1 // SPDX-License-Identifier: GPL-2.0+
5 * based partly on wine code
7 * Copyright (c) 2016 Alexander Graf
10 #define LOG_CATEGORY LOGC_EFI
14 #include <efi_loader.h>
19 #include <crypto/pkcs7_parser.h>
20 #include <linux/err.h>
22 const efi_guid_t efi_global_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
23 const efi_guid_t efi_guid_device_path = EFI_DEVICE_PATH_PROTOCOL_GUID;
24 const efi_guid_t efi_guid_loaded_image = EFI_LOADED_IMAGE_PROTOCOL_GUID;
25 const efi_guid_t efi_guid_loaded_image_device_path =
26 EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID;
27 const efi_guid_t efi_simple_file_system_protocol_guid =
28 EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID;
29 const efi_guid_t efi_file_info_guid = EFI_FILE_INFO_GUID;
31 static int machines[] = {
32 #if defined(__aarch64__)
33 IMAGE_FILE_MACHINE_ARM64,
34 #elif defined(__arm__)
35 IMAGE_FILE_MACHINE_ARM,
36 IMAGE_FILE_MACHINE_THUMB,
37 IMAGE_FILE_MACHINE_ARMNT,
40 #if defined(__x86_64__)
41 IMAGE_FILE_MACHINE_AMD64,
42 #elif defined(__i386__)
43 IMAGE_FILE_MACHINE_I386,
46 #if defined(__riscv) && (__riscv_xlen == 32)
47 IMAGE_FILE_MACHINE_RISCV32,
50 #if defined(__riscv) && (__riscv_xlen == 64)
51 IMAGE_FILE_MACHINE_RISCV64,
56 * efi_print_image_info() - print information about a loaded image
58 * If the program counter is located within the image the offset to the base
62 * @image: loaded image
63 * @pc: program counter (use NULL to suppress offset output)
66 static efi_status_t efi_print_image_info(struct efi_loaded_image_obj *obj,
67 struct efi_loaded_image *image,
71 printf(" [0x%p:0x%p]",
72 image->image_base, image->image_base + image->image_size - 1);
73 if (pc && pc >= image->image_base &&
74 pc < image->image_base + image->image_size)
75 printf(" pc=0x%zx", pc - image->image_base);
77 printf(" '%pD'", image->file_path);
83 * efi_print_image_infos() - print information about all loaded images
85 * @pc: program counter (use NULL to suppress offset output)
87 void efi_print_image_infos(void *pc)
89 struct efi_object *efiobj;
90 struct efi_handler *handler;
92 list_for_each_entry(efiobj, &efi_obj_list, link) {
93 list_for_each_entry(handler, &efiobj->protocols, link) {
94 if (!guidcmp(&handler->guid, &efi_guid_loaded_image)) {
96 (struct efi_loaded_image_obj *)efiobj,
97 handler->protocol_interface, pc);
104 * efi_loader_relocate() - relocate UEFI binary
106 * @rel: pointer to the relocation table
107 * @rel_size: size of the relocation table in bytes
108 * @efi_reloc: actual load address of the image
109 * @pref_address: preferred load address of the image
110 * Return: status code
112 static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
113 unsigned long rel_size, void *efi_reloc,
114 unsigned long pref_address)
116 unsigned long delta = (unsigned long)efi_reloc - pref_address;
117 const IMAGE_BASE_RELOCATION *end;
123 end = (const IMAGE_BASE_RELOCATION *)((const char *)rel + rel_size);
124 while (rel < end && rel->SizeOfBlock) {
125 const uint16_t *relocs = (const uint16_t *)(rel + 1);
126 i = (rel->SizeOfBlock - sizeof(*rel)) / sizeof(uint16_t);
128 uint32_t offset = (uint32_t)(*relocs & 0xfff) +
130 int type = *relocs >> EFI_PAGE_SHIFT;
131 uint64_t *x64 = efi_reloc + offset;
132 uint32_t *x32 = efi_reloc + offset;
133 uint16_t *x16 = efi_reloc + offset;
136 case IMAGE_REL_BASED_ABSOLUTE:
138 case IMAGE_REL_BASED_HIGH:
139 *x16 += ((uint32_t)delta) >> 16;
141 case IMAGE_REL_BASED_LOW:
