4 Caution: This module requires additional review when modified.
5 This module will have external input - capsule image.
6 This external input must be validated carefully to avoid security issue like
7 buffer overflow, integer overflow.
9 ProcessCapsules(), ProcessTheseCapsules() will receive untrusted
10 input and do basic validation.
12 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
13 This program and the accompanying materials
14 are licensed and made available under the terms and conditions of the BSD License
15 which accompanies this distribution. The full text of the license may be found at
16 http://opensource.org/licenses/bsd-license.php
18 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
19 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
24 #include <Protocol/EsrtManagement.h>
25 #include <Protocol/FirmwareManagementProgress.h>
27 #include <Library/BaseLib.h>
28 #include <Library/DebugLib.h>
29 #include <Library/BaseMemoryLib.h>
30 #include <Library/UefiBootServicesTableLib.h>
31 #include <Library/UefiRuntimeServicesTableLib.h>
32 #include <Library/MemoryAllocationLib.h>
33 #include <Library/UefiLib.h>
34 #include <Library/PcdLib.h>
35 #include <Library/HobLib.h>
36 #include <Library/ReportStatusCodeLib.h>
37 #include <Library/CapsuleLib.h>
38 #include <Library/DisplayUpdateProgressLib.h>
40 #include <IndustryStandard/WindowsUxCapsule.h>
42 extern EDKII_FIRMWARE_MANAGEMENT_PROGRESS_PROTOCOL
*mFmpProgress
;
45 Return if this FMP is a system FMP or a device FMP, based upon CapsuleHeader.
47 @param[in] CapsuleHeader A pointer to EFI_CAPSULE_HEADER
49 @retval TRUE It is a system FMP.
50 @retval FALSE It is a device FMP.
54 IN EFI_CAPSULE_HEADER
*CapsuleHeader
58 Validate Fmp capsules layout.
60 Caution: This function may receive untrusted input.
62 This function assumes the caller validated the capsule by using
63 IsValidCapsuleHeader(), so that all fields in EFI_CAPSULE_HEADER are correct.
64 The capsule buffer size is CapsuleHeader->CapsuleImageSize.
66 This function validates the fields in EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER
67 and EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER.
69 This function need support nested FMP capsule.
71 @param[in] CapsuleHeader Points to a capsule header.
72 @param[out] EmbeddedDriverCount The EmbeddedDriverCount in the FMP capsule.
74 @retval EFI_SUCESS Input capsule is a correct FMP capsule.
75 @retval EFI_INVALID_PARAMETER Input capsule is not a correct FMP capsule.
79 IN EFI_CAPSULE_HEADER
*CapsuleHeader
,
80 OUT UINT16
*EmbeddedDriverCount OPTIONAL
84 Validate if it is valid capsule header
86 This function assumes the caller provided correct CapsuleHeader pointer
89 This function validates the fields in EFI_CAPSULE_HEADER.
91 @param[in] CapsuleHeader Points to a capsule header.
92 @param[in] CapsuleSize Size of the whole capsule image.
96 IsValidCapsuleHeader (
97 IN EFI_CAPSULE_HEADER
*CapsuleHeader
,
101 extern BOOLEAN mDxeCapsuleLibEndOfDxe
;
105 EFI_STATUS
*mCapsuleStatusArray
;
106 UINT32 mCapsuleTotalNumber
;
109 Function indicate the current completion progress of the firmware
110 update. Platform may override with own specific progress function.
112 @param[in] Completion A value between 1 and 100 indicating the current
113 completion progress of the firmware update
115 @retval EFI_SUCESS The capsule update progress was updated.
116 @retval EFI_INVALID_PARAMETER Completion is greater than 100%.
120 UpdateImageProgress (
126 EFI_GRAPHICS_OUTPUT_BLT_PIXEL_UNION
*Color
;
128 DEBUG((DEBUG_INFO
, "Update Progress - %d%%\n", Completion
));
130 if (Completion
> 100) {
131 return EFI_INVALID_PARAMETER
;
135 // Use a default timeout of 5 minutes if there is not FMP Progress Protocol.
