4 Caution: This module requires additional review when modified.
5 This module will have external input - capsule image.
6 This external input must be validated carefully to avoid security issue like
7 buffer overflow, integer overflow.
9 ProcessCapsules(), ProcessTheseCapsules() will receive untrusted
10 input and do basic validation.
12 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
13 This program and the accompanying materials
14 are licensed and made available under the terms and conditions of the BSD License
15 which accompanies this distribution. The full text of the license may be found at
16 http://opensource.org/licenses/bsd-license.php
18 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
19 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
24 #include <Protocol/EsrtManagement.h>
26 #include <Library/BaseLib.h>
27 #include <Library/DebugLib.h>
28 #include <Library/BaseMemoryLib.h>
29 #include <Library/UefiBootServicesTableLib.h>
30 #include <Library/UefiRuntimeServicesTableLib.h>
31 #include <Library/MemoryAllocationLib.h>
32 #include <Library/UefiLib.h>
33 #include <Library/PcdLib.h>
34 #include <Library/HobLib.h>
35 #include <Library/ReportStatusCodeLib.h>
36 #include <Library/CapsuleLib.h>
38 #include <IndustryStandard/WindowsUxCapsule.h>
41 Return if this FMP is a system FMP or a device FMP, based upon CapsuleHeader.
43 @param[in] CapsuleHeader A pointer to EFI_CAPSULE_HEADER
45 @retval TRUE It is a system FMP.
46 @retval FALSE It is a device FMP.
50 IN EFI_CAPSULE_HEADER
*CapsuleHeader
54 Validate Fmp capsules layout.
56 Caution: This function may receive untrusted input.
58 This function assumes the caller validated the capsule by using
59 IsValidCapsuleHeader(), so that all fields in EFI_CAPSULE_HEADER are correct.
60 The capsule buffer size is CapsuleHeader->CapsuleImageSize.
62 This function validates the fields in EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER
63 and EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER.
65 This function need support nested FMP capsule.
67 @param[in] CapsuleHeader Points to a capsule header.
68 @param[out] EmbeddedDriverCount The EmbeddedDriverCount in the FMP capsule.
70 @retval EFI_SUCESS Input capsule is a correct FMP capsule.
71 @retval EFI_INVALID_PARAMETER Input capsule is not a correct FMP capsule.
75 IN EFI_CAPSULE_HEADER
*CapsuleHeader
,
76 OUT UINT16
*EmbeddedDriverCount OPTIONAL
80 Validate if it is valid capsule header
82 This function assumes the caller provided correct CapsuleHeader pointer
85 This function validates the fields in EFI_CAPSULE_HEADER.
87 @param[in] CapsuleHeader Points to a capsule header.
88 @param[in] CapsuleSize Size of the whole capsule image.
92 IsValidCapsuleHeader (
93 IN EFI_CAPSULE_HEADER
*CapsuleHeader
,
97 extern BOOLEAN mDxeCapsuleLibEndOfDxe
;
101 EFI_STATUS
*mCapsuleStatusArray
;
102 UINT32 mCapsuleTotalNumber
;
105 This function initializes the mCapsulePtr, mCapsuleStatusArray and mCapsuleTotalNumber.
112 EFI_PEI_HOB_POINTERS HobPointer
;
116 // Find all capsule images from hob
118 HobPointer
.Raw
= GetHobList ();
119 while ((HobPointer
.Raw
= GetNextHob (EFI_HOB_TYPE_UEFI_CAPSULE
, HobPointer
.Raw
)) != NULL
) {
120 if (!IsValidCapsuleHeader((VOID
*)(UINTN
)HobPointer
.Capsule
->BaseAddress
, HobPointer
.Capsule
->Length
)) {
121 HobPointer
.Header
->HobType
= EFI_HOB_TYPE_UNUSED
; // Mark this hob as invalid
123 mCapsuleTotalNumber
++;
125 HobPointer
.Raw
= GET_NEXT_HOB (HobPointer
);
128 DEBUG ((DEBUG_INFO
, "mCapsuleTotalNumber - 0x%x\n", mCapsuleTotalNumber
));
130 if (mCapsuleTotalNumber
== 0) {
135 // Init temp Capsule Data table.