142 *x16 += (uint16_t)delta;
144 case IMAGE_REL_BASED_HIGHLOW:
145 *x32 += (uint32_t)delta;
147 case IMAGE_REL_BASED_DIR64:
148 *x64 += (uint64_t)delta;
151 case IMAGE_REL_BASED_RISCV_HI20:
152 *x32 = ((*x32 & 0xfffff000) + (uint32_t)delta) |
155 case IMAGE_REL_BASED_RISCV_LOW12I:
156 case IMAGE_REL_BASED_RISCV_LOW12S:
157 /* We know that we're 4k aligned */
159 log_err("Unsupported reloc offset\n");
160 return EFI_LOAD_ERROR;
165 log_err("Unknown Relocation off %x type %x\n",
167 return EFI_LOAD_ERROR;
171 rel = (const IMAGE_BASE_RELOCATION *)relocs;
176 void __weak invalidate_icache_all(void)
178 /* If the system doesn't support icache_all flush, cross our fingers */
182 * efi_set_code_and_data_type() - determine the memory types to be used for code
185 * @loaded_image_info: image descriptor
186 * @image_type: field Subsystem of the optional header for
187 * Windows specific field
189 static void efi_set_code_and_data_type(
190 struct efi_loaded_image *loaded_image_info,
193 switch (image_type) {
194 case IMAGE_SUBSYSTEM_EFI_APPLICATION:
195 loaded_image_info->image_code_type = EFI_LOADER_CODE;
196 loaded_image_info->image_data_type = EFI_LOADER_DATA;
198 case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
199 loaded_image_info->image_code_type = EFI_BOOT_SERVICES_CODE;
200 loaded_image_info->image_data_type = EFI_BOOT_SERVICES_DATA;
202 case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
203 case IMAGE_SUBSYSTEM_EFI_ROM:
204 loaded_image_info->image_code_type = EFI_RUNTIME_SERVICES_CODE;
205 loaded_image_info->image_data_type = EFI_RUNTIME_SERVICES_DATA;
208 log_err("invalid image type: %u\n", image_type);
209 /* Let's assume it is an application */
210 loaded_image_info->image_code_type = EFI_LOADER_CODE;
211 loaded_image_info->image_data_type = EFI_LOADER_DATA;
217 * efi_image_region_add() - add an entry of region
218 * @regs: Pointer to array of regions
219 * @start: Start address of region (included)
220 * @end: End address of region (excluded)
221 * @nocheck: flag against overlapped regions
223 * Take one entry of region \[@start, @end\[ and insert it into the list.
225 * * If @nocheck is false, the list will be sorted ascending by address.
226 * Overlapping entries will not be allowed.
228 * * If @nocheck is true, the list will be sorted ascending by sequence
229 * of adding the entries. Overlapping is allowed.
231 * Return: status code
233 efi_status_t efi_image_region_add(struct efi_image_regions *regs,
234 const void *start, const void *end,
237 struct image_region *reg;
240 if (regs->num >= regs->max) {
241 EFI_PRINT("%s: no more room for regions\n", __func__);
242 return EFI_OUT_OF_RESOURCES;
246 return EFI_INVALID_PARAMETER;
248 for (i = 0; i < regs->num; i++) {
253 /* new data after registered region */
254 if (start >= reg->data + reg->size)
257 /* new data preceding registered region */
258 if (end <= reg->data) {
259 for (j = regs->num - 1; j >= i; j--)
260 memcpy(®s->reg[j + 1], ®s->reg[j],
265 /* new data overlapping registered region */
266 EFI_PRINT("%s: new region already part of another\n", __func__);
267 return EFI_INVALID_PARAMETER;
272 reg->size = end - start;
279 * cmp_pe_section() - compare virtual addresses of two PE image sections
280 * @arg1: pointer to pointer to first section header
281 * @arg2: pointer to pointer to second section header
283 * Compare the virtual addresses of two sections of an portable executable.
