2 EFI PEI Core Security services
4 Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
5 SPDX-License-Identifier: BSD-2-Clause-Patent
11 EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList
= {
12 EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH
| EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST
,
13 &gEfiPeiSecurity2PpiGuid
,
14 SecurityPpiNotifyCallback
18 Initialize the security services.
20 @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
21 @param OldCoreData Pointer to the old core data.
22 NULL if being run in non-permanent memory mode.
26 InitializeSecurityServices (
27 IN EFI_PEI_SERVICES
**PeiServices
,
28 IN PEI_CORE_INSTANCE
*OldCoreData
31 if (OldCoreData
== NULL
) {
32 PeiServicesNotifyPpi (&mNotifyList
);
40 Provide a callback for when the security PPI is installed.
41 This routine will cache installed security PPI into PeiCore's private data.
43 @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
44 @param NotifyDescriptor The descriptor for the notification event.
45 @param Ppi Pointer to the PPI in question.
47 @return Always success
52 SecurityPpiNotifyCallback (
53 IN EFI_PEI_SERVICES
**PeiServices
,
54 IN EFI_PEI_NOTIFY_DESCRIPTOR
*NotifyDescriptor
,
58 PEI_CORE_INSTANCE
*PrivateData
;
61 // Get PEI Core private data
63 PrivateData
= PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices
);
66 // If there isn't a security PPI installed, use the one from notification
68 if (PrivateData
->PrivateSecurityPpi
== NULL
) {
69 PrivateData
->PrivateSecurityPpi
= (EFI_PEI_SECURITY2_PPI
*)Ppi
;
76 Provide a callout to the security verification service.
78 @param PrivateData PeiCore's private data structure
79 @param VolumeHandle Handle of FV
80 @param FileHandle Handle of PEIM's FFS
81 @param AuthenticationStatus Authentication status
83 @retval EFI_SUCCESS Image is OK
84 @retval EFI_SECURITY_VIOLATION Image is illegal
85 @retval EFI_NOT_FOUND If security PPI is not installed.
89 IN PEI_CORE_INSTANCE
*PrivateData
,
90 IN EFI_PEI_FV_HANDLE VolumeHandle
,
91 IN EFI_PEI_FILE_HANDLE FileHandle
,
92 IN UINT32 AuthenticationStatus
96 BOOLEAN DeferExecution
;
98 Status
= EFI_NOT_FOUND
;
99 if (PrivateData
->PrivateSecurityPpi
== NULL
) {
101 // Check AuthenticationStatus first.
103 if ((AuthenticationStatus
& EFI_AUTH_STATUS_IMAGE_SIGNED
) != 0) {
104 if ((AuthenticationStatus
& (EFI_AUTH_STATUS_TEST_FAILED
| EFI_AUTH_STATUS_NOT_TESTED
)) != 0) {
105 Status
= EFI_SECURITY_VIOLATION
;
110 // Check to see if the image is OK
112 Status
= PrivateData
->PrivateSecurityPpi
->AuthenticationState (
113 (CONST EFI_PEI_SERVICES
**)&PrivateData
->Ps
,
114 PrivateData
->PrivateSecurityPpi
,
115 AuthenticationStatus
,
120 if (DeferExecution
) {
121 Status
= EFI_SECURITY_VIOLATION
;
129 Verify a Firmware volume.
131 @param CurrentFvAddress Pointer to the current Firmware Volume under consideration
133 @retval EFI_SUCCESS Firmware Volume is legal
138 IN EFI_FIRMWARE_VOLUME_HEADER
*CurrentFvAddress
142 // Right now just pass the test. Future can authenticate and/or check the
143 // FV-header or other metric for goodness of binary.