2 The logic to process capsule.
4 Caution: This module requires additional review when modified.
5 This driver will have external input - capsule image.
6 This external input must be validated carefully to avoid security issue like
7 buffer overflow, integer overflow.
9 CapsuleDataCoalesce() will do basic validation before coalesce capsule data
12 (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
13 Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.<BR>
14 This program and the accompanying materials
15 are licensed and made available under the terms and conditions of the BSD License
16 which accompanies this distribution. The full text of the license may be found at
17 http://opensource.org/licenses/bsd-license.php
19 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
20 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
27 #include <Guid/CapsuleVendor.h>
29 #include <Library/BaseMemoryLib.h>
30 #include <Library/DebugLib.h>
31 #include <Library/PrintLib.h>
32 #include <Library/BaseLib.h>
34 #include "CommonHeader.h"
36 #define MIN_COALESCE_ADDR (1024 * 1024)
39 Given a pointer to the capsule block list, info on the available system
40 memory, and the size of a buffer, find a free block of memory where a
41 buffer of the given size can be copied to safely.
43 @param BlockList Pointer to head of capsule block descriptors
44 @param MemBase Pointer to the base of memory in which we want to find free space
45 @param MemSize The size of the block of memory pointed to by MemBase
46 @param DataSize How big a free block we want to find
48 @return A pointer to a memory block of at least DataSize that lies somewhere
49 between MemBase and (MemBase + MemSize). The memory pointed to does not
50 contain any of the capsule block descriptors or capsule blocks pointed to
56 EFI_CAPSULE_BLOCK_DESCRIPTOR
*BlockList
,
63 Check the integrity of the capsule descriptors.
65 @param BlockList Pointer to the capsule descriptors
67 @retval NULL BlockList is not valid.
68 @retval LastBlockDesc Last one Block in BlockList
71 EFI_CAPSULE_BLOCK_DESCRIPTOR
*
72 ValidateCapsuleIntegrity (
73 IN EFI_CAPSULE_BLOCK_DESCRIPTOR
*BlockList
77 The capsule block descriptors may be fragmented and spread all over memory.
78 To simplify the coalescing of capsule blocks, first coalesce all the
79 capsule block descriptors low in memory.
81 The descriptors passed in can be fragmented throughout memory. Here
82 they are relocated into memory to turn them into a contiguous (null
85 @param PeiServices pointer to PEI services table
86 @param BlockList pointer to the capsule block descriptors
87 @param NumDescriptors number of capsule data block descriptors, whose Length is non-zero.
88 @param MemBase base of system memory in which we can work
89 @param MemSize size of the system memory pointed to by MemBase
91 @retval NULL could not relocate the descriptors
92 @retval Pointer to the base of the successfully-relocated block descriptors.
95 EFI_CAPSULE_BLOCK_DESCRIPTOR
*
96 RelocateBlockDescriptors (
97 IN EFI_PEI_SERVICES
**PeiServices
,
98 IN EFI_CAPSULE_BLOCK_DESCRIPTOR
*BlockList
,
99 IN UINTN NumDescriptors
,
105 Check every capsule header.
107 @param CapsuleHeader The pointer to EFI_CAPSULE_HEADER
109 @retval FALSE Capsule is OK
110 @retval TRUE Capsule is corrupted
115 IN EFI_CAPSULE_HEADER
*CapsuleHeader
119 Determine if two buffers overlap in memory.
121 @param Buff1 pointer to first buffer
122 @param Size1 size of Buff1
123 @param Buff2 pointer to second buffer
124 @param Size2 size of Buff2
126 @retval TRUE Buffers overlap in memory.
127 @retval FALSE Buffer doesn't overlap.
139 Given a pointer to a capsule block descriptor, traverse the list to figure
140 out how many legitimate descriptors there are, and how big the capsule it
143 @param Desc Pointer to the capsule block descriptors
144 @param NumDescriptors Optional pointer to where to return the number of capsule data descriptors, whose Length is non-zero.
145 @param CapsuleSize Optional pointer to where to return the capsule image size
146 @param CapsuleNumber Optional pointer to where to return the number of capsule
148 @retval EFI_NOT_FOUND No descriptors containing data in the list
149 @retval EFI_SUCCESS Return data is valid
154 IN EFI_CAPSULE_BLOCK_DESCRIPTOR
*Desc
,
155 IN OUT UINTN
*NumDescriptors OPTIONAL
,
156 IN OUT UINTN
*CapsuleSize OPTIONAL
,
157 IN OUT UINTN
*CapsuleNumber OPTIONAL
161 Given a pointer to the capsule block list, info on the available system
162 memory, and the size of a buffer, find a free block of memory where a
163 buffer of the given size can be copied to safely.
165 @param BlockList Pointer to head of capsule block descriptors
166 @param MemBase Pointer to the base of memory in which we want to find free space
167 @param MemSize The size of the block of memory pointed to by MemBase
168 @param DataSize How big a free block we want to find
170 @return A pointer to a memory block of at least DataSize that lies somewhere
171 between MemBase and (MemBase + MemSize). The memory pointed to does not
172 contain any of the capsule block descriptors or capsule blocks pointed to
178 EFI_CAPSULE_BLOCK_DESCRIPTOR
*BlockList
,
185 EFI_CAPSULE_BLOCK_DESCRIPTOR
*CurrDesc
;
186 EFI_CAPSULE_BLOCK_DESCRIPTOR
*TempDesc
;
191 // Need at least enough to copy the data to at the end of the buffer, so
192 // say the end is less the data size for easy comparisons here.
