TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse\r
partition data carefully.\r
\r
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
#include <PiDxe.h>\r
\r
#include <Protocol/TcgService.h>\r
-#include <Protocol/FirmwareVolume2.h>\r
#include <Protocol/BlockIo.h>\r
#include <Protocol/DiskIo.h>\r
-#include <Protocol/DevicePathToText.h>\r
+#include <Protocol/FirmwareVolumeBlock.h>\r
+\r
+#include <Guid/MeasuredFvHob.h>\r
\r
#include <Library/BaseLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/PeCoffLib.h>\r
#include <Library/SecurityManagementLib.h>\r
+#include <Library/HobLib.h>\r
\r
//\r
// Flag to check GPT partition. It only need be measured once.\r
//\r
BOOLEAN mMeasureGptTableFlag = FALSE;\r
-EFI_GUID mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}};\r
UINTN mMeasureGptCount = 0;\r
VOID *mFileBuffer;\r
-UINTN mImageSize;\r
+UINTN mTpmImageSize;\r
+//\r
+// Measured FV handle cache\r
+//\r
+EFI_HANDLE mCacheMeasuredHandle = NULL;\r
+MEASURED_HOB_DATA *mMeasuredHobData = NULL;\r
\r
/**\r
Reads contents of a PE/COFF image in memory buffer.\r
}\r
\r
EndPosition = FileOffset + *ReadSize;\r
- if (EndPosition > mImageSize) {\r
- *ReadSize = (UINT32)(mImageSize - FileOffset);\r
+ if (EndPosition > mTpmImageSize) {\r
+ *ReadSize = (UINT32)(mTpmImageSize - FileOffset);\r
}\r
\r
- if (FileOffset >= mImageSize) {\r
+ if (FileOffset >= mTpmImageSize) {\r
*ReadSize = 0;\r
}\r
\r
PartitionEntry = (EFI_PARTITION_ENTRY *)EntryPtr;\r
NumberOfPartition = 0;\r
for (Index = 0; Index < PrimaryHeader->NumberOfPartitionEntries; Index++) {\r
- if (!CompareGuid (&PartitionEntry->PartitionTypeGUID, &mZeroGuid)) {\r
+ if (!IsZeroGuid (&PartitionEntry->PartitionTypeGUID)) {\r
NumberOfPartition++; \r
}\r
PartitionEntry = (EFI_PARTITION_ENTRY *)((UINT8 *)PartitionEntry + PrimaryHeader->SizeOfPartitionEntry);\r
PartitionEntry = (EFI_PARTITION_ENTRY*)EntryPtr;\r
NumberOfPartition = 0;\r
for (Index = 0; Index < PrimaryHeader->NumberOfPartitionEntries; Index++) {\r
- if (!CompareGuid (&PartitionEntry->PartitionTypeGUID, &mZeroGuid)) {\r
+ if (!IsZeroGuid (&PartitionEntry->PartitionTypeGUID)) {\r
CopyMem (\r
(UINT8 *)&GptData->Partitions + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry,\r
(UINT8 *)PartitionEntry,\r
PE/COFF image is external input, so this function will validate its data structure\r
within this image buffer before use.\r
\r
+ Notes: PE/COFF image has been checked by BasePeCoffLib PeCoffLoaderGetImageInfo() in \r
+ its caller function DxeTpmMeasureBootHandler().\r
+\r
@param[in] TcgProtocol Pointer to the located TCG protocol instance.\r
@param[in] ImageAddress Start address of image buffer.\r
@param[in] ImageSize Image size\r
ImageLoad->ImageLengthInMemory = ImageSize;\r
ImageLoad->ImageLinkTimeAddress = LinkTimeBase;\r
ImageLoad->LengthOfDevicePath = FilePathSize;\r
- CopyMem (ImageLoad->DevicePath, FilePath, FilePathSize);\r
+ if ((FilePath != NULL) && (FilePathSize != 0)) {\r
+ CopyMem (ImageLoad->DevicePath, FilePath, FilePathSize);\r
+ }\r
\r
//\r
// Check PE/COFF image\r
&EventNumber,\r
&EventLogLastEntry\r
);\r
+ if (Status == EFI_OUT_OF_RESOURCES) {\r
+ //\r
+ // Out of resource here means the image is hashed and its result is extended to PCR.\r
+ // But the event log cann't be saved since log area is full.\r
+ // Just return EFI_SUCCESS in order not to block the image load.\r
+ //\r
+ Status = EFI_SUCCESS;\r
+ }\r
\r
Finish:\r
FreePool (TcgEvent);\r
IN BOOLEAN BootPolicy\r
)\r
{\r
- EFI_TCG_PROTOCOL *TcgProtocol;\r
- EFI_STATUS Status;\r
- TCG_EFI_BOOT_SERVICE_CAPABILITY ProtocolCapability;\r
- UINT32 TCGFeatureFlags;\r
- EFI_PHYSICAL_ADDRESS EventLogLocation;\r
- EFI_PHYSICAL_ADDRESS EventLogLastEntry;\r
- EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;\r
- EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;\r
- EFI_HANDLE Handle;\r
- BOOLEAN ApplicationRequired;\r
- PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;\r
+ EFI_TCG_PROTOCOL *TcgProtocol;\r
+ EFI_STATUS Status;\r
+ TCG_EFI_BOOT_SERVICE_CAPABILITY ProtocolCapability;\r