284 * The arguments are defined as const void * to allow usage with qsort().
286 * Return: -1 if the virtual address of arg1 is less than that of arg2,
287 * 0 if the virtual addresses are equal, 1 if the virtual address
288 * of arg1 is greater than that of arg2.
290 static int cmp_pe_section(const void *arg1, const void *arg2)
292 const IMAGE_SECTION_HEADER *section1, *section2;
294 section1 = *((const IMAGE_SECTION_HEADER **)arg1);
295 section2 = *((const IMAGE_SECTION_HEADER **)arg2);
297 if (section1->VirtualAddress < section2->VirtualAddress)
299 else if (section1->VirtualAddress == section2->VirtualAddress)
306 * efi_prepare_aligned_image() - prepare 8-byte aligned image
307 * @efi: pointer to the EFI binary
308 * @efi_size: size of @efi binary
310 * If @efi is not 8-byte aligned, this function newly allocates
313 * Return: valid pointer to a image, return NULL if allocation fails.
315 void *efi_prepare_aligned_image(void *efi, u64 *efi_size)
321 * Size must be 8-byte aligned and the trailing bytes must be
322 * zero'ed. Otherwise hash value may be incorrect.
324 if (!IS_ALIGNED(*efi_size, 8)) {
325 new_efi_size = ALIGN(*efi_size, 8);
326 new_efi = calloc(new_efi_size, 1);
329 memcpy(new_efi, efi, *efi_size);
330 *efi_size = new_efi_size;
338 * efi_image_parse() - parse a PE image
339 * @efi: Pointer to image
341 * @regp: Pointer to a list of regions
342 * @auth: Pointer to a pointer to authentication data in PE
343 * @auth_len: Size of @auth
345 * Parse image binary in PE32(+) format, assuming that sanity of PE image
346 * has been checked by a caller.
347 * On success, an address of authentication data in @efi and its size will
348 * be returned in @auth and @auth_len, respectively.
350 * Return: true on success, false on error
352 bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
353 WIN_CERTIFICATE **auth, size_t *auth_len)
355 struct efi_image_regions *regs;
356 IMAGE_DOS_HEADER *dos;
357 IMAGE_NT_HEADERS32 *nt;
358 IMAGE_SECTION_HEADER *sections, **sorted;
359 int num_regions, num_sections, i;
360 int ctidx = IMAGE_DIRECTORY_ENTRY_SECURITY;
361 u32 align, size, authsz, authoff;
365 nt = (void *)(efi + dos->e_lfanew);
370 * Count maximum number of regions to be digested.
371 * We don't have to have an exact number here.
372 * See efi_image_region_add()'s in parsing below.
374 num_regions = 3; /* for header */
375 num_regions += nt->FileHeader.NumberOfSections;
376 num_regions++; /* for extra */
378 regs = calloc(sizeof(*regs) + sizeof(struct image_region) * num_regions,
382 regs->max = num_regions;
385 * Collect data regions for hash calculation
388 if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
389 IMAGE_NT_HEADERS64 *nt64 = (void *)nt;
390 IMAGE_OPTIONAL_HEADER64 *opt = &nt64->OptionalHeader;
393 efi_image_region_add(regs, efi, &opt->CheckSum, 0);
394 if (nt64->OptionalHeader.NumberOfRvaAndSizes <= ctidx) {
395 efi_image_region_add(regs,
397 efi + opt->SizeOfHeaders, 0);
399 /* Skip Certificates Table */
400 efi_image_region_add(regs,
402 &opt->DataDirectory[ctidx], 0);
403 efi_image_region_add(regs,
404 &opt->DataDirectory[ctidx] + 1,
405 efi + opt->SizeOfHeaders, 0);
407 authoff = opt->DataDirectory[ctidx].VirtualAddress;
408 authsz = opt->DataDirectory[ctidx].Size;
411 bytes_hashed = opt->SizeOfHeaders;
412 align = opt->FileAlignment;
