Add PI1.2.1 SAP2 support and UEFI231B mantis 896

1. Update three Security Handlers to depend on new SecurityManagementLib APIs to register Security service for SAP2

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Guo Dong <dong.guo@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13661 6f19259b-4bc3-4df7-8a09-765794883524
lgao4 2012-08-22 02:33:00 +00:00
parent bc2dfdbcfc
commit 5db28a6753
3 changed files with 59 additions and 55 deletions


@ -714,18 +714,22 @@ GetDefferedImageInfo (
logging. logging.
@param[in] FileBuffer File buffer matches the input file device path. @param[in] FileBuffer File buffer matches the input file device path.
@param[in] FileSize Size of File buffer matches the input file device path. @param[in] FileSize Size of File buffer matches the input file device path.
@param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
@retval EFI_SUCCESS The file specified by File did authenticate, and the @retval EFI_SUCCESS FileBuffer is NULL and current user has permission to start
platform policy dictates that the DXE Core may use File. UEFI device drivers on the device path specified by DevicePath.
@retval EFI_INVALID_PARAMETER File is NULL. @retval EFI_SUCCESS The file specified by DevicePath and non-NULL
@retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and FileBuffer did authenticate, and the platform policy dictates
the platform policy dictates that File should be placed that the DXE Foundation may use the file.
in the untrusted state. A file may be promoted from @retval EFI_SECURITY_VIOLATION FileBuffer is NULL and the user has no
the untrusted to the trusted state at a future time permission to start UEFI device drivers on the device path specified
with a call to the Trust() DXE Service. by DevicePath.
@retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and @retval EFI_SECURITY_VIOLATION FileBuffer is not NULL and the user has no permission to load
the platform policy dictates that File should not be drivers from the device path specified by DevicePath. The
used for any purpose. image has been added into the list of the deferred images.
@retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
authenticate, and the platform policy dictates that the DXE
Foundation many not use File.
**/ **/
EFI_STATUS EFI_STATUS
@ -734,17 +738,20 @@ DxeDeferImageLoadHandler (
IN UINT32 AuthenticationStatus, IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File, IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
IN VOID *FileBuffer, IN VOID *FileBuffer,
IN UINTN FileSize IN UINTN FileSize,
IN BOOLEAN BootPolicy
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
EFI_USER_PROFILE_HANDLE CurrentUser; EFI_USER_PROFILE_HANDLE CurrentUser;
UINT32 Policy; UINT32 Policy;
UINT32 FileType; UINT32 FileType;
//
// Ignore if File is NULL.
//
if (File == NULL) { if (File == NULL) {
return EFI_INVALID_PARAMETER; return EFI_SUCCESS;
} }
// //
@ -759,7 +766,7 @@ DxeDeferImageLoadHandler (
// //
if (!VerifyDevicePath (File)) { if (!VerifyDevicePath (File)) {
DEBUG ((EFI_D_ERROR, "[Security] The image is forbidden to load!\n")); DEBUG ((EFI_D_ERROR, "[Security] The image is forbidden to load!\n"));
return EFI_ACCESS_DENIED; return EFI_SECURITY_VIOLATION;
} }
return EFI_SUCCESS; return EFI_SUCCESS;
} }
@ -779,7 +786,7 @@ DxeDeferImageLoadHandler (
} }
DEBUG ((EFI_D_ERROR, "[Security] No user identified, the image is deferred to load!\n")); DEBUG ((EFI_D_ERROR, "[Security] No user identified, the image is deferred to load!\n"));
PutDefferedImageInfo (File, NULL, 0); PutDefferedImageInfo (File, FileBuffer, FileSize);
// //
// Install the Deferred Image Load Protocol onto a new handle. // Install the Deferred Image Load Protocol onto a new handle.
@ -849,7 +856,7 @@ DxeDeferImageLoadLibConstructor (
&Registration &Registration
); );
return RegisterSecurityHandler ( return RegisterSecurity2Handler (
DxeDeferImageLoadHandler, DxeDeferImageLoadHandler,
EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD
); );
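Review bot: The new return on the VerifyDevicePath failure path in DxeDeferImageLoadHandler conflicts with the retval text added in the same hunk: EFI_SECURITY_VIOLATION with a non-NULL FileBuffer is documented as "the image has been added into the list of the deferred images", yet that path logs the image as "forbidden to load" and returns without calling PutDefferedImageInfo. If a forbidden image must never be usable, the previous EFI_ACCESS_DENIED is the code that matches the documented EFI_ACCESS_DENIED case; if deferral is intended, the docstring should say this path is neither deferred nor recorded. The `if (File == NULL) return EFI_SUCCESS;` early return also deserves a why-comment, since no retval line covers it, e.g. `// No device path to check the current user's permission against; treat as allowed here (confirm this is the intended SAP2 behaviour).` The retval text "Foundation many not use File" should read "may not use File". The handler's body continues outside the hunks shown.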


@ -141,6 +141,10 @@ GetImageType (
EFI_DEVICE_PATH_PROTOCOL *TempDevicePath; EFI_DEVICE_PATH_PROTOCOL *TempDevicePath;
EFI_BLOCK_IO_PROTOCOL *BlockIo; EFI_BLOCK_IO_PROTOCOL *BlockIo;
if (File == NULL) {
return IMAGE_UNKNOWN;
}
// //
// First check to see if File is from a Firmware Volume // First check to see if File is from a Firmware Volume
// //
@ -1034,19 +1038,23 @@ VerifyCertPkcsSignedData (
being dispatched. This will optionally be used for logging. being dispatched. This will optionally be used for logging.
@param[in] FileBuffer File buffer matches the input file device path. @param[in] FileBuffer File buffer matches the input file device path.
@param[in] FileSize Size of File buffer matches the input file device path. @param[in] FileSize Size of File buffer matches the input file device path.
@param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
@retval EFI_SUCCESS The file specified by File did authenticate, and the @retval EFI_SUCCESS The file specified by DevicePath and non-NULL
platform policy dictates that the DXE Core may use File. FileBuffer did authenticate, and the platform policy dictates
@retval EFI_INVALID_PARAMETER Input argument is incorrect. that the DXE Foundation may use the file.
@retval EFI_SUCCESS The device path specified by NULL device path DevicePath
and non-NULL FileBuffer did authenticate, and the platform
policy dictates that the DXE Foundation may execute the image in
FileBuffer.
@retval EFI_OUT_RESOURCE Fail to allocate memory. @retval EFI_OUT_RESOURCE Fail to allocate memory.
@retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
the platform policy dictates that File should be placed the platform policy dictates that File should be placed
in the untrusted state. A file may be promoted from in the untrusted state. The image has been added to the file
the untrusted to the trusted state at a future time execution table.
with a call to the Trust() DXE Service. @retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
@retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and authenticate, and the platform policy dictates that the DXE
the platform policy dictates that File should not be Foundation many not use File.
used for any purpose.
**/ **/
EFI_STATUS EFI_STATUS
@ -1055,7 +1063,8 @@ DxeImageVerificationHandler (
IN UINT32 AuthenticationStatus, IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File, IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
IN VOID *FileBuffer, IN VOID *FileBuffer,
IN UINTN FileSize IN UINTN FileSize,
IN BOOLEAN BootPolicy
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
@ -1073,10 +1082,6 @@ DxeImageVerificationHandler (
UINT32 NumberOfRvaAndSizes; UINT32 NumberOfRvaAndSizes;
UINT32 CertSize; UINT32 CertSize;
if (File == NULL) {
return EFI_INVALID_PARAMETER;
}
SignatureList = NULL; SignatureList = NULL;
SignatureListSize = 0; SignatureListSize = 0;
WinCertificate = NULL; WinCertificate = NULL;
@ -1326,6 +1331,7 @@ Done:
// Policy decides to defer or reject the image; add its information in image executable information table. // Policy decides to defer or reject the image; add its information in image executable information table.
// //
AddImageExeInfo (Action, NULL, File, SignatureList, SignatureListSize); AddImageExeInfo (Action, NULL, File, SignatureList, SignatureListSize);
Status = EFI_SECURITY_VIOLATION;
} }
if (SignatureList != NULL) { if (SignatureList != NULL) {
@ -1410,7 +1416,7 @@ DxeImageVerificationLibConstructor (
&Registration &Registration
); );
return RegisterSecurityHandler ( return RegisterSecurity2Handler (
DxeImageVerificationHandler, DxeImageVerificationHandler,
EFI_AUTH_OPERATION_VERIFY_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED EFI_AUTH_OPERATION_VERIFY_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
); );
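Review bot: Removing the `if (File == NULL) return EFI_INVALID_PARAMETER;` guard from DxeImageVerificationHandler lets a NULL File reach every later use of it, but only GetImageType received a matching NULL check in this commit; the `AddImageExeInfo (Action, NULL, File, ...)` call in the Done: path and any device-path handling between the hunks (not visible here) must also tolerate a NULL device path. Please confirm AddImageExeInfo accepts DevicePath == NULL, or guard those uses with `if (File != NULL)`. Because both the "defer" and the "reject" outcomes now end in the unconditional `Status = EFI_SECURITY_VIOLATION;`, the comment above it should say where the distinction survives, e.g. `// Deferred and rejected images both return EFI_SECURITY_VIOLATION; the policy outcome is recorded via Action in the image execution information table.` The retval text "Foundation many not use File" should read "may not use File". The handler's body extends beyond the hunks shown.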


@ -694,34 +694,28 @@ Finish:
might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is
returned. returned.
@param[in, out] AuthenticationStatus This is the authentication status returned @param[in] AuthenticationStatus This is the authentication status returned
from the securitymeasurement services for the from the securitymeasurement services for the
input file. input file.
@param[in] File This is a pointer to the device path of the file that is @param[in] File This is a pointer to the device path of the file that is
being dispatched. This will optionally be used for logging. being dispatched. This will optionally be used for logging.
@param[in] FileBuffer File buffer matches the input file device path. @param[in] FileBuffer File buffer matches the input file device path.
@param[in] FileSize Size of File buffer matches the input file device path. @param[in] FileSize Size of File buffer matches the input file device path.
@param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
@retval EFI_SUCCESS The file specified by File did authenticate, and the @retval EFI_SUCCESS The file specified by DevicePath and non-NULL
platform policy dictates that the DXE Core may use File. FileBuffer did authenticate, and the platform policy dictates
@retval EFI_INVALID_PARAMETER File is NULL. that the DXE Foundation may use the file.
@retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and @retval other error value
the platform policy dictates that File should be placed
in the untrusted state. A file may be promoted from
the untrusted to the trusted state at a future time
with a call to the Trust() DXE Service.
@retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and
the platform policy dictates that File should not be
used for any purpose.
**/ **/
EFI_STATUS EFI_STATUS
EFIAPI EFIAPI
DxeTpmMeasureBootHandler ( DxeTpmMeasureBootHandler (
IN OUT UINT32 AuthenticationStatus, IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File, IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
IN VOID *FileBuffer OPTIONAL, IN VOID *FileBuffer,
IN UINTN FileSize OPTIONAL IN UINTN FileSize,
IN BOOLEAN BootPolicy
) )
{ {
EFI_TCG_PROTOCOL *TcgProtocol; EFI_TCG_PROTOCOL *TcgProtocol;
@ -736,10 +730,6 @@ DxeTpmMeasureBootHandler (
BOOLEAN ApplicationRequired; BOOLEAN ApplicationRequired;
PE_COFF_LOADER_IMAGE_CONTEXT ImageContext; PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
if (File == NULL) {
return EFI_INVALID_PARAMETER;
}
Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol); Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
// //
@ -768,7 +758,6 @@ DxeTpmMeasureBootHandler (
// Copy File Device Path // Copy File Device Path
// //
OrigDevicePathNode = DuplicateDevicePath (File); OrigDevicePathNode = DuplicateDevicePath (File);
ASSERT (OrigDevicePathNode != NULL);
// //
// 1. Check whether this device path support BlockIo protocol. // 1. Check whether this device path support BlockIo protocol.
@ -928,7 +917,9 @@ DxeTpmMeasureBootHandler (
// Done, free the allocated resource. // Done, free the allocated resource.
// //
Finish: Finish:
FreePool (OrigDevicePathNode); if (OrigDevicePathNode != NULL) {
FreePool (OrigDevicePathNode);
}
return Status; return Status;
} }
@ -949,7 +940,7 @@ DxeTpmMeasureBootLibConstructor (
IN EFI_SYSTEM_TABLE *SystemTable IN EFI_SYSTEM_TABLE *SystemTable
) )
{ {
return RegisterSecurityHandler ( return RegisterSecurity2Handler (
DxeTpmMeasureBootHandler, DxeTpmMeasureBootHandler,
EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
); );
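Review bot: With the `File == NULL` guard dropped from DxeTpmMeasureBootHandler, `DuplicateDevicePath (File)` now returns NULL for a NULL File and the removed ASSERT no longer catches it; the Finish: cleanup copes, but the code between the hunks that walks OrigDevicePathNode (the device-path checks introduced by the "1. Check whether this device path support BlockIo protocol" comment) is not visible here and must not dereference it. A NULL result now also covers allocation failure, so a comment at the call such as `// NULL when File is NULL (permitted by the Security2 interface) or on allocation failure; both must be handled below.` would stop someone restoring the ASSERT. The new docstring's `@retval other error value` is too vague for a security handler; list the status codes the body actually returns. BootPolicy is added to the signature but unused in the hunks shown; if it is intentionally ignored, say so in its @param text. The function body continues outside the hunks.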