Add PI1.2.1 SAP2 support and UEFI231B mantis 896

1. Update three Security Handlers to depend on new SecurityManagementLib APIs to register Security service for SAP2

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Guo Dong <dong.guo@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13661 6f19259b-4bc3-4df7-8a09-765794883524

3 files changed, 61 insertions, 57 deletions

diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c
index 84b8cf7..fd18d2f 100644
--- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c
+++ b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c
@@ -714,18 +714,22 @@ GetDefferedImageInfo (
                                     logging.

   @param[in]  FileBuffer            File buffer matches the input file device path.

   @param[in]  FileSize              Size of File buffer matches the input file device path.

-

-  @retval EFI_SUCCESS               The file specified by File did authenticate, and the

-                                    platform policy dictates that the DXE Core may use File.

-  @retval EFI_INVALID_PARAMETER     File is NULL.

-  @retval EFI_SECURITY_VIOLATION    The file specified by File did not authenticate, and

-                                    the platform policy dictates that File should be placed

-                                    in the untrusted state. A file may be promoted from

-                                    the untrusted to the trusted state at a future time

-                                    with a call to the Trust() DXE Service.

-  @retval EFI_ACCESS_DENIED         The file specified by File did not authenticate, and

-                                    the platform policy dictates that File should not be

-                                    used for any purpose.

+  @param[in]  BootPolicy            A boot policy that was used to call LoadImage() UEFI service.

+

+  @retval EFI_SUCCESS               FileBuffer is NULL and current user has permission to start

+                                    UEFI device drivers on the device path specified by DevicePath.

+  @retval EFI_SUCCESS               The file specified by DevicePath and non-NULL

+                                    FileBuffer did authenticate, and the platform policy dictates

+                                    that the DXE Foundation may use the file.

+  @retval EFI_SECURITY_VIOLATION    FileBuffer is NULL and the user has no

+                                    permission to start UEFI device drivers on the device path specified

+                                    by DevicePath.

+  @retval EFI_SECURITY_VIOLATION    FileBuffer is not NULL and the user has no permission to load

+                                    drivers from the device path specified by DevicePath. The

+                                    image has been added into the list of the deferred images.

+  @retval EFI_ACCESS_DENIED         The file specified by File and FileBuffer did not

+                                    authenticate, and the platform policy dictates that the DXE

+                                    Foundation many not use File.

 

 **/

 EFI_STATUS

@@ -734,17 +738,20 @@ DxeDeferImageLoadHandler (
   IN  UINT32                           AuthenticationStatus,

   IN  CONST EFI_DEVICE_PATH_PROTOCOL   *File,

   IN  VOID                             *FileBuffer,

-  IN  UINTN                            FileSize

+  IN  UINTN                            FileSize,

+  IN  BOOLEAN                          BootPolicy

   )

-

 {

   EFI_STATUS                           Status;

   EFI_USER_PROFILE_HANDLE              CurrentUser;

   UINT32                               Policy;

   UINT32                               FileType;

 

+  //

+  // Ignore if File is NULL.

+  //

   if (File == NULL) {

-    return EFI_INVALID_PARAMETER;

+    return EFI_SUCCESS;

   }

 

   //

@@ -759,7 +766,7 @@ DxeDeferImageLoadHandler (
       //

       if (!VerifyDevicePath (File)) {

         DEBUG ((EFI_D_ERROR, "[Security] The image is forbidden to load!\n"));

-        return EFI_ACCESS_DENIED;

+        return EFI_SECURITY_VIOLATION;

       }

       return EFI_SUCCESS;

     }

@@ -779,7 +786,7 @@ DxeDeferImageLoadHandler (
   }

  

   DEBUG ((EFI_D_ERROR, "[Security] No user identified, the image is deferred to load!\n"));

-  PutDefferedImageInfo (File, NULL, 0);

+  PutDefferedImageInfo (File, FileBuffer, FileSize);

 

   //

   // Install the Deferred Image Load Protocol onto a new handle.

@@ -849,7 +856,7 @@ DxeDeferImageLoadLibConstructor (
     &Registration

     );

   

-  return RegisterSecurityHandler (

+  return RegisterSecurity2Handler (

            DxeDeferImageLoadHandler,

            EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD 

            );      

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 402540e..c86ce1f 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -141,6 +141,10 @@ GetImageType (
   EFI_DEVICE_PATH_PROTOCOL          *TempDevicePath;

   EFI_BLOCK_IO_PROTOCOL             *BlockIo;

 

+  if (File == NULL) {

+    return IMAGE_UNKNOWN;

+  }

+

   //

   // First check to see if File is from a Firmware Volume

   //

@@ -1034,19 +1038,23 @@ VerifyCertPkcsSignedData (
                            being dispatched. This will optionally be used for logging.

   @param[in]    FileBuffer File buffer matches the input file device path.

   @param[in]    FileSize   Size of File buffer matches the input file device path.

-

-  @retval EFI_SUCCESS            The file specified by File did authenticate, and the

-                                 platform policy dictates that the DXE Core may use File.

-  @retval EFI_INVALID_PARAMETER  Input argument is incorrect.

+  @param[in]    BootPolicy A boot policy that was used to call LoadImage() UEFI service.

+

+  @retval EFI_SUCCESS            The file specified by DevicePath and non-NULL

+                                 FileBuffer did authenticate, and the platform policy dictates

+                                 that the DXE Foundation may use the file.

+  @retval EFI_SUCCESS            The device path specified by NULL device path DevicePath

+                                 and non-NULL FileBuffer did authenticate, and the platform

+                                 policy dictates that the DXE Foundation may execute the image in

+                                 FileBuffer.