413 } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
414 IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader;
417 efi_image_region_add(regs, efi, &opt->CheckSum, 0);
418 if (nt->OptionalHeader.NumberOfRvaAndSizes <= ctidx) {
419 efi_image_region_add(regs,
421 efi + opt->SizeOfHeaders, 0);
423 /* Skip Certificates Table */
424 efi_image_region_add(regs, &opt->Subsystem,
425 &opt->DataDirectory[ctidx], 0);
426 efi_image_region_add(regs,
427 &opt->DataDirectory[ctidx] + 1,
428 efi + opt->SizeOfHeaders, 0);
430 authoff = opt->DataDirectory[ctidx].VirtualAddress;
431 authsz = opt->DataDirectory[ctidx].Size;
434 bytes_hashed = opt->SizeOfHeaders;
435 align = opt->FileAlignment;
437 EFI_PRINT("%s: Invalid optional header magic %x\n", __func__,
438 nt->OptionalHeader.Magic);
443 num_sections = nt->FileHeader.NumberOfSections;
444 sections = (void *)((uint8_t *)&nt->OptionalHeader +
445 nt->FileHeader.SizeOfOptionalHeader);
446 sorted = calloc(sizeof(IMAGE_SECTION_HEADER *), num_sections);
448 EFI_PRINT("%s: Out of memory\n", __func__);
453 * Make sure the section list is in ascending order.
455 for (i = 0; i < num_sections; i++)
456 sorted[i] = §ions[i];
457 qsort(sorted, num_sections, sizeof(sorted[0]), cmp_pe_section);
459 for (i = 0; i < num_sections; i++) {
460 if (!sorted[i]->SizeOfRawData)
463 size = (sorted[i]->SizeOfRawData + align - 1) & ~(align - 1);
464 efi_image_region_add(regs, efi + sorted[i]->PointerToRawData,
465 efi + sorted[i]->PointerToRawData + size,
467 EFI_PRINT("section[%d](%s): raw: 0x%x-0x%x, virt: %x-%x\n",
469 sorted[i]->PointerToRawData,
470 sorted[i]->PointerToRawData + size,
471 sorted[i]->VirtualAddress,
472 sorted[i]->VirtualAddress
473 + sorted[i]->Misc.VirtualSize);
475 bytes_hashed += size;
479 /* 3. Extra data excluding Certificates Table */
480 if (bytes_hashed + authsz < len) {
481 EFI_PRINT("extra data for hash: %zu\n",
482 len - (bytes_hashed + authsz));
483 efi_image_region_add(regs, efi + bytes_hashed,
484 efi + len - authsz, 0);
487 /* Return Certificates Table */
489 if (len < authoff + authsz) {
490 EFI_PRINT("%s: Size for auth too large: %u >= %zu\n",
491 __func__, authsz, len - authoff);
494 if (authsz < sizeof(*auth)) {
495 EFI_PRINT("%s: Size for auth too small: %u < %zu\n",
496 __func__, authsz, sizeof(*auth));
499 *auth = efi + authoff;
501 EFI_PRINT("WIN_CERTIFICATE: 0x%x, size: 0x%x\n", authoff,
518 #ifdef CONFIG_EFI_SECURE_BOOT
520 * efi_image_authenticate() - verify a signature of signed image
521 * @efi: Pointer to image
522 * @efi_size: Size of @efi
524 * A signed image should have its signature stored in a table of its PE header.
525 * So if an image is signed and only if if its signature is verified using
526 * signature databases, an image is authenticated.
527 * If an image is not signed, its validity is checked by using
528 * efi_image_unsigned_authenticated().
530 * When AuditMode==0, if the image's signature is not found in
531 * the authorized database, or is found in the forbidden database,
532 * the image will not be started and instead, information about it
533 * will be placed in this table.
534 * When AuditMode==1, an EFI_IMAGE_EXECUTION_INFO element is created
535 * in the EFI_IMAGE_EXECUTION_INFO_TABLE for every certificate found
536 * in the certificate table of every image that is validated.
