| /* |
| * Copyright (C) 2008 Michael Brown <mbrown@fensystems.co.uk>. |
| * |
| * This program is free software; you can redistribute it and/or |
| * modify it under the terms of the GNU General Public License as |
| * published by the Free Software Foundation; either version 2 of the |
| * License, or any later version. |
| * |
| * This program is distributed in the hope that it will be useful, but |
| * WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| * General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with this program; if not, write to the Free Software |
| * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
| * 02110-1301, USA. |
| */ |
| |
| FILE_LICENCE ( GPL2_OR_LATER ); |
| |
| #include <errno.h> |
| #include <stdlib.h> |
| #include <wchar.h> |
| #include <ipxe/efi/efi.h> |
| #include <ipxe/efi/efi_snp.h> |
| #include <ipxe/efi/efi_download.h> |
| #include <ipxe/efi/efi_file.h> |
| #include <ipxe/efi/efi_path.h> |
| #include <ipxe/efi/efi_strings.h> |
| #include <ipxe/efi/efi_wrap.h> |
| #include <ipxe/efi/efi_pxe.h> |
| #include <ipxe/efi/efi_driver.h> |
| #include <ipxe/efi/efi_image.h> |
| #include <ipxe/efi/efi_shim.h> |
| #include <ipxe/image.h> |
| #include <ipxe/init.h> |
| #include <ipxe/features.h> |
| #include <ipxe/uri.h> |
| #include <ipxe/console.h> |
| |
| FEATURE ( FEATURE_IMAGE, "EFI", DHCP_EB_FEATURE_EFI, 1 ); |
| |
| /* Disambiguate the various error causes */ |
| #define EINFO_EEFI_LOAD \ |
| __einfo_uniqify ( EINFO_EPLATFORM, 0x01, \ |
| "Could not load image" ) |
| #define EINFO_EEFI_LOAD_PROHIBITED \ |
| __einfo_platformify ( EINFO_EEFI_LOAD, EFI_SECURITY_VIOLATION, \ |
| "Image prohibited by security policy" ) |
| #define EEFI_LOAD_PROHIBITED \ |
| __einfo_error ( EINFO_EEFI_LOAD_PROHIBITED ) |
| #define EEFI_LOAD( efirc ) EPLATFORM ( EINFO_EEFI_LOAD, efirc, \ |
| EEFI_LOAD_PROHIBITED ) |
| #define EINFO_EEFI_START \ |
| __einfo_uniqify ( EINFO_EPLATFORM, 0x02, \ |
| "Could not start image" ) |
| #define EEFI_START( efirc ) EPLATFORM ( EINFO_EEFI_START, efirc ) |
| |
| /** |
| * Create device path for image |
| * |
| * @v image EFI image |
| * @v parent Parent device path |
| * @ret path Device path, or NULL on failure |
| * |
| * The caller must eventually free() the device path. |
| */ |
| static EFI_DEVICE_PATH_PROTOCOL * |
| efi_image_path ( struct image *image, EFI_DEVICE_PATH_PROTOCOL *parent ) { |
| EFI_DEVICE_PATH_PROTOCOL *path; |
| FILEPATH_DEVICE_PATH *filepath; |
| EFI_DEVICE_PATH_PROTOCOL *end; |
| size_t name_len; |
| size_t prefix_len; |
| size_t filepath_len; |
| size_t len; |
| |
| /* Calculate device path lengths */ |
| prefix_len = efi_path_len ( parent ); |
| name_len = strlen ( image->name ); |
| filepath_len = ( SIZE_OF_FILEPATH_DEVICE_PATH + |
| ( name_len + 1 /* NUL */ ) * sizeof ( wchar_t ) ); |
| len = ( prefix_len + filepath_len + sizeof ( *end ) ); |
| |
| /* Allocate device path */ |
| path = zalloc ( len ); |
| if ( ! path ) |
| return NULL; |
| |
| /* Construct device path */ |
| memcpy ( path, parent, prefix_len ); |
| filepath = ( ( ( void * ) path ) + prefix_len ); |
| filepath->Header.Type = MEDIA_DEVICE_PATH; |
| filepath->Header.SubType = MEDIA_FILEPATH_DP; |
| filepath->Header.Length[0] = ( filepath_len & 0xff ); |
| filepath->Header.Length[1] = ( filepath_len >> 8 ); |
| efi_snprintf ( filepath->PathName, ( name_len + 1 /* NUL */ ), |
| "%s", image->name ); |
| end = ( ( ( void * ) filepath ) + filepath_len ); |
| efi_path_terminate ( end ); |
| |
| return path; |
| } |
| |
| /** |
