summaryrefslogtreecommitdiffstats
path: root/SecurityPkg/Library/DxeTpmMeasureBootLib
diff options
context:
space:
mode:
authorczhang46 <czhang46@6f19259b-4bc3-4df7-8a09-765794883524>2012-09-11 02:26:50 +0000
committerczhang46 <czhang46@6f19259b-4bc3-4df7-8a09-765794883524>2012-09-11 02:26:50 +0000
commit2aadc9205b8c1ea8b002e2bc05dcaed7b1505121 (patch)
treec24b5fb392f17b23bfad734da88fb717c07ae126 /SecurityPkg/Library/DxeTpmMeasureBootLib
parent884ed923564f35084c45a8f3f132c076b26f2423 (diff)
downloadedk2-2aadc9205b8c1ea8b002e2bc05dcaed7b1505121.tar.gz
edk2-2aadc9205b8c1ea8b002e2bc05dcaed7b1505121.tar.bz2
edk2-2aadc9205b8c1ea8b002e2bc05dcaed7b1505121.zip
Enable TPM measurement lib to measure all PE image from a FV unmeasured by TcgPei
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by : Dong, Guo <guo.dong@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13714 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg/Library/DxeTpmMeasureBootLib')
-rw-r--r--SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c97
-rw-r--r--SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf6
2 files changed, 84 insertions, 19 deletions
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index 300a15fe6b..9b13806e89 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -29,10 +29,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <PiDxe.h>
#include <Protocol/TcgService.h>
-#include <Protocol/FirmwareVolume2.h>
#include <Protocol/BlockIo.h>
#include <Protocol/DiskIo.h>
#include <Protocol/DevicePathToText.h>
+#include <Protocol/FirmwareVolumeBlock.h>
+
+#include <Guid/TrustedFvHob.h>
#include <Library/BaseLib.h>
#include <Library/DebugLib.h>
@@ -43,6 +45,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/BaseCryptLib.h>
#include <Library/PeCoffLib.h>
#include <Library/SecurityManagementLib.h>
+#include <Library/HobLib.h>
//
// Flag to check GPT partition. It only need be measured once.
@@ -52,6 +55,11 @@ EFI_GUID mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}
UINTN mMeasureGptCount = 0;
VOID *mFileBuffer;
UINTN mImageSize;
+//
+// Measured FV handle cache
+//
+EFI_HANDLE mCacheMeasuredHandle = NULL;
+UINT32 *mGuidHobData = NULL;
/**
Reads contents of a PE/COFF image in memory buffer.
@@ -718,17 +726,22 @@ DxeTpmMeasureBootHandler (
IN BOOLEAN BootPolicy
)
{
- EFI_TCG_PROTOCOL *TcgProtocol;
- EFI_STATUS Status;
- TCG_EFI_BOOT_SERVICE_CAPABILITY ProtocolCapability;
- UINT32 TCGFeatureFlags;
- EFI_PHYSICAL_ADDRESS EventLogLocation;
- EFI_PHYSICAL_ADDRESS EventLogLastEntry;
- EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
- EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
- EFI_HANDLE Handle;
- BOOLEAN ApplicationRequired;
- PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
+ EFI_TCG_PROTOCOL *TcgProtocol;
+ EFI_STATUS Status;
+ TCG_EFI_BOOT_SERVICE_CAPABILITY ProtocolCapability;
+ UINT32 TCGFeatureFlags;
+ EFI_PHYSICAL_ADDRESS EventLogLocation;
+ EFI_PHYSICAL_ADDRESS EventLogLastEntry;
+ EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
+ EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
+ EFI_HANDLE Handle;
+ EFI_HANDLE TempHandle;
+ BOOLEAN ApplicationRequired;
+ PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
+ EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *FvbProtocol;
+ EFI_PHYSICAL_ADDRESS FvAddress;
+ EFI_PLATFORM_FIRMWARE_BLOB *TrustedFvBuf;
+ UINT32 Index;
Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);
if (EFI_ERROR (Status)) {
@@ -822,10 +835,10 @@ DxeTpmMeasureBootHandler (
ApplicationRequired = FALSE;
//
- // Check whether this device path support FV2 protocol.
