Gitiles
Code Review Sign In
gerrit.devboardsforandroid.linaro.org / device / linaro / hikey960 / 0e33772df9ca72fb5f6e3d9a9b9ee547997b1b66 / . / uefi / linaro-edk2 / MdeModulePkg / Library / DxeSecurityManagementLib / DxeSecurityManagementLib.c
blob: 6a50937adea560edbf999922408537e5b6e86fd9 [file] [log] [blame]
Vishal Bhoj82c80712015-12-15 21:13:33 +0530[diff] [blame]1/** @file
2 Provides generic security measurement functions for DXE module.
3
4Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
5This program and the accompanying materials
6are licensed and made available under the terms and conditions of the BSD License
7which accompanies this distribution. The full text of the license may be found at
8http://opensource.org/licenses/bsd-license.php
9
10THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
12
13**/
14
15#include <PiDxe.h>
16#include <Library/DebugLib.h>
17#include <Library/DxeServicesLib.h>
18#include <Library/MemoryAllocationLib.h>
19#include <Library/SecurityManagementLib.h>
20
21#define SECURITY_HANDLER_TABLE_SIZE 0x10
22
23//
24// Secruity Operation on Image and none Image.
25//
26#define EFI_AUTH_IMAGE_OPERATION_MASK (EFI_AUTH_OPERATION_VERIFY_IMAGE \
27 | EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD \
28 | EFI_AUTH_OPERATION_MEASURE_IMAGE)
29#define EFI_AUTH_NONE_IMAGE_OPERATION_MASK (EFI_AUTH_OPERATION_CONNECT_POLICY \
30 | EFI_AUTH_OPERATION_AUTHENTICATION_STATE)
31
32typedef struct {
33 UINT32 SecurityOperation;
34 SECURITY_FILE_AUTHENTICATION_STATE_HANDLER SecurityHandler;
35} SECURITY_INFO;
36
37typedef struct {
38 UINT32 Security2Operation;
39 SECURITY2_FILE_AUTHENTICATION_HANDLER Security2Handler;
40} SECURITY2_INFO;
41
42UINT32 mCurrentAuthOperation = 0;
43UINT32 mNumberOfSecurityHandler = 0;
44UINT32 mMaxNumberOfSecurityHandler = 0;
45SECURITY_INFO *mSecurityTable = NULL;
46
47UINT32 mCurrentAuthOperation2 = 0;
48UINT32 mNumberOfSecurity2Handler = 0;
49UINT32 mMaxNumberOfSecurity2Handler = 0;
50SECURITY2_INFO *mSecurity2Table = NULL;
51
52/**
53 Reallocates more global memory to store the registered Handler list.
54
55 @retval RETURN_SUCCESS Reallocate memory successfully.
56 @retval RETURN_OUT_OF_RESOURCES No enough memory to allocated.
57**/
58RETURN_STATUS
59EFIAPI
60ReallocateSecurityHandlerTable (
61 )
62{
63 //
64 // Reallocate memory for security info structure.
65 //
66 mSecurityTable = ReallocatePool (
67 mMaxNumberOfSecurityHandler * sizeof (SECURITY_INFO),
68 (mMaxNumberOfSecurityHandler + SECURITY_HANDLER_TABLE_SIZE) * sizeof (SECURITY_INFO),
69 mSecurityTable
70 );
71
72 //
73 // No enough resource is allocated.
74 //
75 if (mSecurityTable == NULL) {
76 return RETURN_OUT_OF_RESOURCES;
77 }
78
79 //
80 // Increase max handler number
81 //
82 mMaxNumberOfSecurityHandler = mMaxNumberOfSecurityHandler + SECURITY_HANDLER_TABLE_SIZE;
83 return RETURN_SUCCESS;
84}
85
86/**
87 Check whether an operation is valid according to the requirement of current operation,
88 which must make sure that the measure image operation is the last one.
89
90 @param CurrentAuthOperation Current operation.
91 @param CheckAuthOperation Operation to be checked.
92
93 @retval TRUE Operation is valid for current operation.
94 @retval FALSE Operation is invalid for current operation.