+ UINT32 TCGFeatureFlags;\r
+ EFI_PHYSICAL_ADDRESS EventLogLocation;\r
+ EFI_PHYSICAL_ADDRESS EventLogLastEntry;\r
+ EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;\r
+ EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;\r
+ EFI_HANDLE Handle;\r
+ EFI_HANDLE TempHandle;\r
+ BOOLEAN ApplicationRequired;\r
+ PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;\r
+ EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *FvbProtocol;\r
+ EFI_PHYSICAL_ADDRESS FvAddress;\r
+ UINT32 Index;\r
\r
Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);\r
if (EFI_ERROR (Status)) {\r
&EventLogLocation,\r
&EventLogLastEntry\r
);\r
- if (EFI_ERROR (Status) || ProtocolCapability.TPMDeactivatedFlag) {\r
+ if (EFI_ERROR (Status) || ProtocolCapability.TPMDeactivatedFlag || (!ProtocolCapability.TPMPresentFlag)) {\r
//\r
// TPM device doesn't work or activate.\r
//\r
ApplicationRequired = FALSE;\r
\r
//\r
- // Check whether this device path support FV2 protocol.\r
+ // Check whether this device path support FVB protocol.\r
//\r
DevicePathNode = OrigDevicePathNode;\r
- Status = gBS->LocateDevicePath (&gEfiFirmwareVolume2ProtocolGuid, &DevicePathNode, &Handle);\r
+ Status = gBS->LocateDevicePath (&gEfiFirmwareVolumeBlockProtocolGuid, &DevicePathNode, &Handle);\r
if (!EFI_ERROR (Status)) {\r
//\r
// Don't check FV image, and directly return EFI_SUCCESS.\r
return EFI_SUCCESS;\r
}\r
//\r
- // The image from Firmware image will not be mearsured.\r
- // Current policy doesn't measure PeImage from Firmware if it is driver\r
- // If the got PeImage is application, it will be still be measured.\r
+ // The PE image from unmeasured Firmware volume need be measured\r
+ // The PE image from measured Firmware volume will be mearsured according to policy below.\r
+ // If it is driver, do not measure\r
+ // If it is application, still measure.\r
//\r
ApplicationRequired = TRUE;\r
+\r
+ if (mCacheMeasuredHandle != Handle && mMeasuredHobData != NULL) {\r
+ //\r
+ // Search for Root FV of this PE image\r
+ //\r
+ TempHandle = Handle;\r
+ do {\r
+ Status = gBS->HandleProtocol(\r
+ TempHandle, \r
+ &gEfiFirmwareVolumeBlockProtocolGuid,\r
+ (VOID**)&FvbProtocol\r
+ );\r
+ TempHandle = FvbProtocol->ParentHandle;\r
+ } while (!EFI_ERROR(Status) && FvbProtocol->ParentHandle != NULL);\r
+\r
+ //\r
+ // Search in measured FV Hob\r
+ //\r
+ Status = FvbProtocol->GetPhysicalAddress(FvbProtocol, &FvAddress);\r
+ if (EFI_ERROR(Status)){\r
+ return Status;\r
+ }\r
+\r
+ ApplicationRequired = FALSE;\r
+\r
+ for (Index = 0; Index < mMeasuredHobData->Num; Index++) {\r
+ if(mMeasuredHobData->MeasuredFvBuf[Index].BlobBase == FvAddress) {\r
+ //\r
+ // Cache measured FV for next measurement\r
+ //\r
+ mCacheMeasuredHandle = Handle;\r
+ ApplicationRequired = TRUE;\r
+ break;\r
+ }\r
+ }\r
+ }\r
}\r
- \r
+\r
//\r
// File is not found.\r
//\r
goto Finish;\r
}\r
\r
- mImageSize = FileSize;\r
+ mTpmImageSize = FileSize;\r
mFileBuffer = FileBuffer;\r
\r
//\r
// \r
DEBUG_CODE_BEGIN ();\r
CHAR16 *ToText;\r
- EFI_DEVICE_PATH_TO_TEXT_PROTOCOL *DevPathToText;\r
- Status = gBS->LocateProtocol (\r
- &gEfiDevicePathToTextProtocolGuid,\r
- NULL,\r
- (VOID **) &DevPathToText\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- ToText = DevPathToText->ConvertDevicePathToText (\r
- DevicePathNode,\r
- FALSE,\r
- TRUE\r
- );\r
- if (ToText != NULL) {\r
- DEBUG ((DEBUG_INFO, "The measured image path is %s.\n", ToText));\r
- }\r
+ ToText = ConvertDevicePathToText (\r
+ DevicePathNode,\r
+ FALSE,\r
+ TRUE\r
+ );\r
+ if (ToText != NULL) {\r
+ DEBUG ((DEBUG_INFO, "The measured image path is %s.\n", ToText));\r
+ FreePool (ToText);\r
}\r
DEBUG_CODE_END ();\r
\r
IN EFI_SYSTEM_TABLE *SystemTable\r
)\r
{\r
+ EFI_HOB_GUID_TYPE *GuidHob;\r
+\r
+ GuidHob = NULL;\r
+\r
+ GuidHob = GetFirstGuidHob (&gMeasuredFvHobGuid);\r
+\r
+ if (GuidHob != NULL) {\r
+ mMeasuredHobData = GET_GUID_HOB_DATA (GuidHob);\r
+ }\r
+\r
return RegisterSecurity2Handler (\r
DxeTpmMeasureBootHandler,\r
EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED\r
projects / mirror_edk2.git / blobdiff