   @retval EFI_OUT_RESOURCE       Fail to allocate memory.

   @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and

                                  the platform policy dictates that File should be placed

-                                 in the untrusted state. A file may be promoted from

-                                 the untrusted to the trusted state at a future time

-                                 with a call to the Trust() DXE Service.

-  @retval EFI_ACCESS_DENIED      The file specified by File did not authenticate, and

-                                 the platform policy dictates that File should not be

-                                 used for any purpose.

+                                 in the untrusted state. The image has been added to the file

+                                 execution table.

+  @retval EFI_ACCESS_DENIED      The file specified by File and FileBuffer did not

+                                 authenticate, and the platform policy dictates that the DXE

+                                 Foundation many not use File.

 

 **/

 EFI_STATUS

@@ -1055,7 +1063,8 @@ DxeImageVerificationHandler (
   IN  UINT32                           AuthenticationStatus,

   IN  CONST EFI_DEVICE_PATH_PROTOCOL   *File,

   IN  VOID                             *FileBuffer,

-  IN  UINTN                            FileSize

+  IN  UINTN                            FileSize,

+  IN  BOOLEAN                          BootPolicy

   )

 {

   EFI_STATUS                           Status;

@@ -1073,10 +1082,6 @@ DxeImageVerificationHandler (
   UINT32                               NumberOfRvaAndSizes;

   UINT32                               CertSize;

 

-  if (File == NULL) {

-    return EFI_INVALID_PARAMETER;

-  }

-

   SignatureList     = NULL;

   SignatureListSize = 0;

   WinCertificate    = NULL;

@@ -1326,6 +1331,7 @@ Done:
     // Policy decides to defer or reject the image; add its information in image executable information table.

     //

     AddImageExeInfo (Action, NULL, File, SignatureList, SignatureListSize);

+    Status = EFI_SECURITY_VIOLATION;

   }

 

   if (SignatureList != NULL) {

@@ -1410,7 +1416,7 @@ DxeImageVerificationLibConstructor (
     &Registration

     );

 

-  return RegisterSecurityHandler (

+  return RegisterSecurity2Handler (

           DxeImageVerificationHandler,

           EFI_AUTH_OPERATION_VERIFY_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED

           );

diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index d4616fa..a552960 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -694,34 +694,28 @@ Finish:
   might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is 

   returned.

 

-  @param[in, out] AuthenticationStatus  This is the authentication status returned

+  @param[in]      AuthenticationStatus  This is the authentication status returned

                                         from the securitymeasurement services for the

                                         input file.

   @param[in]      File       This is a pointer to the device path of the file that is

                              being dispatched. This will optionally be used for logging.

   @param[in]      FileBuffer File buffer matches the input file device path.

   @param[in]      FileSize   Size of File buffer matches the input file device path.

+  @param[in]      BootPolicy A boot policy that was used to call LoadImage() UEFI service.

 

-  @retval EFI_SUCCESS            The file specified by File did authenticate, and the

-                                 platform policy dictates that the DXE Core may use File.

-  @retval EFI_INVALID_PARAMETER  File is NULL.

-  @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and

-                                 the platform policy dictates that File should be placed

-                                 in the untrusted state. A file may be promoted from

-                                 the untrusted to the trusted state at a future time

-                                 with a call to the Trust() DXE Service.

-  @retval EFI_ACCESS_DENIED      The file specified by File did not authenticate, and

-                                 the platform policy dictates that File should not be

-                                 used for any purpose.

-

+  @retval EFI_SUCCESS             The file specified by DevicePath and non-NULL

+                                  FileBuffer did authenticate, and the platform policy dictates

+                                  that the DXE Foundation may use the file.

+  @retval other error value

 **/

 EFI_STATUS

 EFIAPI

 DxeTpmMeasureBootHandler (

-  IN  OUT   UINT32                     AuthenticationStatus,

+  IN  UINT32                           AuthenticationStatus,

   IN  CONST EFI_DEVICE_PATH_PROTOCOL   *File,

-  IN  VOID                             *FileBuffer OPTIONAL,

-  IN  UINTN                            FileSize OPTIONAL

+  IN  VOID                             *FileBuffer,

+  IN  UINTN                            FileSize,

+  IN  BOOLEAN                          BootPolicy

   )

 {

   EFI_TCG_PROTOCOL                  *TcgProtocol;

@@ -736,10 +730,6 @@ DxeTpmMeasureBootHandler (
   BOOLEAN                           ApplicationRequired;

   PE_COFF_LOADER_IMAGE_CONTEXT      ImageContext;

 

-  if (File == NULL) {

-    return EFI_INVALID_PARAMETER;

-  }

-

   Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);

   if (EFI_ERROR (Status)) {

     //

@@ -768,7 +758,6 @@ DxeTpmMeasureBootHandler (
   // Copy File Device Path

   //

   OrigDevicePathNode = DuplicateDevicePath (File);

-  ASSERT (OrigDevicePathNode != NULL);

   

   //

   // 1. Check whether this device path support BlockIo protocol.

@@ -928,7 +917,9 @@ DxeTpmMeasureBootHandler (
   // Done, free the allocated resource.

   //

 Finish:

-  FreePool (OrigDevicePathNode);

+  if (OrigDevicePathNode != NULL) {

+    FreePool (OrigDevicePathNode);

+  }

 

   return Status;

 }

@@ -949,7 +940,7 @@ DxeTpmMeasureBootLibConstructor (
   IN EFI_SYSTEM_TABLE  *SystemTable

   )

 {

-  return RegisterSecurityHandler (

+  return RegisterSecurity2Handler (

           DxeTpmMeasureBootHandler,

           EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED

           );