diff options
| author | lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-01-29 07:43:17 +0000 |
|---|---|---|
| committer | lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-01-29 07:43:17 +0000 |
| commit | 022ff6bbba14e86ad721de66d43e0ddb2109ff8a (patch) | |
| tree | 3229b6af25fe3eae7d27875b3776668a6f880724 /MdeModulePkg/Core | |
| parent | 0777cea600819daf53dedefe1f922fed927fe71f (diff) | |
| download | edk2-platforms-022ff6bbba14e86ad721de66d43e0ddb2109ff8a.tar.xz | |
1. Update DxeCore to get correct AuthenticationStatus and invoke gSecurity after FV image file is extracted by ReadSection(), and remove the gSecurity invoking in SmmDriverDispatchHandler() in SmmCore since FV has been verified in DxeCore.
2. Update SmmLoadImage() to return EFI_SECURITY_VIOLATION when gSecurity returns EFI_SECURITY_VIOLATION.
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14113 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg/Core')
| -rw-r--r-- | MdeModulePkg/Core/Dxe/Dispatcher/Dispatcher.c | 48 | ||||
| -rw-r--r-- | MdeModulePkg/Core/PiSmmCore/Dispatcher.c | 31 |
2 files changed, 32 insertions, 47 deletions
diff --git a/MdeModulePkg/Core/Dxe/Dispatcher/Dispatcher.c b/MdeModulePkg/Core/Dxe/Dispatcher/Dispatcher.c index 45a236a7b8..75d6267f61 100644 --- a/MdeModulePkg/Core/Dxe/Dispatcher/Dispatcher.c +++ b/MdeModulePkg/Core/Dxe/Dispatcher/Dispatcher.c @@ -26,7 +26,7 @@ Depex - Dependency Expresion.
SOR - Schedule On Request - Don't schedule if this bit is set.
-Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -984,6 +984,7 @@ CoreProcessFvImageFile ( UINTN BufferSize;
EFI_FIRMWARE_VOLUME_HEADER *FvHeader;
UINT32 FvAlignment;
+ EFI_DEVICE_PATH_PROTOCOL *FvFileDevicePath;
//
// Read the first (and only the first) firmware volume section
@@ -1004,6 +1005,32 @@ CoreProcessFvImageFile ( &AuthenticationStatus
);
if (!EFI_ERROR (Status)) {
+ //
+ // Evaluate the authentication status of the Firmware Volume through
+ // Security Architectural Protocol
+ //
+ if (gSecurity != NULL) {
+ FvFileDevicePath = CoreFvToDevicePath (Fv, FvHandle, DriverName);
+ Status = gSecurity->FileAuthenticationState (
+ gSecurity,
+ AuthenticationStatus,
+ FvFileDevicePath
+ );
+ if (FvFileDevicePath != NULL) {
+ FreePool (FvFileDevicePath);
+ }
+
+ if (Status != EFI_SUCCESS) {
+ //
+ // Security check failed. The firmware volume should not be used for any purpose.
+ //
+ if (Buffer != NULL) {
+ FreePool (Buffer);
+ }
+ return Status;
+ }
+ }
+
//
// FvImage should be at its required alignment.
//
@@ -1087,7 +1114,6 @@ CoreFwVolEventProtocolNotify ( {
EFI_STATUS Status;
EFI_STATUS GetNextFileStatus;
- EFI_STATUS SecurityStatus;
EFI_FIRMWARE_VOLUME2_PROTOCOL *Fv;
EFI_DEVICE_PATH_PROTOCOL *FvDevicePath;
EFI_HANDLE FvHandle;
@@ -1160,24 +1186,6 @@ CoreFwVolEventProtocolNotify ( }
//
- // Evaluate the authentication status of the Firmware Volume through
- // Security Architectural Protocol
- //
- if (gSecurity != NULL) {
- SecurityStatus = gSecurity->FileAuthenticationState (
- gSecurity,
- 0,
- FvDevicePath
- );
- if (SecurityStatus != EFI_SUCCESS) {
- //
- // Security check failed. The firmware volume should not be used for any purpose.
- //
- continue;
- }
- }
-
- //
// Discover Drivers in FV and add them to the Discovered Driver List.
// Process EFI_FV_FILETYPE_DRIVER type and then EFI_FV_FILETYPE_COMBINED_PEIM_DRIVER
// EFI_FV_FILETYPE_DXE_CORE is processed to produce a Loaded Image protocol for the core
diff --git a/MdeModulePkg/Core/PiSmmCore/Dispatcher.c b/MdeModulePkg/Core/PiSmmCore/Dispatcher.c index 8a9d99b158..b2e3d6a1e7 100644 --- a/MdeModulePkg/Core/PiSmmCore/Dispatcher.c +++ b/MdeModulePkg/Core/PiSmmCore/Dispatcher.c @@ -27,7 +27,7 @@ Depex - Dependency Expresion.
- Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available
under the terms and conditions of the BSD License which accompanies this
distribution. The full text of the license may be found at
@@ -671,6 +671,9 @@ SmmLoadImage ( // used the UEFI Boot Services AllocatePool() function
//
Status = gBS->FreePool(Buffer);
+ if (!EFI_ERROR (Status) && EFI_ERROR (SecurityStatus)) {
+ Status = SecurityStatus;
+ }
return Status;
}
@@ -1197,7 +1200,6 @@ SmmDriverDispatchHandler ( UINTN HandleCount;
EFI_HANDLE *HandleBuffer;
EFI_STATUS GetNextFileStatus;
- EFI_STATUS SecurityStatus;
EFI_FIRMWARE_VOLUME2_PROTOCOL *Fv;
EFI_DEVICE_PATH_PROTOCOL *FvDevicePath;
EFI_HANDLE FvHandle;
@@ -1259,31 +1261,6 @@ SmmDriverDispatchHandler ( }
//
- // If the Security Architectural Protocol has not been located yet, then attempt to locate it
- //
- if (mSecurity == NULL) {
- gBS->LocateProtocol (&gEfiSecurityArchProtocolGuid, NULL, (VOID**)&mSecurity);
- }
-
- //
- // Evaluate the authentication status of the Firmware Volume through
- // Security Architectural Protocol
- //
- if (mSecurity != NULL) {
- SecurityStatus = mSecurity->FileAuthenticationState (
- mSecurity,
- 0,
- FvDevicePath
- );
- if (SecurityStatus != EFI_SUCCESS) {
- //
- // Security check failed. The firmware volume should not be used for any purpose.
- //
- continue;
- }
- }
-
- //
// Discover Drivers in FV and add them to the Discovered Driver List.
// Process EFI_FV_FILETYPE_SMM type and then EFI_FV_FILETYPE_COMBINED_SMM_DXE
//
|