Add PI1.2.1 SAP2 support and UEFI231B mantis 896

1. Update three Security Handlers to depend on new SecurityManagementLib APIs to register Security service for SAP2

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Guo Dong <dong.guo@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13661 6f19259b-4bc3-4df7-8a09-765794883524
lgao4 2012-08-22 02:33:00 +00:00
parent bc2dfdbcfc
commit 5db28a6753
3 changed files with 59 additions and 55 deletions


@ -714,18 +714,22 @@ GetDefferedImageInfo (
logging.
@param[in] FileBuffer File buffer matches the input file device path.
@param[in] FileSize Size of File buffer matches the input file device path.
@param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
@retval EFI_SUCCESS The file specified by File did authenticate, and the
platform policy dictates that the DXE Core may use File.
@retval EFI_INVALID_PARAMETER File is NULL.
@retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
the platform policy dictates that File should be placed
in the untrusted state. A file may be promoted from
the untrusted to the trusted state at a future time
with a call to the Trust() DXE Service.
@retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and
the platform policy dictates that File should not be
used for any purpose.
@retval EFI_SUCCESS FileBuffer is NULL and current user has permission to start
UEFI device drivers on the device path specified by DevicePath.
@retval EFI_SUCCESS The file specified by DevicePath and non-NULL
FileBuffer did authenticate, and the platform policy dictates
that the DXE Foundation may use the file.
@retval EFI_SECURITY_VIOLATION FileBuffer is NULL and the user has no
permission to start UEFI device drivers on the device path specified
by DevicePath.
@retval EFI_SECURITY_VIOLATION FileBuffer is not NULL and the user has no permission to load
drivers from the device path specified by DevicePath. The
image has been added into the list of the deferred images.
@retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
authenticate, and the platform policy dictates that the DXE
Foundation many not use File.
**/
EFI_STATUS
@ -734,17 +738,20 @@ DxeDeferImageLoadHandler (
IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
IN VOID *FileBuffer,
IN UINTN FileSize
IN UINTN FileSize,
IN BOOLEAN BootPolicy
)
{
EFI_STATUS Status;
EFI_USER_PROFILE_HANDLE CurrentUser;
UINT32 Policy;
UINT32 FileType;
//
// Ignore if File is NULL.
//
if (File == NULL) {
return EFI_INVALID_PARAMETER;
return EFI_SUCCESS;
}
//
@ -759,7 +766,7 @@ DxeDeferImageLoadHandler (
//
if (!VerifyDevicePath (File)) {
DEBUG ((EFI_D_ERROR, "[Security] The image is forbidden to load!\n"));
return EFI_ACCESS_DENIED;
return EFI_SECURITY_VIOLATION;
}
return EFI_SUCCESS;
}
@ -779,7 +786,7 @@ DxeDeferImageLoadHandler (
}
DEBUG ((EFI_D_ERROR, "[Security] No user identified, the image is deferred to load!\n"));
PutDefferedImageInfo (File, NULL, 0);
PutDefferedImageInfo (File, FileBuffer, FileSize);
//
// Install the Deferred Image Load Protocol onto a new handle.
@ -849,7 +856,7 @@ DxeDeferImageLoadLibConstructor (
&Registration
);
return RegisterSecurityHandler (
return RegisterSecurity2Handler (
DxeDeferImageLoadHandler,
EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD
);
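Review bot: In the `@ -779,7 +786,7` hunk the deferred-image entry now records the caller's `FileBuffer` and `FileSize`, and nothing visible on this page shows whether `PutDefferedImageInfo` copies the buffer or keeps the pointer. If it keeps the pointer, the entry can outlive the buffer owned by the LoadImage() caller, and the image later served from the deferred list may no longer be the bytes that were checked here. Please confirm it takes a private copy and record the ownership rule in that function's header, for example `The image is copied into the deferred list; the caller keeps ownership of FileBuffer.` Separately, the handler's header has no `@retval` for the new `File == NULL` path that returns `EFI_SUCCESS`, so it is undocumented that an image supplied only as a memory buffer gets no user-permission check from this handler. The handler body continues outside the hunks shown.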


@ -141,6 +141,10 @@ GetImageType (
EFI_DEVICE_PATH_PROTOCOL *TempDevicePath;
EFI_BLOCK_IO_PROTOCOL *BlockIo;
if (File == NULL) {
return IMAGE_UNKNOWN;
}
//
// First check to see if File is from a Firmware Volume
//
@ -1034,19 +1038,23 @@ VerifyCertPkcsSignedData (
being dispatched. This will optionally be used for logging.
@param[in] FileBuffer File buffer matches the input file device path.
@param[in] FileSize Size of File buffer matches the input file device path.
@param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
@retval EFI_SUCCESS The file specified by File did authenticate, and the
platform policy dictates that the DXE Core may use File.
@retval EFI_INVALID_PARAMETER Input argument is incorrect.
@retval EFI_SUCCESS The file specified by DevicePath and non-NULL
FileBuffer did authenticate, and the platform policy dictates
that the DXE Foundation may use the file.
@retval EFI_SUCCESS The device path specified by NULL device path DevicePath
and non-NULL FileBuffer did authenticate, and the platform
policy dictates that the DXE Foundation may execute the image in
FileBuffer.
@retval EFI_OUT_RESOURCE Fail to allocate memory.
@retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
the platform policy dictates that File should be placed
in the untrusted state. A file may be promoted from
the untrusted to the trusted state at a future time
with a call to the Trust() DXE Service.
@retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and
the platform policy dictates that File should not be
used for any purpose.
in the untrusted state. The image has been added to the file
execution table.
@retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
authenticate, and the platform policy dictates that the DXE
Foundation many not use File.
**/
EFI_STATUS
@ -1055,7 +1063,8 @@ DxeImageVerificationHandler (
IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
IN VOID *FileBuffer,
IN UINTN FileSize
IN UINTN FileSize,
IN BOOLEAN BootPolicy
)
{
EFI_STATUS Status;
@ -1073,10 +1082,6 @@ DxeImageVerificationHandler (
UINT32 NumberOfRvaAndSizes;
UINT32 CertSize;
if (File == NULL) {
return EFI_INVALID_PARAMETER;
}
SignatureList = NULL;
SignatureListSize = 0;
WinCertificate = NULL;
@ -1326,6 +1331,7 @@ Done:
// Policy decides to defer or reject the image; add its information in image executable information table.
//
AddImageExeInfo (Action, NULL, File, SignatureList, SignatureListSize);
Status = EFI_SECURITY_VIOLATION;
}
if (SignatureList != NULL) {
@ -1410,7 +1416,7 @@ DxeImageVerificationLibConstructor (
&Registration
);
return RegisterSecurityHandler (
return RegisterSecurity2Handler (
DxeImageVerificationHandler,
EFI_AUTH_OPERATION_VERIFY_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
);
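Review bot: The `Status = EFI_SECURITY_VIOLATION;` added under `Done:` sits in the branch whose comment says the policy decided to "defer or reject" the image, so both outcomes now appear to return the same status. The enclosing condition is outside the hunk, but if a reject policy reaches this line, a rejected image is reported exactly like a deferred one and the `EFI_ACCESS_DENIED` case still listed in the header is never produced here. A caller that treats `EFI_SECURITY_VIOLATION` as "kept but not started" would then keep an image the policy meant to refuse. I would set the status per policy at this point, `EFI_ACCESS_DENIED` on reject and `EFI_SECURITY_VIOLATION` only on defer, and add `// Deferred images return EFI_SECURITY_VIOLATION; rejected images return EFI_ACCESS_DENIED.` above it. With the `File == NULL` early return removed in the `@ -1073,10 +1082,6` hunk, `File` can also be NULL at the `AddImageExeInfo` call, so that helper should be checked for a NULL device path.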


@ -694,34 +694,28 @@ Finish:
might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is
returned.
@param[in, out] AuthenticationStatus This is the authentication status returned
@param[in] AuthenticationStatus This is the authentication status returned
from the securitymeasurement services for the
input file.
@param[in] File This is a pointer to the device path of the file that is
being dispatched. This will optionally be used for logging.
@param[in] FileBuffer File buffer matches the input file device path.
@param[in] FileSize Size of File buffer matches the input file device path.
@param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
@retval EFI_SUCCESS The file specified by File did authenticate, and the
platform policy dictates that the DXE Core may use File.
@retval EFI_INVALID_PARAMETER File is NULL.
@retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
the platform policy dictates that File should be placed
in the untrusted state. A file may be promoted from
the untrusted to the trusted state at a future time
with a call to the Trust() DXE Service.
@retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and
the platform policy dictates that File should not be
used for any purpose.
@retval EFI_SUCCESS The file specified by DevicePath and non-NULL
FileBuffer did authenticate, and the platform policy dictates
that the DXE Foundation may use the file.
@retval other error value
**/
EFI_STATUS
EFIAPI
DxeTpmMeasureBootHandler (
IN OUT UINT32 AuthenticationStatus,
IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
IN VOID *FileBuffer OPTIONAL,
IN UINTN FileSize OPTIONAL
IN VOID *FileBuffer,
IN UINTN FileSize,
IN BOOLEAN BootPolicy
)
{
EFI_TCG_PROTOCOL *TcgProtocol;
@ -736,10 +730,6 @@ DxeTpmMeasureBootHandler (
BOOLEAN ApplicationRequired;
PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
if (File == NULL) {
return EFI_INVALID_PARAMETER;
}
Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);
if (EFI_ERROR (Status)) {
//
@ -768,7 +758,6 @@ DxeTpmMeasureBootHandler (
// Copy File Device Path
//
OrigDevicePathNode = DuplicateDevicePath (File);
ASSERT (OrigDevicePathNode != NULL);
//
// 1. Check whether this device path support BlockIo protocol.
@ -928,7 +917,9 @@ DxeTpmMeasureBootHandler (
// Done, free the allocated resource.
//
Finish:
FreePool (OrigDevicePathNode);
if (OrigDevicePathNode != NULL) {
FreePool (OrigDevicePathNode);
}
return Status;
}
@ -949,7 +940,7 @@ DxeTpmMeasureBootLibConstructor (
IN EFI_SYSTEM_TABLE *SystemTable
)
{
return RegisterSecurityHandler (
return RegisterSecurity2Handler (
DxeTpmMeasureBootHandler,
EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
);
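Review bot: After the `ASSERT (OrigDevicePathNode != NULL)` removal in the `@ -768,7 +758,6` hunk, a NULL result from `DuplicateDevicePath (File)` no longer distinguishes a NULL `File` from a failed allocation, and only the `FreePool` at `Finish:` gained a guard. The code between the copy and `Finish:` is outside the hunks, so every use of `OrigDevicePathNode` there has to tolerate NULL, and an allocation failure for a non-NULL `File` should end in an error status rather than an image that proceeds unmeasured. A guard right after the copy would make that explicit, assuming nothing else needs releasing at that point: `if ((File != NULL) && (OrigDevicePathNode == NULL)) { return EFI_OUT_OF_RESOURCES; }`. The header's `@retval other error value` could then name that status.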