]>
Commit | Line | Data |
---|---|---|
615c6dd0 | 1 | /** @file\r |
b1f6a7c6 | 2 | EFI PEI Core Security services\r |
3 | \r | |
192f6d4c | 4 | Copyright (c) 2006, Intel Corporation \r |
5 | All rights reserved. This program and the accompanying materials \r | |
6 | are licensed and made available under the terms and conditions of the BSD License \r | |
7 | which accompanies this distribution. The full text of the license may be found at \r | |
8 | http://opensource.org/licenses/bsd-license.php \r | |
9 | \r | |
10 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, \r | |
11 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. \r | |
12 | \r | |
b1f6a7c6 | 13 | **/\r |
192f6d4c | 14 | \r |
b1f6a7c6 | 15 | #include <PeiMain.h>\r |
192f6d4c | 16 | \r |
b1f6a7c6 | 17 | /**\r |
192f6d4c | 18 | \r |
b1f6a7c6 | 19 | Provide a callback for when the security PPI is installed.\r |
192f6d4c | 20 | \r |
dc857d56 | 21 | @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.\r |
22 | @param NotifyDescriptor The descriptor for the notification event.\r | |
23 | @param Ppi Pointer to the PPI in question.\r | |
192f6d4c | 24 | \r |
b1f6a7c6 | 25 | @return Always success\r |
192f6d4c | 26 | \r |
b1f6a7c6 | 27 | **/\r |
192f6d4c | 28 | EFI_STATUS\r |
29 | EFIAPI\r | |
30 | SecurityPpiNotifyCallback (\r | |
31 | IN EFI_PEI_SERVICES **PeiServices,\r | |
32 | IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,\r | |
33 | IN VOID *Ppi\r | |
34 | );\r | |
35 | \r | |
fe1e36e5 | 36 | EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {\r |
192f6d4c | 37 | EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,\r |
b0d803fe | 38 | &gEfiPeiSecurity2PpiGuid,\r |
192f6d4c | 39 | SecurityPpiNotifyCallback\r |
40 | };\r | |
41 | \r | |
b1f6a7c6 | 42 | /**\r |
192f6d4c | 43 | Initialize the security services.\r |
44 | \r | |
dc857d56 | 45 | @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.\r |
40f26b8f | 46 | @param OldCoreData Pointer to the old core data.\r |
b1f6a7c6 | 47 | NULL if being run in non-permament memory mode.\r |
192f6d4c | 48 | \r |
b1f6a7c6 | 49 | **/\r |
50 | VOID\r | |
51 | InitializeSecurityServices (\r | |
52 | IN EFI_PEI_SERVICES **PeiServices,\r | |
53 | IN PEI_CORE_INSTANCE *OldCoreData\r | |
54 | )\r | |
192f6d4c | 55 | {\r |
56 | if (OldCoreData == NULL) {\r | |
57 | PeiServicesNotifyPpi (&mNotifyList);\r | |
58 | }\r | |
59 | return;\r | |
60 | }\r | |
61 | \r | |
b1f6a7c6 | 62 | /**\r |
63 | \r | |
64 | Provide a callback for when the security PPI is installed.\r | |
82b8c8df | 65 | This routine will cache installed security PPI into PeiCore's private data.\r |
66 | \r | |
dc857d56 | 67 | @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.\r |
68 | @param NotifyDescriptor The descriptor for the notification event.\r | |
69 | @param Ppi Pointer to the PPI in question.\r | |
b1f6a7c6 | 70 | \r |
71 | @return Always success\r | |
72 | \r | |
73 | **/\r | |
192f6d4c | 74 | EFI_STATUS\r |
75 | EFIAPI\r | |
76 | SecurityPpiNotifyCallback (\r | |
77 | IN EFI_PEI_SERVICES **PeiServices,\r | |
78 | IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,\r | |
