/* * Copyright (C) 2008 Michael Brown . * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; either version 2 of the * License, or any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301, USA. */ FILE_LICENCE ( GPL2_OR_LATER ); #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include FEATURE ( FEATURE_IMAGE, "EFI", DHCP_EB_FEATURE_EFI, 1 ); /* Disambiguate the various error causes */ #define EINFO_EEFI_LOAD \ __einfo_uniqify ( EINFO_EPLATFORM, 0x01, \ "Could not load image" ) #define EINFO_EEFI_LOAD_PROHIBITED \ __einfo_platformify ( EINFO_EEFI_LOAD, EFI_SECURITY_VIOLATION, \ "Image prohibited by security policy" ) #define EEFI_LOAD_PROHIBITED \ __einfo_error ( EINFO_EEFI_LOAD_PROHIBITED ) #define EEFI_LOAD( efirc ) EPLATFORM ( EINFO_EEFI_LOAD, efirc, \ EEFI_LOAD_PROHIBITED ) #define EINFO_EEFI_START \ __einfo_uniqify ( EINFO_EPLATFORM, 0x02, \ "Could not start image" ) #define EEFI_START( efirc ) EPLATFORM ( EINFO_EEFI_START, efirc ) /** * Create device path for image * * @v image EFI image * @v parent Parent device path * @ret path Device path, or NULL on failure * * The caller must eventually free() the device path. */ static EFI_DEVICE_PATH_PROTOCOL * efi_image_path ( struct image *image, EFI_DEVICE_PATH_PROTOCOL *parent ) { EFI_DEVICE_PATH_PROTOCOL *path; FILEPATH_DEVICE_PATH *filepath; EFI_DEVICE_PATH_PROTOCOL *end; size_t name_len; size_t prefix_len; size_t filepath_len; size_t len; /* Calculate device path lengths */ prefix_len = efi_path_len ( parent ); name_len = strlen ( image->name ); filepath_len = ( SIZE_OF_FILEPATH_DEVICE_PATH + ( name_len + 1 /* NUL */ ) * sizeof ( wchar_t ) ); len = ( prefix_len + filepath_len + sizeof ( *end ) ); /* Allocate device path */ path = zalloc ( len ); if ( ! path ) return NULL; /* Construct device path */ memcpy ( path, parent, prefix_len ); filepath = ( ( ( void * ) path ) + prefix_len ); filepath->Header.Type = MEDIA_DEVICE_PATH; filepath->Header.SubType = MEDIA_FILEPATH_DP; filepath->Header.Length[0] = ( filepath_len & 0xff ); filepath->Header.Length[1] = ( filepath_len >> 8 ); efi_snprintf ( filepath->PathName, ( name_len + 1 /* NUL */ ), "%s", image->name ); end = ( ( ( void * ) filepath ) + filepath_len ); efi_path_terminate ( end ); return path; } /** * Create command line for image * * @v image EFI image * @ret cmdline Command line, or NULL on failure */ static wchar_t * efi_image_cmdline ( struct image *image ) { wchar_t *cmdline; /* Allocate and construct command line */ if ( efi_asprintf ( &cmdline, "%s%s%s", image->name, ( image->cmdline ? " " : "" ), ( image->cmdline ? image->cmdline : "" ) ) < 0 ) { return NULL; } return cmdline; } /** * Execute EFI image * * @v image EFI image * @ret rc Return status code */ static int efi_image_exec ( struct image *image ) { EFI_BOOT_SERVICES *bs = efi_systab->BootServices; struct efi_snp_device *snpdev; EFI_DEVICE_PATH_PROTOCOL *path; union { EFI_LOADED_IMAGE_PROTOCOL *image; void *interface; } loaded; struct image *shim; struct image *exec; EFI_HANDLE handle; EFI_MEMORY_TYPE type; wchar_t *cmdline; unsigned int toggle; EFI_STATUS efirc; int rc; /* Find an appropriate device handle to use */ snpdev = last_opened_snpdev(); if ( ! snpdev ) { DBGC ( image, "EFIIMAGE %s could not identify SNP device\n", image->name ); rc = -ENODEV; goto err_no_snpdev; } /* Use shim instead of directly executing image if applicable */ shim = ( efi_can_load ( image ) ? NULL : find_image_tag ( &efi_shim ) ); exec = ( shim ? shim : image ); if ( shim ) { DBGC ( image, "EFIIMAGE %s executing via %s\n", image->name, shim->name ); } /* Re-register as a hidden image to allow for access via file I/O */ toggle = ( ~image->flags & IMAGE_HIDDEN ); image->flags |= IMAGE_HIDDEN; if ( ( rc = register_image ( image ) ) != 0 ) goto err_register_image; /* Install file I/O protocols */ if ( ( rc = efi_file_install ( snpdev->handle ) ) != 0 ) { DBGC ( image, "EFIIMAGE %s could not install file protocol: " "%s\n", image->name, strerror ( rc ) ); goto err_file_install; } /* Install PXE base code protocol */ if ( ( rc = efi_pxe_install ( snpdev->handle, snpdev->netdev ) ) != 0 ){ DBGC ( image, "EFIIMAGE %s could not install PXE protocol: " "%s\n", image->name, strerror ( rc ) ); goto err_pxe_install; } /* Install iPXE download protocol */ if ( ( rc = efi_download_install ( snpdev->handle ) ) != 0 ) { DBGC ( image, "EFIIMAGE %s could not install iPXE download " "protocol: %s\n", image->name, strerror ( rc ) ); goto err_download_install; } /* Create device path for image */ path = efi_image_path ( exec, snpdev->path ); if ( ! path ) { DBGC ( image, "EFIIMAGE %s could not create device path\n", image->name ); rc = -ENOMEM; goto err_image_path; } /* Create command line for image */ cmdline = efi_image_cmdline ( image ); if ( ! cmdline ) { DBGC ( image, "EFIIMAGE %s could not create command line\n", image->name ); rc = -ENOMEM; goto err_cmdline; } /* Install shim special handling if applicable */ if ( shim && ( ( rc = efi_shim_install ( shim, snpdev->handle, &cmdline ) ) != 0 ) ){ DBGC ( image, "EFIIMAGE %s could not install shim handling: " "%s\n", image->name, strerror ( rc ) ); goto err_shim_install; } /* Attempt loading image */ handle = NULL; if ( ( efirc = bs->LoadImage ( FALSE, efi_image_handle, path, user_to_virt ( exec->data, 0 ), exec->len, &handle ) ) != 0 ) { /* Not an EFI image */ rc = -EEFI_LOAD ( efirc ); DBGC ( image, "EFIIMAGE %s could not load: %s\n", image->name, strerror ( rc ) ); if ( efirc == EFI_SECURITY_VIOLATION ) { goto err_load_image_security_violation; } else { goto err_load_image; } } /* Get the loaded image protocol for the newly loaded image */ efirc = bs->OpenProtocol ( handle, &efi_loaded_image_protocol_guid, &loaded.interface, efi_image_handle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL ); if ( efirc ) { /* Should never happen */ rc = -EEFI ( efirc ); goto err_open_protocol; } /* Some EFI 1.10 implementations seem not to fill in DeviceHandle */ if ( loaded.image->DeviceHandle == NULL ) { DBGC ( image, "EFIIMAGE %s filling in missing DeviceHandle\n", image->name ); loaded.image->DeviceHandle = snpdev->handle; } /* Sanity checks */ assert ( loaded.image->ParentHandle == efi_image_handle ); assert ( loaded.image->DeviceHandle == snpdev->handle ); assert ( loaded.image->LoadOptionsSize == 0 ); assert ( loaded.image->LoadOptions == NULL ); /* Record image code type */ type = loaded.image->ImageCodeType; /* Set command line */ loaded.image->LoadOptions = cmdline; loaded.image->LoadOptionsSize = ( ( wcslen ( cmdline ) + 1 /* NUL */ ) * sizeof ( wchar_t ) ); /* Release network devices for use via SNP */ efi_snp_release(); /* Wrap calls made by the loaded image (for debugging) */ efi_wrap ( handle ); /* Reset console since image will probably use it */ console_reset(); /* Start the image */ if ( ( efirc = bs->StartImage ( handle, NULL, NULL ) ) != 0 ) { rc = -EEFI_START ( efirc ); DBGC ( image, "EFIIMAGE %s could not start (or returned with " "error): %s\n", image->name, strerror ( rc ) ); goto err_start_image; } /* If image was a driver, connect it up to anything available */ if ( type == EfiBootServicesCode ) { DBGC ( image, "EFIIMAGE %s connecting drivers\n", image->name ); efi_driver_reconnect_all(); } /* Success */ rc = 0; err_start_image: efi_snp_claim(); err_open_protocol: /* If there was no error, then the image must have been * started and returned successfully. It either unloaded * itself, or it intended to remain loaded (e.g. it was a * driver). We therefore do not unload successful images. * * If there was an error, attempt to unload the image. This * may not work. In particular, there is no way to tell * whether an error returned from