538 * Return: true if authenticated, false if not
540 static bool efi_image_authenticate(void *efi, size_t efi_size)
542 struct efi_image_regions *regs = NULL;
543 WIN_CERTIFICATE *wincerts = NULL, *wincert;
545 struct pkcs7_message *msg = NULL;
546 struct efi_signature_store *db = NULL, *dbx = NULL;
547 void *new_efi = NULL;
548 u8 *auth, *wincerts_end;
552 EFI_PRINT("%s: Enter, %d\n", __func__, ret);
554 if (!efi_secure_boot_enabled())
557 new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);
561 if (!efi_image_parse(new_efi, efi_size, ®s, &wincerts,
563 EFI_PRINT("Parsing PE executable image failed\n");
568 * verify signature using db and dbx
570 db = efi_sigstore_parse_sigdb(u"db");
572 EFI_PRINT("Getting signature database(db) failed\n");
576 dbx = efi_sigstore_parse_sigdb(u"dbx");
578 EFI_PRINT("Getting signature database(dbx) failed\n");
582 if (efi_signature_lookup_digest(regs, dbx, true)) {
583 EFI_PRINT("Image's digest was found in \"dbx\"\n");
588 * go through WIN_CERTIFICATE list
590 * We may have multiple signatures either as WIN_CERTIFICATE's
591 * in PE header, or as pkcs7 SignerInfo's in SignedData.
592 * So the verification policy here is:
593 * - Success if, at least, one of signatures is verified
594 * - unless signature is rejected explicitly with its digest.
597 for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
598 (u8 *)wincert < wincerts_end;
599 wincert = (WIN_CERTIFICATE *)
600 ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) {
601 if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end)
604 if (wincert->dwLength <= sizeof(*wincert)) {
605 EFI_PRINT("dwLength too small: %u < %zu\n",
606 wincert->dwLength, sizeof(*wincert));
610 EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n",
611 wincert->wCertificateType);
613 auth = (u8 *)wincert + sizeof(*wincert);
614 auth_size = wincert->dwLength - sizeof(*wincert);
615 if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
616 if (auth + sizeof(efi_guid_t) >= wincerts_end)
619 if (auth_size <= sizeof(efi_guid_t)) {
620 EFI_PRINT("dwLength too small: %u < %zu\n",
621 wincert->dwLength, sizeof(*wincert));
624 if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
625 EFI_PRINT("Certificate type not supported: %pUs\n",
631 auth += sizeof(efi_guid_t);
632 auth_size -= sizeof(efi_guid_t);
633 } else if (wincert->wCertificateType
634 != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
635 EFI_PRINT("Certificate type not supported\n");
640 msg = pkcs7_parse_message(auth, auth_size);
642 EFI_PRINT("Parsing image's signature failed\n");
649 * UEFI specification defines two signature types possible
650 * in signature database:
651 * a. x509 certificate, where a signature in image is
652 * a message digest encrypted by RSA public key
653 * (EFI_CERT_X509_GUID)
654 * b. bare hash value of message digest
655 * (EFI_CERT_SHAxxx_GUID)
657 * efi_signature_verify() handles case (a), while
658 * efi_signature_lookup_digest() handles case (b).
660 * There is a third type:
661 * c. message digest of a certificate
662 * (EFI_CERT_X509_SHAAxxx_GUID)
663 * This type of signature is used only in revocation list
664 * (dbx) and handled as part of efi_signatgure_verify().
