--- /dev/null
+/** @file\r
+ SetImage instance to report system firmware and act as agent to system update.\r
+\r
+ Caution: This module requires additional review when modified.\r
+ This module will have external input - capsule image.\r
+ This external input must be validated carefully to avoid security issue like\r
+ buffer overflow, integer overflow.\r
+\r
+ FmpSetImage() will receive untrusted input and do basic validation.\r
+\r
+ Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
+ This program and the accompanying materials\r
+ are licensed and made available under the terms and conditions of the BSD License\r
+ which accompanies this distribution. The full text of the license may be found at\r
+ http://opensource.org/licenses/bsd-license.php\r
+\r
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+#include "SystemFirmwareDxe.h"\r
+\r
+//\r
+// SystemFmp driver private data\r
+//\r
+SYSTEM_FMP_PRIVATE_DATA *mSystemFmpPrivate = NULL;\r
+\r
+/**\r
+ Dispatch system FMP images.\r
+\r
+ Caution: This function may receive untrusted input.\r
+\r
+ @param[in] Image The EDKII system FMP capsule image.\r
+ @param[in] ImageSize The size of the EDKII system FMP capsule image in bytes.\r
+ @param[out] LastAttemptVersion The last attempt version, which will be recorded in ESRT and FMP EFI_FIRMWARE_IMAGE_DESCRIPTOR.\r
+ @param[out] LastAttemptStatus The last attempt status, which will be recorded in ESRT and FMP EFI_FIRMWARE_IMAGE_DESCRIPTOR.\r
+\r
+ @retval EFI_SUCESS Process Capsule Image successfully.\r
+ @retval EFI_UNSUPPORTED Capsule image is not supported by the firmware.\r
+ @retval EFI_VOLUME_CORRUPTED FV volume in the capsule is corrupted.\r
+ @retval EFI_OUT_OF_RESOURCES Not enough memory.\r
+**/\r
+EFI_STATUS\r
+DispatchSystemFmpImages (\r
+ IN VOID *Image,\r
+ IN UINTN ImageSize,\r
+ OUT UINT32 *LastAttemptVersion,\r
+ OUT UINT32 *LastAttemptStatus\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ VOID *AuthenticatedImage;\r
+ UINTN AuthenticatedImageSize;\r
+ VOID *DispatchFvImage;\r
+ UINTN DispatchFvImageSize;\r
+ EFI_HANDLE FvProtocolHandle;\r
+ EFI_FIRMWARE_VOLUME_HEADER *FvImage;\r
+ BOOLEAN Result;\r
+\r
+ DEBUG((DEBUG_INFO, "DispatchSystemFmpImages\n"));\r
+\r
+ //\r
+ // Verify\r
+ //\r
+ Status = CapsuleAuthenticateSystemFirmware(Image, ImageSize, FALSE, LastAttemptVersion, LastAttemptStatus, &AuthenticatedImage, &AuthenticatedImageSize);\r
+ if (EFI_ERROR(Status)) {\r
+ DEBUG((DEBUG_INFO, "SystemFirmwareAuthenticateImage - %r\n", Status));\r
+ return Status;\r
+ }\r
+\r
+ //\r
+ // Get FV\r
+ //\r
+ Result = ExtractDriverFvImage(AuthenticatedImage, AuthenticatedImageSize, &DispatchFvImage, &DispatchFvImageSize);\r
+ if (Result) {\r
+ DEBUG((DEBUG_INFO, "ExtractDriverFvImage\n"));\r
+ //\r
+ // Dispatch\r
+ //\r
+ if (((EFI_FIRMWARE_VOLUME_HEADER *)DispatchFvImage)->FvLength == DispatchFvImageSize) {\r
+ FvImage = AllocatePages(EFI_SIZE_TO_PAGES(DispatchFvImageSize));\r
+ if (FvImage != NULL) {\r
+ CopyMem(FvImage, DispatchFvImage, DispatchFvImageSize);\r
+ Status = gDS->ProcessFirmwareVolume(\r
+ (VOID *)FvImage,\r
+ (UINTN)FvImage->FvLength,\r
+ &FvProtocolHandle\r
+ );\r
+ DEBUG((DEBUG_INFO, "ProcessFirmwareVolume - %r\n", Status));\r
+ if (!EFI_ERROR(Status)) {\r
+ gDS->Dispatch();\r
