From 2ed845b3c3cd4dd9f4b0b3cf259ad5f92e28cb6c Mon Sep 17 00:00:00 2001 From: "Xu, Wei6" Date: Fri, 10 Jan 2020 13:34:54 +0800 Subject: [PATCH] FmdDevicePkg/FmpDxe: Support Fmp Capsule Dependency. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2421 Capsule Dependency is an incremental change of Fmp Capsule Update. The capsule format is extended to include a set of binary encoded dependency expression. The dependency expression is signed together with the Fmp payload and evaluated before update is applied. This feature is defined in UEFI Spec 2.8. The dependency evaluation has two steps: 1. Validate platform existing Fmp images' version satisfy the dependency expression in capsule image. 2. Validate the capsule image version satisfy all the platform existing Fmp image's dependency expression. If the dependency expression evaluates to FALSE, then the capsule update fails and last attempt status is set to LAST_ATTEMPT_STATUS_ERROR_UNSATISFIED_DEPENDENCIES. The dependency saving and getting is FmpDeviceLib implementation scope. The parameter "Image" of FmpDeviceSetImage and FmpDeviceGetImage function is extended to contain the dependency. The layout: +--------------------------+ | Dependency Op-codes | +--------------------------+ | Fmp Payload Image | +--------------------------+ 1. FmpDeviceSetImage is responsible for retrieving the dependency from the parameter "Image" and saving it to a protected storage. 2. FmpDeviceGetImage is responsible for retrieving the dependency from the storage where FmpDeviceSetImage saves dependency and combining it with the Fmp Payload Image into one buffer which is returned to the caller. This dependency will be populated into EFI_FIRMWARE_IMAGE_DESCRIPTOR and used for dependency evaluation. 3. FmpDeviceGetAttributes must set the bit IMAGE_ATTRIBUTE_DEPENDENCY to indicate the Fmp device supports Fmp Capsule Dependency feature. Cc: Michael D Kinney Cc: Liming Gao Signed-off-by: Wei6 Xu Reviewed-by: Liming Gao --- FmpDevicePkg/FmpDxe/Dependency.c | 679 ++++++++++++++++++++++++++++++ FmpDevicePkg/FmpDxe/Dependency.h | 63 +++ FmpDevicePkg/FmpDxe/FmpDxe.c | 238 ++++++++++- FmpDevicePkg/FmpDxe/FmpDxe.inf | 4 +- FmpDevicePkg/FmpDxe/FmpDxeLib.inf | 4 +- 5 files changed, 972 insertions(+), 16 deletions(-) create mode 100644 FmpDevicePkg/FmpDxe/Dependency.c create mode 100644 FmpDevicePkg/FmpDxe/Dependency.h diff --git a/FmpDevicePkg/FmpDxe/Dependency.c b/FmpDevicePkg/FmpDxe/Dependency.c new file mode 100644 index 0000000000..b63a36b989 --- /dev/null +++ b/FmpDevicePkg/FmpDxe/Dependency.c @@ -0,0 +1,679 @@ +/** @file + Supports Capsule Dependency Expression. + + Copyright (c) 2020, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include "FmpDxe.h" +#include "Dependency.h" + +// +// Define the initial size of the dependency expression evaluation stack +// +#define DEPEX_STACK_SIZE_INCREMENT 0x1000 + +// +// Type of stack element +// +typedef enum { + BooleanType, + VersionType +} ELEMENT_TYPE; + +// +// Value of stack element +// +typedef union { + BOOLEAN Boolean; + UINT32 Version; +} ELEMENT_VALUE; + +// +// Stack element used to evaluate dependency expressions +// +typedef struct { + ELEMENT_VALUE Value; + ELEMENT_TYPE Type; +} DEPEX_ELEMENT; + +// +// Global variable used to support dependency evaluation +// +UINTN mNumberOfFmpInstance = 0; +EFI_FIRMWARE_IMAGE_DESCRIPTOR **mFmpImageInfoBuf = NULL; + +// +// Indicates the status of dependency check, default value is DEPENDENCIES_SATISFIED. +// +UINT8 mDependenciesCheckStatus = DEPENDENCIES_SATISFIED; + +// +// Global stack used to evaluate dependency expressions +// +DEPEX_ELEMENT *mDepexEvaluationStack = NULL; +DEPEX_ELEMENT *mDepexEvaluationStackEnd = NULL; +DEPEX_ELEMENT *mDepexEvaluationStackPointer = NULL; + +/** + Grow size of the Depex stack + + @retval EFI_SUCCESS Stack successfully growed. + @retval EFI_OUT_OF_RESOURCES There is not enough system memory to grow the stack. + +**/ +EFI_STATUS +GrowDepexStack ( + VOID + ) +{ + DEPEX_ELEMENT *NewStack; + UINTN Size; + + Size = DEPEX_STACK_SIZE_INCREMENT; + if (mDepexEvaluationStack != NULL) { + Size = Size + (mDepexEvaluationStackEnd - mDepexEvaluationStack); + } + + NewStack = AllocatePool (Size * sizeof (DEPEX_ELEMENT)); + if (NewStack == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + if (mDepexEvaluationStack != NULL) { + // + // Copy to Old Stack to the New Stack + // + CopyMem ( + NewStack, + mDepexEvaluationStack, + (mDepexEvaluationStackEnd - mDepexEvaluationStack) * sizeof (DEPEX_ELEMENT) + ); + + // + // Free The Old Stack + // + FreePool (mDepexEvaluationStack); + } + + // + // Make the Stack pointer point to the old data in the new stack + // + mDepexEvaluationStackPointer = NewStack + (mDepexEvaluationStackPointer - mDepexEvaluationStack); + mDepexEvaluationStack = NewStack; + mDepexEvaluationStackEnd = NewStack + Size; + + return EFI_SUCCESS; +} + +/** + Push an element onto the Stack. + + @param[in] Value Value to push. + @param[in] Type Element Type + + @retval EFI_SUCCESS The value was pushed onto the stack. + @retval EFI_OUT_OF_RESOURCES There is not enough system memory to grow the stack. + @retval EFI_INVALID_PARAMETER Wrong stack element type. + +**/ +EFI_STATUS +Push ( + IN UINT32 Value, + IN UINTN Type + ) +{ + EFI_STATUS Status; + DEPEX_ELEMENT Element; + + // + // Check Type + // + if (Type != BooleanType && Type != VersionType) { + return EFI_INVALID_PARAMETER; + } + + // + // Check for a stack overflow condition + // + if (mDepexEvaluationStackPointer == mDepexEvaluationStackEnd) { + // + // Grow the stack + // + Status = GrowDepexStack (); + if (EFI_ERROR (Status)) { + return Status; + } + } + + Element.Value.Version = Value; + Element.Type = Type; + + // + // Push the item onto the stack + // + *mDepexEvaluationStackPointer = Element; + mDepexEvaluationStackPointer++; + + return EFI_SUCCESS; +} + + +/** + Pop an element from the stack. + + @param[in] Value Element to pop. + @param[in] Type Type of element. + + @retval EFI_SUCCESS The value was popped onto the stack. + @retval EFI_ACCESS_DENIED The pop operation underflowed the stack. + @retval EFI_INVALID_PARAMETER Type is mismatched. + +**/ +EFI_STATUS +Pop ( + OUT DEPEX_ELEMENT *Element, + IN ELEMENT_TYPE Type + ) +{ + // + // Check for a stack underflow condition + // + if (mDepexEvaluationStackPointer == mDepexEvaluationStack) { + return EFI_ACCESS_DENIED; + } + + // + // Pop the item off the stack + // + mDepexEvaluationStackPointer--; + *Element = *mDepexEvaluationStackPointer; + if ((*Element).Type != Type) { + return EFI_INVALID_PARAMETER; + } + return EFI_SUCCESS; +} + +/** + Evaluate the dependencies. + + @param[in] Dependencies Dependency expressions. + @param[in] DependenciesSize Size of Dependency expressions. + + @retval TRUE Dependency expressions evaluate to TRUE. + @retval FALSE Dependency expressions evaluate to FALSE. + +**/ +BOOLEAN +EvaluateDependencies ( + IN CONST EFI_FIRMWARE_IMAGE_DEP * Dependencies, + IN CONST UINTN DependenciesSize + ) +{ + EFI_STATUS Status; + UINT8 *Iterator; + UINT8 Index; + DEPEX_ELEMENT Element1; + DEPEX_ELEMENT Element2; + GUID ImageTypeId; + UINT32 Version; + + if (Dependencies == NULL || DependenciesSize == 0) { + return FALSE; + } + + // + // Clean out memory leaks in Depex Boolean stack. Leaks are only caused by + // incorrectly formed DEPEX expressions + // + mDepexEvaluationStackPointer = mDepexEvaluationStack; + + Iterator = (UINT8 *) Dependencies->Dependencies; + while (Iterator < (UINT8 *) Dependencies->Dependencies + DependenciesSize) { + switch (*Iterator) + { + case EFI_FMP_DEP_PUSH_GUID: + if (Iterator + sizeof (EFI_GUID) >= (UINT8 *) Dependencies->Dependencies + DependenciesSize) { + Status = EFI_INVALID_PARAMETER; + goto Error; + } + + CopyGuid (&ImageTypeId, (EFI_GUID *) (Iterator + 1)); + Iterator = Iterator + sizeof (EFI_GUID); + + for (Index = 0; Index < mNumberOfFmpInstance; Index ++){ + if (mFmpImageInfoBuf[Index] == NULL) { + continue; + } + if(CompareGuid (&mFmpImageInfoBuf[Index]->ImageTypeId, &ImageTypeId)){ + Status = Push (mFmpImageInfoBuf[Index]->Version, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + } + } + if (Index == mNumberOfFmpInstance) { + Status = EFI_NOT_FOUND; + goto Error; + } + break; + case EFI_FMP_DEP_PUSH_VERSION: + if (Iterator + sizeof (UINT32) >= (UINT8 *) Dependencies->Dependencies + DependenciesSize ) { + Status = EFI_INVALID_PARAMETER; + goto Error; + } + + Version = *(UINT32 *) (Iterator + 1); + Status = Push (Version, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Iterator = Iterator + sizeof (UINT32); + break; + case EFI_FMP_DEP_VERSION_STR: + Iterator += AsciiStrnLenS ((CHAR8 *) Iterator, DependenciesSize - (Iterator - Dependencies->Dependencies)); + break; + case EFI_FMP_DEP_AND: + Status = Pop (&Element1, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Pop (&Element2, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Push (Element1.Value.Boolean & Element2.Value.Boolean, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_OR: + Status = Pop (&Element1, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Pop(&Element2, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Push (Element1.Value.Boolean | Element2.Value.Boolean, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_NOT: + Status = Pop (&Element1, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Push (!(Element1.Value.Boolean), BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_TRUE: + Status = Push (TRUE, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_FALSE: + Status = Push (FALSE, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_EQ: + Status = Pop (&Element1, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Pop (&Element2, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = (Element1.Value.Version == Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_GT: + Status = Pop (&Element1, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Pop (&Element2, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = (Element1.Value.Version > Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_GTE: + Status = Pop (&Element1, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Pop (&Element2, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = (Element1.Value.Version >= Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_LT: + Status = Pop (&Element1, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Pop (&Element2, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = (Element1.Value.Version < Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_LTE: + Status = Pop (&Element1, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = Pop (&Element2, VersionType); + if (EFI_ERROR (Status)) { + goto Error; + } + Status = (Element1.Value.Version <= Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + break; + case EFI_FMP_DEP_END: + Status = Pop (&Element1, BooleanType); + if (EFI_ERROR (Status)) { + goto Error; + } + return Element1.Value.Boolean; + default: + Status = EFI_INVALID_PARAMETER; + goto Error; + } + Iterator++; + } + +Error: + + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): EvaluateDependencies() - RESULT = FALSE (Status = %r)\n", mImageIdName, Status)); + return FALSE; +} + +/** + Validate the dependency expression and output its size. + + @param[in] ImageDepex Pointer to the EFI_FIRMWARE_IMAGE_DEP. + @param[in] MaxDepexSize Max size of the dependency. + @param[out] DepexSize Size of dependency. + + @retval TRUE The capsule is valid. + @retval FALSE The capsule is invalid. + +**/ +BOOLEAN +ValidateImageDepex ( + IN EFI_FIRMWARE_IMAGE_DEP *ImageDepex, + IN CONST UINTN MaxDepexSize, + OUT UINT32 *DepexSize + ) +{ + UINT8 *Depex; + + *DepexSize = 0; + Depex = ImageDepex->Dependencies; + while (Depex < ImageDepex->Dependencies + MaxDepexSize) { + switch (*Depex) + { + case EFI_FMP_DEP_PUSH_GUID: + Depex += sizeof (EFI_GUID) + 1; + break; + case EFI_FMP_DEP_PUSH_VERSION: + Depex += sizeof (UINT32) + 1; + break; + case EFI_FMP_DEP_VERSION_STR: + Depex += AsciiStrnLenS ((CHAR8 *) Depex, ImageDepex->Dependencies + MaxDepexSize - Depex) + 