]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UefiCpuPkg: Move AsmRelocateApLoopStart from Mpfuncs.nasm to AmdSev.nasm
[mirror_edk2.git] / SecurityPkg / Library / DxeTpmMeasureBootLib / DxeTpmMeasureBootLib.c
1 /** @file
2 The library instance provides security service of TPM measure boot.
3
4 Caution: This file requires additional review when modified.
5 This library will have external input - PE/COFF image and GPT partition.
6 This external input must be validated carefully to avoid security issue like
7 buffer overflow, integer overflow.
8
9 DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
10 read is within the image buffer.
11
12 TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
13 data structure within this image buffer before use.
14
15 TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
16 partition data carefully.
17
18 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
19 SPDX-License-Identifier: BSD-2-Clause-Patent
20
21 **/
22
23 #include <PiDxe.h>
24
25 #include <Protocol/TcgService.h>
26 #include <Protocol/BlockIo.h>
27 #include <Protocol/DiskIo.h>
28 #include <Protocol/FirmwareVolumeBlock.h>
29
30 #include <Guid/MeasuredFvHob.h>
31
32 #include <Library/BaseLib.h>
33 #include <Library/DebugLib.h>
34 #include <Library/BaseMemoryLib.h>
35 #include <Library/MemoryAllocationLib.h>
36 #include <Library/DevicePathLib.h>
37 #include <Library/UefiBootServicesTableLib.h>
38 #include <Library/BaseCryptLib.h>
39 #include <Library/PeCoffLib.h>
40 #include <Library/SecurityManagementLib.h>
41 #include <Library/HobLib.h>
42
43 //
44 // Flag to check GPT partition. It only need be measured once.
45 //
46 BOOLEAN mMeasureGptTableFlag = FALSE;
47 UINTN mMeasureGptCount = 0;
48 VOID *mFileBuffer;
49 UINTN mTpmImageSize;
50 //
51 // Measured FV handle cache
52 //
53 EFI_HANDLE mCacheMeasuredHandle = NULL;
54 MEASURED_HOB_DATA *mMeasuredHobData = NULL;
55
56 /**
57 Reads contents of a PE/COFF image in memory buffer.
58
59 Caution: This function may receive untrusted input.
60 PE/COFF image is external input, so this function will make sure the PE/COFF image content
61 read is within the image buffer.
62
63 @param FileHandle Pointer to the file handle to read the PE/COFF image.
64 @param FileOffset Offset into the PE/COFF image to begin the read operation.
65 @param ReadSize On input, the size in bytes of the requested read operation.
66 On output, the number of bytes actually read.
67 @param Buffer Output buffer that contains the data read from the PE/COFF image.
68
69 @retval EFI_SUCCESS The specified portion of the PE/COFF image was read and the size
70 **/
71 EFI_STATUS
72 EFIAPI
73 DxeTpmMeasureBootLibImageRead (
74 IN VOID *FileHandle,
75 IN UINTN FileOffset,
76 IN OUT UINTN *ReadSize,
77 OUT VOID *Buffer
78 )
79 {
80 UINTN EndPosition;
81
82 if ((FileHandle == NULL) || (ReadSize == NULL) || (Buffer == NULL)) {
83 return EFI_INVALID_PARAMETER;
84 }
85
86 if (MAX_ADDRESS - FileOffset < *ReadSize) {
87 return EFI_INVALID_PARAMETER;
88 }
89
90 EndPosition = FileOffset + *ReadSize;
91 if (EndPosition > mTpmImageSize) {
92 *ReadSize = (UINT32)(mTpmImageSize - FileOffset);
93 }
94
95 if (FileOffset >= mTpmImageSize) {
96 *ReadSize = 0;
97 }
98
99 CopyMem (Buffer, (UINT8 *)((UINTN)FileHandle + FileOffset), *ReadSize);
100
101 return EFI_SUCCESS;
102 }
103
104 /**
105 Measure GPT table data into TPM log.
106
107 Caution: This function may receive untrusted input.
108 The GPT partition table is external input, so this function should parse partition data carefully.
109
110 @param TcgProtocol Pointer to the located TCG protocol instance.
111 @param GptHandle Handle that GPT partition was installed.
112
113 @retval EFI_SUCCESS Successfully measure GPT table.
114 @retval EFI_UNSUPPORTED Not support GPT table on the given handle.
115 @retval EFI_DEVICE_ERROR Can't get GPT table because device error.
116 @retval EFI_OUT_OF_RESOURCES No enough resource to measure GPT table.