137 mCapsulePtr
= (VOID
**) AllocateZeroPool (sizeof (VOID
*) * mCapsuleTotalNumber
);
138 if (mCapsulePtr
== NULL
) {
139 DEBUG ((DEBUG_ERROR
, "Allocate mCapsulePtr fail!\n"));
140 mCapsuleTotalNumber
= 0;
143 mCapsuleStatusArray
= (EFI_STATUS
*) AllocateZeroPool (sizeof (EFI_STATUS
) * mCapsuleTotalNumber
);
144 if (mCapsuleStatusArray
== NULL
) {
145 DEBUG ((DEBUG_ERROR
, "Allocate mCapsuleStatusArray fail!\n"));
146 FreePool (mCapsulePtr
);
148 mCapsuleTotalNumber
= 0;
151 SetMemN (mCapsuleStatusArray
, sizeof (EFI_STATUS
) * mCapsuleTotalNumber
, EFI_NOT_READY
);
154 // Find all capsule images from hob
156 HobPointer
.Raw
= GetHobList ();
158 while ((HobPointer
.Raw
= GetNextHob (EFI_HOB_TYPE_UEFI_CAPSULE
, HobPointer
.Raw
)) != NULL
) {
159 mCapsulePtr
[Index
++] = (VOID
*) (UINTN
) HobPointer
.Capsule
->BaseAddress
;
160 HobPointer
.Raw
= GET_NEXT_HOB (HobPointer
);
165 This function returns if all capsule images are processed.
167 @retval TRUE All capsule images are processed.
168 @retval FALSE Not all capsule images are processed.
171 AreAllImagesProcessed (
177 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
178 if (mCapsuleStatusArray
[Index
] == EFI_NOT_READY
) {
187 This function populates capsule in the configuration table.
190 PopulateCapsuleInConfigurationTable (
194 VOID
**CapsulePtrCache
;
195 EFI_GUID
*CapsuleGuidCache
;
196 EFI_CAPSULE_HEADER
*CapsuleHeader
;
197 EFI_CAPSULE_TABLE
*CapsuleTable
;
200 UINT32 CapsuleNumber
;
205 if (mCapsuleTotalNumber
== 0) {
209 CapsulePtrCache
= NULL
;
210 CapsuleGuidCache
= NULL
;
214 CapsulePtrCache
= (VOID
**) AllocateZeroPool (sizeof (VOID
*) * mCapsuleTotalNumber
);
215 if (CapsulePtrCache
== NULL
) {
216 DEBUG ((DEBUG_ERROR
, "Allocate CapsulePtrCache fail!\n"));
219 CapsuleGuidCache
= (EFI_GUID
*) AllocateZeroPool (sizeof (EFI_GUID
) * mCapsuleTotalNumber
);
220 if (CapsuleGuidCache
== NULL
) {
221 DEBUG ((DEBUG_ERROR
, "Allocate CapsuleGuidCache fail!\n"));
222 FreePool (CapsulePtrCache
);
227 // Capsules who have CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE always are used for operating
228 // System to have information persist across a system reset. EFI System Table must
229 // point to an array of capsules that contains the same CapsuleGuid value. And agents
230 // searching for this type capsule will look in EFI System Table and search for the
231 // capsule's Guid and associated pointer to retrieve the data. Two steps below describes
232 // how to sorting the capsules by the unique guid and install the array to EFI System Table.
233 // Firstly, Loop for all coalesced capsules, record unique CapsuleGuids and cache them in an
234 // array for later sorting capsules by CapsuleGuid.
236 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
237 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
238 if ((CapsuleHeader
->Flags
& CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE
) != 0) {
240 // For each capsule, we compare it with known CapsuleGuid in the CacheArray.
241 // If already has the Guid, skip it. Whereas, record it in the CacheArray as
242 // an additional one.
245 while (CacheIndex
< CacheNumber
) {
246 if (CompareGuid(&CapsuleGuidCache
[CacheIndex
],&CapsuleHeader
->CapsuleGuid
)) {
251 if (CacheIndex
== CacheNumber
) {
252 CopyMem(&CapsuleGuidCache
[CacheNumber
++],&CapsuleHeader
->CapsuleGuid
,sizeof(EFI_GUID
));
258 // Secondly, for each unique CapsuleGuid in CacheArray, gather all coalesced capsules
259 // whose guid is the same as it, and malloc memory for an array which preceding
260 // with UINT32. The array fills with entry point of capsules that have the same
261 // CapsuleGuid, and UINT32 represents the size of the array of capsules. Then install
262 // this array into EFI System Table, so that agents searching for this type capsule
263 // will look in EFI System Table and search for the capsule's Guid and associated
264 // pointer to retrieve the data.