666 /* try black-list first */
667 if (efi_signature_verify_one(regs, msg, dbx)) {
669 EFI_PRINT("Signature was rejected by \"dbx\"\n");
673 if (!efi_signature_check_signers(msg, dbx)) {
675 EFI_PRINT("Signer(s) in \"dbx\"\n");
680 if (efi_signature_verify(regs, msg, db, dbx)) {
685 EFI_PRINT("Signature was not verified by \"db\"\n");
689 /* last resort try the image sha256 hash in db */
690 if (!ret && efi_signature_lookup_digest(regs, db, false))
694 efi_sigstore_free(db);
695 efi_sigstore_free(dbx);
696 pkcs7_free_message(msg);
701 EFI_PRINT("%s: Exit, %d\n", __func__, ret);
705 static bool efi_image_authenticate(void *efi, size_t efi_size)
709 #endif /* CONFIG_EFI_SECURE_BOOT */
713 * efi_check_pe() - check if a memory buffer contains a PE-COFF image
715 * @buffer: buffer to check
716 * @size: size of buffer
717 * @nt_header: on return pointer to NT header of PE-COFF image
718 * Return: EFI_SUCCESS if the buffer contains a PE-COFF image
720 efi_status_t efi_check_pe(void *buffer, size_t size, void **nt_header)
722 IMAGE_DOS_HEADER *dos = buffer;
723 IMAGE_NT_HEADERS32 *nt;
725 if (size < sizeof(*dos))
726 return EFI_INVALID_PARAMETER;
728 /* Check for DOS magix */
729 if (dos->e_magic != IMAGE_DOS_SIGNATURE)
730 return EFI_INVALID_PARAMETER;
733 * Check if the image section header fits into the file. Knowing that at
734 * least one section header follows we only need to check for the length
735 * of the 64bit header which is longer than the 32bit header.
737 if (size < dos->e_lfanew + sizeof(IMAGE_NT_HEADERS32))
738 return EFI_INVALID_PARAMETER;
739 nt = (IMAGE_NT_HEADERS32 *)((u8 *)buffer + dos->e_lfanew);
741 /* Check for PE-COFF magic */
742 if (nt->Signature != IMAGE_NT_SIGNATURE)
743 return EFI_INVALID_PARAMETER;
752 * section_size() - determine size of section
754 * The size of a section in memory if normally given by VirtualSize.
755 * If VirtualSize is not provided, use SizeOfRawData.
757 * @sec: section header
758 * Return: size of section in memory
760 static u32 section_size(IMAGE_SECTION_HEADER *sec)
762 if (sec->Misc.VirtualSize)
763 return sec->Misc.VirtualSize;
765 return sec->SizeOfRawData;
769 * efi_load_pe() - relocate EFI binary
771 * This function loads all sections from a PE binary into a newly reserved
772 * piece of memory. On success the entry point is returned as handle->entry.
774 * @handle: loaded image handle
775 * @efi: pointer to the EFI binary
776 * @efi_size: size of @efi binary
777 * @loaded_image_info: loaded image protocol
778 * Return: status code
780 efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
781 void *efi, size_t efi_size,
782 struct efi_loaded_image *loaded_image_info)
784 IMAGE_NT_HEADERS32 *nt;
785 IMAGE_DOS_HEADER *dos;
786 IMAGE_SECTION_HEADER *sections;
790 const IMAGE_BASE_RELOCATION *rel;
791 unsigned long rel_size;
792 int rel_idx = IMAGE_DIRECTORY_ENTRY_BASERELOC;
794 unsigned long virt_size = 0;
798 ret = efi_check_pe(efi, efi_size, (void **)&nt);
799 if (ret != EFI_SUCCESS) {
800 log_err("Not a PE-COFF file\n");
801 return EFI_LOAD_ERROR;
804 for (i = 0; machines[i]; i++)
805 if (machines[i] == nt->FileHeader.Machine) {
811 log_err("Machine type 0x%04x is not supported\n",
812 nt->FileHeader.Machine);
813 return EFI_LOAD_ERROR;
816 num_sections = nt->FileHeader.NumberOfSections;
817 sections = (void *)&nt->OptionalHeader +
818 nt->FileHeader.SizeOfOptionalHeader;
820 if (efi_size < ((void *)sections + sizeof(sections[0]) * num_sections
