mirror of https://github.com/acidanthera/audk.git
MdeModulePkg/SecurityStubDxe: Report failure if image is load earlier
The 3rd party image should be loaded after EndOfDxe event signal and DxeSmmReadyToLock protocol installation. But non-SMM platform doesn't published DxeSmmReadyToLock protocol. So the SecurityStubDxe can only depend on EndOfDxe event. This patch enhances the SecurityStubDxe to listen on DxeSmmReadyToLock protocol installation and if any 3rd party image is loaded before DxeSmmReadyToLock, it reports failure. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Sunny Wang <sunnywang@hpe.com>
This commit is contained in:
parent
048bcba1bc
commit
e048823f57
|
@ -30,6 +30,7 @@ typedef struct {
|
||||||
DEFERRED_3RD_PARTY_IMAGE_INFO *ImageInfo; ///< deferred 3rd party image item
|
DEFERRED_3RD_PARTY_IMAGE_INFO *ImageInfo; ///< deferred 3rd party image item
|
||||||
} DEFERRED_3RD_PARTY_IMAGE_TABLE;
|
} DEFERRED_3RD_PARTY_IMAGE_TABLE;
|
||||||
|
|
||||||
|
BOOLEAN mImageLoadedAfterEndOfDxe = FALSE;
|
||||||
BOOLEAN mEndOfDxe = FALSE;
|
BOOLEAN mEndOfDxe = FALSE;
|
||||||
DEFERRED_3RD_PARTY_IMAGE_TABLE mDeferred3rdPartyImage = {
|
DEFERRED_3RD_PARTY_IMAGE_TABLE mDeferred3rdPartyImage = {
|
||||||
0, // Deferred image count
|
0, // Deferred image count
|
||||||
|
@ -256,6 +257,53 @@ EndOfDxe (
|
||||||
mEndOfDxe = TRUE;
|
mEndOfDxe = TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Event notification for gEfiDxeSmmReadyToLockProtocolGuid event.
|
||||||
|
|
||||||
|
This function reports failure if any deferred image is loaded before
|
||||||
|
this callback.
|
||||||
|
Platform should publish ReadyToLock protocol immediately after signaling
|
||||||
|
of the End of DXE Event.
|
||||||
|
|
||||||
|
@param Event The Event that is being processed, not used.
|
||||||
|
@param Context Event Context, not used.
|
||||||
|
|
||||||
|
**/
|
||||||
|
VOID
|
||||||
|
EFIAPI
|
||||||
|
DxeSmmReadyToLock (
|
||||||
|
IN EFI_EVENT Event,
|
||||||
|
IN VOID *Context
|
||||||
|
)
|
||||||
|
{
|
||||||
|
EFI_STATUS Status;
|
||||||
|
VOID *Interface;
|
||||||
|
|
||||||
|
Status = gBS->LocateProtocol (&gEfiDxeSmmReadyToLockProtocolGuid, NULL, &Interface);
|
||||||
|
if (EFI_ERROR (Status)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
gBS->CloseEvent (Event);
|
||||||
|
|
||||||
|
if (mImageLoadedAfterEndOfDxe) {
|
||||||
|
//
|
||||||
|
// Platform should not dispatch the 3rd party images after signaling EndOfDxe event
|
||||||
|
// but before publishing DxeSmmReadyToLock protocol.
|
||||||
|
//
|
||||||
|
DEBUG ((
|
||||||
|
DEBUG_ERROR,
|
||||||
|
"[Security] 3rd party images must be dispatched after DxeSmmReadyToLock Protocol installation!\n"
|
||||||
|
));
|
||||||
|
REPORT_STATUS_CODE (
|
||||||
|
EFI_ERROR_CODE | EFI_ERROR_UNRECOVERED,
|
||||||
|
(EFI_SOFTWARE_DXE_BS_DRIVER | EFI_SW_EC_ILLEGAL_SOFTWARE_STATE)
|
||||||
|
);
|
||||||
|
ASSERT (FALSE);
|
||||||
|
CpuDeadLoop ();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Defer the 3rd party image load and installs Deferred Image Load Protocol.
|
Defer the 3rd party image load and installs Deferred Image Load Protocol.
|
||||||
|
|
||||||
|
@ -303,6 +351,7 @@ Defer3rdPartyImageLoad (
|
||||||
);
|
);
|
||||||
|
|
||||||
if (mEndOfDxe) {
|
if (mEndOfDxe) {
|
||||||
|
mImageLoadedAfterEndOfDxe = TRUE;
|
||||||
//
|
//
|
||||||
// The image might be first time loaded after EndOfDxe,
|
// The image might be first time loaded after EndOfDxe,
|
||||||
// So ImageInfo can be NULL.