194 MemEnd
= MemBase
+ MemSize
- DataSize
;
195 CurrDesc
= BlockList
;
197 // Go through all the descriptor blocks and see if any obstruct the range
199 while (CurrDesc
!= NULL
) {
201 // Get the size of this block list and see if it's in the way
205 Size
= sizeof (EFI_CAPSULE_BLOCK_DESCRIPTOR
);
206 while (TempDesc
->Length
!= 0) {
207 Size
+= sizeof (EFI_CAPSULE_BLOCK_DESCRIPTOR
);
211 if (IsOverlapped (MemBase
, DataSize
, (UINT8
*) CurrDesc
, Size
)) {
213 // Set our new base to the end of this block list and start all over
215 MemBase
= (UINT8
*) CurrDesc
+ Size
;
216 CurrDesc
= BlockList
;
217 if (MemBase
> MemEnd
) {
224 // Now go through all the blocks and make sure none are in the way
226 while ((CurrDesc
->Length
!= 0) && (!Failed
)) {
227 if (IsOverlapped (MemBase
, DataSize
, (UINT8
*) (UINTN
) CurrDesc
->Union
.DataBlock
, (UINTN
) CurrDesc
->Length
)) {
229 // Set our new base to the end of this block and start all over
232 MemBase
= (UINT8
*) ((UINTN
) CurrDesc
->Union
.DataBlock
) + CurrDesc
->Length
;
233 CurrDesc
= BlockList
;
234 if (MemBase
> MemEnd
) {
241 // Normal continuation -- jump to next block descriptor list
244 CurrDesc
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) CurrDesc
->Union
.ContinuationPointer
;
251 Check the integrity of the capsule descriptors.
253 @param BlockList Pointer to the capsule descriptors
255 @retval NULL BlockList is not valid.
256 @retval LastBlockDesc Last one Block in BlockList
259 EFI_CAPSULE_BLOCK_DESCRIPTOR
*
260 ValidateCapsuleIntegrity (
261 IN EFI_CAPSULE_BLOCK_DESCRIPTOR
*BlockList
264 EFI_CAPSULE_HEADER
*CapsuleHeader
;
267 EFI_CAPSULE_BLOCK_DESCRIPTOR
*Ptr
;
269 DEBUG ((EFI_D_INFO
, "ValidateCapsuleIntegrity\n"));
272 // Go through the list to look for inconsistencies. Check for:
273 // * misaligned block descriptors.
274 // * The first capsule header guid
275 // * The first capsule header flag
276 // * The first capsule header HeaderSize
277 // * Length > MAX_ADDRESS
278 // * ContinuationPointer > MAX_ADDRESS
279 // * DataBlock + Length > MAX_ADDRESS
285 DEBUG ((EFI_D_INFO
, "Ptr - 0x%x\n", Ptr
));
286 DEBUG ((EFI_D_INFO
, "Ptr->Length - 0x%x\n", Ptr
->Length
));
287 DEBUG ((EFI_D_INFO
, "Ptr->Union - 0x%x\n", Ptr
->Union
.ContinuationPointer
));
288 while ((Ptr
->Length
!= 0) || (Ptr
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
)) {
290 // Make sure the descriptor is aligned at UINT64 in memory
292 if ((UINTN
) Ptr
& (sizeof(UINT64
) - 1)) {
293 DEBUG ((EFI_D_ERROR
, "ERROR: BlockList address failed alignment check\n"));
299 if (Ptr
->Length
> MAX_ADDRESS
) {
300 DEBUG ((EFI_D_ERROR
, "ERROR: Ptr->Length(0x%lx) > MAX_ADDRESS\n", Ptr
->Length
));
304 if (Ptr
->Length
== 0) {
308 if (Ptr
->Union
.ContinuationPointer
> MAX_ADDRESS
) {
309 DEBUG ((EFI_D_ERROR
, "ERROR: Ptr->Union.ContinuationPointer(0x%lx) > MAX_ADDRESS\n", Ptr
->Union
.ContinuationPointer
));
313 // Descriptor points to another list of block descriptors somewhere
316 Ptr
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) Ptr
->Union
.ContinuationPointer
;
317 DEBUG ((EFI_D_INFO
, "Ptr(C) - 0x%x\n", Ptr
));
318 DEBUG ((EFI_D_INFO
, "Ptr->Length - 0x%x\n", Ptr
->Length
));
319 DEBUG ((EFI_D_INFO
, "Ptr->Union - 0x%x\n", Ptr
->Union
.ContinuationPointer
));
324 if (Ptr
->Union
.DataBlock
> (MAX_ADDRESS
- (UINTN
)Ptr
->Length
)) {
325 DEBUG ((EFI_D_ERROR
, "ERROR: Ptr->Union.DataBlock(0x%lx) > (MAX_ADDRESS - (UINTN)Ptr->Length(0x%lx))\n", Ptr
->Union
.DataBlock
, Ptr
->Length
));
330 //To enhance the reliability of check-up, the first capsule's header is checked here.
331 //More reliabilities check-up will do later.
333 if (CapsuleSize
== 0) {
335 //Move to the first capsule to check its header.