822 log_err("Invalid number of sections: %d\n", num_sections);
823 return EFI_LOAD_ERROR;
826 /* Authenticate an image */
827 if (efi_image_authenticate(efi, efi_size)) {
828 handle->auth_status = EFI_IMAGE_AUTH_PASSED;
830 handle->auth_status = EFI_IMAGE_AUTH_FAILED;
831 log_err("Image not authenticated\n");
834 /* Calculate upper virtual address boundary */
835 for (i = num_sections - 1; i >= 0; i--) {
836 IMAGE_SECTION_HEADER *sec = §ions[i];
838 virt_size = max_t(unsigned long, virt_size,
839 sec->VirtualAddress + section_size(sec));
842 /* Read 32/64bit specific header bits */
843 if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
844 IMAGE_NT_HEADERS64 *nt64 = (void *)nt;
845 IMAGE_OPTIONAL_HEADER64 *opt = &nt64->OptionalHeader;
846 image_base = opt->ImageBase;
847 efi_set_code_and_data_type(loaded_image_info, opt->Subsystem);
848 handle->image_type = opt->Subsystem;
849 efi_reloc = efi_alloc_aligned_pages(virt_size,
850 loaded_image_info->image_code_type,
851 opt->SectionAlignment);
853 log_err("Out of memory\n");
854 ret = EFI_OUT_OF_RESOURCES;
857 handle->entry = efi_reloc + opt->AddressOfEntryPoint;
858 rel_size = opt->DataDirectory[rel_idx].Size;
859 rel = efi_reloc + opt->DataDirectory[rel_idx].VirtualAddress;
860 } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
861 IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader;
862 image_base = opt->ImageBase;
863 efi_set_code_and_data_type(loaded_image_info, opt->Subsystem);
864 handle->image_type = opt->Subsystem;
865 efi_reloc = efi_alloc_aligned_pages(virt_size,
866 loaded_image_info->image_code_type,
867 opt->SectionAlignment);
869 log_err("Out of memory\n");
870 ret = EFI_OUT_OF_RESOURCES;
873 handle->entry = efi_reloc + opt->AddressOfEntryPoint;
874 rel_size = opt->DataDirectory[rel_idx].Size;
875 rel = efi_reloc + opt->DataDirectory[rel_idx].VirtualAddress;
877 log_err("Invalid optional header magic %x\n",
878 nt->OptionalHeader.Magic);
879 ret = EFI_LOAD_ERROR;
883 #if CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL)
884 /* Measure an PE/COFF image */
885 ret = tcg2_measure_pe_image(efi, efi_size, handle, loaded_image_info);
886 if (ret == EFI_SECURITY_VIOLATION) {
888 * TCG2 Protocol is installed but no TPM device found,
889 * this is not expected.
891 log_err("PE image measurement failed, no tpm device found\n");
897 /* Copy PE headers */
898 memcpy(efi_reloc, efi,
901 + nt->FileHeader.SizeOfOptionalHeader
902 + num_sections * sizeof(IMAGE_SECTION_HEADER));
904 /* Load sections into RAM */
905 for (i = num_sections - 1; i >= 0; i--) {
906 IMAGE_SECTION_HEADER *sec = §ions[i];
907 u32 copy_size = section_size(sec);
909 if (copy_size > sec->SizeOfRawData) {
910 copy_size = sec->SizeOfRawData;
911 memset(efi_reloc + sec->VirtualAddress, 0,
912 sec->Misc.VirtualSize);
914 memcpy(efi_reloc + sec->VirtualAddress,
915 efi + sec->PointerToRawData,
919 /* Run through relocations */
920 if (efi_loader_relocate(rel, rel_size, efi_reloc,
921 (unsigned long)image_base) != EFI_SUCCESS) {
922 efi_free_pages((uintptr_t) efi_reloc,
923 (virt_size + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT);
924 ret = EFI_LOAD_ERROR;
929 flush_cache((ulong)efi_reloc,
930 ALIGN(virt_size, EFI_CACHELINE_SIZE));
931 invalidate_icache_all();
933 /* Populate the loaded image interface bits */
934 loaded_image_info->image_base = efi_reloc;
935 loaded_image_info->image_size = virt_size;
937 if (handle->auth_status == EFI_IMAGE_AUTH_PASSED)
940 return EFI_SECURITY_VIOLATION;