1 /** @file
2 EFI PEI Platform Security services
3 
4 Copyright (c) 2013 Intel Corporation.
5 
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution.  The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10 
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13 
14 **/
15 
16 #include "PeiFvSecurity.h"
17 
//
// Notify descriptor registered by PeiInitializeFvSecurity(): asks for
// FirmwareVolmeInfoPpiNotifySecurityCallback() to be invoked for the
// Firmware Volume Info PPI GUID. It is a single-entry list, hence the
// TERMINATE_LIST flag on this one descriptor.
//
EFI_PEI_NOTIFY_DESCRIPTOR mNotifyOnFvInfoSecurityList = {
  EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
  &gEfiPeiFirmwareVolumeInfoPpiGuid,
  FirmwareVolmeInfoPpiNotifySecurityCallback
};
23 
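/**
  Callback function to perform FV security checking on a FV Info PPI.

  Only firmware volumes that report neither a parent FV name nor a parent
  file name are passed to PeiSecurityVerifyFv(); child firmware volumes are
  skipped on the assumption that the parent's check covers them.

  A failed check is reported to the caller instead of being left to
  ASSERT_EFI_ERROR alone, because that macro can be compiled out of release
  builds and the failure would then fall through to EFI_SUCCESS.

  @param PeiServices       An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation
  @param NotifyDescriptor  Address of the notification descriptor data structure.
  @param Ppi               Address of the PPI that was installed.

  @retval EFI_SUCCESS      The FV was a child FV (not checked) or PeiSecurityVerifyFv() succeeded.
  @retval Others           Error status returned by PeiSecurityVerifyFv().

**/
EFI_STATUS
EFIAPI
FirmwareVolmeInfoPpiNotifySecurityCallback (
  IN EFI_PEI_SERVICES              **PeiServices,
  IN EFI_PEI_NOTIFY_DESCRIPTOR     *NotifyDescriptor,
  IN VOID                          *Ppi
  )
{
  EFI_STATUS                        Status;
  EFI_PEI_FIRMWARE_VOLUME_INFO_PPI  *FvInfoPpi;
  EFI_PEI_FIRMWARE_VOLUME_PPI       *FvPpi;

  FvInfoPpi = (EFI_PEI_FIRMWARE_VOLUME_INFO_PPI *)Ppi;

  //
  // Locate the FV PPI that matches the format GUID of the FV just found.
  // FvPpi is not used below, and a lookup failure is only asserted: it does
  // not skip the verification that follows.
  //
  Status = PeiServicesLocatePpi (
             &FvInfoPpi->FvFormat,
             0,
             NULL,
             (VOID**)&FvPpi
             );
  ASSERT_EFI_ERROR (Status);

  //
  // Only authenticate parent Firmware Volume (child firmware volumes are covered by the parent)
  //
  if ((VOID *)FvInfoPpi->ParentFvName == NULL && (VOID *)FvInfoPpi->ParentFileName == NULL) {
    Status = PeiSecurityVerifyFv ((EFI_FIRMWARE_VOLUME_HEADER*) FvInfoPpi->FvInfo);
    ASSERT_EFI_ERROR (Status);
    if (EFI_ERROR (Status)) {
      //
      // Do not report success for an FV that failed its security check.
      // NOTE(review): confirm how the PEI Foundation treats a notify
      // callback's return status; if it is not acted upon, the platform
      // policy (halt, recovery) has to be applied here.
      //
      DEBUG ((DEBUG_ERROR, "FV security check failed - Status=%r\n", Status));
      return Status;
    }
  }

  return EFI_SUCCESS;
}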
69 
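/**
  Placeholder for Firmware Volume authentication.

  As written, this routine performs no verification: it logs the FV address
  and returns EFI_SUCCESS for every input, so every firmware volume passed in
  is accepted. A platform that relies on FV authentication must replace the
  body with a real check and return an error status on failure.

  @param CurrentFvAddress   Pointer to the current Firmware Volume under consideration

  @retval EFI_SUCCESS       Always returned; no check is made.

**/
EFI_STATUS
PeiSecurityVerifyFv (
  IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
  )
{
  EFI_STATUS  Status;

  //
  // The call into a security library belongs here; none is made at present.
  // The pointer goes through UINTN before being narrowed for the %8x format,
  // so the cast is well-formed even where pointers are wider than 32 bits.
  //
  DEBUG ((DEBUG_INFO, "PeiSecurityVerifyFv - CurrentFvAddress=0x%8x\n", (UINT32)(UINTN)CurrentFvAddress));
  Status = EFI_SUCCESS;

  return Status;
}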
93 
/**
  Sets up PEI FV security checking by registering
  mNotifyOnFvInfoSecurityList with the PEI notification service.

  The function takes no parameters.

  @return EFI_SUCCESS  PEI Security notification installed successfully.
          All others: PEI Security notification failed to install.

**/
EFI_STATUS
PeiInitializeFvSecurity (
  VOID
  )
{
  //
  // The registration status is handed back unchanged to the caller.
  //
  return PeiServicesNotifyPpi (&mNotifyOnFvInfoSecurityList);
}