337 CapsuleHeader
= (EFI_CAPSULE_HEADER
*)((UINTN
)Ptr
->Union
.DataBlock
);
341 if (Ptr
->Length
< sizeof(EFI_CAPSULE_HEADER
)) {
342 DEBUG ((EFI_D_ERROR
, "ERROR: Ptr->Length(0x%lx) < sizeof(EFI_CAPSULE_HEADER)\n", Ptr
->Length
));
346 // Make sure HeaderSize field is valid
348 if (CapsuleHeader
->HeaderSize
> CapsuleHeader
->CapsuleImageSize
) {
349 DEBUG ((EFI_D_ERROR
, "ERROR: CapsuleHeader->HeaderSize(0x%x) > CapsuleHeader->CapsuleImageSize(0x%x)\n", CapsuleHeader
->HeaderSize
, CapsuleHeader
->CapsuleImageSize
));
352 if (IsCapsuleCorrupted (CapsuleHeader
)) {
356 CapsuleSize
= CapsuleHeader
->CapsuleImageSize
;
359 if (CapsuleSize
>= Ptr
->Length
) {
360 CapsuleSize
= CapsuleSize
- Ptr
->Length
;
362 DEBUG ((EFI_D_ERROR
, "ERROR: CapsuleSize(0x%lx) < Ptr->Length(0x%lx)\n", CapsuleSize
, Ptr
->Length
));
370 // Move to next BLOCK descriptor
373 DEBUG ((EFI_D_INFO
, "Ptr(B) - 0x%x\n", Ptr
));
374 DEBUG ((EFI_D_INFO
, "Ptr->Length - 0x%x\n", Ptr
->Length
));
375 DEBUG ((EFI_D_INFO
, "Ptr->Union - 0x%x\n", Ptr
->Union
.ContinuationPointer
));
379 if (CapsuleCount
== 0) {
381 // No any capsule is found in BlockList
383 DEBUG ((EFI_D_ERROR
, "ERROR: CapsuleCount(0x%x) == 0\n", CapsuleCount
));
387 if (CapsuleSize
!= 0) {
389 // Capsule data is incomplete.
391 DEBUG ((EFI_D_ERROR
, "ERROR: CapsuleSize(0x%lx) != 0\n", CapsuleSize
));
399 The capsule block descriptors may be fragmented and spread all over memory.
400 To simplify the coalescing of capsule blocks, first coalesce all the
401 capsule block descriptors low in memory.
403 The descriptors passed in can be fragmented throughout memory. Here
404 they are relocated into memory to turn them into a contiguous (null
407 @param PeiServices pointer to PEI services table
408 @param BlockList pointer to the capsule block descriptors
409 @param NumDescriptors number of capsule data block descriptors, whose Length is non-zero.
410 @param MemBase base of system memory in which we can work
411 @param MemSize size of the system memory pointed to by MemBase
413 @retval NULL could not relocate the descriptors
414 @retval Pointer to the base of the successfully-relocated block descriptors.
417 EFI_CAPSULE_BLOCK_DESCRIPTOR
*
418 RelocateBlockDescriptors (
419 IN EFI_PEI_SERVICES
**PeiServices
,
420 IN EFI_CAPSULE_BLOCK_DESCRIPTOR
*BlockList
,
421 IN UINTN NumDescriptors
,
426 EFI_CAPSULE_BLOCK_DESCRIPTOR
*NewBlockList
;
427 EFI_CAPSULE_BLOCK_DESCRIPTOR
*CurrBlockDescHead
;
428 EFI_CAPSULE_BLOCK_DESCRIPTOR
*TempBlockDesc
;
429 EFI_CAPSULE_BLOCK_DESCRIPTOR
*PrevBlockDescTail
;
435 // Get the info on the blocks and descriptors. Since we're going to move
436 // the descriptors low in memory, adjust the base/size values accordingly here.
437 // NumDescriptors is the number of legit data descriptors, so add one for
438 // a terminator. (Already done by caller, no check is needed.)
441 BufferSize
= NumDescriptors
* sizeof (EFI_CAPSULE_BLOCK_DESCRIPTOR
);
442 NewBlockList
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) MemBase
;
443 if (MemSize
< BufferSize
) {
447 MemSize
-= BufferSize
;
448 MemBase
+= BufferSize
;
450 // Go through all the blocks and make sure none are in the way
452 TempBlockDesc
= BlockList
;
453 while (TempBlockDesc
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
) {
454 if (TempBlockDesc
->Length
== 0) {
456 // Next block of descriptors
458 TempBlockDesc
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) TempBlockDesc
->Union
.ContinuationPointer
;
461 // If the capsule data pointed to by this descriptor is in the way,
465 (UINT8
*) NewBlockList
,
467 (UINT8
*) (UINTN
) TempBlockDesc
->Union
.DataBlock
,
468 (UINTN
) TempBlockDesc
->Length
471 // Relocate the block
473 RelocBuffer
= FindFreeMem (BlockList
, MemBase
, MemSize
, (UINTN
) TempBlockDesc
->Length
);
474 if (RelocBuffer
== NULL
) {
478 CopyMem ((VOID
*) RelocBuffer
, (VOID
*) (UINTN
) TempBlockDesc
->Union
.DataBlock
, (UINTN
) TempBlockDesc
->Length
);
479 DEBUG ((EFI_D_INFO
, "Capsule relocate descriptors from/to/size 0x%lX 0x%lX 0x%lX\n", TempBlockDesc
->Union
.DataBlock
, (UINT64
)(UINTN
)RelocBuffer
, TempBlockDesc
->Length
));
480 TempBlockDesc
->Union
.DataBlock
= (EFI_PHYSICAL_ADDRESS
) (UINTN
) RelocBuffer
;
486 // Now go through all the block descriptors to make sure that they're not
487 // in the memory region we want to copy them to.
489 CurrBlockDescHead
= BlockList
;
490 PrevBlockDescTail
= NULL
;
491 while ((CurrBlockDescHead
!= NULL
) && (CurrBlockDescHead
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
)) {
493 // Get the size of this list then see if it overlaps our low region
495 TempBlockDesc
= CurrBlockDescHead
;
496 BlockListSize
= sizeof (EFI_CAPSULE_BLOCK_DESCRIPTOR
);
497 while (TempBlockDesc
->Length
!= 0) {
498 BlockListSize
+= sizeof (EFI_CAPSULE_BLOCK_DESCRIPTOR
);
503 (UINT8
*) NewBlockList
,
505 (UINT8
*) CurrBlockDescHead
,
509 // Overlaps, so move it out of the way
511 RelocBuffer
= FindFreeMem (BlockList
, MemBase
, MemSize
, BlockListSize
);
512 if (RelocBuffer
== NULL
) {
515 CopyMem ((VOID
*) RelocBuffer
, (VOID
*) CurrBlockDescHead
, BlockListSize
);
516 DEBUG ((EFI_D_INFO
, "Capsule reloc descriptor block #2\n"));
518 // Point the previous block's next point to this copied version. If
519 // the tail pointer is null, then this is the first descriptor block.
