Changeset 58459 in vbox for trunk/src/VBox/Devices/EFI/Firmware/MdeModulePkg/Universal/SecurityStubDxe

Timestamp:

Oct 28, 2015 8:17:18 PM (9 years ago)

Author:

vboxsync

Message:

EFI/Firmware: 'svn merge ^{/vendor/edk2/UDK2010.SR1} /vendor/edk2/current .', reverting and removing files+dirs listed in ReadMe.vbox, resolving conflicts with help from ../UDK2014.SP1/. This is a raw untested merge.

Location:

trunk/src/VBox/Devices/EFI/Firmware

Files:

• . (modified) (1 prop)
• MdeModulePkg/Universal/SecurityStubDxe/SecurityStub.c (modified) (6 diffs)
• MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf (modified) (3 diffs)

trunk/src/VBox/Devices/EFI/Firmware/MdeModulePkg/Universal/SecurityStubDxe/SecurityStub.c

@@ -1 +1 @@
 /** @file
-  This driver produces security architectural protocol based on SecurityManagementLib.
+  This driver produces Security2 and Security architectural protocol based on SecurityManagementLib.
  
-  Copyright (c) 2006 - 2009, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials                          
   are licensed and made available under the terms and conditions of the BSD License         
@@ -16 +16 @@
 #include <Uefi.h>
 #include <Protocol/Security.h>
+#include <Protocol/Security2.h>
 #include <Library/DebugLib.h>
 #include <Library/UefiBootServicesTableLib.h>
@@ -69 +70 @@
   )
 {
-  return ExecuteSecurityHandlers (AuthenticationStatus, File);
+  EFI_STATUS Status;
+  
+  Status = ExecuteSecurity2Handlers (EFI_AUTH_OPERATION_AUTHENTICATION_STATE, 
+                                   AuthenticationStatus, 
+                                   File,
+                                   NULL, 
+                                   0, 
+                                   FALSE
+                                   );
+  if (Status == EFI_SUCCESS) {
+    Status = ExecuteSecurityHandlers (AuthenticationStatus, File);
+  }
+  
+  return Status;
 }
 
-//
-// Security Architectural Protocol instance produced by this driver
+/**
+  The DXE Foundation uses this service to measure and/or verify a UEFI image.
+
+  This service abstracts the invocation of Trusted Computing Group (TCG) measured boot, UEFI
+  Secure boot, and UEFI User Identity infrastructure. For the former two, the DXE Foundation
+  invokes the FileAuthentication() with a DevicePath and corresponding image in
+  FileBuffer memory. The TCG measurement code will record the FileBuffer contents into the
+  appropriate PCR. The image verification logic will confirm the integrity and provenance of the
+  image in FileBuffer of length FileSize . The origin of the image will be DevicePath in
+  these cases.
+  If the FileBuffer is NULL, the interface will determine if the DevicePath can be connected
+  in order to support the User Identification policy.
+  
+  @param  This             The EFI_SECURITY2_ARCH_PROTOCOL instance.
+  @param  File             A pointer to the device path of the file that is
+                           being dispatched. This will optionally be used for logging.
+  @param  FileBuffer       A pointer to the buffer with the UEFI file image.
+  @param  FileSize         The size of the file.
+  @param  BootPolicy       A boot policy that was used to call LoadImage() UEFI service. If
+                           FileAuthentication() is invoked not from the LoadImage(),
+                           BootPolicy must be set to FALSE.
+  
+  @retval EFI_SUCCESS             The file specified by DevicePath and non-NULL
+                                  FileBuffer did authenticate, and the platform policy dictates
+                                  that the DXE Foundation may use the file.
+  @retval EFI_SUCCESS             The device path specified by NULL device path DevicePath
+                                  and non-NULL FileBuffer did authenticate, and the platform
+                                  policy dictates that the DXE Foundation may execute the image in
+                                  FileBuffer.
+  @retval EFI_SUCCESS             FileBuffer is NULL and current user has permission to start
+                                  UEFI device drivers on the device path specified by DevicePath.
+  @retval EFI_SECURITY_VIOLATION  The file specified by DevicePath and FileBuffer did not
+                                  authenticate, and the platform policy dictates that the file should be
+                                  placed in the untrusted state. The image has been added to the file
+                                  execution table.
+  @retval EFI_ACCESS_DENIED       The file specified by File and FileBuffer did not
+                                  authenticate, and the platform policy dictates that the DXE
+                                  Foundation many not use File.
+  @retval EFI_SECURITY_VIOLATION  FileBuffer is NULL and the user has no
+                                  permission to start UEFI device drivers on the device path specified
+                                  by DevicePath.
+  @retval EFI_SECURITY_VIOLATION  FileBuffer is not NULL and the user has no permission to load
+                                  drivers from the device path specified by DevicePath. The
+                                  image has been added into the list of the deferred images.
+**/
+EFI_STATUS
+EFIAPI
+Security2StubAuthenticate (
+  IN CONST EFI_SECURITY2_ARCH_PROTOCOL *This,
+  IN CONST EFI_DEVICE_PATH_PROTOCOL    *File,
+  IN VOID                              *FileBuffer,
+  IN UINTN                             FileSize,
+  IN BOOLEAN                           BootPolicy
+  )
+{
+  return ExecuteSecurity2Handlers (EFI_AUTH_OPERATION_VERIFY_IMAGE | 
+                                   EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD | 
+                                   EFI_AUTH_OPERATION_MEASURE_IMAGE |
+                                   EFI_AUTH_OPERATION_CONNECT_POLICY, 
+                                   0, 
+                                   File,
+                                   FileBuffer, 
+                                   FileSize, 
+                                   BootPolicy
+                                   );
+}
+
+//
+// Security2 and Security Architectural Protocol instance produced by this driver
 //
 EFI_SECURITY_ARCH_PROTOCOL  mSecurityStub = { 
@@ -79 +160 @@
 };
 
