X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=SecurityPkg%2FLibrary%2FDxeTpmMeasureBootLib%2FDxeTpmMeasureBootLib.c;h=eae68eab6babb05d0059f9417e4dfc2249d144f5;hp=300a15fe6b6f9db17381879a559ee73c31c912f9;hb=0758c830f7b4a388b15fb825b896f5f366985bbf;hpb=4dbb98ab164c70d788b956723199c90018467648
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 300a15fe6b..eae68eab6b 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -29,10 +29,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include
 #include
-#include
 #include
 #include
 #include
+#include
+
+#include
 #include
 #include
@@ -43,6 +45,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include
 #include
 #include
+#include
 //
 // Flag to check GPT partition. It only need be measured once.
@@ -52,6 +55,11 @@ EFI_GUID mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}
 UINTN mMeasureGptCount = 0;
 VOID *mFileBuffer;
 UINTN mImageSize;
+//
+// Measured FV handle cache
+//
+EFI_HANDLE mCacheMeasuredHandle = NULL;
+MEASURED_HOB_DATA *mMeasuredHobData = NULL;
 /**
 Reads contents of a PE/COFF image in memory buffer.
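Review bot: The two new globals in the last hunk of this file header carry only the heading "Measured FV handle cache", which does not say what either one holds or who owns it; `mMeasuredHobData` appears to point into HOB memory located by the constructor and is never freed here, and `mCacheMeasuredHandle` is a one-entry cache of the last image-source handle whose root FV was found in that HOB, not a flag for "any measured FV". Suggest `// Points into the measured-FV GUID HOB (not owned here); stays NULL when no such HOB exists` above `mMeasuredHobData` and `// Handle of the last image source whose root FV was found in mMeasuredHobData (one-entry cache)` above `mCacheMeasuredHandle`.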
@@ -718,17 +726,21 @@ DxeTpmMeasureBootHandler (
 IN BOOLEAN BootPolicy
 )
 {
- EFI_TCG_PROTOCOL *TcgProtocol;
- EFI_STATUS Status;
- TCG_EFI_BOOT_SERVICE_CAPABILITY ProtocolCapability;
- UINT32 TCGFeatureFlags;
- EFI_PHYSICAL_ADDRESS EventLogLocation;
- EFI_PHYSICAL_ADDRESS EventLogLastEntry;
- EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
- EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
- EFI_HANDLE Handle;
- BOOLEAN ApplicationRequired;
- PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
+ EFI_TCG_PROTOCOL *TcgProtocol;
+ EFI_STATUS Status;
+ TCG_EFI_BOOT_SERVICE_CAPABILITY ProtocolCapability;
+ UINT32 TCGFeatureFlags;
+ EFI_PHYSICAL_ADDRESS EventLogLocation;
+ EFI_PHYSICAL_ADDRESS EventLogLastEntry;
+ EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
+ EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
+ EFI_HANDLE Handle;
+ EFI_HANDLE TempHandle;
+ BOOLEAN ApplicationRequired;
+ PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
+ EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *FvbProtocol;
+ EFI_PHYSICAL_ADDRESS FvAddress;
+ UINT32 Index;
 Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);
 if (EFI_ERROR (Status)) {
@@ -822,10 +834,10 @@ DxeTpmMeasureBootHandler (
 ApplicationRequired = FALSE;
 //
- // Check whether this device path support FV2 protocol.
+ // Check whether this device path support FVB protocol.
 //
 DevicePathNode = OrigDevicePathNode;
- Status = gBS->LocateDevicePath (&gEfiFirmwareVolume2ProtocolGuid, &DevicePathNode, &Handle);
+ Status = gBS->LocateDevicePath (&gEfiFirmwareVolumeBlockProtocolGuid, &DevicePathNode, &Handle);
 if (!EFI_ERROR (Status)) {
 //
 // Don't check FV image, and directly return EFI_SUCCESS.
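Review bot: The early-return test in the second hunk now keys on gEfiFirmwareVolumeBlockProtocolGuid instead of gEfiFirmwareVolume2ProtocolGuid, so an image whose device path resolves to an FV2 instance with no FVB beneath it (if such FVs exist on a given platform) would no longer be treated as firmware-resident and would fall through to the normal measurement path; if that is intended, the comment should say so rather than just swapping the protocol name. Suggest `// Check whether this device path is backed by an FVB protocol; only FVB-backed FVs can be walked to their root and matched against the measured-FV HOB below.` The `Handle` returned here is also the starting point of the FVB ancestry walk in the next hunk, which is worth a short note at the LocateDevicePath call. DxeTpmMeasureBootHandler starts and ends outside both hunks.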
@@ -835,13 +847,50 @@ DxeTpmMeasureBootHandler (
 return EFI_SUCCESS;
 }
 //
- // The image from Firmware image will not be mearsured.
- // Current policy doesn't measure PeImage from Firmware if it is driver
- // If the got PeImage is application, it will be still be measured.
+ // The PE image from unmeasured Firmware volume need be measured
+ // The PE image from measured Firmware volume will be mearsured according to policy below.
+ // If it is driver, do not measure
+ // If it is application, still measure.
 //
 ApplicationRequired = TRUE;
+
+ if (mCacheMeasuredHandle != Handle && mMeasuredHobData != NULL) {
+ //
+ // Search for Root FV of this PE image
+ //
+ TempHandle = Handle;
+ do {
+ Status = gBS->HandleProtocol(
+ TempHandle,
+ &gEfiFirmwareVolumeBlockProtocolGuid,
+ (VOID**)&FvbProtocol
+ );
+ TempHandle = FvbProtocol->ParentHandle;
+ } while (!EFI_ERROR(Status) && FvbProtocol->ParentHandle != NULL);
+
+ //
+ // Search in measured FV Hob
+ //
+ Status = FvbProtocol->GetPhysicalAddress(FvbProtocol, &FvAddress);
+ if (EFI_ERROR(Status)){
+ return Status;
+ }
+
+ ApplicationRequired = FALSE;
+
+ for (Index = 0; Index < mMeasuredHobData->Num; Index++) {
+ if(mMeasuredHobData->MeasuredFvBuf[Index].BlobBase == FvAddress) {
+ //
+ // Cache measured FV for next measurement
+ //
+ mCacheMeasuredHandle = Handle;
+ ApplicationRequired = TRUE;
+ break;
+ }
+ }
+ }
 }
-
+
 //
 // File is not found.
 //
@@ -941,6 +990,16 @@ DxeTpmMeasureBootLibConstructor (
 IN EFI_SYSTEM_TABLE *SystemTable
 )
 {
+ EFI_HOB_GUID_TYPE *GuidHob;
+
+ GuidHob = NULL;
+
+ GuidHob = GetFirstGuidHob (&gMeasuredFvHobGuid);
+
+ if (GuidHob != NULL) {
+ mMeasuredHobData = GET_GUID_HOB_DATA (GuidHob);
+ }
+
 return RegisterSecurity2Handler (
 DxeTpmMeasureBootHandler,
 EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
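Review bot: In the do/while of the first hunk `TempHandle = FvbProtocol->ParentHandle;` executes before Status is examined, so if HandleProtocol fails on the first pass FvbProtocol (declared without an initializer in the earlier declarations hunk) is dereferenced uninitialized, and if it fails on a later pass the stale pointer from the previous FV is read; the `GetPhysicalAddress` call after the loop likewise runs without checking that the last HandleProtocol succeeded. When the walk stops on such an error the address compared against the HOB is that of an intermediate FV rather than the root, so the image is silently measured as if it came from an unmeasured FV, which alters the PCR contents instead of reporting the broken handle chain. Check Status inside the loop before reading ParentHandle and return it, matching the existing `return Status` after GetPhysicalAddress; the loop condition can then be `while (TempHandle != NULL)`. DxeTpmMeasureBootHandler starts and ends outside the hunk.
```c
      TempHandle = Handle;
      do {
        Status = gBS->HandleProtocol (
                        TempHandle,
                        &gEfiFirmwareVolumeBlockProtocolGuid,
                        (VOID **) &FvbProtocol
                        );
        if (EFI_ERROR (Status)) {
          //
          // Broken FVB parent chain: report it rather than reading
          // ParentHandle through an uninitialized or stale FvbProtocol.
          //
          return Status;
        }
        TempHandle = FvbProtocol->ParentHandle;
      } while (TempHandle != NULL);
      // ... unchanged: GetPhysicalAddress lookup and measured-FV HOB search ...
```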
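Review bot: `GuidHob = NULL;` in the constructor hunk is a dead store: the next statement assigns `GuidHob = GetFirstGuidHob (&gMeasuredFvHobGuid);`, so the separate NULL store and the blank lines around it only add noise and should be dropped. The purpose of the lookup is also undocumented; suggest `// Locate the measured-FV GUID HOB so DxeTpmMeasureBootHandler can match image-source FVs against it; mMeasuredHobData stays NULL when no such HOB exists` above the GetFirstGuidHob call. The constructor continues past the end of the hunk.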