StartImage() was due to * being unable to start the image (in which case we probably * should call UnloadImage()), or due to the image itself * returning an error (in which case we probably should not * call UnloadImage()). We therefore ignore any failures from * the UnloadImage() call itself. */ err_load_image_security_violation: if ( rc != 0 ) bs->UnloadImage ( handle ); err_load_image: if ( shim ) efi_shim_uninstall(); err_shim_install: free ( cmdline ); err_cmdline: free ( path ); err_image_path: efi_download_uninstall ( snpdev->handle ); err_download_install: efi_pxe_uninstall ( snpdev->handle ); err_pxe_install: efi_file_uninstall ( snpdev->handle ); err_file_install: unregister_image ( image ); err_register_image: image->flags ^= toggle; err_no_snpdev: return rc; } /** * Probe EFI image * * @v image EFI file * @ret rc Return status code */ static int efi_image_probe ( struct image *image ) { EFI_BOOT_SERVICES *bs = efi_systab->BootServices; static EFI_DEVICE_PATH_PROTOCOL empty_path = { .Type = END_DEVICE_PATH_TYPE, .SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE, .Length[0] = sizeof ( empty_path ), }; EFI_HANDLE handle; EFI_STATUS efirc; int rc; /* Attempt loading image */ handle = NULL; if ( ( efirc = bs->LoadImage ( FALSE, efi_image_handle, &empty_path, user_to_virt ( image->data, 0 ), image->len, &handle ) ) != 0 ) { /* Not an EFI image */ rc = -EEFI_LOAD ( efirc ); DBGC ( image, "EFIIMAGE %s could not load: %s\n", image->name, strerror ( rc ) ); if ( efirc == EFI_SECURITY_VIOLATION ) { goto err_load_image_security_violation; } else { goto err_load_image; } } /* Unload the image. We can't leave it loaded, because we * have no "unload" operation. */ bs->UnloadImage ( handle ); return 0; err_load_image_security_violation: bs->UnloadImage ( handle ); err_load_image: return rc; } /** * Probe EFI PE image * * @v image EFI file * @ret rc Return status code * * The extremely broken UEFI Secure Boot model provides no way for us * to unambiguously determine that a valid EFI executable image was * rejected by LoadImage() because it failed signature verification. * We must therefore use heuristics to guess whether not an image that * was rejected by LoadImage() could still be loaded via a separate PE * loader such as the UEFI shim. */ static int efi_pe_image_probe ( struct image *image ) { const UINT16 magic = ( ( sizeof ( UINTN ) == sizeof ( uint32_t ) ) ? EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC : EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC ); union { EFI_IMAGE_DOS_HEADER dos; EFI_IMAGE_OPTIONAL_HEADER_UNION pe; } u; /* Check for existence of DOS header */ if ( image->len < sizeof ( u.dos ) ) { DBGC ( image, "EFIIMAGE %s too short for DOS header\n", image->name ); return -ENOEXEC; } copy_from_user ( &u.dos, image->data, 0, sizeof ( u.dos ) ); if ( u.dos.e_magic != EFI_IMAGE_DOS_SIGNATURE ) { DBGC ( image, "EFIIMAGE %s missing MZ signature\n", image->name ); return -ENOEXEC; } /* Check for existence of PE header */ if ( ( image->len < u.dos.e_lfanew ) || ( ( image->len - u.dos.e_lfanew ) < sizeof ( u.pe ) ) ) { DBGC ( image, "EFIIMAGE %s too short for PE header\n", image->name ); return -ENOEXEC; } copy_from_user ( &u.pe, image->data, u.dos.e_lfanew, sizeof ( u.pe ) ); if ( u.pe.Pe32.Signature != EFI_IMAGE_NT_SIGNATURE ) { DBGC ( image, "EFIIMAGE %s missing PE signature\n", image->name ); return -ENOEXEC; } /* Check PE header magic */ if ( u.pe.Pe32.OptionalHeader.Magic != magic ) { DBGC ( image, "EFIIMAGE %s incorrect magic %04x\n", image->name, u.pe.Pe32.OptionalHeader.Magic ); return -ENOEXEC; } return 0; } /** EFI image types */ struct image_type efi_image_type[] __image_type ( PROBE_NORMAL ) = { { .name = "EFI", .probe = efi_image_probe, .exec = efi_image_exec, }, { .name = "EFIPE", .probe = efi_pe_image_probe, .exec = efi_image_exec, }, };