MdePkg/Include/Ppi/Security2.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

/** @file
  This file declares Security2 Architectural PPI.

  Copyright (c) 2006 - 2007, Intel Corporation
  All rights reserved. This program and the accompanying materials                          
  are licensed and made available under the terms and conditions of the BSD License         
  which accompanies this distribution.  The full text of the license may be found at        
  http://opensource.org/licenses/bsd-license.php                                            

  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,                     
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.             

  Module Name:  Security.h

  @par Revision Reference:
  This PPI is defined in PI.
  Version 1.0.

**/

#ifndef __SECURITY2_PPI_H__
#define __SECURITY2_PPI_H__

#define EFI_PEI_SECURITY2_PPI_GUID \
  { 0xdcd0be23, 0x9586, 0x40f4, { 0xb6, 0x43, 0x6, 0x52, 0x2c, 0xed, 0x4e, 0xde } }


typedef struct _EFI_PEI_SECURITY2_PPI  EFI_PEI_SECURITY2_PPI;

/**
   
  This service is published by some platform PEIM. The purpose of
  this service is to expose a given platform's policy-based
  response to the PEI Foundation. For example, if there is a PEIM
  in a GUIDed encapsulation section and the extraction of the PEI
  file section yields an authentication failure, there is no a
  priori policy in the PEI Foundation. Specifically, this
  situation leads to the question whether PEIMs that are either
  not in GUIDed sections or are in sections whose authentication
  fails should still be executed. In fact, it is the
  responsibility of the platform builder to make this decision.
  This platform-scoped policy is a result that a desktop system
  might not be able to skip or not execute PEIMs because the
  skipped PEIM could be the agent that initializes main memory.
  Alternately, a system may require that unsigned PEIMs not be
  executed under any circumstances. In either case, the PEI
  Foundation simply multiplexes access to the Section Extraction
  PPI and the Security PPI. The Section Extraction PPI determines
  the contents of a section, and the Security PPI tells the PEI
  Foundation whether or not to invoke the PEIM. The PEIM that
  publishes the AuthenticationState() service uses its parameters
  in the following ways: ?? AuthenticationStatus conveys the
  source information upon which the PEIM acts. 1) The
  DeferExecution value tells the PEI Foundation whether or not to
  dispatch the PEIM. In addition, between receiving the
  AuthenticationState() from the PEI Foundation and returning with
  the DeferExecution value, the PEIM that publishes
  AuthenticationState() can do the following: 2) Log the file
  state. 3) Lock the firmware hubs in response to an unsigned
  PEIM being discovered. These latter behaviors are platform-
  and market-specific and thus outside the scope of the PEI CIS.

  @param This   Interface pointer that implements the particular
                EFI_PEI_SECURITY2_PPI instance.


  @param AuthenticationStatus   Authentication status of the
                                file.

  @param FvHandle   Handle of the volume in which the file
                    resides. Type EFI_PEI_FV_HANDLE is defined
                    in FfsFindNextVolume. This allows different
                    policies depending on different firmware
                    volumes.

  @param FileHandle   Handle of the file under review. Type
                      EFI_PEI FILE HANDLE is defined in
                      FfsFindNextFile.

  @param DeferExecution   Pointer to a variable that alerts the
                          PEI Foundation to defer execution of a
                          PEIM.

  @retval EFI_SUCCESS   The service performed its action
                        successfully.

  @retval EFI_SECURITY_VIOLATION  The object cannot be trusted.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_PEI_SECURITY_AUTHENTICATION_STATE) (
  IN CONST  EFI_PEI_SERVICES      **PeiServices,
  IN CONST  EFI_PEI_SECURITY2_PPI *This,
  IN CONST  UINT32                AuthenticationStatus,
  IN CONST  EFI_PEI_FV_HANDLE     FvHandle,
  IN CONST  EFI_PEI_FV_HANDLE     FileHandle,
  IN OUT    BOOLEAN               *DeferExecution
);

/**
   
  This PPI is a means by which the platform builder can indicate
  a response to a PEIM's authentication state. This can be in
  the form of a requirement for the PEI Foundation to skip a
  module using the DeferExecution Boolean output in the
  AuthenticationState() member function. Alternately, the
  Security PPI can invoke something like a cryptographic PPI
  that hashes the PEIM contents to log attestations, for which
  the FileHandle parameter in AuthenticationState() will be
  useful. If this PPI does not exist, PEIMs will be considered
  trusted.

  @param AuthenticationState  Allows the platform builder to
                              implement a security policy in
                              response to varying file
                              authentication states. See the
                              AuthenticationState() function
                              description.

**/
struct _EFI_PEI_SECURITY2_PPI {
  EFI_PEI_SECURITY_AUTHENTICATION_STATE   AuthenticationState;
};


extern EFI_GUID gEfiPeiSecurity2PpiGuid;

#endif