521 if (PrevBlockDescTail
== NULL
) {
522 BlockList
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) RelocBuffer
;
524 PrevBlockDescTail
->Union
.DataBlock
= (EFI_PHYSICAL_ADDRESS
) (UINTN
) RelocBuffer
;
528 // Save our new tail and jump to the next block list
530 PrevBlockDescTail
= TempBlockDesc
;
531 CurrBlockDescHead
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) TempBlockDesc
->Union
.ContinuationPointer
;
534 // Cleared out low memory. Now copy the descriptors down there.
536 TempBlockDesc
= BlockList
;
537 CurrBlockDescHead
= NewBlockList
;
538 while ((TempBlockDesc
!= NULL
) && (TempBlockDesc
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
)) {
539 if (TempBlockDesc
->Length
!= 0) {
540 CurrBlockDescHead
->Union
.DataBlock
= TempBlockDesc
->Union
.DataBlock
;
541 CurrBlockDescHead
->Length
= TempBlockDesc
->Length
;
545 TempBlockDesc
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) TempBlockDesc
->Union
.ContinuationPointer
;
551 CurrBlockDescHead
->Union
.ContinuationPointer
= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
;
552 CurrBlockDescHead
->Length
= 0;
557 Determine if two buffers overlap in memory.
559 @param Buff1 pointer to first buffer
560 @param Size1 size of Buff1
561 @param Buff2 pointer to second buffer
562 @param Size2 size of Buff2
564 @retval TRUE Buffers overlap in memory.
565 @retval FALSE Buffer doesn't overlap.
577 // If buff1's end is less than the start of buff2, then it's ok.
578 // Also, if buff1's start is beyond buff2's end, then it's ok.
580 if (((Buff1
+ Size1
) <= Buff2
) || (Buff1
>= (Buff2
+ Size2
))) {
588 Given a pointer to a capsule block descriptor, traverse the list to figure
589 out how many legitimate descriptors there are, and how big the capsule it
592 @param Desc Pointer to the capsule block descriptors
593 @param NumDescriptors Optional pointer to where to return the number of capsule data descriptors, whose Length is non-zero.
594 @param CapsuleSize Optional pointer to where to return the capsule image size
595 @param CapsuleNumber Optional pointer to where to return the number of capsule
597 @retval EFI_NOT_FOUND No descriptors containing data in the list
598 @retval EFI_SUCCESS Return data is valid
603 IN EFI_CAPSULE_BLOCK_DESCRIPTOR
*Desc
,
604 IN OUT UINTN
*NumDescriptors OPTIONAL
,
605 IN OUT UINTN
*CapsuleSize OPTIONAL
,
606 IN OUT UINTN
*CapsuleNumber OPTIONAL
612 UINTN ThisCapsuleImageSize
;
613 EFI_CAPSULE_HEADER
*CapsuleHeader
;
615 DEBUG ((EFI_D_INFO
, "GetCapsuleInfo enter\n"));
617 ASSERT (Desc
!= NULL
);
622 ThisCapsuleImageSize
= 0;
624 while (Desc
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
) {
625 if (Desc
->Length
== 0) {
627 // Descriptor points to another list of block descriptors somewhere
629 Desc
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) Desc
->Union
.ContinuationPointer
;
633 // It is needed, because ValidateCapsuleIntegrity() only validate one individual capsule Size.
634 // While here we need check all capsules size.
636 if (Desc
->Length
>= (MAX_ADDRESS
- Size
)) {
637 DEBUG ((EFI_D_ERROR
, "ERROR: Desc->Length(0x%lx) >= (MAX_ADDRESS - Size(0x%x))\n", Desc
->Length
, Size
));
638 return EFI_OUT_OF_RESOURCES
;
640 Size
+= (UINTN
) Desc
->Length
;
644 // See if this is first capsule's header
646 if (ThisCapsuleImageSize
== 0) {
647 CapsuleHeader
= (EFI_CAPSULE_HEADER
*)((UINTN
)Desc
->Union
.DataBlock
);
649 // This has been checked in ValidateCapsuleIntegrity()
652 ThisCapsuleImageSize
= CapsuleHeader
->CapsuleImageSize
;
656 // This has been checked in ValidateCapsuleIntegrity()
658 ASSERT (ThisCapsuleImageSize
>= Desc
->Length
);
659 ThisCapsuleImageSize
= (UINTN
)(ThisCapsuleImageSize
- Desc
->Length
);
668 // If no descriptors, then fail
671 DEBUG ((EFI_D_ERROR
, "ERROR: Count == 0\n"));
672 return EFI_NOT_FOUND
;
676 // checked in ValidateCapsuleIntegrity()
678 ASSERT (ThisCapsuleImageSize
== 0);
680 if (NumDescriptors
!= NULL
) {
681 *NumDescriptors
= Count
;
684 if (CapsuleSize
!= NULL
) {
688 if (CapsuleNumber
!= NULL
) {
689 *CapsuleNumber
= Number
;
696 Check every capsule header.
698 @param CapsuleHeader The pointer to EFI_CAPSULE_HEADER
700 @retval FALSE Capsule is OK
701 @retval TRUE Capsule is corrupted
706 IN EFI_CAPSULE_HEADER
*CapsuleHeader
710 //A capsule to be updated across a system reset should contain CAPSULE_FLAGS_PERSIST_ACROSS_RESET.
712 if ((CapsuleHeader
->Flags
& CAPSULE_FLAGS_PERSIST_ACROSS_RESET
) == 0) {
716 //Make sure the flags combination is supported by the platform.
