MdeModulePkg/Core/Pei/Security/Security.c

   1 /** @file
   2   EFI PEI Core Security services
   3
   4 Copyright (c) 2006, Intel Corporation
   5 All rights reserved. This program and the accompanying materials
   6 are licensed and made available under the terms and conditions of the BSD License
   7 which accompanies this distribution.  The full text of the license may be found at
   8 http://opensource.org/licenses/bsd-license.php
   9
  10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  12
  13 **/
  14
  15 #include <PeiMain.h>
  16
  17 /**
  18
  19   Provide a callback for when the security PPI is installed.
  20
  21   @param PeiServices        An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
  22   @param NotifyDescriptor   The descriptor for the notification event.
  23   @param Ppi                Pointer to the PPI in question.
  24
  25   @return Always success
  26
  27 **/
  28 EFI_STATUS
  29 EFIAPI
  30 SecurityPpiNotifyCallback (
  31   IN EFI_PEI_SERVICES           **PeiServices,
  32   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  33   IN VOID                       *Ppi
  34   );
  35
  36 STATIC EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
  37    EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
  38    &gEfiPeiSecurity2PpiGuid,
  39    SecurityPpiNotifyCallback
  40 };
  41
  42 /**
  43   Initialize the security services.
  44
  45   @param PeiServices     An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
  46   @param OldCoreData     Pointer to the old core data.
  47                          NULL if being run in non-permament memory mode.
  48
  49 **/
  50 VOID
  51 InitializeSecurityServices (
  52   IN EFI_PEI_SERVICES  **PeiServices,
  53   IN PEI_CORE_INSTANCE *OldCoreData
  54   )
  55 {
  56   if (OldCoreData == NULL) {
  57     PeiServicesNotifyPpi (&mNotifyList);
  58   }
  59   return;
  60 }
  61
  62 /**
  63
  64   Provide a callback for when the security PPI is installed.
  65
  66   @param PeiServices        An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
  67   @param NotifyDescriptor   The descriptor for the notification event.
  68   @param Ppi                Pointer to the PPI in question.
  69
  70   @return Always success
  71
  72 **/
  73 EFI_STATUS
  74 EFIAPI
  75 SecurityPpiNotifyCallback (
  76   IN EFI_PEI_SERVICES           **PeiServices,
  77   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  78   IN VOID                       *Ppi
  79   )
  80 {
  81   PEI_CORE_INSTANCE                       *PrivateData;
  82
  83   //
  84   // Get PEI Core private data
  85   //
  86   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
  87
  88   //
  89   // If there isn't a security PPI installed, use the one from notification
  90   //
  91   if (PrivateData->PrivateSecurityPpi == NULL) {
  92     PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY2_PPI *)Ppi;
  93   }
  94   return EFI_SUCCESS;
  95 }
  96
  97 /**
  98
  99   Provide a callout to the security verification service.
 100
 101
 102   @param PrivateData     PeiCore's private data structure
 103   @param VolumeHandle    Handle of FV
 104   @param FileHandle      Handle of PEIM's ffs
 105
 106   @retval EFI_SUCCESS              Image is OK
 107   @retval EFI_SECURITY_VIOLATION   Image is illegal
 108
 109 **/
 110 EFI_STATUS
 111 VerifyPeim (
 112   IN PEI_CORE_INSTANCE      *PrivateData,
 113   IN EFI_PEI_FV_HANDLE      VolumeHandle,
 114   IN EFI_PEI_FILE_HANDLE    FileHandle
 115   )
 116 {
 117   EFI_STATUS                      Status;
 118   UINT32                          AuthenticationStatus;
 119   BOOLEAN                         DeferExection;
 120
 121   //
 122   // Set a default authentication state
 123   //
 124   AuthenticationStatus = 0;
 125
 126   if (PrivateData->PrivateSecurityPpi == NULL) {
 127     Status = EFI_NOT_FOUND;
 128   } else {
 129     //
 130     // Check to see if the image is OK
 131     //
 132     Status = PrivateData->PrivateSecurityPpi->AuthenticationState (
 133                                                 (CONST EFI_PEI_SERVICES **) &PrivateData->PS,
 134                                                 PrivateData->PrivateSecurityPpi,
 135                                                 AuthenticationStatus,
 136                                                 VolumeHandle,
 137                                                 FileHandle,
 138                                                 &DeferExection
 139                                                 );
 140     if (DeferExection) {
 141       Status = EFI_SECURITY_VIOLATION;
 142     }
 143   }
 144   return Status;
 145 }
 146
 147
 148 /**
 149   Verify a Firmware volume.
 150
 151   @param CurrentFvAddress - Pointer to the current Firmware Volume under consideration
 152
 153   @retval EFI_SUCCESS              Firmware Volume is legal
 154   @retval EFI_SECURITY_VIOLATION   Firmware Volume fails integrity test
 155
 156 **/
 157 EFI_STATUS
 158 VerifyFv (
 159   IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
 160   )
 161 {
 162   //
 163   // Right now just pass the test.  Future can authenticate and/or check the
 164   // FV-header or other metric for goodness of binary.
 165   //
 166   return EFI_SUCCESS;
 167 }