+ DEBUG((DEBUG_INFO, "Dispatch Done\n"));\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Updates the firmware image of the device.\r
+\r
+ This function updates the hardware with the new firmware image.\r
+ This function returns EFI_UNSUPPORTED if the firmware image is not updatable.\r
+ If the firmware image is updatable, the function should perform the following minimal validations\r
+ before proceeding to do the firmware image update.\r
+ - Validate the image authentication if image has attribute\r
+ IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED. The function returns\r
+ EFI_SECURITY_VIOLATION if the validation fails.\r
+ - Validate the image is a supported image for this device. The function returns EFI_ABORTED if\r
+ the image is unsupported. The function can optionally provide more detailed information on\r
+ why the image is not a supported image.\r
+ - Validate the data from VendorCode if not null. Image validation must be performed before\r
+ VendorCode data validation. VendorCode data is ignored or considered invalid if image\r
+ validation failed. The function returns EFI_ABORTED if the data is invalid.\r
+\r
+ VendorCode enables vendor to implement vendor-specific firmware image update policy. Null if\r
+ the caller did not specify the policy or use the default policy. As an example, vendor can implement\r
+ a policy to allow an option to force a firmware image update when the abort reason is due to the new\r
+ firmware image version is older than the current firmware image version or bad image checksum.\r
+ Sensitive operations such as those wiping the entire firmware image and render the device to be\r
+ non-functional should be encoded in the image itself rather than passed with the VendorCode.\r
+ AbortReason enables vendor to have the option to provide a more detailed description of the abort\r
+ reason to the caller.\r
+\r
+ @param[in] This A pointer to the EFI_FIRMWARE_MANAGEMENT_PROTOCOL instance.\r
+ @param[in] ImageIndex A unique number identifying the firmware image(s) within the device.\r
+ The number is between 1 and DescriptorCount.\r
+ @param[in] Image Points to the new image.\r
+ @param[in] ImageSize Size of the new image in bytes.\r
+ @param[in] VendorCode This enables vendor to implement vendor-specific firmware image update policy.\r
+ Null indicates the caller did not specify the policy or use the default policy.\r
+ @param[in] Progress A function used by the driver to report the progress of the firmware update.\r
+ @param[out] AbortReason A pointer to a pointer to a null-terminated string providing more\r
+ details for the aborted operation. The buffer is allocated by this function\r
+ with AllocatePool(), and it is the caller's responsibility to free it with a\r
+ call to FreePool().\r
+\r
+ @retval EFI_SUCCESS The device was successfully updated with the new image.\r
+ @retval EFI_ABORTED The operation is aborted.\r
+ @retval EFI_INVALID_PARAMETER The Image was NULL.\r
+ @retval EFI_UNSUPPORTED The operation is not supported.\r
+ @retval EFI_SECURITY_VIOLATIO The operation could not be performed due to an authentication failure.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+FmpSetImage (\r
+ IN EFI_FIRMWARE_MANAGEMENT_PROTOCOL *This,\r
+ IN UINT8 ImageIndex,\r
+ IN CONST VOID *Image,\r
+ IN UINTN ImageSize,\r
+ IN CONST VOID *VendorCode,\r