117 @retval other error value
118 **/
119 EFI_STATUS
120 EFIAPI
121 TcgMeasureGptTable (
122 IN EFI_TCG_PROTOCOL *TcgProtocol,
123 IN EFI_HANDLE GptHandle
124 )
125 {
126 EFI_STATUS Status;
127 EFI_BLOCK_IO_PROTOCOL *BlockIo;
128 EFI_DISK_IO_PROTOCOL *DiskIo;
129 EFI_PARTITION_TABLE_HEADER *PrimaryHeader;
130 EFI_PARTITION_ENTRY *PartitionEntry;
131 UINT8 *EntryPtr;
132 UINTN NumberOfPartition;
133 UINT32 Index;
134 TCG_PCR_EVENT *TcgEvent;
135 EFI_GPT_DATA *GptData;
136 UINT32 EventSize;
137 UINT32 EventNumber;
138 EFI_PHYSICAL_ADDRESS EventLogLastEntry;
139
140 if (mMeasureGptCount > 0) {
141 return EFI_SUCCESS;
142 }
143
144 Status = gBS->HandleProtocol (GptHandle, &gEfiBlockIoProtocolGuid, (VOID **)&BlockIo);
145 if (EFI_ERROR (Status)) {
146 return EFI_UNSUPPORTED;
147 }
148
149 Status = gBS->HandleProtocol (GptHandle, &gEfiDiskIoProtocolGuid, (VOID **)&DiskIo);
150 if (EFI_ERROR (Status)) {
151 return EFI_UNSUPPORTED;
152 }
153
154 //
155 // Read the EFI Partition Table Header
156 //
157 PrimaryHeader = (EFI_PARTITION_TABLE_HEADER *)AllocatePool (BlockIo->Media->BlockSize);
158 if (PrimaryHeader == NULL) {
159 return EFI_OUT_OF_RESOURCES;
160 }
161
162 Status = DiskIo->ReadDisk (
163 DiskIo,
164 BlockIo->Media->MediaId,
165 1 * BlockIo->Media->BlockSize,
166 BlockIo->Media->BlockSize,
167 (UINT8 *)PrimaryHeader
168 );
169 if (EFI_ERROR (Status)) {
170 DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
171 FreePool (PrimaryHeader);
172 return EFI_DEVICE_ERROR;
173 }
174
175 //
176 // Read the partition entry.
177 //
178 EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
179 if (EntryPtr == NULL) {
180 FreePool (PrimaryHeader);
181 return EFI_OUT_OF_RESOURCES;
182 }
183
184 Status = DiskIo->ReadDisk (
185 DiskIo,
186 BlockIo->Media->MediaId,
187 MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
188 PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
189 EntryPtr
190 );
191 if (EFI_ERROR (Status)) {
192 FreePool (PrimaryHeader);
193 FreePool (EntryPtr);
194 return EFI_DEVICE_ERROR;
195 }
196
197 //
198 // Count the valid partition
199 //
200 PartitionEntry = (EFI_PARTITION_ENTRY *)EntryPtr;
201 NumberOfPartition = 0;
202 for (Index = 0; Index < PrimaryHeader->NumberOfPartitionEntries; Index++) {
203 if (!IsZeroGuid (&PartitionEntry->PartitionTypeGUID)) {
204 NumberOfPartition++;
205 }
206
207 PartitionEntry = (EFI_PARTITION_ENTRY *)((UINT8 *)PartitionEntry + PrimaryHeader->SizeOfPartitionEntry);
208 }
209
210 //
211 // Prepare Data for Measurement
212 //
213 EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
214 + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
215 TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT_HDR));
216 if (TcgEvent == NULL) {
217 FreePool (PrimaryHeader);
218 FreePool (EntryPtr);
219 return EFI_OUT_OF_RESOURCES;
220 }
221
222 TcgEvent->PCRIndex = 5;
223 TcgEvent->EventType = EV_EFI_GPT_EVENT;
224 TcgEvent->EventSize = EventSize;
225 GptData = (EFI_GPT_DATA *)TcgEvent->Event;
226
227 //
228 // Copy the EFI_PARTITION_TABLE_HEADER and NumberOfPartition
229 //
230 CopyMem ((UINT8 *)GptData, (UINT8 *)PrimaryHeader, sizeof (EFI_PARTITION_TABLE_HEADER));
231 GptData->NumberOfPartitions = NumberOfPartition;
232 //
233 // Copy the valid partition entry
234 //
235 PartitionEntry = (EFI_PARTITION_ENTRY *)EntryPtr;
236 NumberOfPartition = 0;
237 for (Index = 0; Index < PrimaryHeader->NumberOfPartitionEntries; Index++) {
238 if (!IsZeroGuid (&PartitionEntry->PartitionTypeGUID)) {
239 CopyMem (
240 (UINT8 *)&GptData->Partitions + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry,
241 (UINT8 *)PartitionEntry,
242 PrimaryHeader->SizeOfPartitionEntry
243 );
244 NumberOfPartition++;
245 }
246
247 PartitionEntry = (EFI_PARTITION_ENTRY *)((UINT8 *)PartitionEntry + PrimaryHeader->SizeOfPartitionEntry);
248 }
249
250 //
251 // Measure the GPT data
252 //
253 EventNumber = 1;
254 Status = TcgProtocol->HashLogExtendEvent (
255 TcgProtocol,
256 (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
257 (UINT64)TcgEvent->EventSize,
258 TPM_ALG_SHA,
259 TcgEvent,
260 &EventNumber,
261 &EventLogLastEntry
262 );
263 if (!EFI_ERROR (Status)) {
264 mMeasureGptCount++;
265 }
266
267 FreePool (PrimaryHeader);
268 FreePool (EntryPtr);
269 FreePool (TcgEvent);
270
271 return Status;