718 if ((CapsuleHeader
->Flags
& (CAPSULE_FLAGS_PERSIST_ACROSS_RESET
| CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE
)) == CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE
) {
721 if ((CapsuleHeader
->Flags
& (CAPSULE_FLAGS_PERSIST_ACROSS_RESET
| CAPSULE_FLAGS_INITIATE_RESET
)) == CAPSULE_FLAGS_INITIATE_RESET
) {
729 Try to verify the integrity of a capsule test pattern before the
730 capsule gets coalesced. This can be useful in narrowing down
731 where capsule data corruption occurs.
733 The test pattern mode fills in memory with a counting UINT32 value.
734 If the capsule is not divided up in a multiple of 4-byte blocks, then
735 things get messy doing the check. Therefore there are some cases
736 here where we just give up and skip the pre-coalesce check.
738 @param PeiServices PEI services table
739 @param Desc Pointer to capsule descriptors
742 CapsuleTestPatternPreCoalesce (
743 IN EFI_PEI_SERVICES
**PeiServices
,
744 IN EFI_CAPSULE_BLOCK_DESCRIPTOR
*Desc
751 DEBUG ((EFI_D_INFO
, "CapsuleTestPatternPreCoalesce\n"));
754 // Find first data descriptor
756 while ((Desc
->Length
== 0) && (Desc
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
)) {
757 Desc
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) Desc
->Union
.ContinuationPointer
;
760 if (Desc
->Union
.ContinuationPointer
== 0) {
764 // First one better be long enough to at least hold the test signature
766 if (Desc
->Length
< sizeof (UINT32
)) {
767 DEBUG ((EFI_D_INFO
, "Capsule test pattern pre-coalesce punted #1\n"));
771 TestPtr
= (UINT32
*) (UINTN
) Desc
->Union
.DataBlock
;
775 if (*TestPtr
!= 0x54534554) {
780 TestSize
= (UINT32
) Desc
->Length
- 2 * sizeof (UINT32
);
782 // Skip over the signature and the size fields in the pattern data header
786 if ((TestSize
& 0x03) != 0) {
787 DEBUG ((EFI_D_INFO
, "Capsule test pattern pre-coalesce punted #2\n"));
791 while (TestSize
> 0) {
792 if (*TestPtr
!= TestCounter
) {
793 DEBUG ((EFI_D_INFO
, "Capsule test pattern pre-coalesce failed data corruption check\n"));
797 TestSize
-= sizeof (UINT32
);
802 while ((Desc
->Length
== 0) && (Desc
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
)) {
803 Desc
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*) (UINTN
) Desc
->Union
.ContinuationPointer
;
806 if (Desc
->Union
.ContinuationPointer
== (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
) {
809 TestSize
= (UINT32
) Desc
->Length
;
810 TestPtr
= (UINT32
*) (UINTN
) Desc
->Union
.DataBlock
;
815 Checks for the presence of capsule descriptors.
816 Get capsule descriptors from variable CapsuleUpdateData, CapsuleUpdateData1, CapsuleUpdateData2...
818 @param BlockListBuffer Pointer to the buffer of capsule descriptors variables
819 @param BlockDescriptorList Pointer to the capsule descriptors list
821 @retval EFI_SUCCESS a valid capsule is present
822 @retval EFI_NOT_FOUND if a valid capsule is not present
825 BuildCapsuleDescriptors (
826 IN EFI_PHYSICAL_ADDRESS
*BlockListBuffer
,
827 OUT EFI_CAPSULE_BLOCK_DESCRIPTOR
**BlockDescriptorList
831 EFI_CAPSULE_BLOCK_DESCRIPTOR
*LastBlock
;
832 EFI_CAPSULE_BLOCK_DESCRIPTOR
*TempBlock
;
833 EFI_CAPSULE_BLOCK_DESCRIPTOR
*HeadBlock
;
835 DEBUG ((EFI_D_INFO
, "BuildCapsuleDescriptors enter\n"));
842 while (BlockListBuffer
[Index
] != 0) {
844 // Test integrity of descriptors.
846 if (BlockListBuffer
[Index
] < MAX_ADDRESS
) {
847 TempBlock
= ValidateCapsuleIntegrity ((EFI_CAPSULE_BLOCK_DESCRIPTOR
*)(UINTN
)BlockListBuffer
[Index
]);
848 if (TempBlock
!= NULL
) {
849 if (LastBlock
== NULL
) {
850 LastBlock
= TempBlock
;
853 // Return the base of the block descriptors
855 HeadBlock
= (EFI_CAPSULE_BLOCK_DESCRIPTOR
*)(UINTN
)BlockListBuffer
[Index
];
858 // Combine the different BlockList into single BlockList.
860 LastBlock
->Union
.DataBlock
= (EFI_PHYSICAL_ADDRESS
)(UINTN
)BlockListBuffer
[Index
];
861 LastBlock
->Length
= 0;
862 LastBlock
= TempBlock
;
866 DEBUG ((EFI_D_ERROR
, "ERROR: BlockListBuffer[Index](0x%lx) < MAX_ADDRESS\n", BlockListBuffer
[Index
]));
871 if (HeadBlock
!= NULL
) {
872 *BlockDescriptorList
= HeadBlock
;
875 return EFI_NOT_FOUND
;
