADER));
838
839 /* Load sections into RAM */
840 for (i = num_sections - 1; i >= 0; i--) {
841 IMAGE_SECTION_HEADER *sec = §ions[i];
842 memset(efi_reloc + sec->VirtualAddress, 0,
843 sec->Misc.VirtualSize);
844 memcpy(efi_reloc + sec->VirtualAddress,
845 efi + sec->PointerToRawData,
846 min(sec->Misc.VirtualSize, sec->SizeOfRawData));
847 }
848
849 /* Run through relocations */
850 if (efi_loader_relocate(rel, rel_size, efi_reloc,
851 (unsigned long)image_base) != EFI_SUCCESS) {
852 efi_free_pages((uintptr_t) efi_reloc,
853 (virt_size + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT);
854 ret = EFI_LOAD_ERROR;
855 goto err;
856 }
857
858 /* Flush cache */
859 flush_cache((ulong)efi_reloc,
860 ALIGN(virt_size, EFI_CACHELINE_SIZE));
861 invalidate_icache_all();
862
863 /* Populate the loaded image interface bits */
864 loaded_image_info->image_base = efi_reloc;
865 loaded_image_info->image_size = virt_size;
866
867 if (handle->auth_status == EFI_IMAGE_AUTH_PASSED)
868 return EFI_SUCCESS;
869 else
870 return EFI_SECURITY_VIOLATION;
871
872 err:
873 return ret;
874 }
875