79 | IN VOID *Ppi\r | |
80 | )\r | |
192f6d4c | 81 | {\r |
82 | PEI_CORE_INSTANCE *PrivateData;\r | |
83 | \r | |
84 | //\r | |
85 | // Get PEI Core private data\r | |
86 | //\r | |
87 | PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);\r | |
88 | \r | |
89 | //\r | |
90 | // If there isn't a security PPI installed, use the one from notification\r | |
91 | //\r | |
92 | if (PrivateData->PrivateSecurityPpi == NULL) {\r | |
b0d803fe | 93 | PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY2_PPI *)Ppi;\r |
192f6d4c | 94 | }\r |
95 | return EFI_SUCCESS;\r | |
96 | }\r | |
97 | \r | |
b1f6a7c6 | 98 | /**\r |
192f6d4c | 99 | \r |
100 | Provide a callout to the security verification service.\r | |
101 | \r | |
192f6d4c | 102 | \r |
b1f6a7c6 | 103 | @param PrivateData PeiCore's private data structure\r |
104 | @param VolumeHandle Handle of FV\r | |
105 | @param FileHandle Handle of PEIM's ffs\r | |
192f6d4c | 106 | \r |
b1f6a7c6 | 107 | @retval EFI_SUCCESS Image is OK\r |
108 | @retval EFI_SECURITY_VIOLATION Image is illegal\r | |
82b8c8df | 109 | @retval EFI_NOT_FOUND If security PPI is not installed.\r |
b1f6a7c6 | 110 | **/\r |
111 | EFI_STATUS\r | |
112 | VerifyPeim (\r | |
113 | IN PEI_CORE_INSTANCE *PrivateData,\r | |
114 | IN EFI_PEI_FV_HANDLE VolumeHandle,\r | |
115 | IN EFI_PEI_FILE_HANDLE FileHandle\r | |
116 | )\r | |
192f6d4c | 117 | {\r |
192f6d4c | 118 | EFI_STATUS Status;\r |
119 | UINT32 AuthenticationStatus;\r | |
b0d803fe | 120 | BOOLEAN DeferExection;\r |
192f6d4c | 121 | \r |
122 | //\r | |
123 | // Set a default authentication state\r | |
124 | //\r | |
125 | AuthenticationStatus = 0;\r | |
126 | \r | |
192f6d4c | 127 | if (PrivateData->PrivateSecurityPpi == NULL) {\r |
128 | Status = EFI_NOT_FOUND;\r | |
129 | } else {\r | |
130 | //\r | |
131 | // Check to see if the image is OK\r | |
132 | //\r | |
133 | Status = PrivateData->PrivateSecurityPpi->AuthenticationState (\r | |
b0d803fe | 134 | (CONST EFI_PEI_SERVICES **) &PrivateData->PS,\r |
192f6d4c | 135 | PrivateData->PrivateSecurityPpi,\r |
136 | AuthenticationStatus,\r | |
b0d803fe | 137 | VolumeHandle,\r |
138 | FileHandle,\r | |
139 | &DeferExection\r | |
192f6d4c | 140 | );\r |
b0d803fe | 141 | if (DeferExection) {\r |
192f6d4c | 142 | Status = EFI_SECURITY_VIOLATION;\r |
143 | }\r | |
144 | }\r | |
145 | return Status;\r | |
146 | }\r | |
147 | \r | |
148 | \r | |
b1f6a7c6 | 149 | /**\r |
150 | Verify a Firmware volume.\r | |
151 | \r | |
82b8c8df | 152 | @param CurrentFvAddress Pointer to the current Firmware Volume under consideration\r |
b1f6a7c6 | 153 | \r |
82b8c8df | 154 | @retval EFI_SUCCESS Firmware Volume is legal\r |
b1f6a7c6 | 155 | \r |
156 | **/\r | |
192f6d4c | 157 | EFI_STATUS\r |
158 | VerifyFv (\r | |
159 | IN EFI_FIRMWARE_VOLUME_HEADER *CurrentFvAddress\r | |
160 | )\r | |
192f6d4c | 161 | {\r |
162 | //\r | |
163 | // Right now just pass the test. Future can authenticate and/or check the\r | |
164 | // FV-header or other metric for goodness of binary.\r | |
165 | //\r | |
166 | return EFI_SUCCESS;\r | |
167 | }\r |