272 }
273
274 /**
275 Measure PE image into TPM log based on the authenticode image hashing in
276 PE/COFF Specification 8.0 Appendix A.
277
278 Caution: This function may receive untrusted input.
279 PE/COFF image is external input, so this function will validate its data structure
280 within this image buffer before use.
281
282 Notes: PE/COFF image has been checked by BasePeCoffLib PeCoffLoaderGetImageInfo() in
283 its caller function DxeTpmMeasureBootHandler().
284
285 @param[in] TcgProtocol Pointer to the located TCG protocol instance.
286 @param[in] ImageAddress Start address of image buffer.
287 @param[in] ImageSize Image size
288 @param[in] LinkTimeBase Address that the image is loaded into memory.
289 @param[in] ImageType Image subsystem type.
290 @param[in] FilePath File path is corresponding to the input image.
291
292 @retval EFI_SUCCESS Successfully measure image.
293 @retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
294 @retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.
295 @retval other error value
296
297 **/
298 EFI_STATUS
299 EFIAPI
300 TcgMeasurePeImage (
301 IN EFI_TCG_PROTOCOL *TcgProtocol,
302 IN EFI_PHYSICAL_ADDRESS ImageAddress,
303 IN UINTN ImageSize,
304 IN UINTN LinkTimeBase,
305 IN UINT16 ImageType,
306 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
307 )
308 {
309 EFI_STATUS Status;
310 TCG_PCR_EVENT *TcgEvent;
311 EFI_IMAGE_LOAD_EVENT *ImageLoad;
312 UINT32 FilePathSize;
313 VOID *Sha1Ctx;
314 UINTN CtxSize;
315 EFI_IMAGE_DOS_HEADER *DosHdr;
316 UINT32 PeCoffHeaderOffset;
317 EFI_IMAGE_SECTION_HEADER *Section;
318 UINT8 *HashBase;
319 UINTN HashSize;
320 UINTN SumOfBytesHashed;
321 EFI_IMAGE_SECTION_HEADER *SectionHeader;
322 UINTN Index;
323 UINTN Pos;
324 UINT32 EventSize;
325 UINT32 EventNumber;
326 EFI_PHYSICAL_ADDRESS EventLogLastEntry;
327 EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr;
328 UINT32 NumberOfRvaAndSizes;
329 BOOLEAN HashStatus;
330 UINT32 CertSize;
331
332 Status = EFI_UNSUPPORTED;
333 ImageLoad = NULL;
334 SectionHeader = NULL;
335 Sha1Ctx = NULL;
336 FilePathSize = (UINT32)GetDevicePathSize (FilePath);
337
338 //
339 // Determine destination PCR by BootPolicy
340 //
341 EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
342 TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
343 if (TcgEvent == NULL) {
344 return EFI_OUT_OF_RESOURCES;
345 }
346
347 TcgEvent->EventSize = EventSize;
348 ImageLoad = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
349
350 switch (ImageType) {
351 case EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION:
352 TcgEvent->EventType = EV_EFI_BOOT_SERVICES_APPLICATION;
353 TcgEvent->PCRIndex = 4;
354 break;
355 case EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
356 TcgEvent->EventType = EV_EFI_BOOT_SERVICES_DRIVER;
357 TcgEvent->PCRIndex = 2;
358 break;
359 case EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
360 TcgEvent->EventType = EV_EFI_RUNTIME_SERVICES_DRIVER;
361 TcgEvent->PCRIndex = 2;
362 break;
363 default:
364 DEBUG ((
365 DEBUG_ERROR,
366 "TcgMeasurePeImage: Unknown subsystem type %d",
367 ImageType
368 ));
369 goto Finish;
370 }
371
372 ImageLoad->ImageLocationInMemory = ImageAddress;