1; + break; + case EFI_FMP_DEP_AND: + case EFI_FMP_DEP_OR: + case EFI_FMP_DEP_NOT: + case EFI_FMP_DEP_TRUE: + case EFI_FMP_DEP_FALSE: + case EFI_FMP_DEP_EQ: + case EFI_FMP_DEP_GT: + case EFI_FMP_DEP_GTE: + case EFI_FMP_DEP_LT: + case EFI_FMP_DEP_LTE: + Depex += 1; + break; + case EFI_FMP_DEP_END: + Depex += 1; + *DepexSize = (UINT32)(Depex - ImageDepex->Dependencies); + return TRUE; + default: + return FALSE; + } + } + + return FALSE; +} + + +/** + Get the size of dependencies. Assume the dependencies is validated before + calling this function. + + @param[in] Dependencies Pointer to the EFI_FIRMWARE_IMAGE_DEP. + + @retval The size of dependencies. + +**/ +UINTN +GetDepexSize ( + IN CONST EFI_FIRMWARE_IMAGE_DEP *Dependencies + ) +{ + UINTN Index; + + if (Dependencies == NULL) { + return 0; + } + + Index = 0; + while (Dependencies->Dependencies[Index] != EFI_FMP_DEP_END) { + Index ++; + } + + return Index + 1; +} + +/** + Check dependency for firmware update. + + @param[in] ImageTypeId Image Type Id. + @param[in] Version New version. + @param[in] Dependencies The dependencies. + @param[in] DependenciesSize Size of the dependencies + @param[out] IsSatisfied Indicate the dependencies is satisfied or not. + + @retval EFI_SUCCESS Dependency Evaluation is successful. + @retval Others Dependency Evaluation fails with unexpected error. + +**/ +EFI_STATUS +EvaluateImageDependencies ( + IN CONST EFI_GUID ImageTypeId, + IN CONST UINT32 Version, + IN CONST EFI_FIRMWARE_IMAGE_DEP *Dependencies, + IN CONST UINT32 DependenciesSize, + OUT BOOLEAN *IsSatisfied + ) +{ + EFI_STATUS Status; + EFI_HANDLE *HandleBuffer; + UINTN Index; + EFI_FIRMWARE_MANAGEMENT_PROTOCOL *Fmp; + UINTN ImageInfoSize; + UINT32 FmpImageInfoDescriptorVer; + UINT8 FmpImageInfoCount; + UINTN DescriptorSize; + UINT32 PackageVersion; + CHAR16 *PackageVersionName; + UINTN DepexSize; + + *IsSatisfied = TRUE; + PackageVersionName = NULL; + + // + // Get ImageDescriptors of all FMP instances, and archive them for depex evaluation. + // + Status = gBS->LocateHandleBuffer ( + ByProtocol, + &gEfiFirmwareManagementProtocolGuid, + NULL, + &mNumberOfFmpInstance, + &HandleBuffer + ); + if (EFI_ERROR (Status)) { + return EFI_ABORTED; + } + + mFmpImageInfoBuf = AllocatePool (sizeof(EFI_FIRMWARE_IMAGE_DESCRIPTOR *) * mNumberOfFmpInstance); + if (mFmpImageInfoBuf == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + for (Index = 0; Index < mNumberOfFmpInstance; Index ++) { + Status = gBS->HandleProtocol ( + HandleBuffer[Index], + &gEfiFirmwareManagementProtocolGuid, + (VOID **) &Fmp + ); + if (EFI_ERROR(Status)) { + continue; + } + + ImageInfoSize = 0; + Status = Fmp->GetImageInfo ( + Fmp, + &ImageInfoSize, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL + ); + if (Status != EFI_BUFFER_TOO_SMALL) { + continue; + } + + mFmpImageInfoBuf[Index] = AllocateZeroPool (ImageInfoSize); + if (mFmpImageInfoBuf[Index] == NULL) { + continue; + } + + Status = Fmp->GetImageInfo ( + Fmp, + &ImageInfoSize, // ImageInfoSize + mFmpImageInfoBuf[Index], // ImageInfo + &FmpImageInfoDescriptorVer, // DescriptorVersion + &FmpImageInfoCount, // DescriptorCount + &DescriptorSize, // DescriptorSize + &PackageVersion, // PackageVersion + &PackageVersionName // PackageVersionName + ); + if (EFI_ERROR(Status)) { + FreePool (mFmpImageInfoBuf[Index]); + mFmpImageInfoBuf[Index] = NULL; + continue; + } + + if (PackageVersionName != NULL) { + FreePool (PackageVersionName); + PackageVersionName = NULL; + } + } + + // + // Step 1 - Evaluate firmware image's depex, against the version of other Fmp instances. + // + if (Dependencies != NULL) { + *IsSatisfied = EvaluateDependencies (Dependencies, DependenciesSize); + } + + if (!