95**/
96BOOLEAN
97CheckAuthenticationOperation (
98 IN UINT32 CurrentAuthOperation,
99 IN UINT32 CheckAuthOperation
100 )
101{
102 //
103 // Make sure new auth operation can be recognized.
104 //
105 ASSERT ((CheckAuthOperation & ~(EFI_AUTH_IMAGE_OPERATION_MASK | EFI_AUTH_OPERATION_AUTHENTICATION_STATE | EFI_AUTH_OPERATION_IMAGE_REQUIRED)) == 0);
106
107 //
108 // When current operation includes measure image operation,
109 // only another measure image operation or none operation will be allowed.
110 //
111 if ((CurrentAuthOperation & EFI_AUTH_OPERATION_MEASURE_IMAGE) == EFI_AUTH_OPERATION_MEASURE_IMAGE) {
112 if (((CheckAuthOperation & EFI_AUTH_OPERATION_MEASURE_IMAGE) == EFI_AUTH_OPERATION_MEASURE_IMAGE) ||
113 ((CheckAuthOperation & EFI_AUTH_IMAGE_OPERATION_MASK) == EFI_AUTH_OPERATION_NONE)) {
114 return TRUE;
115 } else {
116 return FALSE;
117 }
118 }
119
120 //
121 // When current operation doesn't include measure image operation,
122 // any new operation will be allowed.
123 //
124 return TRUE;
125}
126
127/**
128 Register security measurement handler with its operation type. The different
129 handler with the same operation can all be registered.
130
131 If SecurityHandler is NULL, then ASSERT().
132 If no enough resources available to register new handler, then ASSERT().
133 If AuthenticationOperation is not recongnized, then ASSERT().
134 If the previous register handler can't be executed before the later register handler, then ASSERT().
135
136 @param[in] SecurityHandler Security measurement service handler to be registered.
137 @param[in] AuthenticationOperation Operation type is specified for the registered handler.
138
139 @retval EFI_SUCCESS The handlers were registered successfully.
140**/
141EFI_STATUS
142EFIAPI
143RegisterSecurityHandler (
144 IN SECURITY_FILE_AUTHENTICATION_STATE_HANDLER SecurityHandler,
145 IN UINT32 AuthenticationOperation
146 )
147{
148 EFI_STATUS Status;
149
150 ASSERT (SecurityHandler != NULL);
151
152 //
153 // Make sure AuthenticationOperation is valid in the register order.
154 //
155 ASSERT (CheckAuthenticationOperation (mCurrentAuthOperation, AuthenticationOperation));
156 mCurrentAuthOperation = mCurrentAuthOperation | AuthenticationOperation;
157
158 //
159 // Check whether the handler lists is enough to store new handler.
160 //
161 if (mNumberOfSecurityHandler == mMaxNumberOfSecurityHandler) {
162 //
163 // Allocate more resources for new handler.
164 //
165 Status = ReallocateSecurityHandlerTable();
166 ASSERT_EFI_ERROR (Status);
167 }
168
169 //
170 // Register new handler into the handler list.
171 //
172 mSecurityTable[mNumberOfSecurityHandler].SecurityOperation = AuthenticationOperation;
173 mSecurityTable[mNumberOfSecurityHandler].SecurityHandler = SecurityHandler;
174 mNumberOfSecurityHandler ++;
175
176 return EFI_SUCCESS;
177}
178
179/**
180 Execute registered handlers until one returns an error and that error is returned.
181 If none of the handlers return an error, then EFI_SUCCESS is returned.
182
183 Before exectue handler, get the image buffer by file device path if a handler
184 requires the image file. And return the image buffer to each handler when exectue handler.
185
186 The handlers are executed in same order to their registered order.
187
188 @param[in] AuthenticationStatus
189 This is the authentication type returned from the Section
190 Extraction protocol. See the Section Extraction Protocol
191 Specification for details on this type.
192 @param[in] FilePath This is a pointer to the device path of the file that is
193 being dispatched. This will optionally be used for logging.
194
195 @retval EFI_SUCCESS The file specified by File did authenticate when more
196 than one security handler services were registered,
197 or the file did not authenticate when no security
198 handler service was registered. And the platform policy
199 dictates that the DXE Core may use File.