373 ImageLoad->ImageLengthInMemory = ImageSize;
374 ImageLoad->ImageLinkTimeAddress = LinkTimeBase;
375 ImageLoad->LengthOfDevicePath = FilePathSize;
376 if ((FilePath != NULL) && (FilePathSize != 0)) {
377 CopyMem (ImageLoad->DevicePath, FilePath, FilePathSize);
378 }
379
380 //
381 // Check PE/COFF image
382 //
383 DosHdr = (EFI_IMAGE_DOS_HEADER *)(UINTN)ImageAddress;
384 PeCoffHeaderOffset = 0;
385 if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {
386 PeCoffHeaderOffset = DosHdr->e_lfanew;
387 }
388
389 Hdr.Pe32 = (EFI_IMAGE_NT_HEADERS32 *)((UINT8 *)(UINTN)ImageAddress + PeCoffHeaderOffset);
390 if (Hdr.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE) {
391 goto Finish;
392 }
393
394 //
395 // PE/COFF Image Measurement
396 //
397 // NOTE: The following codes/steps are based upon the authenticode image hashing in
398 // PE/COFF Specification 8.0 Appendix A.
399 //
400 //
401
402 // 1. Load the image header into memory.
403
404 // 2. Initialize a SHA hash context.
405 CtxSize = Sha1GetContextSize ();
406 Sha1Ctx = AllocatePool (CtxSize);
407 if (Sha1Ctx == NULL) {
408 Status = EFI_OUT_OF_RESOURCES;
409 goto Finish;
410 }
411
412 HashStatus = Sha1Init (Sha1Ctx);
413 if (!HashStatus) {
414 goto Finish;
415 }
416
417 //
418 // Measuring PE/COFF Image Header;
419 // But CheckSum field and SECURITY data directory (certificate) are excluded
420 //
421
422 //
423 // 3. Calculate the distance from the base of the image header to the image checksum address.
424 // 4. Hash the image header from its base to beginning of the image checksum.
425 //
426 HashBase = (UINT8 *)(UINTN)ImageAddress;
427 if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
428 //
429 // Use PE32 offset
430 //
431 NumberOfRvaAndSizes = Hdr.Pe32->OptionalHeader.NumberOfRvaAndSizes;
432 HashSize = (UINTN)(&Hdr.Pe32->OptionalHeader.CheckSum) - (UINTN)HashBase;
433 } else {
434 //
435 // Use PE32+ offset
436 //
437 NumberOfRvaAndSizes = Hdr.Pe32Plus->OptionalHeader.NumberOfRvaAndSizes;
438 HashSize = (UINTN)(&Hdr.Pe32Plus->OptionalHeader.CheckSum) - (UINTN)HashBase;
439 }
440
441 HashStatus = Sha1Update (Sha1Ctx, HashBase, HashSize);
442 if (!HashStatus) {
443 goto Finish;
444 }
445
446 //
447 // 5. Skip over the image checksum (it occupies a single ULONG).
448 //
449 if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {
450 //
451 // 6. Since there is no Cert Directory in optional header, hash everything
452 // from the end of the checksum to the end of image header.
453 //
454 if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
455 //
456 // Use PE32 offset.
457 //
458 HashBase = (UINT8 *)&Hdr.Pe32->OptionalHeader.CheckSum + sizeof (UINT32);
459 HashSize = Hdr.Pe32->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress);
460 } else {
461 //
462 // Use PE32+ offset.
463 //
464 HashBase = (UINT8 *)&Hdr.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32);
465 HashSize = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress);
466 }
467
468 if (HashSize != 0) {
469 HashStatus = Sha1Update (Sha1Ctx, HashBase, HashSize);
470 if (!HashStatus) {
471 goto Finish;
472 }
473 }
474 } else {
475 //
476 // 7. Hash everything from the end of the checksum to the start of the Cert Directory.