*IsSatisfied) { + goto cleanup; + } + + // + // Step 2 - Evaluate the depex of all other Fmp instances, against the new version in + // the firmware image. + // + + // + // Update the new version to mFmpImageInfoBuf. + // + for (Index = 0; Index < mNumberOfFmpInstance; Index ++) { + if (mFmpImageInfoBuf[Index] != NULL) { + if (CompareGuid (&ImageTypeId, &mFmpImageInfoBuf[Index]->ImageTypeId)) { + mFmpImageInfoBuf[Index]->Version = Version; + break; + } + } + } + + // + // Evaluate the Dependencies one by one. + // + for (Index = 0; Index < mNumberOfFmpInstance; Index ++) { + if (mFmpImageInfoBuf[Index] != NULL) { + // + // Skip the Fmp instance to be "SetImage". + // + if (CompareGuid (&ImageTypeId, &mFmpImageInfoBuf[Index]->ImageTypeId)) { + continue; + } + if ((mFmpImageInfoBuf[Index]->AttributesSupported & IMAGE_ATTRIBUTE_DEPENDENCY) && + mFmpImageInfoBuf[Index]->Dependencies != NULL) { + // + // Get the size of depex. + // Assume that the dependencies in EFI_FIRMWARE_IMAGE_DESCRIPTOR is validated when PopulateDescriptor(). + // + DepexSize = GetDepexSize (mFmpImageInfoBuf[Index]->Dependencies); + if (DepexSize > 0) { + *IsSatisfied = EvaluateDependencies (mFmpImageInfoBuf[Index]->Dependencies, DepexSize); + if (!*IsSatisfied) { + break; + } + } + } + } + } + +cleanup: + if (mFmpImageInfoBuf != NULL) { + for (Index = 0; Index < mNumberOfFmpInstance; Index ++) { + if (mFmpImageInfoBuf[Index] != NULL) { + FreePool (mFmpImageInfoBuf[Index]); + } + } + FreePool (mFmpImageInfoBuf); + } + + return EFI_SUCCESS; +} diff --git a/FmpDevicePkg/FmpDxe/Dependency.h b/FmpDevicePkg/FmpDxe/Dependency.h new file mode 100644 index 0000000000..a2aaaceeae --- /dev/null +++ b/FmpDevicePkg/FmpDxe/Dependency.h @@ -0,0 +1,63 @@ +/** @file + Fmp Capsule Dependency support functions for Firmware Management Protocol based + firmware updates. + + Copyright (c) 2020, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __DEPENDENCY_H__ +#define __DEPENDENCY_H__ + +#include +#include + +#define DEPENDENCIES_SATISFIED 0 +#define DEPENDENCIES_UNSATISFIED 1 +#define DEPENDENCIES_INVALID 2 + +extern UINT8 mDependenciesCheckStatus; + +/** + Validate the dependency expression and output its size. + + @param[in] ImageDepex Pointer to the EFI_FIRMWARE_IMAGE_DEP. + @param[in] MaxDepexSize Max size of the dependency. + @param[out] DepexSize Size of dependency. + + @retval TRUE The capsule is valid. + @retval FALSE The capsule is invalid. + +**/ +BOOLEAN +ValidateImageDepex ( + IN EFI_FIRMWARE_IMAGE_DEP *ImageDepex, + IN CONST UINTN MaxDepexSize, + OUT UINT32 *DepexSize + ); + +/** + Check dependency for firmware update. + + @param[in] ImageTypeId Image Type Id. + @param[in] Version New version. + @param[in] Dependencies The dependencies. + @param[in] DepexSize Size of the dependencies + @param[out] IsSatisfied Indicate the dependencies is satisfied or not. + + @retval EFI_SUCCESS Dependency Evaluation is successful. + @retval Others Dependency Evaluation fails with unexpected error. + +**/ +EFI_STATUS +EvaluateImageDependencies ( + IN CONST EFI_GUID ImageTypeId, + IN CONST UINT32 Version, + IN CONST EFI_FIRMWARE_IMAGE_DEP *Dependencies, + IN CONST UINT32 DependenciesSize, + OUT BOOLEAN *IsSatisfied + ); + +#endif diff --git a/FmpDevicePkg/FmpDxe/FmpDxe.c b/FmpDevicePkg/FmpDxe/FmpDxe.c index fe465af11e..aa92331966 100644 --- a/FmpDevicePkg/FmpDxe/FmpDxe.c +++ b/FmpDevicePkg/FmpDxe/FmpDxe.c @@ -4,7 +4,7 @@ information provided through PCDs and libraries. Copyright (c) 2016, Microsoft Corporation. All rights reserved.
- Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
+ Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent @@ -12,6 +12,7 @@ #include "FmpDxe.h" #include "VariableSupport.h" +#include "Dependency.h" /// /// FILE_GUID from FmpDxe.inf. When FmpDxe.inf is used in a platform, the @@ -275,6 +276,13 @@ PopulateDescriptor ( ) { EFI_STATUS Status; + VOID *Image; + UINTN ImageSize; + BOOLEAN IsDepexValid; + UINT32 DepexSize; + + Image = NULL; + ImageSize = 0; if (Private->DescriptorPopulated) { return; @@ -378,7 +386,47 @@ PopulateDescriptor ( Private->Descriptor.LastAttemptVersion = GetLastAttemptVersionFromVariable (Private); Private->Descriptor.LastAttemptStatus = GetLastAttemptStatusFromVariable (Private); + // + // Get the dependency from the FmpDeviceLib and populate it to the