879 The function to coalesce a fragmented capsule in memory.
881 Memory Map for coalesced capsule:
882 MemBase + ---->+---------------------------+<-----------+
883 MemSize | ------------------------- | |
884 | | Capsule [Num-1] | | |
885 | ------------------------- | |
886 | | ................ | | |
887 | ------------------------- | |
888 | | Capsule [1] | | |
889 | ------------------------- | |
890 | | Capsule [0] | | |
891 | ------------------------- | |
893 CapsuleImageBase-->+---------------------------+
894 | ------------------------- | |
895 | | CapsuleOffset[Num-1] | | |
896 | ------------------------- | |
897 | | ................ | | CapsuleSize
898 | ------------------------- | |
899 | | CapsuleOffset[1] | | |
900 | ------------------------- | |
901 | | CapsuleOffset[0] | | |
902 |---------------------------| |
903 | | CapsuleNumber | | |
904 | ------------------------- | |
905 | | CapsuleAllImageSize | | |
906 | ------------------------- | |
908 DestPtr ---->+---------------------------+<-----------+
910 | FreeMem | FreeMemSize
912 FreeMemBase --->+---------------------------+<-----------+
914 +---------------------------+
915 | BlockDescriptor n |
916 +---------------------------+
917 | ................. |
918 +---------------------------+
919 | BlockDescriptor 1 |
920 +---------------------------+
921 | BlockDescriptor 0 |
922 +---------------------------+
923 | PrivateDataDesc 0 |
924 MemBase ---->+---------------------------+<----- BlockList
926 Caution: This function may receive untrusted input.
927 The capsule data is external input, so this routine will do basic validation before
928 coalesce capsule data into memory.
930 @param PeiServices General purpose services available to every PEIM.
931 @param BlockListBuffer Point to the buffer of Capsule Descriptor Variables.
932 @param MemoryBase Pointer to the base of a block of memory that we can walk
933 all over while trying to coalesce our buffers.
934 On output, this variable will hold the base address of
936 @param MemorySize Size of the memory region pointed to by MemoryBase.
937 On output, this variable will contain the size of the
940 @retval EFI_NOT_FOUND If we could not find the capsule descriptors.
942 @retval EFI_BUFFER_TOO_SMALL
943 If we could not coalesce the capsule in the memory
944 region provided to us.
946 @retval EFI_SUCCESS Processed the capsule successfully.
950 CapsuleDataCoalesce (
951 IN EFI_PEI_SERVICES
**PeiServices
,
952 IN EFI_PHYSICAL_ADDRESS
*BlockListBuffer
,
953 IN OUT VOID
**MemoryBase
,
954 IN OUT UINTN
*MemorySize
957 VOID
*NewCapsuleBase
;
958 VOID
*CapsuleImageBase
;
966 UINT64 CapsuleImageSize
;
969 UINTN DescriptorsSize
;
971 UINTN NumDescriptors
;
972 BOOLEAN CapsuleBeginFlag
;
974 EFI_CAPSULE_HEADER
*CapsuleHeader
;
975 EFI_CAPSULE_PEIM_PRIVATE_DATA PrivateData
;
976 EFI_CAPSULE_PEIM_PRIVATE_DATA
*PrivateDataPtr
;
977 EFI_CAPSULE_BLOCK_DESCRIPTOR
*BlockList
;
978 EFI_CAPSULE_BLOCK_DESCRIPTOR
*CurrentBlockDesc
;
979 EFI_CAPSULE_BLOCK_DESCRIPTOR
*TempBlockDesc
;
980 EFI_CAPSULE_BLOCK_DESCRIPTOR PrivateDataDesc
[2];
982 DEBUG ((EFI_D_INFO
, "CapsuleDataCoalesce enter\n"));
987 CapsuleImageSize
= 0;
988 PrivateDataPtr
= NULL
;
989 CapsuleHeader
= NULL
;
990 CapsuleBeginFlag
= TRUE
;
995 // Build capsule descriptors list
997 Status
= BuildCapsuleDescriptors (BlockListBuffer
, &BlockList
);
998 if (EFI_ERROR (Status
)) {
1003 CapsuleTestPatternPreCoalesce (PeiServices
, BlockList
);
1007 // Get the size of our descriptors and the capsule size. GetCapsuleInfo()
1008 // returns the number of descriptors that actually point to data, so add
1009 // one for a terminator. Do that below.
1011 Status
= GetCapsuleInfo (BlockList
, &NumDescriptors
, &CapsuleSize
, &CapsuleNumber
);
1012 if (EFI_ERROR (Status
)) {
1015 DEBUG ((EFI_D_INFO
, "CapsuleSize - 0x%x\n", CapsuleSize
));
1016 DEBUG ((EFI_D_INFO
, "CapsuleNumber - 0x%x\n", CapsuleNumber
));
1017 DEBUG ((EFI_D_INFO
, "NumDescriptors - 0x%x\n", NumDescriptors
));
1018 if ((CapsuleSize
== 0) || (NumDescriptors
== 0) || (CapsuleNumber
== 0)) {
1019 return EFI_NOT_FOUND
;
1022 if (CapsuleNumber
- 1 >= (MAX_ADDRESS
- (sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA
) + sizeof(UINT64
))) / sizeof(UINT64
)) {
1023 DEBUG ((EFI_D_ERROR
, "ERROR: CapsuleNumber - 0x%x\n", CapsuleNumber
));
1024 return EFI_BUFFER_TOO_SMALL
;
1028 // Initialize our local copy of private data. When we're done, we'll create a
1029 // descriptor for it as well so that it can be put into free memory without
1030 // trashing anything.
1032 PrivateData
.Signature
= EFI_CAPSULE_PEIM_PRIVATE_DATA_SIGNATURE
;
1033 PrivateData
.CapsuleAllImageSize
= (UINT64
) CapsuleSize
;
1034 PrivateData
.CapsuleNumber
= (UINT64
) CapsuleNumber
;
1035 PrivateData
.CapsuleOffset
[0] = 0;
1037 // NOTE: Only data in sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA) is valid, CapsuleOffset field is unitialized at this moment.
1038 // The code sets partial length here for Descriptor.Length check, but later it will use full length to reserve those PrivateData region.
