EdkModulePkg/Core/Pei/Security/Security.c

   1 /*++
   2
   3 Copyright (c) 2006, Intel Corporation
   4 All rights reserved. This program and the accompanying materials
   5 are licensed and made available under the terms and conditions of the BSD License
   6 which accompanies this distribution.  The full text of the license may be found at
   7 http://opensource.org/licenses/bsd-license.php
   8
   9 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  10 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  11
  12 Module Name:
  13
  14   Security.c
  15
  16 Abstract:
  17
  18   EFI PEI Core Security services
  19
  20 --*/
  21
  22 #include <PeiMain.h>
  23
  24 EFI_STATUS
  25 EFIAPI
  26 SecurityPpiNotifyCallback (
  27   IN EFI_PEI_SERVICES           **PeiServices,
  28   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  29   IN VOID                       *Ppi
  30   );
  31
  32 static EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
  33    EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
  34    &gEfiPeiSecurityPpiGuid,
  35    SecurityPpiNotifyCallback
  36 };
  37
  38 VOID
  39 InitializeSecurityServices (
  40   IN EFI_PEI_SERVICES  **PeiServices,
  41   IN PEI_CORE_INSTANCE *OldCoreData
  42   )
  43 /*++
  44
  45 Routine Description:
  46
  47   Initialize the security services.
  48
  49 Arguments:
  50
  51   PeiServices - The PEI core services table.
  52   OldCoreData - Pointer to the old core data.
  53                 NULL if being run in non-permament memory mode.
  54 Returns:
  55
  56   None
  57
  58 --*/
  59 {
  60   if (OldCoreData == NULL) {
  61     PeiCoreNotifyPpi (&mNotifyList);
  62   }
  63   return;
  64 }
  65
  66 EFI_STATUS
  67 EFIAPI
  68 SecurityPpiNotifyCallback (
  69   IN EFI_PEI_SERVICES           **PeiServices,
  70   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  71   IN VOID                       *Ppi
  72   )
  73 /*++
  74
  75 Routine Description:
  76
  77   Provide a callback for when the security PPI is installed.
  78
  79 Arguments:
  80
  81   PeiServices       - The PEI core services table.
  82   NotifyDescriptor  - The descriptor for the notification event.
  83   Ppi               - Pointer to the PPI in question.
  84
  85 Returns:
  86
  87   EFI_SUCCESS - The function is successfully processed.
  88
  89 --*/
  90 {
  91   PEI_CORE_INSTANCE                       *PrivateData;
  92
  93   //
  94   // Get PEI Core private data
  95   //
  96   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
  97
  98   //
  99   // If there isn't a security PPI installed, use the one from notification
 100   //
 101   if (PrivateData->PrivateSecurityPpi == NULL) {
 102     PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY_PPI *)Ppi;
 103   }
 104   return EFI_SUCCESS;
 105 }
 106
 107 EFI_STATUS
 108 VerifyPeim (
 109   IN EFI_PEI_SERVICES     **PeiServices,
 110   IN EFI_FFS_FILE_HEADER  *CurrentPeimAddress
 111   )
 112 /*++
 113
 114 Routine Description:
 115
 116   Provide a callout to the security verification service.
 117
 118 Arguments:
 119
 120   PeiServices          - The PEI core services table.
 121   CurrentPeimAddress   - Pointer to the Firmware File under investigation.
 122
 123 Returns:
 124
 125   EFI_SUCCESS             - Image is OK
 126   EFI_SECURITY_VIOLATION  - Image is illegal
 127
 128 --*/
 129 {
 130   PEI_CORE_INSTANCE               *PrivateData;
 131   EFI_STATUS                      Status;
 132   UINT32                          AuthenticationStatus;
 133   BOOLEAN                         StartCrisisRecovery;
 134
 135   //
 136   // Set a default authentication state
 137   //
 138   AuthenticationStatus = 0;
 139
 140   //
 141   // get security PPI instance from PEI private data
 142   //
 143   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
 144
 145   if (PrivateData->PrivateSecurityPpi == NULL) {
 146     Status = EFI_NOT_FOUND;
 147   } else {
 148     //
 149     // Check to see if the image is OK
 150     //
 151     Status = PrivateData->PrivateSecurityPpi->AuthenticationState (
 152                                                 PeiServices,
 153                                                 PrivateData->PrivateSecurityPpi,
 154                                                 AuthenticationStatus,
 155                                                 CurrentPeimAddress,
 156                                                 &StartCrisisRecovery
 157                                                 );
 158     if (StartCrisisRecovery) {
 159       Status = EFI_SECURITY_VIOLATION;
 160     }
 161   }
 162   return Status;
 163 }
 164
 165
 166 EFI_STATUS
 167 VerifyFv (
 168   IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
 169   )
 170 /*++
 171
 172 Routine Description:
 173
 174   Verify a Firmware volume
 175
 176 Arguments:
 177
 178   CurrentFvAddress - Pointer to the current Firmware Volume under consideration
 179
 180 Returns:
 181
 182   EFI_SUCCESS             - Firmware Volume is legal
 183   EFI_SECURITY_VIOLATION  - Firmware Volume fails integrity test
 184
 185 --*/
 186 {
 187   //
 188   // Right now just pass the test.  Future can authenticate and/or check the
 189   // FV-header or other metric for goodness of binary.
 190   //
 191   return EFI_SUCCESS;
 192 }