266 for (CacheIndex
= 0; CacheIndex
< CacheNumber
; CacheIndex
++) {
268 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
269 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
270 if ((CapsuleHeader
->Flags
& CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE
) != 0) {
271 if (CompareGuid (&CapsuleGuidCache
[CacheIndex
], &CapsuleHeader
->CapsuleGuid
)) {
273 // Cache Caspuleheader to the array, this array is uniqued with certain CapsuleGuid.
275 CapsulePtrCache
[CapsuleNumber
++] = (VOID
*)CapsuleHeader
;
279 if (CapsuleNumber
!= 0) {
280 Size
= sizeof(EFI_CAPSULE_TABLE
) + (CapsuleNumber
- 1) * sizeof(VOID
*);
281 CapsuleTable
= AllocateRuntimePool (Size
);
282 if (CapsuleTable
== NULL
) {
283 DEBUG ((DEBUG_ERROR
, "Allocate CapsuleTable (%g) fail!\n", &CapsuleGuidCache
[CacheIndex
]));
286 CapsuleTable
->CapsuleArrayNumber
= CapsuleNumber
;
287 CopyMem(&CapsuleTable
->CapsulePtr
[0], CapsulePtrCache
, CapsuleNumber
* sizeof(VOID
*));
288 Status
= gBS
->InstallConfigurationTable (&CapsuleGuidCache
[CacheIndex
], (VOID
*)CapsuleTable
);
289 if (EFI_ERROR (Status
)) {
290 DEBUG ((DEBUG_ERROR
, "InstallConfigurationTable (%g) fail!\n", &CapsuleGuidCache
[CacheIndex
]));
295 FreePool(CapsuleGuidCache
);
296 FreePool(CapsulePtrCache
);
301 This routine is called to process capsules.
303 Caution: This function may receive untrusted input.
305 Each individual capsule result is recorded in capsule record variable.
307 @param[in] FirstRound TRUE: First round. Need skip the FMP capsules with non zero EmbeddedDriverCount.
308 FALSE: Process rest FMP capsules.
310 @retval EFI_SUCCESS There is no error when processing capsules.
311 @retval EFI_OUT_OF_RESOURCES No enough resource to process capsules.
315 ProcessTheseCapsules (
316 IN BOOLEAN FirstRound
320 EFI_CAPSULE_HEADER
*CapsuleHeader
;
322 BOOLEAN DisplayCapsuleExist
;
323 ESRT_MANAGEMENT_PROTOCOL
*EsrtManagement
;
324 UINT16 EmbeddedDriverCount
;
326 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeProcessCapsulesBegin
)));
332 if (mCapsuleTotalNumber
== 0) {
334 // We didn't find a hob, so had no errors.
336 DEBUG ((DEBUG_ERROR
, "We can not find capsule data in capsule update boot mode.\n"));
340 if (AreAllImagesProcessed ()) {
345 // Check the capsule flags,if contains CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE, install
346 // capsuleTable to configure table with EFI_CAPSULE_GUID
349 PopulateCapsuleInConfigurationTable ();
352 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeUpdatingFirmware
)));
355 // If Windows UX capsule exist, process it first
357 DisplayCapsuleExist
= FALSE
;
358 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
359 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
360 if (CompareGuid (&CapsuleHeader
->CapsuleGuid
, &gWindowsUxCapsuleGuid
)) {
361 DEBUG ((DEBUG_INFO
, "ProcessCapsuleImage (Ux) - 0x%x\n", CapsuleHeader
));
362 DisplayCapsuleExist
= TRUE
;
363 DEBUG ((DEBUG_INFO
, "Display logo capsule is found.\n"));
364 Status
= ProcessCapsuleImage (CapsuleHeader
);
365 mCapsuleStatusArray
[Index
] = EFI_SUCCESS
;
366 DEBUG((DEBUG_INFO
, "ProcessCapsuleImage (Ux) - %r\n", Status
));
371 if (!DisplayCapsuleExist
) {
373 // Display Capsule not found. Display the default string.
375 Print (L
"Updating the firmware ......\r\n");
379 // All capsules left are recognized by platform.
