MdeModulePkg/Core/Pei/Security/Security.c

   1 /** @file
   2   EFI PEI Core Security services
   3
   4 Copyright (c) 2006, Intel Corporation
   5 All rights reserved. This program and the accompanying materials
   6 are licensed and made available under the terms and conditions of the BSD License
   7 which accompanies this distribution.  The full text of the license may be found at
   8 http://opensource.org/licenses/bsd-license.php
   9
  10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  12
  13 **/
  14
  15 #include <PeiMain.h>
  16
  17 /**
  18
  19   Provide a callback for when the security PPI is installed.
  20
  21   @param PeiServices        An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
  22   @param NotifyDescriptor   The descriptor for the notification event.
  23   @param Ppi                Pointer to the PPI in question.
  24
  25   @return Always success
  26
  27 **/
  28 EFI_STATUS
  29 EFIAPI
  30 SecurityPpiNotifyCallback (
  31   IN EFI_PEI_SERVICES           **PeiServices,
  32   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  33   IN VOID                       *Ppi
  34   );
  35
  36 STATIC EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
  37    EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
  38    &gEfiPeiSecurity2PpiGuid,
  39    SecurityPpiNotifyCallback
  40 };
  41
  42 /**
  43   Initialize the security services.
  44
  45   @param PeiServices     An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
  46   @param OldCoreData     Pointer to the old core data.
  47                          NULL if being run in non-permament memory mode.
  48
  49 **/
  50 VOID
  51 InitializeSecurityServices (
  52   IN EFI_PEI_SERVICES  **PeiServices,
  53   IN PEI_CORE_INSTANCE *OldCoreData
  54   )
  55 {
  56   if (OldCoreData == NULL) {
  57     PeiServicesNotifyPpi (&mNotifyList);
  58   }
  59   return;
  60 }
  61
  62 /**
  63
  64   Provide a callback for when the security PPI is installed.
  65   This routine will cache installed security PPI into PeiCore's private data.
  66
  67   @param PeiServices        An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
  68   @param NotifyDescriptor   The descriptor for the notification event.
  69   @param Ppi                Pointer to the PPI in question.
  70
  71   @return Always success
  72
  73 **/
  74 EFI_STATUS
  75 EFIAPI
  76 SecurityPpiNotifyCallback (
  77   IN EFI_PEI_SERVICES           **PeiServices,
  78   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  79   IN VOID                       *Ppi
  80   )
  81 {
  82   PEI_CORE_INSTANCE                       *PrivateData;
  83
  84   //
  85   // Get PEI Core private data
  86   //
  87   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
  88
  89   //
  90   // If there isn't a security PPI installed, use the one from notification
  91   //
  92   if (PrivateData->PrivateSecurityPpi == NULL) {
  93     PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY2_PPI *)Ppi;
  94   }
  95   return EFI_SUCCESS;
  96 }
  97
  98 /**
  99
 100   Provide a callout to the security verification service.
 101
 102
 103   @param PrivateData     PeiCore's private data structure
 104   @param VolumeHandle    Handle of FV
 105   @param FileHandle      Handle of PEIM's ffs
 106
 107   @retval EFI_SUCCESS              Image is OK
 108   @retval EFI_SECURITY_VIOLATION   Image is illegal
 109   @retval EFI_NOT_FOUND            If security PPI is not installed.
 110 **/
 111 EFI_STATUS
 112 VerifyPeim (
 113   IN PEI_CORE_INSTANCE      *PrivateData,
 114   IN EFI_PEI_FV_HANDLE      VolumeHandle,
 115   IN EFI_PEI_FILE_HANDLE    FileHandle
 116   )
 117 {
 118   EFI_STATUS                      Status;
 119   UINT32                          AuthenticationStatus;
 120   BOOLEAN                         DeferExection;
 121
 122   //
 123   // Set a default authentication state
 124   //
 125   AuthenticationStatus = 0;
 126
 127   if (PrivateData->PrivateSecurityPpi == NULL) {
 128     Status = EFI_NOT_FOUND;
 129   } else {
 130     //
 131     // Check to see if the image is OK
 132     //
 133     Status = PrivateData->PrivateSecurityPpi->AuthenticationState (
 134                                                 (CONST EFI_PEI_SERVICES **) &PrivateData->PS,
 135                                                 PrivateData->PrivateSecurityPpi,
 136                                                 AuthenticationStatus,
 137                                                 VolumeHandle,
 138                                                 FileHandle,
 139                                                 &DeferExection
 140                                                 );
 141     if (DeferExection) {
 142       Status = EFI_SECURITY_VIOLATION;
 143     }
 144   }
 145   return Status;
 146 }
 147
 148
 149 /**
 150   Verify a Firmware volume.
 151
 152   @param CurrentFvAddress   Pointer to the current Firmware Volume under consideration
 153
 154   @retval EFI_SUCCESS       Firmware Volume is legal
 155
 156 **/
 157 EFI_STATUS
 158 VerifyFv (
 159   IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
 160   )
 161 {
 162   //
 163   // Right now just pass the test.  Future can authenticate and/or check the
 164   // FV-header or other metric for goodness of binary.
 165   //
 166   return EFI_SUCCESS;
 167 }