descriptor. + // + Private->Descriptor.Dependencies = NULL; + + // + // Check the attribute IMAGE_ATTRIBUTE_DEPENDENCY + // + if (Private->Descriptor.AttributesSupported & IMAGE_ATTRIBUTE_DEPENDENCY) { + // + // The parameter "Image" of FmpDeviceGetImage() is extended to contain the dependency. + // Get the dependency from the Image. + // + ImageSize = Private->Descriptor.Size; + Image = AllocatePool (ImageSize); + if (Image != NULL) { + Status = FmpDeviceGetImage (Image, &ImageSize); + if (Status == EFI_BUFFER_TOO_SMALL) { + FreePool (Image); + Image = AllocatePool (ImageSize); + if (Image != NULL) { + Status = FmpDeviceGetImage (Image, &ImageSize); + } + } + } + if (!EFI_ERROR (Status) && Image != NULL) { + IsDepexValid = ValidateImageDepex ((EFI_FIRMWARE_IMAGE_DEP *) Image, ImageSize, &DepexSize); + if (IsDepexValid == TRUE) { + Private->Descriptor.Dependencies = AllocatePool (DepexSize); + if (Private->Descriptor.Dependencies != NULL) { + CopyMem (Private->Descriptor.Dependencies->Dependencies, Image, DepexSize); + } + } + } + } + Private->DescriptorPopulated = TRUE; + + if (Image != NULL) { + FreePool (Image); + } } /** @@ -540,12 +588,17 @@ GetTheImage ( EFI_STATUS Status; FIRMWARE_MANAGEMENT_PRIVATE_DATA *Private; UINTN Size; + UINT8 *ImageBuffer; + UINTN ImageBufferSize; + UINT32 DepexSize; if (!FeaturePcdGet (PcdFmpDeviceStorageAccessEnable)) { return EFI_UNSUPPORTED; } - Status = EFI_SUCCESS; + Status = EFI_SUCCESS; + ImageBuffer = NULL; + DepexSize = 0; // // Retrieve the private context structure @@ -575,8 +628,45 @@ GetTheImage ( if (EFI_ERROR (Status)) { Size = 0; } - if (*ImageSize < Size) { - *ImageSize = Size; + + // + // The parameter "Image" of FmpDeviceGetImage() is extended to contain the dependency. + // Get the Fmp Payload from the Image. + // + ImageBufferSize = Size; + ImageBuffer = AllocatePool (ImageBufferSize); + if (ImageBuffer == NULL) { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): GetImage() - AllocatePool fails.\n", mImageIdName)); + Status = EFI_NOT_FOUND; + goto cleanup; + } + Status = FmpDeviceGetImage (ImageBuffer, &ImageBufferSize); + if (Status == EFI_BUFFER_TOO_SMALL) { + FreePool (ImageBuffer); + ImageBuffer = AllocatePool (ImageBufferSize); + if (ImageBuffer == NULL) { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): GetImage() - AllocatePool fails.\n", mImageIdName)); + Status = EFI_NOT_FOUND; + goto cleanup; + } + Status = FmpDeviceGetImage (ImageBuffer, &ImageBufferSize); + } + if (EFI_ERROR (Status)) { + goto cleanup; + } + + // + // Check the attribute IMAGE_ATTRIBUTE_DEPENDENCY + // + if (Private->Descriptor.AttributesSetting & IMAGE_ATTRIBUTE_DEPENDENCY) { + // + // Validate the dependency to get its size. + // + ValidateImageDepex ((EFI_FIRMWARE_IMAGE_DEP *) ImageBuffer, ImageBufferSize, &DepexSize); + } + + if (*ImageSize < ImageBufferSize - DepexSize) { + *ImageSize = ImageBufferSize - DepexSize; DEBUG ((DEBUG_VERBOSE, "FmpDxe(%s): GetImage() - ImageSize is to small.\n", mImageIdName)); Status = EFI_BUFFER_TOO_SMALL; goto cleanup; @@ -588,8 +678,17 @@ GetTheImage ( goto cleanup; } - Status = FmpDeviceGetImage (Image, ImageSize); + // + // Image is after the dependency expression. + // + *ImageSize = ImageBufferSize - DepexSize; + CopyMem (Image, ImageBuffer + DepexSize, *ImageSize); + Status = EFI_SUCCESS; + cleanup: + if (ImageBuffer != NULL) { + FreePool (ImageBuffer); + } return Status; } @@ -710,6 +809,10 @@ CheckTheImage ( UINTN PublicKeyDataLength; UINT8 *PublicKeyDataXdr; UINT8 *PublicKeyDataXdrEnd; + EFI_FIRMWARE_IMAGE_DEP *Dependencies; + UINT32 DependenciesSize; + BOOLEAN IsDepexValid; + BOOLEAN IsDepexSatisfied; Status = EFI_SUCCESS; RawSize = 0; @@ -718,6 +821,8 @@ CheckTheImage ( Version = 0; FmpHeaderSize = 0; AllHeaderSize = 0; + Dependencies = NULL; + DependenciesSize = 0; if (!FeaturePcdGet (PcdFmpDeviceStorageAccessEnable)) { return EFI_UNSUPPORTED; @@ -842,10 +947,33 @@ CheckTheImage ( } Status = GetFmpPayloadHeaderVersion (FmpPayloadHeader, FmpPayloadSize, &Version); if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "FmpDxe(%s): CheckTheImage() - GetFmpPayloadHeaderVersion failed %r.