+ IN EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS Progress,\r
+ OUT CHAR16 **AbortReason\r
+ )\r
+{\r
+ SYSTEM_FMP_PRIVATE_DATA *SystemFmpPrivate;\r
+ EFI_FIRMWARE_MANAGEMENT_PROTOCOL *SystemFmp;\r
+ EFI_STATUS Status;\r
+ EFI_STATUS VarStatus;\r
+\r
+ if (Image == NULL || ImageSize == 0 || AbortReason == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ SystemFmpPrivate = SYSTEM_FMP_PRIVATE_DATA_FROM_FMP(This);\r
+ *AbortReason = NULL;\r
+\r
+ if (ImageIndex == 0 || ImageIndex > SystemFmpPrivate->DescriptorCount) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Process FV\r
+ //\r
+ Status = DispatchSystemFmpImages((VOID *)Image, ImageSize, &SystemFmpPrivate->LastAttempt.LastAttemptVersion, &SystemFmpPrivate->LastAttempt.LastAttemptStatus);\r
+ DEBUG((DEBUG_INFO, "(Agent)SetImage - LastAttemp Version - 0x%x, State - 0x%x\n", SystemFmpPrivate->LastAttempt.LastAttemptVersion, SystemFmpPrivate->LastAttempt.LastAttemptStatus));\r
+ if (EFI_ERROR(Status)) {\r
+ VarStatus = gRT->SetVariable(\r
+ SYSTEM_FMP_LAST_ATTEMPT_VARIABLE_NAME,\r
+ &gSystemFmpLastAttemptVariableGuid,\r
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+ sizeof(SystemFmpPrivate->LastAttempt),\r
+ &SystemFmpPrivate->LastAttempt\r
+ );\r
+ DEBUG((DEBUG_INFO, "(Agent)SetLastAttemp - %r\n", VarStatus));\r
+ return Status;\r
+ }\r
+\r
+ //\r
+ // Pass Thru\r
+ //\r
+ Status = gBS->LocateProtocol(&gSystemFmpProtocolGuid, NULL, (VOID **)&SystemFmp);\r
+ if (EFI_ERROR(Status)) {\r
+ DEBUG((DEBUG_INFO, "(Agent)SetImage - SystemFmpProtocol - %r\n", Status));\r
+ SystemFmpPrivate->LastAttempt.LastAttemptStatus = LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT;\r
+ VarStatus = gRT->SetVariable(\r
+ SYSTEM_FMP_LAST_ATTEMPT_VARIABLE_NAME,\r
+ &gSystemFmpLastAttemptVariableGuid,\r
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+ sizeof(SystemFmpPrivate->LastAttempt),\r
+ &SystemFmpPrivate->LastAttempt\r
+ );\r
+ DEBUG((DEBUG_INFO, "(Agent)SetLastAttemp - %r\n", VarStatus));\r
+ return Status;\r
+ }\r
+\r
+ return SystemFmp->SetImage(SystemFmp, ImageIndex, Image, ImageSize, VendorCode, Progress, AbortReason);\r
+}\r
+\r
+/**\r
+ System FMP module entrypoint\r
+\r
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.\r
+ @param[in] SystemTable A pointer to the EFI System Table.\r
+\r
+ @return EFI_SUCCESS System FMP module is initialized.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+SystemFirmwareReportMainDxe (\r
+ IN EFI_HANDLE ImageHandle,\r
+ IN EFI_SYSTEM_TABLE *SystemTable\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+\r
+ //\r
+ // Initialize SystemFmpPrivateData\r
+ //\r
+ mSystemFmpPrivate = AllocateZeroPool (sizeof(SYSTEM_FMP_PRIVATE_DATA));\r
+ if (mSystemFmpPrivate == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+\r
+ Status = InitializePrivateData(mSystemFmpPrivate);\r
+ if (EFI_ERROR(Status)) {\r
+ FreePool(mSystemFmpPrivate);\r
+ mSystemFmpPrivate = NULL;\r
+ return Status;\r
+ }\r
+\r
+ //\r
+ // Install FMP protocol.\r
+ //\r
+ Status = gBS->InstallProtocolInterface (\r
+ &mSystemFmpPrivate->Handle,\r
+ &gEfiFirmwareManagementProtocolGuid,\r
+ EFI_NATIVE_INTERFACE,\r
+ &mSystemFmpPrivate->Fmp\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ FreePool(mSystemFmpPrivate);\r
+ mSystemFmpPrivate = NULL;\r
+ return Status;\r
+ }\r
+\r
+ return Status;\r
+}\r