1 /** @file
2   Implement image authentication status check in UEFI2.3.1.
3 
4 Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution.  The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
9 
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
12 
13 **/
14 
15 #include <PiDxe.h>
16 #include <Library/SecurityManagementLib.h>
17 
18 
19 /**
20   Check image authentication status returned from Section Extraction Protocol
21 
22   @param[in]    AuthenticationStatus  This is the authentication status returned from
23                              the Section Extraction Protocol when reading the input file.
24   @param[in]    File       This is a pointer to the device path of the file that is
25                            being dispatched. This will optionally be used for logging.
26   @param[in]    FileBuffer File buffer matches the input file device path.
27   @param[in]    FileSize   Size of File buffer matches the input file device path.
28   @param[in]    BootPolicy A boot policy that was used to call LoadImage() UEFI service.
29 
30   @retval EFI_SUCCESS            The input file specified by File did authenticate, and the
31                                  platform policy dictates that the DXE Core may use File.
32   @retval EFI_ACCESS_DENIED      The file specified by File and FileBuffer did not
33                                  authenticate, and the platform policy dictates that the DXE
34                                  Foundation many not use File.
35 
36 **/
37 EFI_STATUS
38 EFIAPI
DxeImageAuthenticationStatusHandler(IN UINT32 AuthenticationStatus,IN CONST EFI_DEVICE_PATH_PROTOCOL * File,IN VOID * FileBuffer,IN UINTN FileSize,IN BOOLEAN BootPolicy)39 DxeImageAuthenticationStatusHandler (
40   IN  UINT32                           AuthenticationStatus,
41   IN  CONST EFI_DEVICE_PATH_PROTOCOL   *File,
42   IN  VOID                             *FileBuffer,
43   IN  UINTN                            FileSize,
44   IN  BOOLEAN                          BootPolicy
45   )
46 {
47   if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0) {
48     if ((AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {
49       return EFI_ACCESS_DENIED;
50     }
51   }
52 
53   return EFI_SUCCESS;
54 }
55 
56 
57 /**
58   Register image authenticaion status check handler.
59 
60   @param  ImageHandle   ImageHandle of the loaded driver.
61   @param  SystemTable   Pointer to the EFI System Table.
62 
63   @retval EFI_SUCCESS   The handlers were registered successfully.
64 **/
65 EFI_STATUS
66 EFIAPI
DxeImageAuthenticationStatusLibConstructor(IN EFI_HANDLE ImageHandle,IN EFI_SYSTEM_TABLE * SystemTable)67 DxeImageAuthenticationStatusLibConstructor (
68   IN EFI_HANDLE        ImageHandle,
69   IN EFI_SYSTEM_TABLE  *SystemTable
70   )
71 {
72   return RegisterSecurity2Handler (
73            DxeImageAuthenticationStatusHandler,
74            EFI_AUTH_OPERATION_AUTHENTICATION_STATE
75            );
76 }
77