| * Create command line for image |
| * |
| * @v image EFI image |
| * @ret cmdline Command line, or NULL on failure |
| */ |
| static wchar_t * efi_image_cmdline ( struct image *image ) { |
| wchar_t *cmdline; |
| |
| /* Allocate and construct command line */ |
| if ( efi_asprintf ( &cmdline, "%s%s%s", image->name, |
| ( image->cmdline ? " " : "" ), |
| ( image->cmdline ? image->cmdline : "" ) ) < 0 ) { |
| return NULL; |
| } |
| |
| return cmdline; |
| } |
| |
| /** |
| * Execute EFI image |
| * |
| * @v image EFI image |
| * @ret rc Return status code |
| */ |
| static int efi_image_exec ( struct image *image ) { |
| EFI_BOOT_SERVICES *bs = efi_systab->BootServices; |
| struct efi_snp_device *snpdev; |
| EFI_DEVICE_PATH_PROTOCOL *path; |
| union { |
| EFI_LOADED_IMAGE_PROTOCOL *image; |
| void *interface; |
| } loaded; |
| struct image *shim; |
| struct image *exec; |
| EFI_HANDLE handle; |
| EFI_MEMORY_TYPE type; |
| wchar_t *cmdline; |
| unsigned int toggle; |
| EFI_STATUS efirc; |
| int rc; |
| |
| /* Find an appropriate device handle to use */ |
| snpdev = last_opened_snpdev(); |
| if ( ! snpdev ) { |
| DBGC ( image, "EFIIMAGE %s could not identify SNP device\n", |
| image->name ); |
| rc = -ENODEV; |
| goto err_no_snpdev; |
| } |
| |
| /* Use shim instead of directly executing image if applicable */ |
| shim = ( efi_can_load ( image ) ? |
| NULL : find_image_tag ( &efi_shim ) ); |
| exec = ( shim ? shim : image ); |
| if ( shim ) { |
| DBGC ( image, "EFIIMAGE %s executing via %s\n", |
| image->name, shim->name ); |
| } |
| |
| /* Re-register as a hidden image to allow for access via file I/O */ |
| toggle = ( ~image->flags & IMAGE_HIDDEN ); |
| image->flags |= IMAGE_HIDDEN; |
| if ( ( rc = register_image ( image ) ) != 0 ) |
| goto err_register_image; |
| |
| /* Install file I/O protocols */ |
| if ( ( rc = efi_file_install ( snpdev->handle ) ) != 0 ) { |
| DBGC ( image, "EFIIMAGE %s could not install file protocol: " |
| "%s\n", image->name, strerror ( rc ) ); |
| goto err_file_install; |
| } |
| |
| /* Install PXE base code protocol */ |
| if ( ( rc = efi_pxe_install ( snpdev->handle, snpdev->netdev ) ) != 0 ){ |
| DBGC ( image, "EFIIMAGE %s could not install PXE protocol: " |
| "%s\n", image->name, strerror ( rc ) ); |
| goto err_pxe_install; |
| } |
| |
| /* Install iPXE download protocol */ |
| if ( ( rc = efi_download_install ( snpdev->handle ) ) != 0 ) { |
| DBGC ( image, "EFIIMAGE %s could not install iPXE download " |
| "protocol: %s\n", image->name, strerror ( rc ) ); |
| goto err_download_install; |
| } |
| |
| /* Create device path for image */ |
| path = efi_image_path ( exec, snpdev->path ); |
| if ( ! path ) { |
| DBGC ( image, "EFIIMAGE %s could not create device path\n", |
| image->name ); |
| rc = -ENOMEM; |
| goto err_image_path; |
| } |
| |
| /* Create command line for image */ |
| cmdline = efi_image_cmdline ( image ); |
| if ( ! cmdline ) { |
| DBGC ( image, "EFIIMAGE %s could not create command line\n", |
| image->name ); |
| rc = -ENOMEM; |
| goto err_cmdline; |
| } |
| |
| /* Install shim special handling if applicable */ |
| if ( shim && |
| ( ( rc = efi_shim_install ( shim, snpdev->handle, |
| &cmdline ) ) != 0 ) ){ |
| DBGC ( image, "EFIIMAGE %s could not install shim handling: " |
| "%s\n", image->name, strerror ( rc ) ); |
| goto err_shim_install; |
| } |
| |
| /* Attempt loading image */ |
| handle = NULL; |
| if ( ( efirc = bs->LoadImage ( FALSE, efi_image_handle, path, |
| user_to_virt ( exec->data, 0 ), |
| exec->len, &handle ) ) != 0 ) { |
| /* Not an EFI image */ |
