tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
audk/SecurityPkg/FvReportPei/FvReportPei.inf

59 lines
1.4 KiB
INI
Raw Normal View History

SecurityPkg/FvReportPei: implement a common FV verifier and reporter https://bugzilla.tianocore.org/show_bug.cgi?id=1617 This driver implements a common checker, verifier and reporter which is independent of hardware based root-of-trust. Usually the hardware based root-of-trust will not verify all BIOS but part of it. For example, Boot Guard will only verify IBB segment. The IBB needs to verify other part of BIOS, i.e. other FVs to transfer control to from IBB. This driver plays the role in IBB to verify FVs not covered by hardware root-of-trust to make sure integrity of the chain of trust. To be hardware/platform independent, PPI gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid is introduced for platform to pass digest information to this driver. This PPI should include all information needed to verify required FVs in required boot mode. struct _EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI { FV_HASH_INFO HashInfo; UINTN FvNumber; HASHED_FV_INFO FvInfo[1]; }; To avoid TOCTOU issue, all FVs to be verified will be copied to memory before hash calculation. That also means this driver has to be run after permanent memory has been discovered. For a measured boot, this driver will install gEdkiiPeiFirmwareVolumeInfoPrehashedFvPpiGuid to report digest of each FV to TCG driver. For a verified boot, this driver will verify the final hash value (calculated from the concatenation of each FV's hash) for indicated FVs against the hash got from platform/hardware. If pass, it will build EFI_HOB_TYPE_FV (consumed by DXE core) and/or install gEfiPeiFirmwareVolumeInfoPpiGuid (consumed by PEI core), and then report status code PcdStatusCodeFvVerificationPass. If fail, it just report status code PcdStatusCodeFvVerificationFail and go to dead loop if status report returns. The platform can register customized handler to process pass and fail cases differently. Currently, this driver only supports hash (sha256/384/512) verification for the performance consideration. Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: "Hernandez Beltran, Jorge" <jorge.hernandez.beltran@intel.com> Cc: Harry Han <harry.han@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-05-10 04:19:36 +02:00
## @file
# FV Report/Verify PEI Driver.
#
# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = FvReportPei
MODULE_UNI_FILE = FvReportPei.uni
FILE_GUID = 72405B40-38DA-4ABA-9283-CA8321C23E63
MODULE_TYPE = PEIM
VERSION_STRING = 1.0
ENTRY_POINT = FvReportEntryPoint
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64
#
[Sources]
FvReportPei.c
FvReportPei.h
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
CryptoPkg/CryptoPkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
PeimEntryPoint
PeiServicesLib
BaseLib
DebugLib
BaseMemoryLib
PcdLib
HobLib
MemoryAllocationLib
BaseCryptLib
ReportStatusCodeLib
[Ppis]
gEdkiiPeiFirmwareVolumeInfoPrehashedFvPpiGuid ## PRODUCES
gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid ## CONSUMES
[Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationPass
gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationFail
[Depex]
gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid AND gEfiPeiMemoryDiscoveredPpiGuid
[UserExtensions.TianoCore."ExtraFiles"]
FvReportPeiPeiExtra.uni