139 if (mFmpProgress
!= NULL
) {
140 Seconds
= mFmpProgress
->WatchdogSeconds
;
141 Color
= &mFmpProgress
->ProgressBarForegroundColor
;
145 // Cancel the watchdog timer
147 gBS
->SetWatchdogTimer (0, 0x0000, 0, NULL
);
149 if (Completion
!= 100) {
151 // Arm the watchdog timer from PCD setting
154 DEBUG ((DEBUG_VERBOSE
, "Arm watchdog timer %d seconds\n", Seconds
));
155 gBS
->SetWatchdogTimer (Seconds
, 0x0000, 0, NULL
);
159 Status
= DisplayUpdateProgress (Completion
, Color
);
165 This function initializes the mCapsulePtr, mCapsuleStatusArray and mCapsuleTotalNumber.
172 EFI_PEI_HOB_POINTERS HobPointer
;
176 // Find all capsule images from hob
178 HobPointer
.Raw
= GetHobList ();
179 while ((HobPointer
.Raw
= GetNextHob (EFI_HOB_TYPE_UEFI_CAPSULE
, HobPointer
.Raw
)) != NULL
) {
180 if (!IsValidCapsuleHeader((VOID
*)(UINTN
)HobPointer
.Capsule
->BaseAddress
, HobPointer
.Capsule
->Length
)) {
181 HobPointer
.Header
->HobType
= EFI_HOB_TYPE_UNUSED
; // Mark this hob as invalid
183 mCapsuleTotalNumber
++;
185 HobPointer
.Raw
= GET_NEXT_HOB (HobPointer
);
188 DEBUG ((DEBUG_INFO
, "mCapsuleTotalNumber - 0x%x\n", mCapsuleTotalNumber
));
190 if (mCapsuleTotalNumber
== 0) {
195 // Init temp Capsule Data table.
197 mCapsulePtr
= (VOID
**) AllocateZeroPool (sizeof (VOID
*) * mCapsuleTotalNumber
);
198 if (mCapsulePtr
== NULL
) {
199 DEBUG ((DEBUG_ERROR
, "Allocate mCapsulePtr fail!\n"));
200 mCapsuleTotalNumber
= 0;
203 mCapsuleStatusArray
= (EFI_STATUS
*) AllocateZeroPool (sizeof (EFI_STATUS
) * mCapsuleTotalNumber
);
204 if (mCapsuleStatusArray
== NULL
) {
205 DEBUG ((DEBUG_ERROR
, "Allocate mCapsuleStatusArray fail!\n"));
206 FreePool (mCapsulePtr
);
208 mCapsuleTotalNumber
= 0;
211 SetMemN (mCapsuleStatusArray
, sizeof (EFI_STATUS
) * mCapsuleTotalNumber
, EFI_NOT_READY
);
214 // Find all capsule images from hob
216 HobPointer
.Raw
= GetHobList ();
218 while ((HobPointer
.Raw
= GetNextHob (EFI_HOB_TYPE_UEFI_CAPSULE
, HobPointer
.Raw
)) != NULL
) {
219 mCapsulePtr
[Index
++] = (VOID
*) (UINTN
) HobPointer
.Capsule
->BaseAddress
;
220 HobPointer
.Raw
= GET_NEXT_HOB (HobPointer
);
225 This function returns if all capsule images are processed.
227 @retval TRUE All capsule images are processed.
228 @retval FALSE Not all capsule images are processed.
231 AreAllImagesProcessed (
237 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
238 if (mCapsuleStatusArray
[Index
] == EFI_NOT_READY
) {
247 This function populates capsule in the configuration table.
250 PopulateCapsuleInConfigurationTable (
254 VOID
**CapsulePtrCache
;
255 EFI_GUID
*CapsuleGuidCache
;
256 EFI_CAPSULE_HEADER
*CapsuleHeader
;
257 EFI_CAPSULE_TABLE
*CapsuleTable
;
260 UINT32 CapsuleNumber
;
265 if (mCapsuleTotalNumber
== 0) {
269 CapsulePtrCache
= NULL
;
270 CapsuleGuidCache
= NULL
;
274 CapsulePtrCache
= (VOID
**) AllocateZeroPool (sizeof (VOID
*) * mCapsuleTotalNumber
);
275 if (CapsulePtrCache
== NULL
) {
276 DEBUG ((DEBUG_ERROR
, "Allocate CapsulePtrCache fail!\n"));
279 CapsuleGuidCache
= (EFI_GUID
*) AllocateZeroPool (sizeof (EFI_GUID
) * mCapsuleTotalNumber
);
280 if (CapsuleGuidCache
== NULL
) {
281 DEBUG ((DEBUG_ERROR
, "Allocate CapsuleGuidCache fail!\n"));
282 FreePool (CapsulePtrCache
);
287 // Capsules who have CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE always are used for operating
288 // System to have information persist across a system reset. EFI System Table must
289 // point to an array of capsules that contains the same CapsuleGuid value. And agents
290 // searching for this type capsule will look in EFI System Table and search for the
291 // capsule's Guid and associated pointer to retrieve the data. Two steps below describes
292 // how to sorting the capsules by the unique guid and install the array to EFI System Table.
293 // Firstly, Loop for all coalesced capsules, record unique CapsuleGuids and cache them in an
294 // array for later sorting capsules by CapsuleGuid.
