MdeModulePkg/Core/Pei/Security/Security.c

   1 /*++
   2
   3 Copyright (c) 2006, Intel Corporation
   4 All rights reserved. This program and the accompanying materials
   5 are licensed and made available under the terms and conditions of the BSD License
   6 which accompanies this distribution.  The full text of the license may be found at
   7 http://opensource.org/licenses/bsd-license.php
   8
   9 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  10 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  11
  12 Module Name:
  13
  14   Security.c
  15
  16 Abstract:
  17
  18   EFI PEI Core Security services
  19
  20 --*/
  21
  22 #include <PeiMain.h>
  23
  24 STATIC
  25 EFI_STATUS
  26 EFIAPI
  27 SecurityPpiNotifyCallback (
  28   IN EFI_PEI_SERVICES           **PeiServices,
  29   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  30   IN VOID                       *Ppi
  31   );
  32
  33 static EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
  34    EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
  35    &gEfiPeiSecurity2PpiGuid,
  36    SecurityPpiNotifyCallback
  37 };
  38
  39 VOID
  40 InitializeSecurityServices (
  41   IN EFI_PEI_SERVICES  **PeiServices,
  42   IN PEI_CORE_INSTANCE *OldCoreData
  43   )
  44 /*++
  45
  46 Routine Description:
  47
  48   Initialize the security services.
  49
  50 Arguments:
  51
  52   PeiServices - The PEI core services table.
  53   OldCoreData - Pointer to the old core data.
  54                 NULL if being run in non-permament memory mode.
  55 Returns:
  56
  57   None
  58
  59 --*/
  60 {
  61   if (OldCoreData == NULL) {
  62     PeiServicesNotifyPpi (&mNotifyList);
  63   }
  64   return;
  65 }
  66
  67 STATIC
  68 EFI_STATUS
  69 EFIAPI
  70 SecurityPpiNotifyCallback (
  71   IN EFI_PEI_SERVICES           **PeiServices,
  72   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  73   IN VOID                       *Ppi
  74   )
  75 /*++
  76
  77 Routine Description:
  78
  79   Provide a callback for when the security PPI is installed.
  80
  81 Arguments:
  82
  83   PeiServices       - The PEI core services table.
  84   NotifyDescriptor  - The descriptor for the notification event.
  85   Ppi               - Pointer to the PPI in question.
  86
  87 Returns:
  88
  89   EFI_SUCCESS - The function is successfully processed.
  90
  91 --*/
  92 {
  93   PEI_CORE_INSTANCE                       *PrivateData;
  94
  95   //
  96   // Get PEI Core private data
  97   //
  98   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
  99
 100   //
 101   // If there isn't a security PPI installed, use the one from notification
 102   //
 103   if (PrivateData->PrivateSecurityPpi == NULL) {
 104     PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY2_PPI *)Ppi;
 105   }
 106   return EFI_SUCCESS;
 107 }
 108
 109 EFI_STATUS
 110 VerifyPeim (
 111   IN PEI_CORE_INSTANCE      *PrivateData,
 112   IN EFI_PEI_FV_HANDLE      VolumeHandle,
 113   IN EFI_PEI_FILE_HANDLE    FileHandle
 114   )
 115 /*++
 116
 117 Routine Description:
 118
 119   Provide a callout to the security verification service.
 120
 121 Arguments:
 122
 123   PeiServices          - The PEI core services table.
 124   CurrentPeimAddress   - Pointer to the Firmware File under investigation.
 125
 126 Returns:
 127
 128   EFI_SUCCESS             - Image is OK
 129   EFI_SECURITY_VIOLATION  - Image is illegal
 130
 131 --*/
 132 {
 133   EFI_STATUS                      Status;
 134   UINT32                          AuthenticationStatus;
 135   BOOLEAN                         DeferExection;
 136
 137   //
 138   // Set a default authentication state
 139   //
 140   AuthenticationStatus = 0;
 141
 142   if (PrivateData->PrivateSecurityPpi == NULL) {
 143     Status = EFI_NOT_FOUND;
 144   } else {
 145     //
 146     // Check to see if the image is OK
 147     //
 148     Status = PrivateData->PrivateSecurityPpi->AuthenticationState (
 149                                                 (CONST EFI_PEI_SERVICES **) &PrivateData->PS,
 150                                                 PrivateData->PrivateSecurityPpi,
 151                                                 AuthenticationStatus,
 152                                                 VolumeHandle,
 153                                                 FileHandle,
 154                                                 &DeferExection
 155                                                 );
 156     if (DeferExection) {
 157       Status = EFI_SECURITY_VIOLATION;
 158     }
 159   }
 160   return Status;
 161 }
 162
 163
 164 EFI_STATUS
 165 VerifyFv (
 166   IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
 167   )
 168 /*++
 169
 170 Routine Description:
 171
 172   Verify a Firmware volume
 173
 174 Arguments:
 175
 176   CurrentFvAddress - Pointer to the current Firmware Volume under consideration
 177
 178 Returns:
 179
 180   EFI_SUCCESS             - Firmware Volume is legal
 181   EFI_SECURITY_VIOLATION  - Firmware Volume fails integrity test
 182
 183 --*/
 184 {
 185   //
 186   // Right now just pass the test.  Future can authenticate and/or check the
 187   // FV-header or other metric for goodness of binary.
 188   //
 189   return EFI_SUCCESS;
 190 }