| rc = -EEFI_LOAD ( efirc ); |
| DBGC ( image, "EFIIMAGE %s could not load: %s\n", |
| image->name, strerror ( rc ) ); |
| if ( efirc == EFI_SECURITY_VIOLATION ) { |
| goto err_load_image_security_violation; |
| } else { |
| goto err_load_image; |
| } |
| } |
| |
| /* Get the loaded image protocol for the newly loaded image */ |
| efirc = bs->OpenProtocol ( handle, &efi_loaded_image_protocol_guid, |
| &loaded.interface, efi_image_handle, |
| NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL ); |
| if ( efirc ) { |
| /* Should never happen */ |
| rc = -EEFI ( efirc ); |
| goto err_open_protocol; |
| } |
| |
| /* Some EFI 1.10 implementations seem not to fill in DeviceHandle */ |
| if ( loaded.image->DeviceHandle == NULL ) { |
| DBGC ( image, "EFIIMAGE %s filling in missing DeviceHandle\n", |
| image->name ); |
| loaded.image->DeviceHandle = snpdev->handle; |
| } |
| |
| /* Sanity checks */ |
| assert ( loaded.image->ParentHandle == efi_image_handle ); |
| assert ( loaded.image->DeviceHandle == snpdev->handle ); |
| assert ( loaded.image->LoadOptionsSize == 0 ); |
| assert ( loaded.image->LoadOptions == NULL ); |
| |
| /* Record image code type */ |
| type = loaded.image->ImageCodeType; |
| |
| /* Set command line */ |
| loaded.image->LoadOptions = cmdline; |
| loaded.image->LoadOptionsSize = |
| ( ( wcslen ( cmdline ) + 1 /* NUL */ ) * sizeof ( wchar_t ) ); |
| |
| /* Release network devices for use via SNP */ |
| efi_snp_release(); |
| |
| /* Wrap calls made by the loaded image (for debugging) */ |
| efi_wrap ( handle ); |
| |
| /* Reset console since image will probably use it */ |
| console_reset(); |
| |
| /* Start the image */ |
| if ( ( efirc = bs->StartImage ( handle, NULL, NULL ) ) != 0 ) { |
| rc = -EEFI_START ( efirc ); |
| DBGC ( image, "EFIIMAGE %s could not start (or returned with " |
| "error): %s\n", image->name, strerror ( rc ) ); |
| goto err_start_image; |
| } |
| |
| /* If image was a driver, connect it up to anything available */ |
| if ( type == EfiBootServicesCode ) { |
| DBGC ( image, "EFIIMAGE %s connecting drivers\n", image->name ); |
| efi_driver_reconnect_all(); |
| } |
| |
| /* Success */ |
| rc = 0; |
| |
| err_start_image: |
| efi_snp_claim(); |
| err_open_protocol: |
| /* If there was no error, then the image must have been |
| * started and returned successfully. It either unloaded |
| * itself, or it intended to remain loaded (e.g. it was a |
| * driver). We therefore do not unload successful images. |
| * |
| * If there was an error, attempt to unload the image. This |
| * may not work. In particular, there is no way to tell |
| * whether an error returned from StartImage() was due to |
| * being unable to start the image (in which case we probably |
| * should call UnloadImage()), or due to the image itself |
| * returning an error (in which case we probably should not |
| * call UnloadImage()). We therefore ignore any failures from |
| * the UnloadImage() call itself. |
| */ |
| err_load_image_security_violation: |
| if ( rc != 0 ) |
| bs->UnloadImage ( handle ); |
| err_load_image: |
| if ( shim ) |
| efi_shim_uninstall(); |
| err_shim_install: |
| free ( cmdline ); |
| err_cmdline: |
| free ( path ); |
| err_image_path: |
| efi_download_uninstall ( snpdev->handle ); |
| err_download_install: |
| efi_pxe_uninstall ( snpdev->handle ); |
| err_pxe_install: |
| efi_file_uninstall ( snpdev->handle ); |
| err_file_install: |
| unregister_image ( image ); |
| err_register_image: |
| image->flags ^= toggle; |
| err_no_snpdev: |
| return rc; |
