Commit | Line | Data |
---|---|---|
f6f91d38 JY |
1 | /** @file\r |
2 | SetImage instance to report system firmware and act as agent to system update.\r | |
3 | \r | |
4 | Caution: This module requires additional review when modified.\r | |
5 | This module will have external input - capsule image.\r | |
6 | This external input must be validated carefully to avoid security issues such as\r | |
7 | buffer overflow and integer overflow.\r | |
8 | \r | |
9 | FmpSetImage() will receive untrusted input and do basic validation.\r | |
10 | \r | |
153f5c7a | 11 | Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>\r |
fbf06957 | 12 | SPDX-License-Identifier: BSD-2-Clause-Patent\r |
f6f91d38 JY |
13 | \r |
14 | **/\r | |
15 | \r | |
16 | #include "SystemFirmwareDxe.h"\r | |
17 | \r | |
//
// SystemFmp driver private data.
// Allocated and initialized by SystemFirmwareReportMainDxe(); reset to NULL
// there if initialization or protocol installation fails.
//
SYSTEM_FMP_PRIVATE_DATA  *mSystemFmpPrivate = NULL;
f6f91d38 JY |
22 | \r |
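/**
  Dispatch system FMP images.

  Authenticates the capsule image and, when the authenticated payload carries a
  driver FV, copies that FV into freshly allocated pages and hands it to the DXE
  dispatcher.

  Caution: This function may receive untrusted input. Nothing from Image is
  extracted or dispatched unless CapsuleAuthenticateSystemFirmware() succeeds,
  and the driver FV header is only read after the extracted size is known to
  cover a complete EFI_FIRMWARE_VOLUME_HEADER.

  @param[in]  Image               The EDKII system FMP capsule image.
  @param[in]  ImageSize           The size of the EDKII system FMP capsule image in bytes.
  @param[out] LastAttemptVersion  The last attempt version, which will be recorded in ESRT and FMP EFI_FIRMWARE_IMAGE_DESCRIPTOR.
  @param[out] LastAttemptStatus   The last attempt status, which will be recorded in ESRT and FMP EFI_FIRMWARE_IMAGE_DESCRIPTOR.

  @retval EFI_SUCCESS              Process Capsule Image successfully. A missing,
                                   malformed or undispatchable driver FV is not
                                   reported to the caller; only authentication
                                   failures are.
  @retval EFI_UNSUPPORTED          Capsule image is not supported by the firmware.
  @retval EFI_VOLUME_CORRUPTED     FV volume in the capsule is corrupted.
  @retval EFI_OUT_OF_RESOURCES     Not enough memory.
  @retval Others                   Any other error status propagated unchanged from
                                   CapsuleAuthenticateSystemFirmware().
**/
EFI_STATUS
DispatchSystemFmpImages (
  IN  VOID    *Image,
  IN  UINTN   ImageSize,
  OUT UINT32  *LastAttemptVersion,
  OUT UINT32  *LastAttemptStatus
  )
{
  EFI_STATUS                  Status;
  VOID                        *AuthenticatedImage;
  UINTN                       AuthenticatedImageSize;
  VOID                        *DispatchFvImage;
  UINTN                       DispatchFvImageSize;
  EFI_HANDLE                  FvProtocolHandle;
  EFI_FIRMWARE_VOLUME_HEADER  *FvImage;
  BOOLEAN                     Result;

  AuthenticatedImage     = NULL;
  AuthenticatedImageSize = 0;
  DispatchFvImage        = NULL;
  DispatchFvImageSize    = 0;

  DEBUG ((DEBUG_INFO, "DispatchSystemFmpImages\n"));

  //
  // Verify. Every later step works on the authenticated payload only.
  //
  Status = CapsuleAuthenticateSystemFirmware (Image, ImageSize, FALSE, LastAttemptVersion, LastAttemptStatus, &AuthenticatedImage, &AuthenticatedImageSize);
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "SystemFirmwareAuthenticateImage - %r\n", Status));
    return Status;
  }

  //
  // Get FV. The driver FV is optional, so its absence is not an error.
  //
  Result = ExtractDriverFvImage (AuthenticatedImage, AuthenticatedImageSize, &DispatchFvImage, &DispatchFvImageSize);
  if (!Result) {
    return EFI_SUCCESS;
  }

  DEBUG ((DEBUG_INFO, "ExtractDriverFvImage\n"));

  //
  // FvLength is a field of EFI_FIRMWARE_VOLUME_HEADER. Reading it from a
  // payload shorter than the header would read past the extracted buffer,
  // so reject short (or missing) payloads before touching the header.
  //
  if ((DispatchFvImage == NULL) || (DispatchFvImageSize < sizeof (EFI_FIRMWARE_VOLUME_HEADER))) {
    DEBUG ((DEBUG_ERROR, "DispatchSystemFmpImages - driver FV smaller than FV header\n"));
    return EFI_SUCCESS;
  }

  //
  // Dispatch only when the header's own length agrees with the extracted size.
  //
  if (((EFI_FIRMWARE_VOLUME_HEADER *)DispatchFvImage)->FvLength != DispatchFvImageSize) {
    return EFI_SUCCESS;
  }

  FvImage = AllocatePages (EFI_SIZE_TO_PAGES (DispatchFvImageSize));
  if (FvImage == NULL) {
    return EFI_SUCCESS;
  }

  CopyMem (FvImage, DispatchFvImage, DispatchFvImageSize);

  //
  // Pass the size that was already checked against FvLength instead of
  // fetching FvLength a second time from the copy; the two are equal here.
  //
  Status = gDS->ProcessFirmwareVolume (
                  (VOID *)FvImage,
                  DispatchFvImageSize,
                  &FvProtocolHandle
                  );
  DEBUG ((DEBUG_INFO, "ProcessFirmwareVolume - %r\n", Status));
  if (!EFI_ERROR (Status)) {
    gDS->Dispatch ();
    DEBUG ((DEBUG_INFO, "Dispatch Done\n"));
  }

  //
  // NOTE(review): the pages behind FvImage are not released when
  // ProcessFirmwareVolume() fails. Whether they can be freed safely depends on
  // whether the DXE core can still reference them on its failure paths -
  // confirm before adding a FreePages() call here.
  //
  return EFI_SUCCESS;
}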
98 | \r | |
/**
  Write the current last-attempt record to its non-volatile UEFI variable.

  The write is best effort: the SetVariable() status is only logged and is not
  returned to the caller.

  @param[in] SystemFmpPrivate  Driver private data holding the LastAttempt record.
**/
STATIC
VOID
SystemFmpAgentSaveLastAttempt (
  IN SYSTEM_FMP_PRIVATE_DATA  *SystemFmpPrivate
  )
{
  EFI_STATUS  VarStatus;

  VarStatus = gRT->SetVariable (
                     SYSTEM_FMP_LAST_ATTEMPT_VARIABLE_NAME,
                     &gSystemFmpLastAttemptVariableGuid,
                     EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                     sizeof (SystemFmpPrivate->LastAttempt),
                     &SystemFmpPrivate->LastAttempt
                     );
  DEBUG ((DEBUG_INFO, "(Agent)SetLastAttempt - %r\n", VarStatus));
}

/**
  Updates the firmware image of the device.

  Image is untrusted input. This agent first passes it through
  DispatchSystemFmpImages(); if that fails, the last-attempt record is saved and
  the error is returned. Otherwise the request is forwarded unchanged to the
  System FMP protocol, looked up on this driver's own handle first and then
  anywhere in the handle database.

  Per the FMP contract, this function returns EFI_UNSUPPORTED if the firmware
  image is not updatable. If the firmware image is updatable, the following
  minimal validations should be performed before the update proceeds:
  - Validate the image authentication if the image has attribute
    IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED. The function returns
    EFI_SECURITY_VIOLATION if the validation fails.
  - Validate that the image is a supported image for this device. The function
    returns EFI_ABORTED if the image is unsupported, and can optionally provide
    more detailed information on why the image is not supported.
  - Validate the data from VendorCode if not null. Image validation must be
    performed before VendorCode data validation. VendorCode data is ignored or
    considered invalid if image validation failed. The function returns
    EFI_ABORTED if the data is invalid.

  VendorCode enables a vendor to implement a vendor-specific firmware image
  update policy. It is null if the caller did not specify a policy or uses the
  default policy. As an example, a vendor can implement a policy that allows
  forcing a firmware image update when the abort reason is that the new image
  version is older than the current one, or a bad image checksum. Sensitive
  operations, such as wiping the entire firmware image and rendering the device
  non-functional, should be encoded in the image itself rather than passed with
  the VendorCode. AbortReason gives the vendor the option to provide a more
  detailed description of the abort reason to the caller.

  @param[in]  This               A pointer to the EFI_FIRMWARE_MANAGEMENT_PROTOCOL instance.
  @param[in]  ImageIndex         A unique number identifying the firmware image(s) within the device.
                                 The number is between 1 and DescriptorCount.
  @param[in]  Image              Points to the new image.
  @param[in]  ImageSize          Size of the new image in bytes.
  @param[in]  VendorCode         This enables vendor to implement vendor-specific firmware image update policy.
                                 Null indicates the caller did not specify the policy or use the default policy.
  @param[in]  Progress           A function used by the driver to report the progress of the firmware update.
  @param[out] AbortReason        A pointer to a pointer to a null-terminated string providing more
                                 details for the aborted operation. The buffer is allocated by this function
                                 with AllocatePool(), and it is the caller's responsibility to free it with a
                                 call to FreePool().

  @retval EFI_SUCCESS            The device was successfully updated with the new image.
  @retval EFI_ABORTED            The operation is aborted.
  @retval EFI_INVALID_PARAMETER  The Image was NULL, ImageSize was 0, AbortReason was NULL,
                                 or ImageIndex was 0 or greater than DescriptorCount.
  @retval EFI_UNSUPPORTED        The operation is not supported.
  @retval EFI_SECURITY_VIOLATION The operation could not be performed due to an authentication failure.

**/
EFI_STATUS
EFIAPI
FmpSetImage (
  IN  EFI_FIRMWARE_MANAGEMENT_PROTOCOL               *This,
  IN  UINT8                                          ImageIndex,
  IN  CONST VOID                                     *Image,
  IN  UINTN                                          ImageSize,
  IN  CONST VOID                                     *VendorCode,
  IN  EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS  Progress,
  OUT CHAR16                                         **AbortReason
  )
{
  SYSTEM_FMP_PRIVATE_DATA           *Private;
  EFI_FIRMWARE_MANAGEMENT_PROTOCOL  *Target;
  EFI_STATUS                        Status;

  //
  // Reject an unusable request before anything is written through AbortReason.
  //
  if ((Image == NULL) || (ImageSize == 0) || (AbortReason == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  Private      = SYSTEM_FMP_PRIVATE_DATA_FROM_FMP (This);
  *AbortReason = NULL;

  //
  // ImageIndex is 1-based and bounded by the number of descriptors.
  //
  if ((ImageIndex == 0) || (ImageIndex > Private->DescriptorCount)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // Process FV. The last-attempt fields are filled in by the callee and are
  // persisted only when it reports a failure.
  //
  Status = DispatchSystemFmpImages ((VOID *)Image, ImageSize, &Private->LastAttempt.LastAttemptVersion, &Private->LastAttempt.LastAttemptStatus);
  DEBUG ((DEBUG_INFO, "(Agent)SetImage - LastAttempt Version - 0x%x, State - 0x%x\n", Private->LastAttempt.LastAttemptVersion, Private->LastAttempt.LastAttemptStatus));
  if (EFI_ERROR (Status)) {
    SystemFmpAgentSaveLastAttempt (Private);
    return Status;
  }

  //
  // Pass Thru to System FMP Protocol on same handle as FMP Protocol,
  // falling back to any instance in the handle database.
  //
  Status = gBS->HandleProtocol (
                  Private->Handle,
                  &gSystemFmpProtocolGuid,
                  (VOID **)&Target
                  );
  if (EFI_ERROR (Status)) {
    Status = gBS->LocateProtocol (
                    &gSystemFmpProtocolGuid,
                    NULL,
                    (VOID **)&Target
                    );
  }

  if (EFI_ERROR (Status)) {
    //
    // No System FMP instance is available to perform the update.
    //
    DEBUG ((DEBUG_INFO, "(Agent)SetImage - SystemFmpProtocol - %r\n", Status));
    Private->LastAttempt.LastAttemptStatus = LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT;
    SystemFmpAgentSaveLastAttempt (Private);
    return Status;
  }

  return Target->SetImage (Target, ImageIndex, Image, ImageSize, VendorCode, Progress, AbortReason);
}
221 | \r | |
/**
  System FMP module entrypoint.

  Allocates the driver private data, initializes it and installs the Firmware
  Management Protocol on the private data's handle. On any failure after the
  allocation, the private data is freed and mSystemFmpPrivate is reset to NULL.

  @param[in] ImageHandle  The firmware allocated handle for the EFI image.
  @param[in] SystemTable  A pointer to the EFI System Table.

  @retval EFI_SUCCESS           System FMP module is initialized.
  @retval EFI_OUT_OF_RESOURCES  The private data could not be allocated.
  @retval Others                Error status returned by InitializePrivateData()
                                or InstallProtocolInterface().
**/
EFI_STATUS
EFIAPI
SystemFirmwareReportMainDxe (
  IN EFI_HANDLE        ImageHandle,
  IN EFI_SYSTEM_TABLE  *SystemTable
  )
{
  EFI_STATUS  Status;

  //
  // Initialize SystemFmpPrivateData
  //
  mSystemFmpPrivate = AllocateZeroPool (sizeof (*mSystemFmpPrivate));
  if (mSystemFmpPrivate == NULL) {
    return EFI_OUT_OF_RESOURCES;
  }

  Status = InitializePrivateData (mSystemFmpPrivate);
  if (!EFI_ERROR (Status)) {
    //
    // Install FMP protocol.
    //
    Status = gBS->InstallProtocolInterface (
                    &mSystemFmpPrivate->Handle,
                    &gEfiFirmwareManagementProtocolGuid,
                    EFI_NATIVE_INTERFACE,
                    &mSystemFmpPrivate->Fmp
                    );
  }

  if (EFI_ERROR (Status)) {
    //
    // Shared failure path for both steps above.
    // NOTE(review): only the top-level structure is freed; if
    // InitializePrivateData() allocates members of its own, they are not
    // released when InstallProtocolInterface() fails - confirm.
    //
    FreePool (mSystemFmpPrivate);
    mSystemFmpPrivate = NULL;
  }

  return Status;
}