477 //
478 if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
479 //
480 // Use PE32 offset
481 //
482 HashBase = (UINT8 *)&Hdr.Pe32->OptionalHeader.CheckSum + sizeof (UINT32);
483 HashSize = (UINTN)(&Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN)HashBase;
484 } else {
485 //
486 // Use PE32+ offset
487 //
488 HashBase = (UINT8 *)&Hdr.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32);
489 HashSize = (UINTN)(&Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN)HashBase;
490 }
491
492 if (HashSize != 0) {
493 HashStatus = Sha1Update (Sha1Ctx, HashBase, HashSize);
494 if (!HashStatus) {
495 goto Finish;
496 }
497 }
498
499 //
500 // 8. Skip over the Cert Directory. (It is sizeof(IMAGE_DATA_DIRECTORY) bytes.)
501 // 9. Hash everything from the end of the Cert Directory to the end of image header.
502 //
503 if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
504 //
505 // Use PE32 offset
506 //
507 HashBase = (UINT8 *)&Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];
508 HashSize = Hdr.Pe32->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress);
509 } else {
510 //
511 // Use PE32+ offset
512 //
513 HashBase = (UINT8 *)&Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];
514 HashSize = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress);
515 }
516
517 if (HashSize != 0) {
518 HashStatus = Sha1Update (Sha1Ctx, HashBase, HashSize);
519 if (!HashStatus) {
520 goto Finish;
521 }
522 }
523 }
524
525 //
526 // 10. Set the SUM_OF_BYTES_HASHED to the size of the header
527 //
528 if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
529 //
530 // Use PE32 offset
531 //
532 SumOfBytesHashed = Hdr.Pe32->OptionalHeader.SizeOfHeaders;
533 } else {
534 //
535 // Use PE32+ offset
536 //
537 SumOfBytesHashed = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders;
538 }
539
540 //
541 // 11. Build a temporary table of pointers to all the IMAGE_SECTION_HEADER
542 // structures in the image. The 'NumberOfSections' field of the image
543 // header indicates how big the table should be. Do not include any
544 // IMAGE_SECTION_HEADERs in the table whose 'SizeOfRawData' field is zero.
545 //
546 SectionHeader = (EFI_IMAGE_SECTION_HEADER *)AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * Hdr.Pe32->FileHeader.NumberOfSections);
547 if (SectionHeader == NULL) {
548 Status = EFI_OUT_OF_RESOURCES;
549 goto Finish;
550 }
551
552 //
553 // 12. Using the 'PointerToRawData' in the referenced section headers as
554 // a key, arrange the elements in the table in ascending order. In other
555 // words, sort the section headers according to the disk-file offset of
556 // the section.
557 //
558 Section = (EFI_IMAGE_SECTION_HEADER *)(
559 (UINT8 *)(UINTN)ImageAddress +
560 PeCoffHeaderOffset +
561 sizeof (UINT32) +
562 sizeof (EFI_IMAGE_FILE_HEADER) +
563 Hdr.Pe32->FileHeader.SizeOfOptionalHeader
564 );
565 for (Index = 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++) {
566 Pos = Index;
567 while ((Pos > 0) && (Section->PointerToRawData < SectionHeader[Pos - 1].PointerToRawData)) {
568 CopyMem (&SectionHeader[Pos], &SectionHeader[Pos - 1], sizeof (EFI_IMAGE_SECTION_HEADER));
569 Pos--;
570 }
571
572 CopyMem (&SectionHeader[Pos], Section, sizeof (EFI_IMAGE_SECTION_HEADER));
573 Section += 1;
574 }
575
576 //
577 // 13. Walk through the sorted table, bring the corresponding section
578 // into memory, and hash the entire section (using the 'SizeOfRawData'
579 // field in the section header to determine the amount of data to hash).
580 // 14. Add the section's 'SizeOfRawData' to SUM_OF_BYTES_HASHED .
581 // 15. Repeat steps 13 and 14 for all the sections in the sorted table.
582 //
583 for (Index = 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++) {
584 Section = (EFI_IMAGE_SECTION_HEADER *)&SectionHeader[Index];
585 if (Section->SizeOfRawData == 0) {
586 continue;
587 }
588
589 HashBase = (UINT8 *)(UINTN)ImageAddress + Section->PointerToRawData;
590 HashSize = (UINTN)Section->SizeOfRawData;
591
592 HashStatus = Sha1Update (Sha1Ctx, HashBase, HashSize);
593 if (!HashStatus) {
594 goto Finish;
595 }
596
597 SumOfBytesHashed += HashSize;
598 }
599
600 //
601 // 16. If the file size is greater than SUM_OF_BYTES_HASHED, there is extra
602 // data in the file that needs to be added to the hash. This data begins
603 // at file offset SUM_OF_BYTES_HASHED and its length is:
604 // FileSize - (CertDirectory->Size)
605 //
606 if (ImageSize > SumOfBytesHashed) {
607 HashBase = (UINT8 *)(UINTN)ImageAddress + SumOfBytesHashed;
608
609 if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {
610 CertSize = 0;
611 } else {
612 if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
613 //
614 // Use PE32 offset.
