2 EFI PEI Core Security services
4 Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
18 EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList
= {
19 EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH
| EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST
,
20 &gEfiPeiSecurity2PpiGuid
,
21 SecurityPpiNotifyCallback
25 Initialize the security services.
27 @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
28 @param OldCoreData Pointer to the old core data.
29 NULL if being run in non-permament memory mode.
33 InitializeSecurityServices (
34 IN EFI_PEI_SERVICES
**PeiServices
,
35 IN PEI_CORE_INSTANCE
*OldCoreData
38 if (OldCoreData
== NULL
) {
39 PeiServicesNotifyPpi (&mNotifyList
);
46 Provide a callback for when the security PPI is installed.
47 This routine will cache installed security PPI into PeiCore's private data.
49 @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
50 @param NotifyDescriptor The descriptor for the notification event.
51 @param Ppi Pointer to the PPI in question.
53 @return Always success
58 SecurityPpiNotifyCallback (
59 IN EFI_PEI_SERVICES
**PeiServices
,
60 IN EFI_PEI_NOTIFY_DESCRIPTOR
*NotifyDescriptor
,
64 PEI_CORE_INSTANCE
*PrivateData
;
67 // Get PEI Core private data
69 PrivateData
= PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices
);
72 // If there isn't a security PPI installed, use the one from notification
74 if (PrivateData
->PrivateSecurityPpi
== NULL
) {
75 PrivateData
->PrivateSecurityPpi
= (EFI_PEI_SECURITY2_PPI
*)Ppi
;
81 Provide a callout to the security verification service.
83 @param PrivateData PeiCore's private data structure
84 @param VolumeHandle Handle of FV
85 @param FileHandle Handle of PEIM's ffs
86 @param AuthenticationStatus Authentication status
88 @retval EFI_SUCCESS Image is OK
89 @retval EFI_SECURITY_VIOLATION Image is illegal
90 @retval EFI_NOT_FOUND If security PPI is not installed.
94 IN PEI_CORE_INSTANCE
*PrivateData
,
95 IN EFI_PEI_FV_HANDLE VolumeHandle
,
96 IN EFI_PEI_FILE_HANDLE FileHandle
,
97 IN UINT32 AuthenticationStatus
101 BOOLEAN DeferExection
;
103 Status
= EFI_NOT_FOUND
;
104 if (PrivateData
->PrivateSecurityPpi
== NULL
) {
106 // Check AuthenticationStatus first.
108 if ((AuthenticationStatus
& EFI_AUTH_STATUS_IMAGE_SIGNED
) != 0) {
109 if ((AuthenticationStatus
& (EFI_AUTH_STATUS_TEST_FAILED
| EFI_AUTH_STATUS_NOT_TESTED
)) != 0) {
110 Status
= EFI_SECURITY_VIOLATION
;
115 // Check to see if the image is OK
117 Status
= PrivateData
->PrivateSecurityPpi
->AuthenticationState (
118 (CONST EFI_PEI_SERVICES
**) &PrivateData
->Ps
,
119 PrivateData
->PrivateSecurityPpi
,
120 AuthenticationStatus
,
126 Status
= EFI_SECURITY_VIOLATION
;
134 Verify a Firmware volume.
136 @param CurrentFvAddress Pointer to the current Firmware Volume under consideration
138 @retval EFI_SUCCESS Firmware Volume is legal
143 IN EFI_FIRMWARE_VOLUME_HEADER
*CurrentFvAddress
147 // Right now just pass the test. Future can authenticate and/or check the
148 // FV-header or other metric for goodness of binary.