[mirror_edk2.git] / SecurityPkg / Library / DxeImageAuthenticationStatusLib / DxeImageAuthenticationStatusLib.c

/** @file\r
  Implement image authentication status check in UEFI2.3.1.\r
\r
Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution.  The full text of the license may be found at\r
http://opensource.org/licenses/bsd-license.php\r
\r
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#include <PiDxe.h>\r
#include <Library/SecurityManagementLib.h>\r
\r
\r
/**\r
  Check image authentication status returned from Section Extraction Protocol\r
\r
  @param[in]    AuthenticationStatus  This is the authentication status returned from\r
                             the Section Extraction Protocol when reading the input file.\r
  @param[in]    File       This is a pointer to the device path of the file that is\r
                           being dispatched. This will optionally be used for logging.\r
  @param[in]    FileBuffer File buffer matches the input file device path.\r
  @param[in]    FileSize   Size of File buffer matches the input file device path.\r
  @param[in]    BootPolicy A boot policy that was used to call LoadImage() UEFI service.\r
\r
  @retval EFI_SUCCESS            The input file specified by File did authenticate, and the\r
                                 platform policy dictates that the DXE Core may use File.\r
  @retval EFI_ACCESS_DENIED      The file specified by File and FileBuffer did not\r
                                 authenticate, and the platform policy dictates that the DXE\r
                                 Foundation many not use File.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
DxeImageAuthenticationStatusHandler (\r
  IN  UINT32                           AuthenticationStatus,\r
  IN  CONST EFI_DEVICE_PATH_PROTOCOL   *File,\r
  IN  VOID                             *FileBuffer,\r
  IN  UINTN                            FileSize,\r
  IN  BOOLEAN                          BootPolicy\r
  )\r
{\r
  if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0) {\r
    if ((AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {\r
      return EFI_ACCESS_DENIED;\r
    }\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
\r
/**\r
  Register image authenticaion status check handler.\r
\r
  @param  ImageHandle   ImageHandle of the loaded driver.\r
  @param  SystemTable   Pointer to the EFI System Table.\r
\r
  @retval EFI_SUCCESS   The handlers were registered successfully.\r
**/\r
EFI_STATUS\r
EFIAPI\r
DxeImageAuthenticationStatusLibConstructor (\r
  IN EFI_HANDLE        ImageHandle,\r
  IN EFI_SYSTEM_TABLE  *SystemTable\r
  )\r
{\r
  return RegisterSecurity2Handler (\r
           DxeImageAuthenticationStatusHandler,\r
           EFI_AUTH_OPERATION_AUTHENTICATION_STATE\r
           );\r
}\r
Commit	Line	Data
d0043e49	1	/** @file\r
	2	Implement image authentication status check in UEFI2.3.1.\r
	3	\r
b3548d32	4	Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>\r
d0043e49	5	This program and the accompanying materials\r
	6	are licensed and made available under the terms and conditions of the BSD License\r
	7	which accompanies this distribution. The full text of the license may be found at\r
	8	http://opensource.org/licenses/bsd-license.php\r
	9	\r
	10	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	11	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	12	\r
	13	**/\r
	14	\r
	15	#include <PiDxe.h>\r
	16	#include <Library/SecurityManagementLib.h>\r
	17	\r
	18	\r
	19	/**\r
	20	Check image authentication status returned from Section Extraction Protocol\r
b3548d32 LG	21	\r
b3548d32 LG	22	@param[in] AuthenticationStatus This is the authentication status returned from\r
d0043e49	23	the Section Extraction Protocol when reading the input file.\r
	24	@param[in] File This is a pointer to the device path of the file that is\r
	25	being dispatched. This will optionally be used for logging.\r
	26	@param[in] FileBuffer File buffer matches the input file device path.\r
	27	@param[in] FileSize Size of File buffer matches the input file device path.\r
	28	@param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.\r
	29	\r
	30	@retval EFI_SUCCESS The input file specified by File did authenticate, and the\r
	31	platform policy dictates that the DXE Core may use File.\r
	32	@retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not\r
	33	authenticate, and the platform policy dictates that the DXE\r
	34	Foundation many not use File.\r
	35	\r
	36	**/\r
	37	EFI_STATUS\r
	38	EFIAPI\r
	39	DxeImageAuthenticationStatusHandler (\r
	40	IN UINT32 AuthenticationStatus,\r
	41	IN CONST EFI_DEVICE_PATH_PROTOCOL *File,\r
	42	IN VOID *FileBuffer,\r
	43	IN UINTN FileSize,\r
	44	IN BOOLEAN BootPolicy\r
	45	)\r
	46	{\r
89799ec9	47	if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0) {\r
89799ec9	48	if ((AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED \| EFI_AUTH_STATUS_NOT_TESTED)) != 0) {\r
d0043e49	49	return EFI_ACCESS_DENIED;\r
	50	}\r
	51	}\r
	52	\r
	53	return EFI_SUCCESS;\r
	54	}\r
	55	\r
	56	\r
	57	/**\r
	58	Register image authenticaion status check handler.\r
	59	\r
	60	@param ImageHandle ImageHandle of the loaded driver.\r
	61	@param SystemTable Pointer to the EFI System Table.\r
	62	\r
	63	@retval EFI_SUCCESS The handlers were registered successfully.\r
	64	**/\r
	65	EFI_STATUS\r
	66	EFIAPI\r
	67	DxeImageAuthenticationStatusLibConstructor (\r
	68	IN EFI_HANDLE ImageHandle,\r
	69	IN EFI_SYSTEM_TABLE *SystemTable\r
	70	)\r
	71	{\r
	72	return RegisterSecurity2Handler (\r
	73	DxeImageAuthenticationStatusHandler,\r
	74	EFI_AUTH_OPERATION_AUTHENTICATION_STATE\r
	75	);\r
	76	}\r