|
// So ImageInfo can be NULL.
|
||||||
|
@ -334,6 +383,7 @@ Defer3rdPartyImageLoadInitialize (
|
||||||
EFI_STATUS Status;
|
EFI_STATUS Status;
|
||||||
EFI_HANDLE Handle;
|
EFI_HANDLE Handle;
|
||||||
EFI_EVENT Event;
|
EFI_EVENT Event;
|
||||||
|
VOID *Registration;
|
||||||
|
|
||||||
Handle = NULL;
|
Handle = NULL;
|
||||||
Status = gBS->InstallMultipleProtocolInterfaces (
|
Status = gBS->InstallMultipleProtocolInterfaces (
|
||||||
|
@ -353,4 +403,12 @@ Defer3rdPartyImageLoadInitialize (
|
||||||
&Event
|
&Event
|
||||||
);
|
);
|
||||||
ASSERT_EFI_ERROR (Status);
|
ASSERT_EFI_ERROR (Status);
|
||||||
|
|
||||||
|
EfiCreateProtocolNotifyEvent (
|
||||||
|
&gEfiDxeSmmReadyToLockProtocolGuid,
|
||||||
|
TPL_CALLBACK,
|
||||||
|
DxeSmmReadyToLock,
|
||||||
|
NULL,
|
||||||
|
&Registration
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,16 +15,19 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||||
#ifndef _DEFER_3RD_PARTY_IMAGE_LOAD_H_
|
#ifndef _DEFER_3RD_PARTY_IMAGE_LOAD_H_
|
||||||
#define _DEFER_3RD_PARTY_IMAGE_LOAD_H_
|
#define _DEFER_3RD_PARTY_IMAGE_LOAD_H_
|
||||||
|
|
||||||
#include <Uefi.h>
|
#include <PiDxe.h>
|
||||||
#include <Guid/EventGroup.h>
|
#include <Guid/EventGroup.h>
|
||||||
#include <Protocol/DeferredImageLoad.h>
|
#include <Protocol/DeferredImageLoad.h>
|
||||||
#include <Protocol/FirmwareVolume2.h>
|
#include <Protocol/FirmwareVolume2.h>
|
||||||
|
#include <Protocol/DxeSmmReadyToLock.h>
|
||||||
|
|
||||||
#include <Library/UefiBootServicesTableLib.h>
|
#include <Library/UefiBootServicesTableLib.h>
|
||||||
#include <Library/BaseMemoryLib.h>
|
#include <Library/BaseMemoryLib.h>
|
||||||
#include <Library/MemoryAllocationLib.h>
|
#include <Library/MemoryAllocationLib.h>
|
||||||
#include <Library/DevicePathLib.h>
|
#include <Library/DevicePathLib.h>
|
||||||
#include <Library/DebugLib.h>
|
#include <Library/DebugLib.h>
|
||||||
|
#include <Library/UefiLib.h>
|
||||||
|
#include <Library/ReportStatusCodeLib.h>
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Returns information about a deferred image.
|
Returns information about a deferred image.
|
||||||
|
|
|
@ -41,6 +41,8 @@
|
||||||
UefiBootServicesTableLib
|
UefiBootServicesTableLib
|
||||||
DebugLib
|
DebugLib
|
||||||
SecurityManagementLib
|
SecurityManagementLib
|
||||||
|
ReportStatusCodeLib
|
||||||
|
UefiLib
|
||||||
|
|
||||||
[Guids]
|
[Guids]
|
||||||
gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
|
gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
|
||||||
|
@ -49,6 +51,7 @@
|
||||||
gEfiSecurityArchProtocolGuid ## PRODUCES
|
gEfiSecurityArchProtocolGuid ## PRODUCES
|
||||||
gEfiSecurity2ArchProtocolGuid ## PRODUCES
|
gEfiSecurity2ArchProtocolGuid ## PRODUCES
|
||||||
gEfiDeferredImageLoadProtocolGuid ## PRODUCES
|
gEfiDeferredImageLoadProtocolGuid ## PRODUCES
|
||||||
|
gEfiDxeSmmReadyToLockProtocolGuid ## CONSUMES
|
||||||
|
|
||||||
[Depex]
|
[Depex]
|
||||||
TRUE
|
TRUE
|
||||||
|
|
Loading…
Reference in New Issue