1040 PrivateDataDesc
[0].Union
.DataBlock
= (EFI_PHYSICAL_ADDRESS
) (UINTN
) &PrivateData
;
1041 PrivateDataDesc
[0].Length
= sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA
);
1042 PrivateDataDesc
[1].Union
.DataBlock
= (EFI_PHYSICAL_ADDRESS
) (UINTN
) BlockList
;
1043 PrivateDataDesc
[1].Length
= 0;
1045 // Add PrivateDataDesc[0] in beginning beginning, as it is new descriptor. PrivateDataDesc[1] is NOT needed.
1046 // In addition, one NULL terminator is added in the end. See RelocateBlockDescriptors().
1048 NumDescriptors
+= 2;
1052 if (CapsuleSize
>= (MAX_ADDRESS
- (sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA
) + (CapsuleNumber
- 1) * sizeof(UINT64
) + sizeof(UINT64
)))) {
1053 DEBUG ((EFI_D_ERROR
, "ERROR: CapsuleSize - 0x%x\n", CapsuleSize
));
1054 return EFI_BUFFER_TOO_SMALL
;
1057 // Need add sizeof(UINT64) for PrivateData alignment
1059 CapsuleSize
+= sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA
) + (CapsuleNumber
- 1) * sizeof(UINT64
) + sizeof(UINT64
);
1060 BlockList
= PrivateDataDesc
;
1064 if (NumDescriptors
>= (MAX_ADDRESS
/ sizeof(EFI_CAPSULE_BLOCK_DESCRIPTOR
))) {
1065 DEBUG ((EFI_D_ERROR
, "ERROR: NumDescriptors - 0x%x\n", NumDescriptors
));
1066 return EFI_BUFFER_TOO_SMALL
;
1068 DescriptorsSize
= NumDescriptors
* sizeof (EFI_CAPSULE_BLOCK_DESCRIPTOR
);
1072 if (DescriptorsSize
>= (MAX_ADDRESS
- CapsuleSize
)) {
1073 DEBUG ((EFI_D_ERROR
, "ERROR: DescriptorsSize - 0x%lx, CapsuleSize - 0x%lx\n", (UINT64
)DescriptorsSize
, (UINT64
)CapsuleSize
));
1074 return EFI_BUFFER_TOO_SMALL
;
1078 // Don't go below some min address. If the base is below it,
1079 // then move it up and adjust the size accordingly.
1081 DEBUG ((EFI_D_INFO
, "Capsule Memory range from 0x%8X to 0x%8X\n", (UINTN
) *MemoryBase
, (UINTN
)*MemoryBase
+ *MemorySize
));
1082 if ((UINTN
)*MemoryBase
< (UINTN
) MIN_COALESCE_ADDR
) {
1083 if (((UINTN
)*MemoryBase
+ *MemorySize
) < (UINTN
) MIN_COALESCE_ADDR
) {
1084 DEBUG ((EFI_D_ERROR
, "ERROR: *MemoryBase + *MemorySize - 0x%x\n", (UINTN
)*MemoryBase
+ *MemorySize
));
1085 return EFI_BUFFER_TOO_SMALL
;
1087 *MemorySize
= *MemorySize
- ((UINTN
) MIN_COALESCE_ADDR
- (UINTN
) *MemoryBase
);
1088 *MemoryBase
= (VOID
*) (UINTN
) MIN_COALESCE_ADDR
;
1092 if (*MemorySize
<= (CapsuleSize
+ DescriptorsSize
)) {
1093 DEBUG ((EFI_D_ERROR
, "ERROR: CapsuleSize + DescriptorsSize - 0x%x\n", CapsuleSize
+ DescriptorsSize
));
1094 return EFI_BUFFER_TOO_SMALL
;
1097 FreeMemBase
= *MemoryBase
;
1098 FreeMemSize
= *MemorySize
;
1099 DEBUG ((EFI_D_INFO
, "Capsule Free Memory from 0x%8X to 0x%8X\n", (UINTN
) FreeMemBase
, (UINTN
) FreeMemBase
+ FreeMemSize
));
1102 // Relocate all the block descriptors to low memory to make further
1103 // processing easier.
1105 BlockList
= RelocateBlockDescriptors (PeiServices
, BlockList
, NumDescriptors
, FreeMemBase
, FreeMemSize
);
1106 if (BlockList
== NULL
) {
1108 // Not enough room to relocate the descriptors
1110 return EFI_BUFFER_TOO_SMALL
;
1114 // Take the top of memory for the capsule. UINT64 align up.
1116 DestPtr
= FreeMemBase
+ FreeMemSize
- CapsuleSize
;
1117 DestPtr
= (UINT8
*) (((UINTN
)DestPtr
+ sizeof (UINT64
) - 1) & ~(sizeof (UINT64
) - 1));
1118 FreeMemBase
= (UINT8
*) BlockList
+ DescriptorsSize
;
1119 FreeMemSize
= (UINTN
) DestPtr
- (UINTN
) FreeMemBase
;
1120 NewCapsuleBase
= (VOID
*) DestPtr
;
1121 CapsuleImageBase
= (UINT8
*)NewCapsuleBase
+ sizeof(EFI_CAPSULE_PEIM_PRIVATE_DATA
) + (CapsuleNumber
- 1) * sizeof(UINT64
);
1123 PrivateDataPtr
= (EFI_CAPSULE_PEIM_PRIVATE_DATA
*) NewCapsuleBase
;
1126 // Move all the blocks to the top (high) of memory.
1127 // Relocate all the obstructing blocks. Note that the block descriptors
1128 // were coalesced when they were relocated, so we can just ++ the pointer.
1130 CurrentBlockDesc
= BlockList
;
1131 while ((CurrentBlockDesc
->Length
!= 0) || (CurrentBlockDesc
->Union
.ContinuationPointer
!= (EFI_PHYSICAL_ADDRESS
) (UINTN
) NULL
)) {
1132 if (CapsuleTimes
== 0) {
1134 // The first entry is the block descriptor for EFI_CAPSULE_PEIM_PRIVATE_DATA.
