Message ID | 20210415133020.29175-2-masahisa.kojima@linaro.org |
---|---|
State | New |
Series | PE/COFF measurement support |
On 15.04.21 15:30, Masahisa Kojima wrote: > This is preparation for PE/COFF measurement support. > PE/COFF image hash calculation is same in both > UEFI Secure Boot image verification and measurement in > measured boot. This commit exposes the hash calculation > functions even if UEFI Secure Boot is not enabled. > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > --- > lib/efi_loader/efi_image_loader.c | 2 +- > lib/efi_loader/efi_signature.c | 2 ++ > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c > index f53ef367ec..2c35cb5651 100644 > --- a/lib/efi_loader/efi_image_loader.c > +++ b/lib/efi_loader/efi_image_loader.c > @@ -213,7 +213,6 @@ static void efi_set_code_and_data_type( > } > } > > -#ifdef CONFIG_EFI_SECURE_BOOT > /** > * cmp_pe_section() - compare virtual addresses of two PE image sections > * @arg1: pointer to pointer to first section header > @@ -422,6 +421,7 @@ err: > return false; > } > > +#ifdef CONFIG_EFI_SECURE_BOOT Please, remove the #ifdef and replace it by if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) { in function efi_image_authenticate(). The advantage of using 'if' instead of '#ifdef' is that all branches are parsed by GCC. This allows us to catch code problems more easily. > /** > * efi_image_unsigned_authenticate() - authenticate unsigned image with > * SHA256 hash > diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c > index c7ec275414..1dd9d0e130 100644 > --- a/lib/efi_loader/efi_signature.c > +++ b/lib/efi_loader/efi_signature.c 
> @@ -538,6 +538,7 @@ out: > EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); > return !revoked; > } > +#endif The #if is superfluous. Just add the missing header #include <u-boot/rsa-checksum.h> efi_guid_t efi_guid_image_security_database should be moved to efi_var_common.c. This allows us to decide if lib/efi_loader/efi_signature.c shall be compiled in the Makefile. Best regards Heinrich > > /** > * efi_image_region_add() - add an entry of region > @@ -601,6 +602,7 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs, > return EFI_SUCCESS; > } > > +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) > /** > * efi_sigstore_free - free signature store > * @sigstore: Pointer to signature store structure >
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index f53ef367ec..2c35cb5651 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -213,7 +213,6 @@ static void efi_set_code_and_data_type( } } -#ifdef CONFIG_EFI_SECURE_BOOT /** * cmp_pe_section() - compare virtual addresses of two PE image sections * @arg1: pointer to pointer to first section header @@ -422,6 +421,7 @@ err: return false; } +#ifdef CONFIG_EFI_SECURE_BOOT /** * efi_image_unsigned_authenticate() - authenticate unsigned image with * SHA256 hash diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index c7ec275414..1dd9d0e130 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -538,6 +538,7 @@ out: EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); return !revoked; } +#endif /** * efi_image_region_add() - add an entry of region @@ -601,6 +602,7 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs, return EFI_SUCCESS; } +#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE) /** * efi_sigstore_free - free signature store * @sigstore: Pointer to signature store structure
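Review bot: In lib/efi_loader/efi_image_loader.c the `#ifdef CONFIG_EFI_SECURE_BOOT` removed above cmp_pe_section() is not replaced by any other condition, so everything from cmp_pe_section() down to the guard re-added before efi_image_unsigned_authenticate() is now compiled in every configuration, including builds that enable neither Secure Boot nor measurement. Consider widening the condition to cover both consumers instead of dropping it, and check that none of the newly unconditional helpers is a static function without a caller in such builds, since that would produce unused-function warnings.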
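Review bot: The `+#endif` added after the function ending in `return !revoked;` in lib/efi_loader/efi_signature.c closes a conditional whose opening line lies outside the hunk context, and it carries no trailing comment. Now that the guarded code is split into two regions around efi_image_region_add(), annotate this `#endif` with the condition it closes so the pairs can be matched when reading the file.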
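Review bot: The guard re-opened before efi_sigstore_free() with `#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)` leaves efi_image_region_add() as the only function between two guarded regions, and nothing in the hunk documents why. Add a short comment above efi_image_region_add() stating that it is shared with the measurement path, or move the function to a file that is always built so that efi_signature.c needs no split guard at all.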
This is preparation for PE/COFF measurement support. PE/COFF image hash calculation is the same in both UEFI Secure Boot image verification and measurement in measured boot. This commit exposes the hash calculation functions even if UEFI Secure Boot is not enabled.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>

---

lib/efi_loader/efi_image_loader.c | 2 +-
lib/efi_loader/efi_signature.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)

-- 2.17.1