From 9d8de12c31628da255155a544641ae7473581f04 Mon Sep 17 00:00:00 2001
From: "Gao, Liming"
Date: Mon, 18 Aug 2014 05:43:06 +0000
Subject: [PATCH] Update PeiCore to follow PI spec to retrieve GUIDED section data when ExtractionPpi is not found. Enhance PeiCore Security Policy to check AuthenticationStatus when SecurityPpi is not found.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gao, Liming
Reviewed-by: Zeng, Star
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15817 6f19259b-4bc3-4df7-8a09-765794883524
---
MdeModulePkg/Core/Pei/FwVol/FwVol.c | 22 ++++++++++++++++++++--
MdeModulePkg/Core/Pei/Security/Security.c | 13 ++++++++++---
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/MdeModulePkg/Core/Pei/FwVol/FwVol.c b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
index a347129be4..357f0979e2 100644
--- a/MdeModulePkg/Core/Pei/FwVol/FwVol.c
+++ b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
@@ -735,6 +735,7 @@ ProcessSection (
 BOOLEAN SectionCached;
 VOID *TempOutputBuffer;
 UINT32 TempAuthenticationStatus;
+ UINT16 GuidedSectionAttributes;
 
 PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
 *OutputBuffer = NULL;
@@ -834,9 +835,11 @@ ProcessSection (
 Authentication = 0;
 if (Section->Type == EFI_SECTION_GUID_DEFINED) {
 if (IS_SECTION2 (Section)) {
- SectionDefinitionGuid = &((EFI_GUID_DEFINED_SECTION2 *)Section)->SectionDefinitionGuid;
+ SectionDefinitionGuid = &((EFI_GUID_DEFINED_SECTION2 *)Section)->SectionDefinitionGuid;
+ GuidedSectionAttributes = ((EFI_GUID_DEFINED_SECTION2 *)Section)->Attributes;
 } else {
- SectionDefinitionGuid = &((EFI_GUID_DEFINED_SECTION *)Section)->SectionDefinitionGuid;
+ SectionDefinitionGuid = &((EFI_GUID_DEFINED_SECTION *)Section)->SectionDefinitionGuid;
+ GuidedSectionAttributes = ((EFI_GUID_DEFINED_SECTION *)Section)->Attributes;
 }
 if (VerifyGuidedSectionGuid (SectionDefinitionGuid, &GuidSectionPpi)) {
 Status = GuidSectionPpi->ExtractSection (
@@ -846,6 +849,21 @@ ProcessSection (
 &PpiOutputSize,
 &Authentication
 );
+ } else if ((GuidedSectionAttributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) == 0) {
+ //
+ // Figure out the proper authentication status for GUIDED section without processing required
+ //
+ Status = EFI_SUCCESS;
+ if ((GuidedSectionAttributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) == EFI_GUIDED_SECTION_AUTH_STATUS_VALID) {
+ Authentication |= EFI_AUTH_STATUS_IMAGE_SIGNED | EFI_AUTH_STATUS_NOT_TESTED;
+ }
+ if (IS_SECTION2 (Section)) {
+ PpiOutputSize = SECTION2_SIZE (Section) - ((EFI_GUID_DEFINED_SECTION2 *) Section)->DataOffset;
+ PpiOutput = (UINT8 *) Section + ((EFI_GUID_DEFINED_SECTION2 *) Section)->DataOffset;
+ } else {
+ PpiOutputSize = SECTION_SIZE (Section) - ((EFI_GUID_DEFINED_SECTION *) Section)->DataOffset;
+ PpiOutput = (UINT8 *) Section + ((EFI_GUID_DEFINED_SECTION *) Section)->DataOffset;
+ }
 }
 } else if (Section->Type == EFI_SECTION_COMPRESSION) {
 Status = PeiServicesLocatePpi (&gEfiPeiDecompressPpiGuid, 0, NULL, (VOID **) &DecompressPpi);
diff --git a/MdeModulePkg/Core/Pei/Security/Security.c b/MdeModulePkg/Core/Pei/Security/Security.c
index f08926766a..763126057d 100644
--- a/MdeModulePkg/Core/Pei/Security/Security.c
+++ b/MdeModulePkg/Core/Pei/Security/Security.c
@@ -1,7 +1,7 @@
 /** @file
 EFI PEI Core Security services
 
-Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.
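Review bot: The new no-extraction branch uses `DataOffset` from the GUIDED section header without a range check, so a corrupted or malformed section whose DataOffset exceeds the section size makes `PpiOutputSize = SECTION_SIZE (Section) - DataOffset` wrap (UINT32) and leaves `PpiOutput` pointing past the section while Status is EFI_SUCCESS. On the extraction-PPI path above, the header is handed to the PPI; here PeiCore does the pointer arithmetic itself, so it should only take the branch when `DataOffset >= sizeof (EFI_GUID_DEFINED_SECTION)` (or the SECTION2 header size) and `DataOffset <= SECTION_SIZE (Section)` (SECTION2_SIZE for SECTION2), otherwise `Status = EFI_VOLUME_CORRUPTED;` rather than EFI_SUCCESS. If the firmware volume is assumed to have been measured or verified before sections are parsed, a comment stating that assumption on this branch would be worth adding. What later code does with Status and PpiOutput is outside the hunk, as is the start of ProcessSection.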
+Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.
This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution. The full text of the license may be found at
@@ -100,9 +100,16 @@ VerifyPeim (
 EFI_STATUS Status;
 BOOLEAN DeferExection;
- + Status = EFI_NOT_FOUND;
 if (PrivateData->PrivateSecurityPpi == NULL) {
- Status = EFI_NOT_FOUND;
+ //
+ // Check AuthenticationStatus first.
+ //
+ if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0) {
+ if ((AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {
+ Status = EFI_SECURITY_VIOLATION;
+ }
+ }
 } else {
 //
 // Check to see if the image is OK
-- 
2.39.2
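Review bot: The fallback policy is fail-closed only for signed images: with no Security PPI installed, an image whose AuthenticationStatus has EFI_AUTH_STATUS_IMAGE_SIGNED clear leaves Status at EFI_NOT_FOUND, and whether such an image is then dispatched depends on how the rest of VerifyPeim (outside the hunk) treats EFI_NOT_FOUND. The comment `// Check AuthenticationStatus first.` should state that policy, e.g. `// No Security PPI: a signed image whose signature failed or was never verified is rejected with EFI_SECURITY_VIOLATION; an unsigned image falls through with EFI_NOT_FOUND.` As a point of style, the two nested ifs read more clearly as one condition: `if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0 && (AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {`. The function's signature and its remaining body are outside the hunk.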