615 //
616 CertSize = Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size;
617 } else {
618 //
619 // Use PE32+ offset.
620 //
621 CertSize = Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size;
622 }
623 }
624
625 if (ImageSize > CertSize + SumOfBytesHashed) {
626 HashSize = (UINTN)(ImageSize - CertSize - SumOfBytesHashed);
627
628 HashStatus = Sha1Update (Sha1Ctx, HashBase, HashSize);
629 if (!HashStatus) {
630 goto Finish;
631 }
632 } else if (ImageSize < CertSize + SumOfBytesHashed) {
633 goto Finish;
634 }
635 }
636
637 //
638 // 17. Finalize the SHA hash.
639 //
640 HashStatus = Sha1Final (Sha1Ctx, (UINT8 *)&TcgEvent->Digest);
641 if (!HashStatus) {
642 goto Finish;
643 }
644
645 //
646 // Log the PE data
647 //
648 EventNumber = 1;
649 Status = TcgProtocol->HashLogExtendEvent (
650 TcgProtocol,
651 (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)NULL,
652 0,
653 TPM_ALG_SHA,
654 TcgEvent,
655 &EventNumber,
656 &EventLogLastEntry
657 );
658 if (Status == EFI_OUT_OF_RESOURCES) {
659 //
660 // Out of resource here means the image is hashed and its result is extended to PCR.
661 // But the event log can't be saved since log area is full.
662 // Just return EFI_SUCCESS in order not to block the image load.
663 //
664 Status = EFI_SUCCESS;
665 }
666
667 Finish:
668 FreePool (TcgEvent);
669
670 if (SectionHeader != NULL) {
671 FreePool (SectionHeader);
672 }
673
674 if (Sha1Ctx != NULL ) {
675 FreePool (Sha1Ctx);
676 }
677
678 return Status;
679 }
680
681 /**
682 The security handler is used to abstract platform-specific policy
683 from the DXE core response to an attempt to use a file that returns a
684 given status for the authentication check from the section extraction protocol.
685
686 The possible responses in a given SAP implementation may include locking
687 flash upon failure to authenticate, attestation logging for all signed drivers,
688 and other exception operations. The File parameter allows for possible logging
689 within the SAP of the driver.
690
691 If the file specified by File with an authentication status specified by
692 AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS is returned.
693
694 If the file specified by File with an authentication status specified by
695 AuthenticationStatus is not safe for the DXE Core to use under any circumstances,
696 then EFI_ACCESS_DENIED is returned.
697
698 If the file specified by File with an authentication status specified by
699 AuthenticationStatus is not safe for the DXE Core to use right now, but it
700 might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is
701 returned.
702
703 If check image specified by FileBuffer and File is NULL meanwhile, return EFI_ACCESS_DENIED.
704
705 @param[in] AuthenticationStatus This is the authentication status returned
706 from the securitymeasurement services for the
707 input file.
708 @param[in] File This is a pointer to the device path of the file that is
709 being dispatched. This will optionally be used for logging.
710 @param[in] FileBuffer File buffer matches the input file device path.
711 @param[in] FileSize Size of File buffer matches the input file device path.
712 @param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
713
714 @retval EFI_SUCCESS The file specified by DevicePath and non-NULL
715 FileBuffer did authenticate, and the platform policy dictates
716 that the DXE Foundation may use the file.
717 @retval other error value
718 **/
719 EFI_STATUS
720 EFIAPI
721 DxeTpmMeasureBootHandler (
722 IN UINT32 AuthenticationStatus,
723 IN CONST EFI_DEVICE_PATH_PROTOCOL *File OPTIONAL,
724 IN VOID *FileBuffer,
725 IN UINTN FileSize,
726 IN BOOLEAN BootPolicy
727 )
728 {
729 EFI_TCG_PROTOCOL *TcgProtocol;
730 EFI_STATUS Status;
731 TCG_EFI_BOOT_SERVICE_CAPABILITY ProtocolCapability;
732 UINT32 TCGFeatureFlags;
733 EFI_PHYSICAL_ADDRESS EventLogLocation;
734 EFI_PHYSICAL_ADDRESS EventLogLastEntry;
735 EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
736 EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
737 EFI_HANDLE Handle;
738 EFI_HANDLE TempHandle;
739 BOOLEAN ApplicationRequired;
740 PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
741 EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *FvbProtocol;
742 EFI_PHYSICAL_ADDRESS FvAddress;
743 UINT32 Index;
744
745 Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol);
746 if (EFI_ERROR (Status)) {
747 //
748 // TCG protocol is not installed. So, TPM is not present.
