Add submodule dependency filesHEAD master

Change-Id: Iaf8d18082d3991dec7c0ebbea540f092188eb4ec
author: Angelos Mouzakitis <a.mouzakitis@virtualopensystems.com> 2023-10-10 14:33:42 +0000
committer: Angelos Mouzakitis <a.mouzakitis@virtualopensystems.com> 2023-10-10 14:33:42 +0000
commit: af1a266670d040d2f4083ff309d732d648afba2a (patch)
tree: 2fc46203448ddcc6f81546d379abfaeb323575e9 /roms/edk2/MdeModulePkg/Core/Pei/Security/Security.c
parent: e02cda008591317b1625707ff8e115a4841aa889 (diff)
1 files changed, 145 insertions, 0 deletions
diff --git a/roms/edk2/MdeModulePkg/Core/Pei/Security/Security.c b/roms/edk2/MdeModulePkg/Core/Pei/Security/Security.c
new file mode 100644
index 000000000..8c18ed6cc
--- /dev/null
+++ b/roms/edk2/MdeModulePkg/Core/Pei/Security/Security.c
@@ -0,0 +1,145 @@
+/** @file
+  EFI PEI Core Security services
+
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "PeiMain.h"
+
+
+EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
+   EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
+   &gEfiPeiSecurity2PpiGuid,
+   SecurityPpiNotifyCallback
+};
+
+/**
+  Initialize the security services.
+
+  @param PeiServices     An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
+  @param OldCoreData     Pointer to the old core data.
+                         NULL if being run in non-permanent memory mode.
+
+**/
+VOID
+InitializeSecurityServices (
+  IN EFI_PEI_SERVICES  **PeiServices,
+  IN PEI_CORE_INSTANCE *OldCoreData
+  )
+{
+  if (OldCoreData == NULL) {
+    PeiServicesNotifyPpi (&mNotifyList);
+  }
+  return;
+}
+
+/**
+
+  Provide a callback for when the security PPI is installed.
+  This routine will cache installed security PPI into PeiCore's private data.
+
+  @param PeiServices        An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation.
+  @param NotifyDescriptor   The descriptor for the notification event.
+  @param Ppi                Pointer to the PPI in question.
+
+  @return Always success
+
+**/
+EFI_STATUS
+EFIAPI
+SecurityPpiNotifyCallback (
+  IN EFI_PEI_SERVICES           **PeiServices,
+  IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDescriptor,
+  IN VOID                       *Ppi
+  )
+{
+  PEI_CORE_INSTANCE                       *PrivateData;
+
+  //
+  // Get PEI Core private data
+  //
+  PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
+
+  //
+  // If there isn't a security PPI installed, use the one from notification
+  //
+  if (PrivateData->PrivateSecurityPpi == NULL) {
+    PrivateData->PrivateSecurityPpi = (EFI_PEI_SECURITY2_PPI *)Ppi;
+  }
+  return EFI_SUCCESS;
+}
+
+/**
+  Provide a callout to the security verification service.
+
+  @param PrivateData     PeiCore's private data structure
+  @param VolumeHandle    Handle of FV
+  @param FileHandle      Handle of PEIM's FFS
+  @param AuthenticationStatus Authentication status
+
+  @retval EFI_SUCCESS              Image is OK
+  @retval EFI_SECURITY_VIOLATION   Image is illegal
+  @retval EFI_NOT_FOUND            If security PPI is not installed.
+**/
+EFI_STATUS
+VerifyPeim (
+  IN PEI_CORE_INSTANCE      *PrivateData,
+  IN EFI_PEI_FV_HANDLE      VolumeHandle,
+  IN EFI_PEI_FILE_HANDLE    FileHandle,
+  IN UINT32                 AuthenticationStatus
+  )
+{
+  EFI_STATUS                      Status;
+  BOOLEAN                         DeferExecution;
+
+  Status = EFI_NOT_FOUND;
+  if (PrivateData->PrivateSecurityPpi == NULL) {
+    //
+    // Check AuthenticationStatus first.
+    //
+    if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0) {
+      if ((AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {
+        Status = EFI_SECURITY_VIOLATION;
+      }
+    }
+  } else {
+    //
+    // Check to see if the image is OK
+    //
+    Status = PrivateData->PrivateSecurityPpi->AuthenticationState (
+                                                (CONST EFI_PEI_SERVICES **) &PrivateData->Ps,
+                                                PrivateData->PrivateSecurityPpi,
+                                                AuthenticationStatus,
+                                                VolumeHandle,
+                                                FileHandle,
+                                                &DeferExecution
+                                                );
+    if (DeferExecution) {
+      Status = EFI_SECURITY_VIOLATION;
+    }
+  }
+  return Status;
+}
+
+
+/**
+  Verify a Firmware volume.
+
+  @param CurrentFvAddress   Pointer to the current Firmware Volume under consideration
+
+  @retval EFI_SUCCESS       Firmware Volume is legal
+
+**/
+EFI_STATUS
+VerifyFv (
+  IN EFI_FIRMWARE_VOLUME_HEADER  *CurrentFvAddress
+  )
+{
+  //
+  // Right now just pass the test.  Future can authenticate and/or check the
+  // FV-header or other metric for goodness of binary.
+  //
+  return EFI_SUCCESS;
+}
author	Angelos Mouzakitis <a.mouzakitis@virtualopensystems.com>	2023-10-10 14:33:42 +0000
committer	Angelos Mouzakitis <a.mouzakitis@virtualopensystems.com>	2023-10-10 14:33:42 +0000
commit	af1a266670d040d2f4083ff309d732d648afba2a (patch)
tree	2fc46203448ddcc6f81546d379abfaeb323575e9 /roms/edk2/MdeModulePkg/Core/Pei/Security/Security.c
parent	e02cda008591317b1625707ff8e115a4841aa889 (diff)