296 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
297 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
298 if ((CapsuleHeader
->Flags
& CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE
) != 0) {
300 // For each capsule, we compare it with known CapsuleGuid in the CacheArray.
301 // If already has the Guid, skip it. Whereas, record it in the CacheArray as
302 // an additional one.
305 while (CacheIndex
< CacheNumber
) {
306 if (CompareGuid(&CapsuleGuidCache
[CacheIndex
],&CapsuleHeader
->CapsuleGuid
)) {
311 if (CacheIndex
== CacheNumber
) {
312 CopyMem(&CapsuleGuidCache
[CacheNumber
++],&CapsuleHeader
->CapsuleGuid
,sizeof(EFI_GUID
));
318 // Secondly, for each unique CapsuleGuid in CacheArray, gather all coalesced capsules
319 // whose guid is the same as it, and malloc memory for an array which preceding
320 // with UINT32. The array fills with entry point of capsules that have the same
321 // CapsuleGuid, and UINT32 represents the size of the array of capsules. Then install
322 // this array into EFI System Table, so that agents searching for this type capsule
323 // will look in EFI System Table and search for the capsule's Guid and associated
324 // pointer to retrieve the data.
326 for (CacheIndex
= 0; CacheIndex
< CacheNumber
; CacheIndex
++) {
328 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
329 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
330 if ((CapsuleHeader
->Flags
& CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE
) != 0) {
331 if (CompareGuid (&CapsuleGuidCache
[CacheIndex
], &CapsuleHeader
->CapsuleGuid
)) {
333 // Cache Caspuleheader to the array, this array is uniqued with certain CapsuleGuid.
335 CapsulePtrCache
[CapsuleNumber
++] = (VOID
*)CapsuleHeader
;
339 if (CapsuleNumber
!= 0) {
340 Size
= sizeof(EFI_CAPSULE_TABLE
) + (CapsuleNumber
- 1) * sizeof(VOID
*);
341 CapsuleTable
= AllocateRuntimePool (Size
);
342 if (CapsuleTable
== NULL
) {
343 DEBUG ((DEBUG_ERROR
, "Allocate CapsuleTable (%g) fail!\n", &CapsuleGuidCache
[CacheIndex
]));
346 CapsuleTable
->CapsuleArrayNumber
= CapsuleNumber
;
347 CopyMem(&CapsuleTable
->CapsulePtr
[0], CapsulePtrCache
, CapsuleNumber
* sizeof(VOID
*));
348 Status
= gBS
->InstallConfigurationTable (&CapsuleGuidCache
[CacheIndex
], (VOID
*)CapsuleTable
);
349 if (EFI_ERROR (Status
)) {
350 DEBUG ((DEBUG_ERROR
, "InstallConfigurationTable (%g) fail!\n", &CapsuleGuidCache
[CacheIndex
]));
355 FreePool(CapsuleGuidCache
);
356 FreePool(CapsulePtrCache
);
361 This routine is called to process capsules.
363 Caution: This function may receive untrusted input.
365 Each individual capsule result is recorded in capsule record variable.
367 @param[in] FirstRound TRUE: First round. Need skip the FMP capsules with non zero EmbeddedDriverCount.
368 FALSE: Process rest FMP capsules.
370 @retval EFI_SUCCESS There is no error when processing capsules.
371 @retval EFI_OUT_OF_RESOURCES No enough resource to process capsules.
375 ProcessTheseCapsules (
376 IN BOOLEAN FirstRound
380 EFI_CAPSULE_HEADER
*CapsuleHeader
;
382 ESRT_MANAGEMENT_PROTOCOL
*EsrtManagement
;
383 UINT16 EmbeddedDriverCount
;
385 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeProcessCapsulesBegin
)));
391 if (mCapsuleTotalNumber
== 0) {
393 // We didn't find a hob, so had no errors.
395 DEBUG ((DEBUG_ERROR
, "We can not find capsule data in capsule update boot mode.\n"));
399 if (AreAllImagesProcessed ()) {
404 // Check the capsule flags,if contains CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE, install
405 // capsuleTable to configure table with EFI_CAPSULE_GUID
408 PopulateCapsuleInConfigurationTable ();
411 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeUpdatingFirmware
)));
414 // If Windows UX capsule exist, process it first
416 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
417 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
418 if (CompareGuid (&CapsuleHeader
->CapsuleGuid
, &gWindowsUxCapsuleGuid
)) {
419 DEBUG ((DEBUG_INFO
, "ProcessCapsuleImage (Ux) - 0x%x\n", CapsuleHeader
));
420 DEBUG ((DEBUG_INFO
, "Display logo capsule is found.\n"));
421 Status
= ProcessCapsuleImage (CapsuleHeader
);
422 mCapsuleStatusArray
[Index
] = EFI_SUCCESS
;
423 DEBUG((DEBUG_INFO
, "ProcessCapsuleImage (Ux) - %r\n", Status
));
428 DEBUG ((DEBUG_INFO
, "Updating the firmware ......\n"));
431 // All capsules left are recognized by platform.