+ // Check whether this device path support FVB protocol.
//
DevicePathNode = OrigDevicePathNode;
- Status = gBS->LocateDevicePath (&gEfiFirmwareVolume2ProtocolGuid, &DevicePathNode, &Handle);
+ Status = gBS->LocateDevicePath (&gEfiFirmwareVolumeBlockProtocolGuid, &DevicePathNode, &Handle);
if (!EFI_ERROR (Status)) {
//
// Don't check FV image, and directly return EFI_SUCCESS.
@@ -835,13 +848,51 @@ DxeTpmMeasureBootHandler (
return EFI_SUCCESS;
}
//
- // The image from Firmware image will not be mearsured.
- // Current policy doesn't measure PeImage from Firmware if it is driver
- // If the got PeImage is application, it will be still be measured.
+ // The PE image from untrusted Firmware volume need be measured
+ // The PE image from trusted Firmware volume will be mearsured according to policy below.
+ // if it is driver, do not measure
+ // If it is application, still measure.
//
ApplicationRequired = TRUE;
+
+ if (mCacheMeasuredHandle != Handle && mGuidHobData != NULL) {
+ //
+ // Search for Root FV of this PE image
+ //
+ TempHandle = Handle;
+ do {
+ Status = gBS->HandleProtocol(
+ TempHandle,
+ &gEfiFirmwareVolumeBlockProtocolGuid,
+ &FvbProtocol
+ );
+ TempHandle = FvbProtocol->ParentHandle;
+ } while (!EFI_ERROR(Status) && FvbProtocol->ParentHandle != NULL);
+
+ //
+ // Search in measured FV Hob
+ //
+ Status = FvbProtocol->GetPhysicalAddress(FvbProtocol, &FvAddress);
+ if (EFI_ERROR(Status)){
+ return Status;
+ }
+
+ TrustedFvBuf = (EFI_PLATFORM_FIRMWARE_BLOB *)(mGuidHobData + 1);
+ ApplicationRequired = FALSE;
+
+ for (Index = 0; Index < *mGuidHobData; Index++) {
+ if(TrustedFvBuf[Index].BlobBase == FvAddress) {
+ //
+ // Cache measured FV for next measurement
+ //
+ mCacheMeasuredHandle = Handle;
+ ApplicationRequired = TRUE;
+ break;
+ }
+ }
+ }
}
-
+
//
// File is not found.
//
@@ -941,6 +992,16 @@ DxeTpmMeasureBootLibConstructor (
IN EFI_SYSTEM_TABLE *SystemTable
)
{
+ EFI_HOB_GUID_TYPE *GuidHob;
+
+ GuidHob = NULL;
+
+ GuidHob = GetFirstGuidHob (&gTrustedFvHobGuid);
+
+ if (GuidHob != NULL) {
+ mGuidHobData = GET_GUID_HOB_DATA (GuidHob);
+ }
+
return RegisterSecurity2Handler (
DxeTpmMeasureBootHandler,
EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
index 44d27a0887..9b0e3cb79b 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
@@ -50,10 +50,14 @@
PeCoffLib
BaseLib
SecurityManagementLib
+ HobLib
+
+[Guids]
+ gTrustedFvHobGuid
[Protocols]
gEfiTcgProtocolGuid ## CONSUMES
- gEfiFirmwareVolume2ProtocolGuid ## CONSUMES
+ gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES
gEfiBlockIoProtocolGuid ## CONSUMES
gEfiDiskIoProtocolGuid ## CONSUMES
gEfiDevicePathToTextProtocolGuid ## SOMETIMES_CONSUMES (Only used in debug mode)