381 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
382 if (mCapsuleStatusArray
[Index
] != EFI_NOT_READY
) {
386 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
387 if (!CompareGuid (&CapsuleHeader
->CapsuleGuid
, &gWindowsUxCapsuleGuid
)) {
389 // Call capsule library to process capsule image.
391 EmbeddedDriverCount
= 0;
392 if (IsFmpCapsule(CapsuleHeader
)) {
393 Status
= ValidateFmpCapsule (CapsuleHeader
, &EmbeddedDriverCount
);
394 if (EFI_ERROR(Status
)) {
395 DEBUG((DEBUG_ERROR
, "ValidateFmpCapsule failed. Ignore!\n"));
396 mCapsuleStatusArray
[Index
] = EFI_ABORTED
;
400 mCapsuleStatusArray
[Index
] = EFI_ABORTED
;
404 if ((!FirstRound
) || (EmbeddedDriverCount
== 0)) {
405 DEBUG((DEBUG_INFO
, "ProcessCapsuleImage - 0x%x\n", CapsuleHeader
));
406 Status
= ProcessCapsuleImage (CapsuleHeader
);
407 mCapsuleStatusArray
[Index
] = Status
;
408 DEBUG((DEBUG_INFO
, "ProcessCapsuleImage - %r\n", Status
));
410 if (Status
!= EFI_NOT_READY
) {
411 if (EFI_ERROR(Status
)) {
412 REPORT_STATUS_CODE(EFI_ERROR_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeUpdateFirmwareFailed
)));
413 DEBUG ((DEBUG_ERROR
, "Capsule process failed!\n"));
414 Print (L
"Firmware update failed...\r\n");
416 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeUpdateFirmwareSuccess
)));
419 if ((CapsuleHeader
->Flags
& PcdGet16(PcdSystemRebootAfterCapsuleProcessFlag
)) != 0 ||
420 IsFmpCapsule(CapsuleHeader
)) {
428 Status
= gBS
->LocateProtocol(&gEsrtManagementProtocolGuid
, NULL
, (VOID
**)&EsrtManagement
);
430 // Always sync ESRT Cache from FMP Instance
432 if (!EFI_ERROR(Status
)) {
433 EsrtManagement
->SyncEsrtFmp();
435 Status
= EFI_SUCCESS
;
437 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeProcessCapsulesEnd
)));
452 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeResettingSystem
)));
454 Print(L
"Capsule Request Cold Reboot.\n");
455 DEBUG((DEBUG_INFO
, "Capsule Request Cold Reboot."));
457 for (Index
= 5; Index
> 0; Index
--) {
458 Print(L
"\rResetting system in %d seconds ...", Index
);
459 DEBUG((DEBUG_INFO
, "\rResetting system in %d seconds ...", Index
));
463 gRT
->ResetSystem(EfiResetCold
, EFI_SUCCESS
, 0, NULL
);
470 This routine is called to process capsules.
472 Caution: This function may receive untrusted input.
474 The capsules reported in EFI_HOB_UEFI_CAPSULE are processed.
475 If there is no EFI_HOB_UEFI_CAPSULE, this routine does nothing.
477 This routine should be called twice in BDS.
478 1) The first call must be before EndOfDxe. The system capsules is processed.
479 If device capsule FMP protocols are exposted at this time and device FMP
480 capsule has zero EmbeddedDriverCount, the device capsules are processed.
481 Each individual capsule result is recorded in capsule record variable.
482 System may reset in this function, if reset is required by capsule and
483 all capsules are processed.
484 If not all capsules are processed, reset will be defered to second call.
486 2) The second call must be after EndOfDxe and after ConnectAll, so that all
487 device capsule FMP protocols are exposed.
488 The system capsules are skipped. If the device capsules are NOT processed
489 in first call, they are processed here.
490 Each individual capsule result is recorded in capsule record variable.
491 System may reset in this function, if reset is required by capsule
492 processed in first call and second call.
494 @retval EFI_SUCCESS There is no error when processing capsules.
495 @retval EFI_OUT_OF_RESOURCES No enough resource to process capsules.
506 if (!mDxeCapsuleLibEndOfDxe
) {
507 Status
= ProcessTheseCapsules(TRUE
);
510 // Reboot System if and only if all capsule processed.
511 // If not, defer reset to 2nd process.
513 if (mNeedReset
&& AreAllImagesProcessed()) {
517 Status
= ProcessTheseCapsules(FALSE
);
519 // Reboot System if required after all capsule processed