mirror of https://github.com/acidanthera/audk.git
3743e71a06
https://bugzilla.tianocore.org/show_bug.cgi?id=1617 This driver implements a common checker, verifier and reporter which is independent of hardware based root-of-trust. Usually the hardware based root-of-trust will not verify all BIOS but part of it. For example, Boot Guard will only verify IBB segment. The IBB needs to verify other part of BIOS, i.e. other FVs to transfer control to from IBB. This driver plays the role in IBB to verify FVs not covered by hardware root-of-trust to make sure integrity of the chain of trust. To be hardware/platform independent, PPI gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid is introduced for platform to pass digest information to this driver. This PPI should include all information needed to verify required FVs in required boot mode. struct _EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI { FV_HASH_INFO HashInfo; UINTN FvNumber; HASHED_FV_INFO FvInfo[1]; }; To avoid TOCTOU issue, all FVs to be verified will be copied to memory before hash calculation. That also means this driver has to be run after permanent memory has been discovered. For a measured boot, this driver will install gEdkiiPeiFirmwareVolumeInfoPrehashedFvPpiGuid to report digest of each FV to TCG driver. For a verified boot, this driver will verify the final hash value (calculated from the concatenation of each FV's hash) for indicated FVs against the hash got from platform/hardware. If pass, it will build EFI_HOB_TYPE_FV (consumed by DXE core) and/or install gEfiPeiFirmwareVolumeInfoPpiGuid (consumed by PEI core), and then report status code PcdStatusCodeFvVerificationPass. If fail, it just report status code PcdStatusCodeFvVerificationFail and go to dead loop if status report returns. The platform can register customized handler to process pass and fail cases differently. Currently, this driver only supports hash (sha256/384/512) verification for the performance consideration. Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: "Hernandez Beltran, Jorge" <jorge.hernandez.beltran@intel.com> Cc: Harry Han <harry.han@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> |
||
|---|---|---|
| .. | ||
| FvReportPei | ||
| Hash2DxeCrypto | ||
| HddPassword | ||
| Include | ||
| Library | ||
| Pkcs7Verify/Pkcs7VerifyDxe | ||
| RandomNumberGenerator/RngDxe | ||
| Tcg | ||
| VariableAuthenticated/SecureBootConfigDxe | ||
| SecurityPkg.dec | ||
| SecurityPkg.dsc | ||
| SecurityPkg.uni | ||
| SecurityPkgExtra.uni | ||