749 // Don't do any measurement, and directly return EFI_SUCCESS.
750 //
751 return EFI_SUCCESS;
752 }
753
754 ProtocolCapability.Size = (UINT8)sizeof (ProtocolCapability);
755 Status = TcgProtocol->StatusCheck (
756 TcgProtocol,
757 &ProtocolCapability,
758 &TCGFeatureFlags,
759 &EventLogLocation,
760 &EventLogLastEntry
761 );
762 if (EFI_ERROR (Status) || ProtocolCapability.TPMDeactivatedFlag || (!ProtocolCapability.TPMPresentFlag)) {
763 //
764 // TPM device doesn't work or activate.
765 //
766 return EFI_SUCCESS;
767 }
768
769 //
770 // Copy File Device Path
771 //
772 OrigDevicePathNode = DuplicateDevicePath (File);
773
774 //
775 // 1. Check whether this device path support BlockIo protocol.
776 // Is so, this device path may be a GPT device path.
777 //
778 DevicePathNode = OrigDevicePathNode;
779 Status = gBS->LocateDevicePath (&gEfiBlockIoProtocolGuid, &DevicePathNode, &Handle);
780 if (!EFI_ERROR (Status) && !mMeasureGptTableFlag) {
781 //
782 // Find the gpt partition on the given devicepath
783 //
784 DevicePathNode = OrigDevicePathNode;
785 ASSERT (DevicePathNode != NULL);
786 while (!IsDevicePathEnd (DevicePathNode)) {
787 //
788 // Find the Gpt partition
789 //
790 if ((DevicePathType (DevicePathNode) == MEDIA_DEVICE_PATH) &&
791 (DevicePathSubType (DevicePathNode) == MEDIA_HARDDRIVE_DP))
792 {
793 //
794 // Check whether it is a gpt partition or not
795 //
796 if ((((HARDDRIVE_DEVICE_PATH *)DevicePathNode)->MBRType == MBR_TYPE_EFI_PARTITION_TABLE_HEADER) &&
797 (((HARDDRIVE_DEVICE_PATH *)DevicePathNode)->SignatureType == SIGNATURE_TYPE_GUID))
798 {
799 //
800 // Change the partition device path to its parent device path (disk) and get the handle.
801 //
802 DevicePathNode->Type = END_DEVICE_PATH_TYPE;
803 DevicePathNode->SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE;
804 DevicePathNode = OrigDevicePathNode;
805 Status = gBS->LocateDevicePath (
806 &gEfiDiskIoProtocolGuid,
807 &DevicePathNode,
808 &Handle
809 );
810 if (!EFI_ERROR (Status)) {
811 //
812 // Measure GPT disk.
813 //
814 Status = TcgMeasureGptTable (TcgProtocol, Handle);
815 if (!EFI_ERROR (Status)) {
816 //
817 // GPT disk check done.
818 //
819 mMeasureGptTableFlag = TRUE;
820 }
821 }
822
823 FreePool (OrigDevicePathNode);
824 OrigDevicePathNode = DuplicateDevicePath (File);
825 ASSERT (OrigDevicePathNode != NULL);
826 break;
827 }
828 }
829
830 DevicePathNode = NextDevicePathNode (DevicePathNode);
831 }
832 }
833
834 //
835 // 2. Measure PE image.
836 //
837 ApplicationRequired = FALSE;
838
839 //
840 // Check whether this device path support FVB protocol.
841 //
842 DevicePathNode = OrigDevicePathNode;
843 Status = gBS->LocateDevicePath (&gEfiFirmwareVolumeBlockProtocolGuid, &DevicePathNode, &Handle);
844 if (!EFI_ERROR (Status)) {
845 //
846 // Don't check FV image, and directly return EFI_SUCCESS.
847 // It can be extended to the specific FV authentication according to the different requirement.
848 //
849 if (IsDevicePathEnd (DevicePathNode)) {
850 return EFI_SUCCESS;
851 }
852
853 //
854 // The PE image from unmeasured Firmware volume need be measured
855 // The PE image from measured Firmware volume will be measured according to policy below.
856 // If it is driver, do not measure
857 // If it is application, still measure.