\n", mImageIdName, Status)); - *ImageUpdatable = IMAGE_UPDATABLE_INVALID; - Status = EFI_SUCCESS; - goto cleanup; + // + // Check if there is dependency expression + // + IsDepexValid = ValidateImageDepex ((EFI_FIRMWARE_IMAGE_DEP*) FmpPayloadHeader, FmpPayloadSize, &DependenciesSize); + if (IsDepexValid && (DependenciesSize < FmpPayloadSize)) { + // + // Fmp payload is after dependency expression + // + Dependencies = (EFI_FIRMWARE_IMAGE_DEP*) FmpPayloadHeader; + FmpPayloadHeader = (UINT8 *) Dependencies + DependenciesSize; + FmpPayloadSize = FmpPayloadSize - DependenciesSize; + Status = GetFmpPayloadHeaderVersion (FmpPayloadHeader, FmpPayloadSize, &Version); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): CheckTheImage() - GetFmpPayloadHeaderVersion failed %r.\n", mImageIdName, Status)); + *ImageUpdatable = IMAGE_UPDATABLE_INVALID; + Status = EFI_SUCCESS; + goto cleanup; + } + } else { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): CheckTheImage() - Dependency is invalid.\n", mImageIdName)); + mDependenciesCheckStatus = DEPENDENCIES_INVALID; + *ImageUpdatable = IMAGE_UPDATABLE_INVALID; + Status = EFI_SUCCESS; + goto cleanup; + } + } else { + DEBUG ((DEBUG_WARN, "FmpDxe(%s): CheckTheImage() - No dependency associated in image.\n", mImageIdName)); } // @@ -862,6 +990,22 @@ CheckTheImage ( goto cleanup; } + // + // Evaluate dependency expression + // + Status = EvaluateImageDependencies (Private->Descriptor.ImageTypeId, Version, Dependencies, DependenciesSize, &IsDepexSatisfied); + if (!IsDepexSatisfied || EFI_ERROR (Status)) { + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): CheckTheImage() - Dependency check failed %r.\n", mImageIdName, Status)); + } else { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): CheckTheImage() - Dependency is not satisfied.\n", mImageIdName)); + } + mDependenciesCheckStatus = DEPENDENCIES_UNSATISFIED; + *ImageUpdatable = IMAGE_UPDATABLE_INVALID; + Status = EFI_SUCCESS; + goto cleanup; + } + // // Get the FmpHeaderSize so we can determine the real payload size // @@ -877,7 +1021,7 @@ CheckTheImage ( // Call FmpDevice Lib Check Image on the // Raw payload. So all headers need stripped off // - AllHeaderSize = GetAllHeaderSize ( (EFI_FIRMWARE_IMAGE_AUTHENTICATION *)Image, FmpHeaderSize ); + AllHeaderSize = GetAllHeaderSize ( (EFI_FIRMWARE_IMAGE_AUTHENTICATION *)Image, FmpHeaderSize + DependenciesSize); if (AllHeaderSize == 0) { DEBUG ((DEBUG_ERROR, "FmpDxe(%s): CheckTheImage() - GetAllHeaderSize failed.\n", mImageIdName)); Status = EFI_ABORTED; @@ -967,6 +1111,11 @@ SetTheImage ( UINT32 LastAttemptStatus; UINT32 Version; UINT32 LowestSupportedVersion; + EFI_FIRMWARE_IMAGE_DEP *Dependencies; + UINT32 DependenciesSize; + BOOLEAN IsDepexValid; + UINT8 *ImageBuffer; + UINTN ImageBufferSize; Status = EFI_SUCCESS; Updateable = 0; @@ -975,8 +1124,12 @@ SetTheImage ( FmpHeader = NULL; FmpPayloadSize = 0; AllHeaderSize = 0; - IncomingFwVersion = 0; + IncomingFwVersion = 0; LastAttemptStatus = LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL; + Dependencies = NULL; + DependenciesSize = 0; + ImageBuffer = NULL; + ImageBufferSize = 0; if (!FeaturePcdGet (PcdFmpDeviceStorageAccessEnable)) { return EFI_UNSUPPORTED; @@ -1008,6 +1161,11 @@ SetTheImage ( goto cleanup; } + // + // Set check status to satisfied before CheckTheImage() + // + mDependenciesCheckStatus = DEPENDENCIES_SATISFIED; + // // Call check image to verify the image // @@ -1031,6 +1189,21 @@ SetTheImage ( goto cleanup; } Status = GetFmpPayloadHeaderVersion (FmpHeader, FmpPayloadSize, &IncomingFwVersion); + if (EFI_ERROR (Status)) { + // + // Check if there is dependency expression + // + IsDepexValid = ValidateImageDepex ((EFI_FIRMWARE_IMAGE_DEP*) FmpHeader, FmpPayloadSize, &DependenciesSize); + if (IsDepexValid && (DependenciesSize < FmpPayloadSize)) { + // + // Fmp payload is after dependency expression + // + Dependencies = (EFI_FIRMWARE_IMAGE_DEP*) FmpHeader; + FmpHeader = (UINT8 *) FmpHeader + DependenciesSize; + FmpPayloadSize = FmpPayloadSize - DependenciesSize; + Status = GetFmpPayloadHeaderVersion (FmpHeader, FmpPayloadSize, &IncomingFwVersion); + } + } if (!EFI_ERROR (Status)) { // // Set to actual value @@ -1045,6 +1218,11 @@ SetTheImage ( "FmpDxe(%s): SetTheImage() - Check The Image returned that the Image was not valid for update. Updatable value = 0x%X.