433 for (Index
= 0; Index
< mCapsuleTotalNumber
; Index
++) {
434 if (mCapsuleStatusArray
[Index
] != EFI_NOT_READY
) {
438 CapsuleHeader
= (EFI_CAPSULE_HEADER
*) mCapsulePtr
[Index
];
439 if (!CompareGuid (&CapsuleHeader
->CapsuleGuid
, &gWindowsUxCapsuleGuid
)) {
441 // Call capsule library to process capsule image.
443 EmbeddedDriverCount
= 0;
444 if (IsFmpCapsule(CapsuleHeader
)) {
445 Status
= ValidateFmpCapsule (CapsuleHeader
, &EmbeddedDriverCount
);
446 if (EFI_ERROR(Status
)) {
447 DEBUG((DEBUG_ERROR
, "ValidateFmpCapsule failed. Ignore!\n"));
448 mCapsuleStatusArray
[Index
] = EFI_ABORTED
;
452 mCapsuleStatusArray
[Index
] = EFI_ABORTED
;
456 if ((!FirstRound
) || (EmbeddedDriverCount
== 0)) {
457 DEBUG((DEBUG_INFO
, "ProcessCapsuleImage - 0x%x\n", CapsuleHeader
));
458 Status
= ProcessCapsuleImage (CapsuleHeader
);
459 mCapsuleStatusArray
[Index
] = Status
;
460 DEBUG((DEBUG_INFO
, "ProcessCapsuleImage - %r\n", Status
));
462 if (Status
!= EFI_NOT_READY
) {
463 if (EFI_ERROR(Status
)) {
464 REPORT_STATUS_CODE(EFI_ERROR_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeUpdateFirmwareFailed
)));
465 DEBUG ((DEBUG_ERROR
, "Capsule process failed!\n"));
467 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeUpdateFirmwareSuccess
)));
470 if ((CapsuleHeader
->Flags
& PcdGet16(PcdSystemRebootAfterCapsuleProcessFlag
)) != 0 ||
471 IsFmpCapsule(CapsuleHeader
)) {
479 Status
= gBS
->LocateProtocol(&gEsrtManagementProtocolGuid
, NULL
, (VOID
**)&EsrtManagement
);
481 // Always sync ESRT Cache from FMP Instance
483 if (!EFI_ERROR(Status
)) {
484 EsrtManagement
->SyncEsrtFmp();
486 Status
= EFI_SUCCESS
;
488 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeProcessCapsulesEnd
)));
501 DEBUG((DEBUG_INFO
, "Capsule Request Cold Reboot."));
503 REPORT_STATUS_CODE(EFI_PROGRESS_CODE
, (EFI_SOFTWARE
| PcdGet32(PcdStatusCodeSubClassCapsule
) | PcdGet32(PcdCapsuleStatusCodeResettingSystem
)));
505 gRT
->ResetSystem(EfiResetCold
, EFI_SUCCESS
, 0, NULL
);
512 This routine is called to process capsules.
514 Caution: This function may receive untrusted input.
516 The capsules reported in EFI_HOB_UEFI_CAPSULE are processed.
517 If there is no EFI_HOB_UEFI_CAPSULE, this routine does nothing.
519 This routine should be called twice in BDS.
520 1) The first call must be before EndOfDxe. The system capsules is processed.
521 If device capsule FMP protocols are exposted at this time and device FMP
522 capsule has zero EmbeddedDriverCount, the device capsules are processed.
523 Each individual capsule result is recorded in capsule record variable.
524 System may reset in this function, if reset is required by capsule and
525 all capsules are processed.
526 If not all capsules are processed, reset will be defered to second call.
528 2) The second call must be after EndOfDxe and after ConnectAll, so that all
529 device capsule FMP protocols are exposed.
530 The system capsules are skipped. If the device capsules are NOT processed
531 in first call, they are processed here.
532 Each individual capsule result is recorded in capsule record variable.
533 System may reset in this function, if reset is required by capsule
534 processed in first call and second call.
536 @retval EFI_SUCCESS There is no error when processing capsules.
537 @retval EFI_OUT_OF_RESOURCES No enough resource to process capsules.
548 if (!mDxeCapsuleLibEndOfDxe
) {
549 Status
= ProcessTheseCapsules(TRUE
);
552 // Reboot System if and only if all capsule processed.
553 // If not, defer reset to 2nd process.
555 if (mNeedReset
&& AreAllImagesProcessed()) {
559 Status
= ProcessTheseCapsules(FALSE
);
561 // Reboot System if required after all capsule processed