MdeModulePkg/Core/Pei/Security/Security.c

   1 /*++
   2
   3 Copyright (c) 2006, Intel Corporation
   4 All rights reserved. This program and the accompanying materials
   5 are licensed and made available under the terms and conditions of the BSD License
   6 which accompanies this distribution.  The full text of the license may be found at
   7 http://opensource.org/licenses/bsd-license.php
   8
   9 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  10 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  11
  12 Module Name:
  13
  14   Security.c
  15
  16 Abstract:
  17
  18   EFI PEI Core Security services
  19
  20 --*/
  21
  22 //
  23 // Include common header file for this module.
  24 //
  25 #include "CommonHeader.h"
  26
  27 #include <PeiMain.h>
  28
  29 STATIC
  30 EFI_STATUS
  31 EFIAPI
  32 SecurityPpiNotifyCallback (
  33   IN EFI_PEI_SERVICES           **PeiServices,
  34   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  35   IN VOID                       *Ppi
  36   );
  37
  38 static EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
  39    EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
  40    &gEfiPeiSecurityPpiGuid,
  41    SecurityPpiNotifyCallback
  42 };
  43
  44 VOID
  45 InitializeSecurityServices (
  46   IN EFI_PEI_SERVICES  **PeiServices,
  47   IN PEI_CORE_INSTANCE *OldCoreData
  48   )
  49 /*++
  50
  51 Routine Description:
  52
  53   Initialize the security services.
  54
  55 Arguments:
  56
  57   PeiServices - The PEI core services table.
  58   OldCoreData - Pointer to the old core data.
  59                 NULL if being run in non-permament memory mode.
  60 Returns:
  61
  62   None
  63
  64 --*/
  65 {
  66   if (OldCoreData == NULL) {
  67     PeiServicesNotifyPpi (&mNotifyList);
  68   }
  69   return;
  70 }
  71
  72 STATIC
  73 EFI_STATUS
  74 EFIAPI
  75 SecurityPpiNotifyCallback (
  76   IN EFI_PEI_SERVICES           **PeiServices,
  77   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  78   IN VOID                       *Ppi
  79   )
  80 /*++
  81
  82 Routine Description:
  83
  84   Provide a callback for when the security PPI is installed.
  85
  86 Arguments:
  87
  88   PeiServices       - The PEI core services table.
  89   NotifyDescriptor  - The descriptor for the notification event.
  90   Ppi               - Pointer to the PPI in question.
  91
  92 Returns:
  93
  94   EFI_SUCCESS - The function is successfully processed.
  95
  96 --*/
  97 {
  98   PEI_CORE_INSTANCE                       *PrivateData;
  99
 100   //
 101   // Get PEI Core private data
 102   //
 103   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
 104
 105   //
 106   // If there isn't a security PPI installed, use the one from notification
 107   //
 108   if (PrivateData->PrivateSecurityPpi == NULL) {
 109     PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY_PPI *)Ppi;
 110   }
 111   return EFI_SUCCESS;
 112 }
 113
 114 EFI_STATUS
 115 VerifyPeim (
 116   IN EFI_PEI_SERVICES     **PeiServices,
 117   IN EFI_FFS_FILE_HEADER  *CurrentPeimAddress
 118   )
 119 /*++
 120
 121 Routine Description:
 122
 123   Provide a callout to the security verification service.
 124
 125 Arguments:
 126
 127   PeiServices          - The PEI core services table.
 128   CurrentPeimAddress   - Pointer to the Firmware File under investigation.
 129
 130 Returns:
 131
 132   EFI_SUCCESS             - Image is OK
 133   EFI_SECURITY_VIOLATION  - Image is illegal
 134
 135 --*/
 136 {
 137   PEI_CORE_INSTANCE               *PrivateData;
 138   EFI_STATUS                      Status;
 139   UINT32                          AuthenticationStatus;
 140   BOOLEAN                         StartCrisisRecovery;
 141
 142   //
 143   // Set a default authentication state
 144   //
 145   AuthenticationStatus = 0;
 146
 147   //
 148   // get security PPI instance from PEI private data
 149   //
 150   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
 151
 152   if (PrivateData->PrivateSecurityPpi == NULL) {
 153     Status = EFI_NOT_FOUND;
 154   } else {
 155     //
 156     // Check to see if the image is OK
 157     //
 158     Status = PrivateData->PrivateSecurityPpi->AuthenticationState (
 159                                                 PeiServices,
 160                                                 PrivateData->PrivateSecurityPpi,
 161                                                 AuthenticationStatus,
 162                                                 CurrentPeimAddress,
 163                                                 &StartCrisisRecovery
 164                                                 );
 165     if (StartCrisisRecovery) {
 166       Status = EFI_SECURITY_VIOLATION;
 167     }
 168   }
 169   return Status;
 170 }
 171
 172
 173 EFI_STATUS
 174 VerifyFv (
 175   IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
 176   )
 177 /*++
 178
 179 Routine Description:
 180
 181   Verify a Firmware volume
 182
 183 Arguments:
 184
 185   CurrentFvAddress - Pointer to the current Firmware Volume under consideration
 186
 187 Returns:
 188
 189   EFI_SUCCESS             - Firmware Volume is legal
 190   EFI_SECURITY_VIOLATION  - Firmware Volume fails integrity test
 191
 192 --*/
 193 {
 194   //
 195   // Right now just pass the test.  Future can authenticate and/or check the
 196   // FV-header or other metric for goodness of binary.
 197   //
 198   return EFI_SUCCESS;
 199 }