| } |
| |
| /** |
| * Probe EFI image |
| * |
| * @v image EFI file |
| * @ret rc Return status code |
| */ |
| static int efi_image_probe ( struct image *image ) { |
| EFI_BOOT_SERVICES *bs = efi_systab->BootServices; |
| static EFI_DEVICE_PATH_PROTOCOL empty_path = { |
| .Type = END_DEVICE_PATH_TYPE, |
| .SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE, |
| .Length[0] = sizeof ( empty_path ), |
| }; |
| EFI_HANDLE handle; |
| EFI_STATUS efirc; |
| int rc; |
| |
| /* Attempt loading image */ |
| handle = NULL; |
| if ( ( efirc = bs->LoadImage ( FALSE, efi_image_handle, &empty_path, |
| user_to_virt ( image->data, 0 ), |
| image->len, &handle ) ) != 0 ) { |
| /* Not an EFI image */ |
| rc = -EEFI_LOAD ( efirc ); |
| DBGC ( image, "EFIIMAGE %s could not load: %s\n", |
| image->name, strerror ( rc ) ); |
| if ( efirc == EFI_SECURITY_VIOLATION ) { |
| goto err_load_image_security_violation; |
| } else { |
| goto err_load_image; |
| } |
| } |
| |
| /* Unload the image. We can't leave it loaded, because we |
| * have no "unload" operation. |
| */ |
| bs->UnloadImage ( handle ); |
| |
| return 0; |
| |
| err_load_image_security_violation: |
| bs->UnloadImage ( handle ); |
| err_load_image: |
| return rc; |
| } |
| |
| /** |
| * Probe EFI PE image |
| * |
| * @v image EFI file |
| * @ret rc Return status code |
| * |
| * The extremely broken UEFI Secure Boot model provides no way for us |
| * to unambiguously determine that a valid EFI executable image was |
| * rejected by LoadImage() because it failed signature verification. |
| * We must therefore use heuristics to guess whether not an image that |
| * was rejected by LoadImage() could still be loaded via a separate PE |
| * loader such as the UEFI shim. |
| */ |
| static int efi_pe_image_probe ( struct image *image ) { |
| const UINT16 magic = ( ( sizeof ( UINTN ) == sizeof ( uint32_t ) ) ? |
| EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC : |
| EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC ); |
| union { |
| EFI_IMAGE_DOS_HEADER dos; |
| EFI_IMAGE_OPTIONAL_HEADER_UNION pe; |
| } u; |
| |
| /* Check for existence of DOS header */ |
| if ( image->len < sizeof ( u.dos ) ) { |
| DBGC ( image, "EFIIMAGE %s too short for DOS header\n", |
| image->name ); |
| return -ENOEXEC; |
| } |
| copy_from_user ( &u.dos, image->data, 0, sizeof ( u.dos ) ); |
| if ( u.dos.e_magic != EFI_IMAGE_DOS_SIGNATURE ) { |
| DBGC ( image, "EFIIMAGE %s missing MZ signature\n", |
| image->name ); |
| return -ENOEXEC; |
| } |
| |
| /* Check for existence of PE header */ |
| if ( ( image->len < u.dos.e_lfanew ) || |
| ( ( image->len - u.dos.e_lfanew ) < sizeof ( u.pe ) ) ) { |
| DBGC ( image, "EFIIMAGE %s too short for PE header\n", |
| image->name ); |
| return -ENOEXEC; |
| } |
| copy_from_user ( &u.pe, image->data, u.dos.e_lfanew, sizeof ( u.pe ) ); |
| if ( u.pe.Pe32.Signature != EFI_IMAGE_NT_SIGNATURE ) { |
| DBGC ( image, "EFIIMAGE %s missing PE signature\n", |
| image->name ); |
| return -ENOEXEC; |
| } |
| |
| /* Check PE header magic */ |
| if ( u.pe.Pe32.OptionalHeader.Magic != magic ) { |
| DBGC ( image, "EFIIMAGE %s incorrect magic %04x\n", |
| image->name, u.pe.Pe32.OptionalHeader.Magic ); |
| return -ENOEXEC; |
| } |
| |
| return 0; |
| } |
| |
| /** EFI image types */ |
| struct image_type efi_image_type[] __image_type ( PROBE_NORMAL ) = { |
| { |
| .name = "EFI", |
| .probe = efi_image_probe, |
| .exec = efi_image_exec, |
| }, |
| { |
| .name = "EFIPE", |
| .probe = efi_pe_image_probe, |
| .exec = efi_image_exec, |
| }, |
| }; |