1135 // CapsuleOffset field is uninitialized at this time. No need copy it, but need to reserve for future use.
1137 ASSERT (CurrentBlockDesc
->Union
.DataBlock
== (UINT64
)(UINTN
)&PrivateData
);
1138 DestLength
= sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA
) + (CapsuleNumber
- 1) * sizeof(UINT64
);
1140 DestLength
= (UINTN
)CurrentBlockDesc
->Length
;
1143 // See if any of the remaining capsule blocks are in the way
1145 TempBlockDesc
= CurrentBlockDesc
;
1146 while (TempBlockDesc
->Length
!= 0) {
1148 // Is this block in the way of where we want to copy the current descriptor to?
1153 (UINT8
*) (UINTN
) TempBlockDesc
->Union
.DataBlock
,
1154 (UINTN
) TempBlockDesc
->Length
1157 // Relocate the block
1159 RelocPtr
= FindFreeMem (BlockList
, FreeMemBase
, FreeMemSize
, (UINTN
) TempBlockDesc
->Length
);
1160 if (RelocPtr
== NULL
) {
1161 return EFI_BUFFER_TOO_SMALL
;
1164 CopyMem ((VOID
*) RelocPtr
, (VOID
*) (UINTN
) TempBlockDesc
->Union
.DataBlock
, (UINTN
) TempBlockDesc
->Length
);
1165 DEBUG ((EFI_D_INFO
, "Capsule reloc data block from 0x%8X to 0x%8X with size 0x%8X\n",
1166 (UINTN
) TempBlockDesc
->Union
.DataBlock
, (UINTN
) RelocPtr
, (UINTN
) TempBlockDesc
->Length
));
1168 TempBlockDesc
->Union
.DataBlock
= (EFI_PHYSICAL_ADDRESS
) (UINTN
) RelocPtr
;
1176 // Ok, we made it through. Copy the block.
1177 // we just support greping one capsule from the lists of block descs list.
1181 //Skip the first block descriptor that filled with EFI_CAPSULE_PEIM_PRIVATE_DATA
1183 if (CapsuleTimes
> 1) {
1185 //For every capsule entry point, check its header to determine whether to relocate it.
1186 //If it is invalid, skip it and move on to the next capsule. If it is valid, relocate it.
1188 if (CapsuleBeginFlag
) {
1189 CapsuleBeginFlag
= FALSE
;
1190 CapsuleHeader
= (EFI_CAPSULE_HEADER
*)(UINTN
)CurrentBlockDesc
->Union
.DataBlock
;
1191 SizeLeft
= CapsuleHeader
->CapsuleImageSize
;
1194 // No more check here is needed, because IsCapsuleCorrupted() already in ValidateCapsuleIntegrity()
1196 ASSERT (CapsuleIndex
< CapsuleNumber
);
1199 // Relocate this capsule
1201 CapsuleImageSize
+= SizeLeft
;
1203 // Cache the begin offset of this capsule
1205 ASSERT (PrivateDataPtr
->Signature
== EFI_CAPSULE_PEIM_PRIVATE_DATA_SIGNATURE
);
1206 ASSERT ((UINTN
)DestPtr
>= (UINTN
)CapsuleImageBase
);
1207 PrivateDataPtr
->CapsuleOffset
[CapsuleIndex
++] = (UINT64
)((UINTN
)DestPtr
- (UINTN
)CapsuleImageBase
);
1211 // Below ASSERT is checked in ValidateCapsuleIntegrity()
1213 ASSERT (CurrentBlockDesc
->Length
<= SizeLeft
);
1215 CopyMem ((VOID
*) DestPtr
, (VOID
*) (UINTN
) (CurrentBlockDesc
->Union
.DataBlock
), (UINTN
)CurrentBlockDesc
->Length
);
1216 DEBUG ((EFI_D_INFO
, "Capsule coalesce block no.0x%lX from 0x%lX to 0x%lX with size 0x%lX\n",(UINT64
)CapsuleTimes
,
1217 CurrentBlockDesc
->Union
.DataBlock
, (UINT64
)(UINTN
)DestPtr
, CurrentBlockDesc
->Length
));
1218 DestPtr
+= CurrentBlockDesc
->Length
;
1219 SizeLeft
-= CurrentBlockDesc
->Length
;
1221 if (SizeLeft
== 0) {
1223 //Here is the end of the current capsule image.
1225 CapsuleBeginFlag
= TRUE
;
1229 // The first entry is the block descriptor for EFI_CAPSULE_PEIM_PRIVATE_DATA.
1230 // CapsuleOffset field is uninitialized at this time. No need copy it, but need to reserve for future use.
1232 ASSERT (CurrentBlockDesc
->Length
== sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA
));
1233 ASSERT ((UINTN
)DestPtr
== (UINTN
)NewCapsuleBase
);
1234 CopyMem ((VOID
*) DestPtr
, (VOID
*) (UINTN
) CurrentBlockDesc
->Union
.DataBlock
, (UINTN
) CurrentBlockDesc
->Length
);
1235 DestPtr
+= sizeof (EFI_CAPSULE_PEIM_PRIVATE_DATA
) + (CapsuleNumber
- 1) * sizeof(UINT64
);
1238 //Walk through the block descriptor list.
1243 // We return the base of memory we want reserved, and the size.
1244 // The memory peim should handle it appropriately from there.
1246 *MemorySize
= (UINTN
) CapsuleSize
;
1247 *MemoryBase
= (VOID
*) NewCapsuleBase
;
1249 ASSERT (PrivateDataPtr
->Signature
== EFI_CAPSULE_PEIM_PRIVATE_DATA_SIGNATURE
);
1250 ASSERT (PrivateDataPtr
->CapsuleAllImageSize
== CapsuleImageSize
);
1251 ASSERT (PrivateDataPtr
->CapsuleNumber
== CapsuleIndex
);