MdeModulePkg/Core/Pei/Security/Security.c

   1 /** @file
   2   EFI PEI Core Security services
   3
   4 Copyright (c) 2006, Intel Corporation
   5 All rights reserved. This program and the accompanying materials
   6 are licensed and made available under the terms and conditions of the BSD License
   7 which accompanies this distribution.  The full text of the license may be found at
   8 http://opensource.org/licenses/bsd-license.php
   9
  10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  12
  13 **/
  14
  15 #include <PeiMain.h>
  16
  17 /**
  18
  19   Provide a callback for when the security PPI is installed.
  20
  21   @param PeiServices     - The PEI core services table.
  22   @param NotifyDescriptor - The descriptor for the notification event.
  23   @param Ppi             - Pointer to the PPI in question.
  24
  25   @return Always success
  26
  27 **/
  28 EFI_STATUS
  29 EFIAPI
  30 SecurityPpiNotifyCallback (
  31   IN EFI_PEI_SERVICES           **PeiServices,
  32   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  33   IN VOID                       *Ppi
  34   );
  35
  36 STATIC EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
  37    EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
  38    &gEfiPeiSecurity2PpiGuid,
  39    SecurityPpiNotifyCallback
  40 };
  41
  42 /**
  43
  44   Initialize the security services.
  45
  46
  47   @param PeiServices     - The PEI core services table.
  48   @param OldCoreData     - Pointer to the old core data.
  49                          NULL if being run in non-permament memory mode.
  50
  51 **/
  52 VOID
  53 InitializeSecurityServices (
  54   IN EFI_PEI_SERVICES  **PeiServices,
  55   IN PEI_CORE_INSTANCE *OldCoreData
  56   )
  57 {
  58   if (OldCoreData == NULL) {
  59     PeiServicesNotifyPpi (&mNotifyList);
  60   }
  61   return;
  62 }
  63
  64 /**
  65
  66   Provide a callback for when the security PPI is installed.
  67
  68   @param PeiServices     - The PEI core services table.
  69   @param NotifyDescriptor - The descriptor for the notification event.
  70   @param Ppi             - Pointer to the PPI in question.
  71
  72   @return Always success
  73
  74 **/
  75 EFI_STATUS
  76 EFIAPI
  77 SecurityPpiNotifyCallback (
  78   IN EFI_PEI_SERVICES           **PeiServices,
  79   IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
  80   IN VOID                       *Ppi
  81   )
  82 {
  83   PEI_CORE_INSTANCE                       *PrivateData;
  84
  85   //
  86   // Get PEI Core private data
  87   //
  88   PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
  89
  90   //
  91   // If there isn't a security PPI installed, use the one from notification
  92   //
  93   if (PrivateData->PrivateSecurityPpi == NULL) {
  94     PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY2_PPI *)Ppi;
  95   }
  96   return EFI_SUCCESS;
  97 }
  98
  99 /**
 100
 101   Provide a callout to the security verification service.
 102
 103
 104   @param PrivateData     PeiCore's private data structure
 105   @param VolumeHandle    Handle of FV
 106   @param FileHandle      Handle of PEIM's ffs
 107
 108   @retval EFI_SUCCESS              Image is OK
 109   @retval EFI_SECURITY_VIOLATION   Image is illegal
 110
 111 **/
 112 EFI_STATUS
 113 VerifyPeim (
 114   IN PEI_CORE_INSTANCE      *PrivateData,
 115   IN EFI_PEI_FV_HANDLE      VolumeHandle,
 116   IN EFI_PEI_FILE_HANDLE    FileHandle
 117   )
 118 {
 119   EFI_STATUS                      Status;
 120   UINT32                          AuthenticationStatus;
 121   BOOLEAN                         DeferExection;
 122
 123   //
 124   // Set a default authentication state
 125   //
 126   AuthenticationStatus = 0;
 127
 128   if (PrivateData->PrivateSecurityPpi == NULL) {
 129     Status = EFI_NOT_FOUND;
 130   } else {
 131     //
 132     // Check to see if the image is OK
 133     //
 134     Status = PrivateData->PrivateSecurityPpi->AuthenticationState (
 135                                                 (CONST EFI_PEI_SERVICES **) &PrivateData->PS,
 136                                                 PrivateData->PrivateSecurityPpi,
 137                                                 AuthenticationStatus,
 138                                                 VolumeHandle,
 139                                                 FileHandle,
 140                                                 &DeferExection
 141                                                 );
 142     if (DeferExection) {
 143       Status = EFI_SECURITY_VIOLATION;
 144     }
 145   }
 146   return Status;
 147 }
 148
 149
 150 /**
 151   Verify a Firmware volume.
 152
 153   @param CurrentFvAddress - Pointer to the current Firmware Volume under consideration
 154
 155   @retval EFI_SUCCESS             - Firmware Volume is legal
 156   @retval EFI_SECURITY_VIOLATION  - Firmware Volume fails integrity test
 157
 158 **/
 159 EFI_STATUS
 160 VerifyFv (
 161   IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
 162   )
 163 {
 164   //
 165   // Right now just pass the test.  Future can authenticate and/or check the
 166   // FV-header or other metric for goodness of binary.
 167   //
 168   return EFI_SUCCESS;
 169 }