200 @retval EFI_INVALID_PARAMETER File is NULL.
201 @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
202 the platform policy dictates that File should be placed
203 in the untrusted state. A file may be promoted from
204 the untrusted to the trusted state at a future time
205 with a call to the Trust() DXE Service.
206 @retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and
207 the platform policy dictates that File should not be
208 used for any purpose.
209**/
210EFI_STATUS
211EFIAPI
212ExecuteSecurityHandlers (
213 IN UINT32 AuthenticationStatus,
214 IN CONST EFI_DEVICE_PATH_PROTOCOL *FilePath
215 )
216{
217 UINT32 Index;
218 EFI_STATUS Status;
219 UINT32 HandlerAuthenticationStatus;
220 VOID *FileBuffer;
221 UINTN FileSize;
222
223 if (FilePath == NULL) {
224 return EFI_INVALID_PARAMETER;
225 }
226
227 //
228 // Directly return successfully when no handler is registered.
229 //
230 if (mNumberOfSecurityHandler == 0) {
231 return EFI_SUCCESS;
232 }
233
234 Status = EFI_SUCCESS;
235 FileBuffer = NULL;
236 FileSize = 0;
237 HandlerAuthenticationStatus = AuthenticationStatus;
238 //
239 // Run security handler in same order to their registered list
240 //
241 for (Index = 0; Index < mNumberOfSecurityHandler; Index ++) {
242 if ((mSecurityTable[Index].SecurityOperation & EFI_AUTH_OPERATION_IMAGE_REQUIRED) == EFI_AUTH_OPERATION_IMAGE_REQUIRED) {
243 //
244 // Try get file buffer when the handler requires image buffer.
245 //
246 if (FileBuffer == NULL) {
247 //
248 // Try to get image by FALSE boot policy for the exact boot file path.
249 //
250 FileBuffer = GetFileBufferByFilePath (FALSE, FilePath, &FileSize, &AuthenticationStatus);
251 if (FileBuffer == NULL) {
252 //
253 // Try to get image by TRUE boot policy for the inexact boot file path.
254 //
255 FileBuffer = GetFileBufferByFilePath (TRUE, FilePath, &FileSize, &AuthenticationStatus);
256 }
257 }
258 }
259 Status = mSecurityTable[Index].SecurityHandler (
260 HandlerAuthenticationStatus,
261 FilePath,
262 FileBuffer,
263 FileSize
264 );
265 if (EFI_ERROR (Status)) {
266 break;
267 }
268 }
269
270 if (FileBuffer != NULL) {
271 FreePool (FileBuffer);
272 }
273
274 return Status;
275}
276
277/**
278 Reallocates more global memory to store the registered Securit2Handler list.
279
280 @retval RETURN_SUCCESS Reallocate memory successfully.
281 @retval RETURN_OUT_OF_RESOURCES No enough memory to allocated.
282**/
283RETURN_STATUS
284EFIAPI
285ReallocateSecurity2HandlerTable (
286 )
287{
288 //
289 // Reallocate memory for security info structure.
290 //
291 mSecurity2Table = ReallocatePool (
292 mMaxNumberOfSecurity2Handler * sizeof (SECURITY2_INFO),
293 (mMaxNumberOfSecurity2Handler + SECURITY_HANDLER_TABLE_SIZE) * sizeof (SECURITY2_INFO),
294 mSecurity2Table
295 );
296
297 //
298 // No enough resource is allocated.
299 //
300 if (mSecurity2Table == NULL) {
301 return RETURN_OUT_OF_RESOURCES;
302 }
303
304 //
305 // Increase max handler number
306 //
307 mMaxNumberOfSecurity2Handler = mMaxNumberOfSecurity2Handler + SECURITY_HANDLER_TABLE_SIZE;
308 return RETURN_SUCCESS;
309}
310
311/**
312 Check whether an operation is valid according to the requirement of current operation,
313 which must make sure that the measure image operation is the last one.