+EFI_SECURITY2_ARCH_PROTOCOL mSecurity2Stub = { 
+  Security2StubAuthenticate 
+};
+
 /**
-  Installs Security Architectural Protocol.
+  Installs Security2 and Security Architectural Protocol.
 
   @param  ImageHandle  The image handle of this driver.
@@ -100 +185 @@
   // Make sure the Security Architectural Protocol is not already installed in the system
   //
+  ASSERT_PROTOCOL_ALREADY_INSTALLED (NULL, &gEfiSecurity2ArchProtocolGuid);
   ASSERT_PROTOCOL_ALREADY_INSTALLED (NULL, &gEfiSecurityArchProtocolGuid);
 
@@ -107 +193 @@
   Status = gBS->InstallMultipleProtocolInterfaces (
                   &mSecurityArchProtocolHandle,
+                  &gEfiSecurity2ArchProtocolGuid,
+                  &mSecurity2Stub,
                   &gEfiSecurityArchProtocolGuid,
                   &mSecurityStub,

trunk/src/VBox/Devices/EFI/Firmware/MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

@@ -1 +1 @@
 ## @file
-#  This driver produces security architectural protocol based on SecurityManagementLib.
+#  This driver produces security2 and security architectural protocol based on SecurityManagementLib.
 #
-#  Copyright (c) 2006 - 2010, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
@@ -17 +17 @@
   INF_VERSION                    = 0x00010005
   BASE_NAME                      = SecurityStubDxe
+  MODULE_UNI_FILE                = SecurityStubDxe.uni
   FILE_GUID                      = F80697E9-7FD6-4665-8646-88E33EF71DFC
   MODULE_TYPE                    = DXE_DRIVER
@@ -41 +42 @@
 
 [Protocols]
-  gEfiSecurityArchProtocolGuid                  ## PRODUCED
+  gEfiSecurityArchProtocolGuid                  ## PRODUCES
+  gEfiSecurity2ArchProtocolGuid                 ## PRODUCES
 
 [Depex]
   TRUE
-  
+
+[UserExtensions.TianoCore."ExtraFiles"]
+  SecurityStubDxeExtra.uni