path: root/src/boot
Commit message (Author, Date, Files, Lines)
* treewide: drop "RUN_" from "RUN_WITH_UMASK" (Zbigniew Jędrzejewski-Szmek, 2022-12-13, 1 file, -3/+3)
  RUN_WITH_UMASK was initially conceived for spawning external progs with the umask set. But nowadays we use it for various syscalls and stuff that doesn't "run" anything, so the "RUN_" prefix has outlived its usefulness.
* sd-id128: make id128_read() or friends return -ENOPKG when the file contents is "uninitialized" (Yu Watanabe, 2022-12-12, 1 file, -1/+1)
  Then, this drops ID128_PLAIN_OR_UNINIT. Also, this renames Id128Format -> Id128FormatFlag, and makes it a bitfield. Fixes #25634.
* boot: fix false maybe-uninitialized warning (Yu Watanabe, 2022-12-06, 3 files, -4/+4)
  Fixes #25641.
* boot: cleanups for efivar_get() and friends (Yu Watanabe, 2022-12-06, 2 files, -32/+37)
  - rename function arguments for storing results, and support the case that they are NULL,
  - return earlier on error,
  - always validate read size in efivar_get_uint32_le() and efivar_get_uint64_le().
* boot: Only do full driver initialization in VMs (Jan Janssen, 2022-11-29, 2 files, -6/+4)
  Doing the reconnect dance on some real firmware creates huge delays on boot. This should not be needed anymore as we now ask the firmware to make console devices and xbootldr partitions available explicitly in a more targeted fashion. Fixes: #25510
* boot: Make sure all partitions drivers are connected (Jan Janssen, 2022-11-29, 1 file, -0/+4)
* boot: Use EFI_BOOT_MANAGER_POLICY_PROTOCOL to connect console devices (Jan Janssen, 2022-11-29, 2 files, -0/+35)
* Merge pull request #25222 from medhefgo/stub-cmdline (Luca Boccassi, 2022-11-28, 13 files, -204/+261)
  stub: Fix cmdline handling
  * stub: Detect empty LoadOptions when run from EFI shell (Jan Janssen, 2022-11-27, 2 files, -11/+61)
    The EFI shell will pass the entire command line to the application it starts, which includes the file path of the stub binary. This prevents us from using the built-in cmdline if the command line is otherwise empty. Fortunately, the EFI shell registers a protocol on any images it starts this way. The protocol even lets us access the args individually, making it easy to strip the stub path off. Fixes: #25201
  * stub: Fix cmdline handling (Jan Janssen, 2022-11-22, 7 files, -46/+60)
    This fixes some bugs that could lead to garbage getting appended to the command line passed to the kernel:
    1. The .cmdline section is not guaranteed to be NUL-terminated, but it was used as if it was.
    2. The conversion of the command line to ASCII that was passed to the stub ate the NUL at the end.
    3. LoadOptions is not guaranteed to be a NUL-terminated EFI string (it really should be and generally always is, though).
    This also fixes the inconsistent mangling of the command line. If the .cmdline section was used, ASCII control chars (new lines in particular) would not be converted to spaces.
    As part of this commit, we optimize conversion for the generic code instead of the (deprecated) EFI handover protocol. Previously we would convert to ASCII/UTF-8 and then back to EFI string for the (now) default generic code path. Instead we now convert to EFI string and mangle that back to ASCII in the EFI handover protocol path.
  * boot: Use xstr8_to_16 for path conversion (Jan Janssen, 2022-11-22, 4 files, -108/+24)
  * boot: Use xstr8_to_16 (Jan Janssen, 2022-11-22, 5 files, -48/+17)
  * boot: Add xstrn8_to_16 (Jan Janssen, 2022-11-22, 3 files, -1/+109)
* stub: Small code style changes (Jan Janssen, 2022-11-24, 1 file, -43/+20)
  No actual changes in behavior.
* stub: Fix splash alpha blending (Jan Janssen, 2022-11-24, 1 file, -33/+60)
  How to interpret the pixel format depends on the masks in the DIB header (if present). Also, 16bpp (unlike 24bpp) can carry an alpha channel. This was previously not accounted for.
* stub: handle random seed like sd-boot does (Jason A. Donenfeld, 2022-11-23, 7 files, -24/+42)
  sd-stub has an opportunity to handle the seed the same way sd-boot does, which would have benefits for UKIs when sd-boot is not in use. This commit wires that up. It refactors the XBOOTLDR partition discovery to also find the ESP partition, so that it can access the random seed there.
* boot: remove random-seed-mode (Jason A. Donenfeld, 2022-11-22, 3 files, -47/+4)
  Now that the random seed is used on virtualized systems, there's no point in having a random-seed-mode toggle switch. Let's just always require it now, with the existing logic already being there to allow not having it if EFI itself has an RNG. In other words, the logic for this can now be automatic.
* bootctl: install system token on virtualized systems (Jason A. Donenfeld, 2022-11-21, 1 file, -20/+0)
  Removing the virtualization check might not be the worst thing in the world, and would potentially get many, many more systems properly seeded rather than not seeded. There are a few reasons to consider this:
  - In most QEMU setups and most guides on how to setup QEMU, a separate pflash file is used for nvram variables, and this generally isn't copied around.
  - We're now hashing in a timestamp, which should provide some level of differentiation, given that EFI_TIME has a nanoseconds field.
  - The kernel itself will additionally hash in: a high resolution time stamp, a cycle counter, RDRAND output, the VMGENID uniquely identifying the virtual machine, any other seeds from the hypervisor (like from FDT or setup_data).
  - During early boot, the RNG is reseeded quite frequently to account for the importance of early differentiation.
  So maybe the mitigating factors make the actual feared problem significantly less likely and therefore the pros of having file-based seeding might outweigh the cons of weird misconfigured setups having a hypothetical problem on first boot.
* boot: Replace firmware security hooks directly (Jan Janssen, 2022-11-19, 1 file, -79/+40)
  For some firmware, replacing their own security arch instance with our override using ReinstallProtocolInterface() is not enough as they will not use it. This commit goes back to how this was done before by directly modifying the security protocols. Fixes: #25336
* boot: Rework security arch override (Jan Janssen, 2022-11-19, 4 files, -152/+146)
  This simplifies the caller interface for security arch overrides by only having to pass a validator and an optional context.
* boot: Manually convert filepaths if needed (Jan Janssen, 2022-11-19, 1 file, -4/+36)
  The conversion of a filepath device path to text is needed for the stub loader to find credential files.
* boot: Do not require a loaded image path (Jan Janssen, 2022-11-19, 1 file, -10/+3)
  If the device path to text protocol is not available (looking angrily at Apple) we would fail to boot because we cannot get the loaded image path. As this is only used for cosmetic purposes, we can just silently continue. Fixes: #25363
* boot: Fix memory leak (Jan Janssen, 2022-11-19, 1 file, -1/+1)
* bootctl: rework how we handle referenced but absent EFI boot entries (Lennart Poettering, 2022-11-18, 1 file, -1/+5)
  Follow-up for #25368. Let's consider ENOENT an expected error, and just debug log about it (though, let's suffix it with `, ignoring.`). All other errors will log loudly, as they are unexpected errors.
* boot/measure: fix oom check (Li kunyu, 2022-11-18, 1 file, -1/+1)
* Merge pull request #25414 from zx2c4-forks/krngseed (Luca Boccassi, 2022-11-17, 3 files, -14/+23)
  EFI random seed post #25319 review fixups
  * boot: only use __builtin_object_size with -O>0 (Jason A. Donenfeld, 2022-11-17, 1 file, -4/+4)
    __builtin_object_size() returns -1 with -O0, so disable this and warn about it instead.
  * boot: do not truncate random seed file (Jason A. Donenfeld, 2022-11-17, 1 file, -5/+12)
    There are concerns about the FAT file system driver exploding if we try to do this, so just leave the bytes zeroed out instead.
  * random-seed: handle post-merge review nits (Jason A. Donenfeld, 2022-11-17, 3 files, -5/+7)
    These are various misc things that came up after merging.
* pcrphase: add $SYSTEMD_PCRPHASE_STUB_VERIFY env var for overriding stub check (Lennart Poettering, 2022-11-16, 1 file, -11/+24)
* Merge pull request #25319 from zx2c4-forks/krngseed (Luca Boccassi, 2022-11-16, 4 files, -167/+194)
  boot: implement kernel EFI RNG seed protocol with proper hashing
  * boot: implement kernel EFI RNG seed protocol with proper hashing (Jason A. Donenfeld, 2022-11-14, 4 files, -167/+194)
    Rather than passing seeds up to userspace via EFI variables, pass seeds directly to the kernel's EFI stub loader, via LINUX_EFI_RANDOM_SEED_TABLE_GUID. EFI variables can potentially leak and suffer from forward secrecy issues, and processing these with userspace means that they are initialized much too late in boot to be useful. In contrast, LINUX_EFI_RANDOM_SEED_TABLE_GUID uses EFI configuration tables, and so is hidden from userspace entirely, and is parsed extremely early on by the kernel, so that every single call to get_random_bytes() by the kernel is seeded.
    In order to do this properly, we use a bit more robust hashing scheme, and make sure that each input is properly memzeroed out after use. The scheme is:
        key = HASH(LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN)
        new_disk_seed = HASH(key || 0)
        seed_for_linux = HASH(key || 1)
    The various inputs are:
    - LINUX_EFI_RANDOM_SEED_TABLE_GUID from prior bootloaders
    - 256 bits of seed from EFI's RNG
    - The (immutable) system token, from its EFI variable
    - The prior on-disk seed
    - The UEFI monotonic counter
    - A timestamp
    This also adjusts the secure boot semantics, so that the operation is only aborted if it's not possible to get random bytes from EFI's RNG or a prior boot stage. With the proper hashing scheme, this should make boot seeds safe even on secure boot.
    There is currently a bug in Linux's EFI stub in which if the EFI stub manages to generate random bytes on its own using EFI's RNG, it will ignore what the bootloader passes. That's annoying, but it means that either way, via systemd-boot or via EFI stub's mechanism, the RNG *does* get initialized in a good safe way. And this bug is now fixed in the efi.git tree, and will hopefully be backported to older kernels.
    As the kernel recommends, the resultant seeds are 256 bits and are allocated using pool memory of type EfiACPIReclaimMemory, so that it gets freed at the right moment in boot.
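The seed derivation scheme described in the commit message above, as an added example in Python (not systemd's own C code): SHA-256 stands in for HASH, sizeof() is assumed to be encoded as an 8-byte little-endian length, the 0/1 domain-separation suffix is assumed to be a single byte, and the label and all inputs are constructed sample values.

```python
import hashlib
import struct

# Constructed for this example; the real stub uses its own label string and
# reads the inputs from firmware, EFI variables and the ESP.
LABEL = b"example-seed-label"


def hash_inputs(label, inputs):
    """key = HASH(LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN).

    SHA-256 stands in for HASH and sizeof() is encoded as 8-byte little-endian
    (both assumptions). The length prefix makes the encoding unambiguous:
    ("ab", "c") and ("a", "bc") hash differently.
    """
    h = hashlib.sha256(label)
    for data in inputs:
        h.update(struct.pack("<Q", len(data)))
        h.update(data)
    return h.digest()


def have_entropy(prior_table, efi_rng):
    """Abort only when neither EFI's RNG nor a prior boot stage gave random bytes."""
    return bool(prior_table) or bool(efi_rng)


def derive_seeds(prior_table, efi_rng, system_token, disk_seed, counter, timestamp):
    """Return (new_disk_seed, seed_for_linux), each 256 bits.

    The first four arguments are bytes or None; counter and timestamp are ints
    (UEFI monotonic counter, timestamp). Missing inputs are mixed in as empty.
    """
    if not have_entropy(prior_table, efi_rng):
        raise ValueError("no random bytes from EFI RNG or a prior boot stage")
    inputs = [prior_table or b"", efi_rng or b"", system_token or b"",
              disk_seed or b"", struct.pack("<Q", counter), struct.pack("<Q", timestamp)]
    key = bytearray(hash_inputs(LABEL, inputs))
    # Domain separation: the seed written back to disk and the seed handed to
    # Linux are different hashes of the same key, so one never reveals the other.
    new_disk_seed = hashlib.sha256(bytes(key) + b"\x00").digest()
    seed_for_linux = hashlib.sha256(bytes(key) + b"\x01").digest()
    for i in range(len(key)):  # wipe the intermediate key, as the C code memzeros it
        key[i] = 0
    return new_disk_seed, seed_for_linux
```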
* boot: improve support for qemu (Gerd Hoffmann, 2022-11-16, 4 files, -1/+148)
  systemd-boot expects being loaded from ESP and is quite unhappy in case the loaded image device path is something else. When running on qemu this can easily happen though. Case one is direct kernel boot, i.e. loading via 'qemu -kernel systemd-bootx64.efi'. Case two is sd-boot being added to the ovmf firmware image and being loaded from there. This patch detects both cases and goes inspect all file systems known to the firmware, trying to find the ESP. When present the VMMBootOrderNNNN variables are used to inspect the file systems in the given order.
* Merge pull request #25368 from yuwata/bootctl-ignore-invalid-boot-entries (Yu Watanabe, 2022-11-14, 1 file, -2/+2)
  bootctl: ignore invalid boot entries
  * bootctl: downgrade log message when firmware reports non-existent or invalid boot entry (Yu Watanabe, 2022-11-13, 1 file, -1/+1)
    Fixes #25359.
  * bootctl: make boot entry id logged in hex (Yu Watanabe, 2022-11-13, 1 file, -2/+2)
    To make it consistent with the printed boot id below and other tools, e.g. efibootmgr.
* boot: Fix error message (Jan Janssen, 2022-11-13, 1 file, -1/+1)
* boot: Silence driver reconnect errors (Jan Janssen, 2022-11-13, 1 file, -15/+13)
* bootctl,bootspec: make use of CHASE_PROHIBIT_SYMLINKS whenever we access the ESP/XBOOTLDR (Lennart Poettering, 2022-11-13, 1 file, -9/+9)
  Let's make use of the new flag whenever we access the ESP or XBOOTLDR. The resources we make use of in these partitions can't possibly use symlinks (because UEFI knows no symlink concept), and they are untrusted territory, hence under no circumstances should we be tricked into following symlinks that shouldn't be there in the first place.
  Of course, you might argue that ESP/XBOOTLDR are VFAT and thus don't know symlinks. But the thing is, they don't have to be. Firmware can support other file systems too, and people can use efifs to gain access to arbitrary Linux file systems from EFI. Hence, let's better be safe than sorry.
* basic: move version() to build.h+c (Zbigniew Jędrzejewski-Szmek, 2022-11-08, 5 files, -3/+5)
* basic: create new basic/initrd-util.[ch] for initrd-related functions (Zbigniew Jędrzejewski-Szmek, 2022-11-08, 1 file, -0/+1)
  I changed imports of util.h to initrd-util.h, or added an import of initrd-util.h, to keep compilation working. It turns out that many files didn't import util.h directly. When viewing the patch, don't be confused by git rename detection logic: a new .c file is added and two functions moved into it.
* measure: honour phases when signing (Lennart Poettering, 2022-10-31, 1 file, -124/+146)
* measure: banks and phases list are always non-empty (Lennart Poettering, 2022-10-31, 1 file, -3/+6)
  When parsing parameters, we populate these lists with defaults when empty, hence we can rely that there's at least one bank and one phase defined.
* boot: Mark some functions as static (Jan Janssen, 2022-10-30, 3 files, -3/+3)
* tree-wide: fix typo (Yu Watanabe, 2022-10-25, 1 file, -1/+1)
* boot: Rework shim image verification (Jan Janssen, 2022-10-17, 3 files, -84/+44)
  This moves the shim security arch override to the new ReinstallProtocolInterface based interface. This also has the benefit of reducing the time window in which we have this override active and also actually removes it, which was not previously done. The shim hooks themselves are also modernized too. The upcalls should really not be necessary if shim is happy with the provided binary.
* stub: Allow loading unsigned kernel images (Jan Janssen, 2022-10-17, 3 files, -2/+145)
* boot: Use proper security arch protocol names (Jan Janssen, 2022-10-17, 2 files, -37/+35)
  This is how the Platform Integration Specification defines these.
* boot: Remove unused parameters from pe_kernel_info (Jan Janssen, 2022-10-17, 4 files, -40/+24)
  Only the compat entry address is used now. This also now only returns the compat entry address. If the image is native we do not need to try calling into the entry address again as we would already have done so from StartImage (and failed).
* stub: Use LoadImage/StartImage to start the kernel (Jan Janssen, 2022-10-17, 2 files, -112/+59)
  This is the proper way to start any EFI binary. The fact this even ever worked was because the kernel does not have any PE relocations. The only downside is that the embedded kernel image has to be signed and trusted by the firmware under secure boot. A future commit will try to deal with that.