314
315 If AuthenticationOperation is not recongnized, return FALSE.
316 If AuthenticationOperation is EFI_AUTH_OPERATION_NONE, return FALSE.
317 If AuthenticationOperation includes security operation and authentication operation, return FALSE.
318 If the previous register handler can't be executed before the later register handler, return FALSE.
319
320 @param CurrentAuthOperation Current operation.
321 @param CheckAuthOperation Operation to be checked.
322
323 @retval TRUE Operation is valid for current operation.
324 @retval FALSE Operation is invalid for current operation.
325**/
326BOOLEAN
327CheckAuthentication2Operation (
328 IN UINT32 CurrentAuthOperation,
329 IN UINT32 CheckAuthOperation
330 )
331{
332 //
333 // Make sure new auth operation can be recognized.
334 //
335 if (CheckAuthOperation == EFI_AUTH_OPERATION_NONE) {
336 return FALSE;
337 }
338 if ((CheckAuthOperation & ~(EFI_AUTH_IMAGE_OPERATION_MASK |
339 EFI_AUTH_NONE_IMAGE_OPERATION_MASK |
340 EFI_AUTH_OPERATION_IMAGE_REQUIRED)) != 0) {
341 return FALSE;
342 }
343
344 //
345 // When current operation includes measure image operation,
346 // only another measure image or none image operation will be allowed.
347 //
348 if ((CurrentAuthOperation & EFI_AUTH_OPERATION_MEASURE_IMAGE) == EFI_AUTH_OPERATION_MEASURE_IMAGE) {
349 if (((CheckAuthOperation & EFI_AUTH_OPERATION_MEASURE_IMAGE) == EFI_AUTH_OPERATION_MEASURE_IMAGE) ||
350 ((CheckAuthOperation & EFI_AUTH_IMAGE_OPERATION_MASK) == 0)) {
351 return TRUE;
352 } else {
353 return FALSE;
354 }
355 }
356
357 //
358 // Any other operation will be allowed.
359 //
360 return TRUE;
361}
362
363/**
364 Register security measurement handler with its operation type. Different
365 handlers with the same operation can all be registered.
366
367 If Security2Handler is NULL, then ASSERT().
368 If no enough resources available to register new handler, then ASSERT().
369 If AuthenticationOperation is not recongnized, then ASSERT().
370 If AuthenticationOperation is EFI_AUTH_OPERATION_NONE, then ASSERT().
371 If the previous register handler can't be executed before the later register handler, then ASSERT().
372
373 @param[in] Security2Handler The security measurement service handler to be registered.
374 @param[in] AuthenticationOperation The operation type is specified for the registered handler.
375
376 @retval EFI_SUCCESS The handlers were registered successfully.
377**/
378EFI_STATUS
379EFIAPI
380RegisterSecurity2Handler (
381 IN SECURITY2_FILE_AUTHENTICATION_HANDLER Security2Handler,
382 IN UINT32 AuthenticationOperation
383 )
384{
385 EFI_STATUS Status;
386
387 ASSERT (Security2Handler != NULL);
388
389 //
390 // Make sure AuthenticationOperation is valid in the register order.
391 //
392 ASSERT (CheckAuthentication2Operation (mCurrentAuthOperation2, AuthenticationOperation));
393 mCurrentAuthOperation2 = mCurrentAuthOperation2 | AuthenticationOperation;
394
395 //
396 // Check whether the handler lists is enough to store new handler.
397 //
398 if (mNumberOfSecurity2Handler == mMaxNumberOfSecurity2Handler) {
399 //
400 // Allocate more resources for new handler.
401 //
402 Status = ReallocateSecurity2HandlerTable();
403 ASSERT_EFI_ERROR (Status);
404 }
405
406 //
407 // Register new handler into the handler list.
408 //
409 mSecurity2Table[mNumberOfSecurity2Handler].Security2Operation = AuthenticationOperation;
410 mSecurity2Table[mNumberOfSecurity2Handler].Security2Handler = Security2Handler;
411 mNumberOfSecurity2Handler ++;
412
413 return EFI_SUCCESS;
414}
415
416/**
417 Execute registered handlers based on input AuthenticationOperation until
418 one returns an error and that error is returned.
