Fix compile error
[mirror_edk2.git] / SecurityPkg / Library / DxeTpmMeasureBootLib / DxeTpmMeasureBootLib.c
index 300a15fe6b6f9db17381879a559ee73c31c912f9..f3e486eadc7a97bb9d129c0ec7b40c63abe9296d 100644 (file)
@@ -29,10 +29,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <PiDxe.h>\r
 \r
 #include <Protocol/TcgService.h>\r
-#include <Protocol/FirmwareVolume2.h>\r
 #include <Protocol/BlockIo.h>\r
 #include <Protocol/DiskIo.h>\r
 #include <Protocol/DevicePathToText.h>\r
+#include <Protocol/FirmwareVolumeBlock.h>\r
+\r
+#include <Guid/TrustedFvHob.h>\r
 \r
 #include <Library/BaseLib.h>\r
 #include <Library/DebugLib.h>\r
@@ -43,6 +45,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Library/BaseCryptLib.h>\r
 #include <Library/PeCoffLib.h>\r
 #include <Library/SecurityManagementLib.h>\r
+#include <Library/HobLib.h>\r
 \r
 //\r
 // Flag to check GPT partition. It only need be measured once.\r
@@ -52,6 +55,11 @@ EFI_GUID                          mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}
 UINTN                             mMeasureGptCount = 0;\r
 VOID                              *mFileBuffer;\r
 UINTN                             mImageSize;\r
+//\r
+// Measured FV handle cache\r
+//\r
+EFI_HANDLE                        mCacheMeasuredHandle  = NULL;\r
+UINT32                            *mGuidHobData         = NULL;\r
 \r
 /**\r
   Reads contents of a PE/COFF image in memory buffer.\r
@@ -718,17 +726,22 @@ DxeTpmMeasureBootHandler (
   IN  BOOLEAN                          BootPolicy\r
   )\r
 {\r
-  EFI_TCG_PROTOCOL                  *TcgProtocol;\r
-  EFI_STATUS                        Status;\r
-  TCG_EFI_BOOT_SERVICE_CAPABILITY   ProtocolCapability;\r
-  UINT32                            TCGFeatureFlags;\r
-  EFI_PHYSICAL_ADDRESS              EventLogLocation;\r
-  EFI_PHYSICAL_ADDRESS              EventLogLastEntry;\r
-  EFI_DEVICE_PATH_PROTOCOL          *DevicePathNode;\r
-  EFI_DEVICE_PATH_PROTOCOL          *OrigDevicePathNode;\r
-  EFI_HANDLE                        Handle;\r
-  BOOLEAN                           ApplicationRequired;\r
-  PE_COFF_LOADER_IMAGE_CONTEXT      ImageContext;\r
+  EFI_TCG_PROTOCOL                    *TcgProtocol;\r
+  EFI_STATUS                          Status;\r
+  TCG_EFI_BOOT_SERVICE_CAPABILITY     ProtocolCapability;\r
+  UINT32                              TCGFeatureFlags;\r
+  EFI_PHYSICAL_ADDRESS                EventLogLocation;\r
+  EFI_PHYSICAL_ADDRESS                EventLogLastEntry;\r
+  EFI_DEVICE_PATH_PROTOCOL            *DevicePathNode;\r
+  EFI_DEVICE_PATH_PROTOCOL            *OrigDevicePathNode;\r
+  EFI_HANDLE                          Handle;\r
+  EFI_HANDLE                          TempHandle;\r
+  BOOLEAN                             ApplicationRequired;\r
+  PE_COFF_LOADER_IMAGE_CONTEXT        ImageContext;\r
+  EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL  *FvbProtocol;\r
+  EFI_PHYSICAL_ADDRESS                FvAddress;\r
+  EFI_PLATFORM_FIRMWARE_BLOB          *TrustedFvBuf;\r
+  UINT32                              Index;\r
 \r
   Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);\r
   if (EFI_ERROR (Status)) {\r
@@ -822,10 +835,10 @@ DxeTpmMeasureBootHandler (
   ApplicationRequired = FALSE;\r
 \r
   //\r
-  // Check whether this device path support FV2 protocol.\r
+  // Check whether this device path support FVB protocol.\r
   //\r
   DevicePathNode = OrigDevicePathNode;\r
-  Status = gBS->LocateDevicePath (&gEfiFirmwareVolume2ProtocolGuid, &DevicePathNode, &Handle);\r
+  Status = gBS->LocateDevicePath (&gEfiFirmwareVolumeBlockProtocolGuid, &DevicePathNode, &Handle);\r
   if (!EFI_ERROR (Status)) {\r
     //\r
     // Don't check FV image, and directly return EFI_SUCCESS.\r
@@ -835,13 +848,51 @@ DxeTpmMeasureBootHandler (
       return EFI_SUCCESS;\r
     }\r
     //\r
-    // The image from Firmware image will not be mearsured.\r
-    // Current policy doesn't measure PeImage from Firmware if it is driver\r
-    // If the got PeImage is application, it will be still be measured.\r
+    // The PE image from untrusted Firmware volume need be measured\r
+    // The PE image from trusted Firmware volume will be mearsured according to policy below.\r
+    //   if it is driver, do not measure\r
+    //   If it is application, still measure.\r
     //\r
     ApplicationRequired = TRUE;\r
+\r
+    if (mCacheMeasuredHandle != Handle && mGuidHobData != NULL) {\r
+      //\r
+      // Search for Root FV of this PE image\r
+      //\r
+      TempHandle = Handle;\r
+      do {\r
+        Status = gBS->HandleProtocol(\r
+                        TempHandle, \r
+                        &gEfiFirmwareVolumeBlockProtocolGuid,\r
+                        (VOID**)&FvbProtocol\r
+                        );\r
+        TempHandle = FvbProtocol->ParentHandle;\r
+      } while (!EFI_ERROR(Status) && FvbProtocol->ParentHandle != NULL);\r
+\r
+      //\r
+      // Search in measured FV Hob\r
+      //\r
+      Status = FvbProtocol->GetPhysicalAddress(FvbProtocol, &FvAddress);\r
+      if (EFI_ERROR(Status)){\r
+        return Status;\r
+      }\r
+\r
+      TrustedFvBuf        = (EFI_PLATFORM_FIRMWARE_BLOB *)(mGuidHobData + 1);\r
+      ApplicationRequired = FALSE;\r
+\r
+      for (Index = 0; Index < *mGuidHobData; Index++) {\r
+        if(TrustedFvBuf[Index].BlobBase == FvAddress) {\r
+          //\r
+          // Cache measured FV for next measurement\r
+          //\r
+          mCacheMeasuredHandle = Handle;\r
+          ApplicationRequired  = TRUE;\r
+          break;\r
+        }\r
+      }\r
+    }\r
   }\r
-  \r
+\r
   //\r
   // File is not found.\r
   //\r
@@ -941,6 +992,16 @@ DxeTpmMeasureBootLibConstructor (
   IN EFI_SYSTEM_TABLE  *SystemTable\r
   )\r
 {\r
+  EFI_HOB_GUID_TYPE  *GuidHob;\r
+\r
+  GuidHob = NULL;\r
+\r
+  GuidHob = GetFirstGuidHob (&gTrustedFvHobGuid);\r
+\r
+  if (GuidHob != NULL) {\r
+    mGuidHobData = GET_GUID_HOB_DATA (GuidHob);\r
+  }\r
+\r
   return RegisterSecurity2Handler (\r
           DxeTpmMeasureBootHandler,\r
           EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED\r