From: czhang46 Date: Thu, 13 Sep 2012 08:34:32 +0000 (+0000) Subject: Add ImageAuthenticationStatusLib to SAP to check Authentication Status returned from X-Git-Tag: edk2-stable201903~13051 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=d0043e49ffcfe020a8e934e1203a25561e94b0a5 Add ImageAuthenticationStatusLib to SAP to check Authentication Status returned from Section Extraction Protocol Signed-off-by: Chao Zhang Reviewed-by : Gao Liming git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13729 6f19259b-4bc3-4df7-8a09-765794883524
---
diff --git a/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
new file mode 100644
index 0000000000..9d3103639c
--- /dev/null
+++ b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.c
@@ -0,0 +1,76 @@
+/** @file
+ Implement image authentication status check in UEFI2.3.1.
+
+Copyright (c) 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include
+#include
+
+
+/**
+ Check image authentication status returned from Section Extraction Protocol
+
+ @param[in] AuthenticationStatus This is the authentication status returned from
+ the Section Extraction Protocol when reading the input file.
+ @param[in] File This is a pointer to the device path of the file that is
+ being dispatched. This will optionally be used for logging.
+ @param[in] FileBuffer File buffer matches the input file device path.
+ @param[in] FileSize Size of File buffer matches the input file device path.
+ @param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
+
+ @retval EFI_SUCCESS The input file specified by File did authenticate, and the
+ platform policy dictates that the DXE Core may use File.
+ @retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
+ authenticate, and the platform policy dictates that the DXE
+ Foundation many not use File.
+
+**/
+EFI_STATUS
+EFIAPI
+DxeImageAuthenticationStatusHandler (
+ IN UINT32 AuthenticationStatus,
+ IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
+ IN VOID *FileBuffer,
+ IN UINTN FileSize,
+ IN BOOLEAN BootPolicy
+ )
+{
+ if (AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) {
+ if (AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) {
+ return EFI_ACCESS_DENIED;
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+
+/**
+ Register image authenticaion status check handler.
+
+ @param ImageHandle ImageHandle of the loaded driver.
+ @param SystemTable Pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS The handlers were registered successfully.
+**/
+EFI_STATUS
+EFIAPI
+DxeImageAuthenticationStatusLibConstructor (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ return RegisterSecurity2Handler (
+ DxeImageAuthenticationStatusHandler,
+ EFI_AUTH_OPERATION_AUTHENTICATION_STATE
+ );
+}
diff --git a/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.inf b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.inf
new file mode 100644
index 0000000000..43608007e9
--- /dev/null
+++ b/SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.inf
@@ -0,0 +1,39 @@
+## @file
+# The library instance provides security service of image authentication
+# status check in UEFI2.3.1.
+# Authentication Status Library module supports UEFI2.3.1
+#
+# Copyright (c) 2012, Intel Corporation. All rights reserved.
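Review bot: DxeImageAuthenticationStatusHandler returns EFI_SUCCESS for every status in which EFI_AUTH_STATUS_IMAGE_SIGNED is clear, yet its header documents EFI_SUCCESS as "the input file specified by File did authenticate". A section that was never authenticated therefore gets the same result as one that verified, and so would a status carrying EFI_AUTH_STATUS_TEST_FAILED without the signed bit, if any extraction handler can report that (not visible in this commit). The pass-through should be stated where the decision is made, e.g. `// Only a section marked signed that failed or skipped its test is rejected; unsigned sections are not judged by this handler.`, and the @retval EFI_SUCCESS text reworded to match. The two bit tests would also read more clearly as explicit comparisons, `(AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0`.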
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = DxeImageAuthenticationStatusLib
+ FILE_GUID = EB92D1DE-7C36-4680-BB88-A67E96049F72
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SAL_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+ CONSTRUCTOR = DxeImageAuthenticationStatusLibConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC
+#
+
+[Sources]
+ DxeImageAuthenticationStatusLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ SecurityManagementLib
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 4ef646ade7..5f3b8d709f 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -88,6 +88,7 @@
 SecurityPkg/VariableAuthenticated/Pei/VariablePei.inf
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf
+ SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.inf
 SecurityPkg/UserIdentification/UserIdentifyManagerDxe/UserIdentifyManagerDxe.inf
 SecurityPkg/UserIdentification/UserProfileManagerDxe/UserProfileManagerDxe.inf
 SecurityPkg/UserIdentification/PwdCredentialProviderDxe/PwdCredentialProviderDxe.inf
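Review bot: DxeImageAuthenticationStatusLib.inf declares a NULL-class instance whose only effect is its CONSTRUCTOR, so the status check exists only in a module that a platform explicitly links this library into, and nothing in the file header says which module that must be. The SecurityPkg.dsc hunk appears to add the .inf only to the package's build list, so building the package does not by itself put the handler in the boot path. I would add a header comment along the lines of `# Link as a NULL library instance into the module that dispatches the SecurityManagementLib handlers; the check is inactive otherwise.`; the exact module is not visible in this commit and should be confirmed.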