419
420 If none of the handlers return an error, then EFI_SUCCESS is returned.
421 The handlers those satisfy AuthenticationOperation will only be executed.
422 The handlers are executed in same order to their registered order.
423
424 @param[in] AuthenticationOperation
425 The operation type specifies which handlers will be executed.
426 @param[in] AuthenticationStatus
427 The authentication status for the input file.
428 @param[in] File This is a pointer to the device path of the file that is
429 being dispatched. This will optionally be used for logging.
430 @param[in] FileBuffer A pointer to the buffer with the UEFI file image
431 @param[in] FileSize The size of File buffer.
432 @param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
433
434 @retval EFI_SUCCESS The file specified by DevicePath and non-NULL
435 FileBuffer did authenticate, and the platform policy dictates
436 that the DXE Foundation may use the file.
437 @retval EFI_SUCCESS The device path specified by NULL device path DevicePath
438 and non-NULL FileBuffer did authenticate, and the platform
439 policy dictates that the DXE Foundation may execute the image in
440 FileBuffer.
441 @retval EFI_SUCCESS FileBuffer is NULL and current user has permission to start
442 UEFI device drivers on the device path specified by DevicePath.
443 @retval EFI_SECURITY_VIOLATION The file specified by File or FileBuffer did not
444 authenticate, and the platform policy dictates that
445 the file should be placed in the untrusted state.
446 @retval EFI_SECURITY_VIOLATION FileBuffer FileBuffer is NULL and the user has no
447 permission to start UEFI device drivers on the device path specified
448 by DevicePath.
449 @retval EFI_SECURITY_VIOLATION FileBuffer is not NULL and the user has no permission to load
450 drivers from the device path specified by DevicePath. The
451 image has been added into the list of the deferred images.
452 @retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and
453 the platform policy dictates that the DXE
454 Foundation may not use File.
455 @retval EFI_INVALID_PARAMETER File and FileBuffer are both NULL.
456**/
457EFI_STATUS
458EFIAPI
459ExecuteSecurity2Handlers (
460 IN UINT32 AuthenticationOperation,
461 IN UINT32 AuthenticationStatus,
462 IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
463 IN VOID *FileBuffer,
464 IN UINTN FileSize,
465 IN BOOLEAN BootPolicy
466 )
467{
468 UINT32 Index;
469 EFI_STATUS Status;
470
471 //
472 // Invalid case if File and FileBuffer are both NULL.
473 //
474 if (File == NULL && FileBuffer == NULL) {
475 return EFI_INVALID_PARAMETER;
476 }
477
478 //
479 // Directly return successfully when no handler is registered.
480 //
481 if (mNumberOfSecurity2Handler == 0) {
482 return EFI_SUCCESS;
483 }
484
485 //
486 // Run security handler in same order to their registered list
487 //
488 for (Index = 0; Index < mNumberOfSecurity2Handler; Index ++) {
489 //
490 // If FileBuffer is not NULL, the input is Image, which will be handled by EFI_AUTH_IMAGE_OPERATION_MASK operation.
491 // If FileBuffer is NULL, the input is not Image, which will be handled by EFI_AUTH_NONE_IMAGE_OPERATION_MASK operation.
492 // Other cases are ignored.
493 //
494 if ((FileBuffer != NULL && (mSecurity2Table[Index].Security2Operation & EFI_AUTH_IMAGE_OPERATION_MASK) != 0) ||
495 (FileBuffer == NULL && (mSecurity2Table[Index].Security2Operation & EFI_AUTH_NONE_IMAGE_OPERATION_MASK) != 0)) {
496 //
497 // Execute registered handlers based on input AuthenticationOperation
498 //
499 if ((mSecurity2Table[Index].Security2Operation & AuthenticationOperation) != 0) {
500 Status = mSecurity2Table[Index].Security2Handler (
501 AuthenticationStatus,
502 File,
503 FileBuffer,
504 FileSize,
505 BootPolicy
506 );
507 if (EFI_ERROR (Status)) {
508 return Status;
509 }
510 }
511 }
512 }
513
514 return EFI_SUCCESS;
515}