858 //
859 ApplicationRequired = TRUE;
860
861 if ((mCacheMeasuredHandle != Handle) && (mMeasuredHobData != NULL)) {
862 //
863 // Search for Root FV of this PE image
864 //
865 TempHandle = Handle;
866 do {
867 Status = gBS->HandleProtocol (
868 TempHandle,
869 &gEfiFirmwareVolumeBlockProtocolGuid,
870 (VOID **)&FvbProtocol
871 );
872 TempHandle = FvbProtocol->ParentHandle;
873 } while (!EFI_ERROR (Status) && FvbProtocol->ParentHandle != NULL);
874
875 //
876 // Search in measured FV Hob
877 //
878 Status = FvbProtocol->GetPhysicalAddress (FvbProtocol, &FvAddress);
879 if (EFI_ERROR (Status)) {
880 return Status;
881 }
882
883 ApplicationRequired = FALSE;
884
885 for (Index = 0; Index < mMeasuredHobData->Num; Index++) {
886 if (mMeasuredHobData->MeasuredFvBuf[Index].BlobBase == FvAddress) {
887 //
888 // Cache measured FV for next measurement
889 //
890 mCacheMeasuredHandle = Handle;
891 ApplicationRequired = TRUE;
892 break;
893 }
894 }
895 }
896 }
897
898 //
899 // File is not found.
900 //
901 if (FileBuffer == NULL) {
902 Status = EFI_SECURITY_VIOLATION;
903 goto Finish;
904 }
905
906 mTpmImageSize = FileSize;
907 mFileBuffer = FileBuffer;
908
909 //
910 // Measure PE Image
911 //
912 DevicePathNode = OrigDevicePathNode;
913 ZeroMem (&ImageContext, sizeof (ImageContext));
914 ImageContext.Handle = (VOID *)FileBuffer;
915 ImageContext.ImageRead = (PE_COFF_LOADER_READ_FILE)DxeTpmMeasureBootLibImageRead;
916
917 //
918 // Get information about the image being loaded
919 //
920 Status = PeCoffLoaderGetImageInfo (&ImageContext);
921 if (EFI_ERROR (Status)) {
922 //
923 // Check for invalid parameters.
924 //
925 if (File == NULL) {
926 return EFI_ACCESS_DENIED;
927 }
928
929 //
930 // The information can't be got from the invalid PeImage
931 //
932 goto Finish;
933 }
934
935 //
936 // Measure only application if Application flag is set
937 // Measure drivers and applications if Application flag is not set
938 //
939 if ((!ApplicationRequired) ||
940 (ApplicationRequired && (ImageContext.ImageType == EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION)))
941 {
942 //
943 // Print the image path to be measured.
944 //
945 DEBUG_CODE_BEGIN ();
946 CHAR16 *ToText;
947 ToText = ConvertDevicePathToText (
948 DevicePathNode,
949 FALSE,
950 TRUE
951 );
952 if (ToText != NULL) {
953 DEBUG ((DEBUG_INFO, "The measured image path is %s.\n", ToText));
954 FreePool (ToText);
955 }
956
957 DEBUG_CODE_END ();
958
959 //
960 // Measure PE image into TPM log.
961 //
962 Status = TcgMeasurePeImage (
963 TcgProtocol,
964 (EFI_PHYSICAL_ADDRESS)(UINTN)FileBuffer,
965 FileSize,
966 (UINTN)ImageContext.ImageAddress,
967 ImageContext.ImageType,
968 DevicePathNode
969 );
970 }
971
972 //
973 // Done, free the allocated resource.
974 //
975 Finish:
976 if (OrigDevicePathNode != NULL) {
977 FreePool (OrigDevicePathNode);
978 }
979
980 return Status;
981 }
982
983 /**
984 Register the security handler to provide TPM measure boot service.
985
986 @param ImageHandle ImageHandle of the loaded driver.
987 @param SystemTable Pointer to the EFI System Table.
988
989 @retval EFI_SUCCESS Register successfully.
990 @retval EFI_OUT_OF_RESOURCES No enough memory to register this handler.
991 **/
992 EFI_STATUS
993 EFIAPI
994 DxeTpmMeasureBootLibConstructor (
995 IN EFI_HANDLE ImageHandle,
996 IN EFI_SYSTEM_TABLE *SystemTable
997 )
998 {
999 EFI_HOB_GUID_TYPE *GuidHob;
1000
1001 GuidHob = NULL;
1002
1003 GuidHob = GetFirstGuidHob (&gMeasuredFvHobGuid);
1004
1005 if (GuidHob != NULL) {
1006 mMeasuredHobData = GET_GUID_HOB_DATA (GuidHob);
1007 }
1008
1009 return RegisterSecurity2Handler (
1010 DxeTpmMeasureBootHandler,
1011 EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
1012 );
1013 }
EFI Development Kit II mirror for PVE