\n", mImageIdName, Updateable) ); + if (mDependenciesCheckStatus == DEPENDENCIES_UNSATISFIED) { + LastAttemptStatus = LAST_ATTEMPT_STATUS_ERROR_UNSATISFIED_DEPENDENCIES; + } else if (mDependenciesCheckStatus == DEPENDENCIES_INVALID) { + LastAttemptStatus = LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT; + } Status = EFI_ABORTED; goto cleanup; } @@ -1138,13 +1316,41 @@ SetTheImage ( goto cleanup; } - AllHeaderSize = GetAllHeaderSize ( (EFI_FIRMWARE_IMAGE_AUTHENTICATION *)Image, FmpHeaderSize ); + AllHeaderSize = GetAllHeaderSize ((EFI_FIRMWARE_IMAGE_AUTHENTICATION *)Image, FmpHeaderSize + DependenciesSize); if (AllHeaderSize == 0) { DEBUG ((DEBUG_ERROR, "FmpDxe(%s): SetTheImage() - GetAllHeaderSize failed.\n", mImageIdName)); Status = EFI_ABORTED; goto cleanup; } + // + // Check the attribute IMAGE_ATTRIBUTE_DEPENDENCY + // + if (Private->Descriptor.AttributesSetting & IMAGE_ATTRIBUTE_DEPENDENCY) { + // + // To support saving dependency, extend param "Image" of FmpDeviceSetImage() to + // contain the dependency inside. FmpDeviceSetImage() is responsible for saving + // the dependency which can be used for future dependency check. + // + ImageBufferSize = DependenciesSize + ImageSize - AllHeaderSize; + ImageBuffer = AllocatePool (ImageBufferSize); + if (ImageBuffer == NULL) { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): SetTheImage() - AllocatePool failed.\n", mImageIdName)); + Status = EFI_ABORTED; + goto cleanup; + } + CopyMem (ImageBuffer, Dependencies->Dependencies, DependenciesSize); + CopyMem (ImageBuffer + DependenciesSize, (UINT8 *)Image + AllHeaderSize, ImageBufferSize - DependenciesSize); + } else { + ImageBufferSize = ImageSize - AllHeaderSize; + ImageBuffer = AllocateCopyPool(ImageBufferSize, (UINT8 *)Image + AllHeaderSize); + if (ImageBuffer == NULL) { + DEBUG ((DEBUG_ERROR, "FmpDxe(%s): SetTheImage() - AllocatePool failed.\n", mImageIdName)); + Status = EFI_ABORTED; + goto cleanup; + } + } + // // Indicate that control is handed off to FmpDeviceLib // @@ -1154,8 +1360,8 @@ SetTheImage ( //Copy the requested image to the firmware using the FmpDeviceLib // Status = FmpDeviceSetImage ( - (((UINT8 *)Image) + AllHeaderSize), - ImageSize - AllHeaderSize, + ImageBuffer, + ImageBufferSize, VendorCode, FmpDxeProgress, IncomingFwVersion, @@ -1192,6 +1398,10 @@ SetTheImage ( LastAttemptStatus = LAST_ATTEMPT_STATUS_SUCCESS; cleanup: + if (ImageBuffer != NULL) { + FreePool (ImageBuffer); + } + mProgressFunc = NULL; SetLastAttemptStatusInVariable (Private, LastAttemptStatus); diff --git a/FmpDevicePkg/FmpDxe/FmpDxe.inf b/FmpDevicePkg/FmpDxe/FmpDxe.inf index bec73aa8fb..97b6518fa1 100644 --- a/FmpDevicePkg/FmpDxe/FmpDxe.inf +++ b/FmpDevicePkg/FmpDxe/FmpDxe.inf @@ -4,7 +4,7 @@ # information provided through PCDs and libraries. # # Copyright (c) 2016, Microsoft Corporation. All rights reserved.
-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Clause-Patent ## @@ -28,6 +28,8 @@ [Sources] FmpDxe.c FmpDxe.h + Dependency.c + Dependency.h DetectTestKey.c VariableSupport.h VariableSupport.c diff --git a/FmpDevicePkg/FmpDxe/FmpDxeLib.inf b/FmpDevicePkg/FmpDxe/FmpDxeLib.inf index edc0cd66c1..de005b6892 100644 --- a/FmpDevicePkg/FmpDxe/FmpDxeLib.inf +++ b/FmpDevicePkg/FmpDxe/FmpDxeLib.inf @@ -4,7 +4,7 @@ # information provided through PCDs and libraries. # # Copyright (c) 2016, Microsoft Corporation. All rights reserved.
-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Clause-Patent ## @@ -29,6 +29,8 @@ [Sources] FmpDxe.c FmpDxe.h + Dependency.c + Dependency.h DetectTestKey.c VariableSupport.h VariableSupport.c -- 2.39.2